The Digital Personal Data Protection Act, 2023: Assessing And Navigating The Impact Of The Recent Legislation
The Bill, passed on August 3rd 2023, was intended to cover the processing of
digital personal data collected in India, whether online or offline. It also
applies to processing done outside India if that processing is for offering
goods or services in India. The legislation gives central importance to
consent: it states that personal data may be handled only with the subject's
consent and only for legitimate purposes.
The legislation also creates exceptions for certain lawful purposes, in which
consent may not be required, such as processing by the State to handle
applications for permits, licenses, benefits, and services, or data voluntarily
shared by the individual. The Bill also stated that data fiduciaries are
required to keep data accurate and safe, and to delete it once its purpose has
been served.
Individuals are granted a number of rights under the Bill, including the right
to information, the ability to request correction and erasure, and the right to
access grievance procedures. In the interest of specific reasons, such as the
security of the state, public order, and the prevention of crimes, the central
government has the power to exclude government agencies from the application of
the Bill's requirements.
The Data Protection Board of India is created by the national government to
adjudicate cases where the Bill's requirements are not being followed. On 11th
August 2023, the Digital Personal Data Protection Bill was passed and became the
Digital Personal Data Protection Act, 2023.
Imperative of Data Fiduciary under the Act
A "Data Fiduciary" is a body already mentioned or named in current Indian law.
Under the DPDP Act, the term "Data Fiduciary" describes a person who,
individually or jointly with others, "determines the purpose and means of
processing" the personal data of Data Principals.
This definition includes both natural persons (such as any individual) and
artificial or juristic persons (such as a company, firm, or other organization).
In addition, the DPDP Act establishes a distinction between a "Data Fiduciary"
and a "Significant Data Fiduciary" and sets forth the necessary responsibilities
and obligations for each.
In order to ensure compliance with the DPDP Act, Data Fiduciaries must, among
other things, put in place the necessary technical, legal, and security
safeguards and set up grievance processes. In addition to their own compliance,
Data Fiduciaries are accountable for any Data Processors (i.e., anyone hired to
process data on behalf of the relevant Data Fiduciary) as well. In terms of
additional responsibilities, a Data Fiduciary is specifically held accountable
for the personal information of Data Principals who are minors.
As mentioned before, the Act draws a distinction between a "Data Fiduciary" and
a "Significant Data Fiduciary". The differentiation is based mainly on factors
such as the "value" and "sensitivity" of the personal data handled by the Data
Fiduciary, weighed against the risk posed to the Data Principal.
Elucidation of the term "consent"
The DPDP Act states up front that Data Fiduciaries may use the personal data of
an individual only for legitimate purposes, only with the consent (or "deemed
consent") of that individual, and in a way that complies with the DPDP Act and
other applicable laws. It states unequivocally that "consent" (in relation to a
Data Principal) refers to consent that is freely given, explicit, and informed.
Such consent must be unequivocal and can take the shape of any affirmation or
action that clearly demonstrates that a Data Principal has consented to the
processing of his or her personal information. To obtain this consent, Data
Fiduciaries are required to send the relevant Data Principals (including those
whose consent was obtained before the Act came into force) a notice that, among
other things, specifies the data intended to be collected. Following that
notice, an explicit request must be made to the person concerned to obtain
their consent (in the required format).
In order to accomplish this, Data Fiduciaries must first appoint a "Data
Protection Officer" (whose information must be communicated with the Data
Principal when requesting consent) and a "Consent Manager" (i.e., a particular
class/category of Data Fiduciary under the DPDP Act).
Importantly, a Data Principal has the choice to not only provide consent to a
Data Fiduciary but also to revoke that consent through the Consent Manager, a
recognised organization that acts on a Data Fiduciary's behalf and is answerable
to the Data Principal. A Consent Manager must offer a Data Principal a clear
platform or method to "give, manage, review, or withdraw" their consent in order
to fulfill this obligation. When a Data Principal's consent is revoked, Data
Fiduciaries are responsible for making sure that their personal data is no
longer processed (within a "reasonable time").
Requiring consent for data collection and sharing, stiff fines for data
breaches, and requirements for data fiduciaries (companies that collect and
retain data) are the positive facets included in this act. "However, if you look
more closely, you'll see that there are no specifics. There is no map available.
The regulation must be as explicit as possible in order to be effective"
according to Prateek Waghre, policy director of the Internet Freedom Foundation.
Use of the phrase "As May Be Prescribed"
Delegated legislation gives administrative authorities a great deal of
discretion, which could result in widespread misuse or the exercise of
excessive power. The Government purposefully left this piece of law to the
discretion of subordinate agencies under the guise of keeping the legislation
lean. In the dissenting opinion in the Supreme Court's decision on
demonetisation, Justice B.V. Nagarathna reminded us that unrestricted and
unfettered powers under delegation would be ex facie arbitrary and suffer from
the vice of unconstitutionality.
The overuse of the phrase "as may be prescribed" in the Act raises questions
about the lack of precision and detail in its provisions. Because the
legislation does not cover the details of execution, an excessive amount of
power is delegated. The DPDP Act's defining feature appears to be the
government's go-to phrase, "as may be prescribed." It appears 28 times in 44
sections of a 21-page Act.
The ambiguity has been maintained to allow the government to make arbitrary
decisions. If most of the provisions are left "as may be prescribed," then no
part of the law can be said to be insulated from executive discretion; the
executive branch is free to make the choice whenever it sees fit. This not only
reduces the openness of the legislative process but also makes it more
difficult for the general public to comprehend the reach and ramifications of
the law.
Section 32: The integral part of the Act
The DPDP Act's central portion, Section 32, introduces the perplexing paradigm
of "Voluntary Undertaking." The clause gives the Data Protection Board the power
to accept voluntary commitments from those who are not abiding by the Act's
rules and to halt further investigations. The fundamental significance of this
clause lies not in its seemingly innocuous nature but rather in the potential it
possesses to act as a shield for offenders to avoid punishment.
This could result in a scenario where offenders avoid fines of up to an
astounding Rs 250 crore per offence by providing a simple assurance, negating
the law's deterrent intent. By allowing data fiduciaries to avoid fines for
non-compliance, the law unintentionally creates an escape clause that could be
used by persons with dishonest intentions. In turn, this might weaken the Act's
emphasis on accountability and lead to ineffective enforcement.
Implied Exemptions under DPDPA
The Act's patchwork of exemptions conceals a glaring weakness. The Union
government is free to exempt government entities and data fiduciaries, including
start-ups, from a number of rules under Section 17. A question about the
unrestrained use of executive power is raised by the broad permission granted to
government agencies, which is ostensibly anchored in the interests of India's
sovereignty and integrity, the security of the State, friendly relations with
foreign States, the maintenance of public order, or preventing incitement to any
cognizable offense related to any of these. This can lead to an excessive
invasion of privacy rights.
Section 9(5) is also concerning. It gives the government the authority to waive
the requirement that Data Fiduciaries obtain parental consent before processing
the personal data of certain age groups of children, and to permit them to
track or monitor the behavior of children or to use their data to target
advertisements at children, if it determines that their track record of data
processing is demonstrably secure. The possibility of surveillance, behavioral
analysis, and targeted advertising aimed at children without their parents'
knowledge or consent raises concerns.
Data Fiduciaries are given extensive permissions under Sections 7(b) and 7(c)
to process personal data on behalf of the State and its agencies. Section 7(c)
grants a Data Fiduciary broad permission to process any personal data for the
State or any of its instrumentalities in the name of the sovereignty, integrity,
or security of the State, whereas Section 7(b) permits the use of personal data
for any government purpose without explicit consent, even by converting
non-digital data to digital form without the permission of the Data Principal.
These clauses may be used for monitoring and manipulation while ostensibly
serving official purposes.
Conclusion:
The Supreme Court has stated, in reference to the monitoring operation
"Pegasus," that "the right to privacy is directly violated when there is
surveillance or spying done on an individual, whether by the State or by any
external agency." The ideals of "personal informational privacy" are violated by
the widespread storing and gathering of individuals' personal data taken without
their consent under this current legislation.
India's dedication to enhancing data privacy in a world that is increasingly
going digital is reflected in the Digital Personal Data Protection Act, 2023.
The Act includes significant safeguards, but it also poses significant queries
about how to strike a balance between individual privacy, legal use, and
governmental control. Although the Act has a noble purpose, there are a number
of obstacles and potential problems in its execution, particularly in relation
to ambiguous criteria, government interference, and repurposing current
institutions to handle complicated data governance issues.
References:
PRS Legislative Research, Digital Personal Data Protection Bill, 2023, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023
Ashneet Hanspal, Aditi Mendiratta and Gaurav Bhalla, Analysis of Digital Personal Data Protection Bill, 2019, January 04, 2023, https://www.mondaq.com/india/data-protection/1267190/analysis-of-the-digital-personal-data-protection-bill-2022
Section 8, Digital Personal Data Protection Act, 2023
John Brittas and Aneesh Babu, What Lies Beneath the PR Blitz on the new Data Protection Act, August 27, 2023, https://thewire.in/government/what-lies-beneath-the-pr-blitz-on-the-new-data-protection-act
Section 32, Digital Personal Data Protection Act, 2023
Rashmi Rajagopal, 'New data protection law draws criticism', 16 August 2023, https://www.deccanherald.com/india/karnataka/bengaluru/new-data-protection-law-draws-criticism-2648820
Section 17, Digital Personal Data Protection Act, 2023
Section 9(5), Digital Personal Data Protection Act, 2023
Section 7, Digital Personal Data Protection Act, 2023