Premium
This is an archive article published on August 19, 2023
Premium

Opinion Data Protection Bill: In process and practice, a step back

The inclusion of significant new changes in the law at the final stage without an opportunity for broad public engagement and input was a flawed approach and will likely further distance the law from its objectives

Data Protection ActWith rules and regulations for implementation being left to the government, the real work begins now. It’s crucial for courts and governments to remember that the real power to protect the digital privacy of digital nagriks lies with them.
August 19, 2023 04:55 PM IST First published on: Aug 19, 2023 at 04:54 PM IST

Written by Jhalak M Kakkar and Shashank Mohan

On August 9, Parliament passed India’s first data protection law — the Digital Personal Data Protection Bill, 2023 (DPDP). Compared to previous drafts, this law has several new provisions that have significant implications for the privacy of Indians. Although public consultations in the last five years have had serious limitations, through these, the government has engaged with multiple stakeholders, including both industry and civil society. This made for some, if not enough, time and space for public scrutiny of each version of the Bill.

Advertisement

The hurried passage of the Bill through Parliament is a deviation from this practice and has disallowed broader public engagement with new provisions inserted into the law. This becomes especially important since some of these provisions are divergent from global best practices, For example, the exclusion of publicly-available personal data from protection, enabling government access to information, and allowing blocking of internet services.

Also Read | Derek O’Brien writes on Data Protection Act: A systematic wreckage of democratic procedure

It is a settled position of privacy law that not only does it protect the private realm of an individual, but people also continue to enjoy a sense of privacy in public spaces. The Supreme Court too, in its judgment in K S Puttaswamy v Union of India (2017) held that privacy was not lost when an individual was in a public place.

Despite this, the DPDP Bill 2023 excludes any publicly available personal data that is shared by an individual from protection. This raises questions about the interaction of this exemption with other aspects of the law and opens it up to critical litigation. As it stands, if a third-party uses one’s data shared in the public domain, one loses all rights under the law (including the right to erase or correct information, granted under the DPDP Bill).

Advertisement

However, it cannot be assumed that someone who shares personal data in the public domain would agree for it to be used by any third party for unrestricted purposes. When sharing photos of their vacation on Instagram, users assume that many people, including strangers, may view the pictures. But despite their “public” nature, users wouldn’t want them to show up on rogue websites that sell them for money.

This provision may have been introduced to boost the AI ecosystem and enable existing practices deployed by services like ChatGPT that scrape publicly available data en-masse from the web. However, just because information is technically accessible and collectable doesn’t imply that we should enable this through the law without obligations on third parties, and processes like the need for consent.

The DPDP Bill 2023 enables the government to ask the Data Protection Board and any digital service to share any information “for the purposes of this Act”. Although other laws like the Consumer Protection Act or the Patents Act also have information-calling provisions, they are typically for specified purposes, or empower a specialised independent regulator to call for relevant information. The DPDP Bill doesn’t add any such nuance to its information-calling provision nor is it a power being exercised by an independent regulator.

Don't Miss | Digital Personal Data Protection Bill: Spectre of a Barbenheimer future

This may open the law to court challenges — it may not meet the standard of proportionality laid down by the Supreme Court in the privacy judgment.

As per the DPDP Bill 2023, the government can now block access to digital services on the fulfilment of certain conditions. If the Data Protection Board imposes monetary penalties twice or more on a digital service, the Board can advise the government to block it on grounds of the general interest of the public.

This clause adds to wide powers under the IT Act that permit the government to block websites and online services in India. Using this power, the government frequently blocks websites, tweets, YouTube channels, and even apps in India. These blockings have significant implications for online free speech, especially since practically, users are not intimated and these orders have to be kept confidential as per the law.

Blocking access to services has two aspects: Content and blocking of business. If a business repeatedly falls foul of the data protection law, it may be worthwhile to bar it from processing the data of Indians. However, if this clause is used for content blocking on the internet, it may have significant ramifications on online free expression.

The inclusion of significant new changes in the law at the final stage without an opportunity for broad public engagement and input was a flawed approach and will likely further distance the law from its objectives. With rules and regulations for implementation being left to the government, the real work begins now. It’s crucial for courts and governments to remember that the real power to protect the digital privacy of digital nagriks lies with them.

Kakkar is Executive Director and Mohan is a Programme Manager at the Centre for Communication Governance at National Law University Delhi

© The Indian Express Pvt Ltd
newsguard-logo
Latest Comment
Post Comment
Read Comments