Date : 18/08/2023

Relevance: GS Paper 3- National Security- Data Protection

Keywords: Data Protection Act, Digital Age Privacy, Cross-Border Data Transfer, Emerging Digital Challenges, K. S. Puttaswamy (Retd) Vs Union of India Case (2017)

Context-

The Digital Personal Data Protection Act, 2023, colloquially known as the Data Act, has thrust India into a new era of digital world.

Evolution of Data Protection Regime

• The origins of the Data Act can be traced back to the government's fervent pursuit of total control over its citizens. This relentless quest for dominance finds its roots in the belief that technology holds the key to reshaping the very foundations of democracy. In a speech delivered in Silicon Valley in September 2015, Prime Minister Narendra Modi expressed an unshakable faith in technology's transformative power, envisioning a world where digital solutions would mend the fractures within society.

The Necessity for the Digital Personal Data Protection Act, 2023

• The realm of personal data, encompassing information that identifies individuals, has spurred the Ministry of Electronics and Information Technology into action. Conceiving a comprehensive framework, the ministry has crafted the 'Digital Personal Data Protection Act, 2023' draft, epitomizing a pivotal endeavor to safeguard personal data while acknowledging its lawful utilization.

Different Approaches to Data Protection Laws in Various Countries

The European Union Approach: The General Data Protection Regulation (GDPR) represents a comprehensive data protection framework governing the processing of personal data. It establishes the right to privacy as a fundamental right, safeguarding an individual's dignity and control over their generated data. Notably, the Digital Services Act targets concerns like hate speech and counterfeit goods, while the Digital Markets Act identifies and regulates "dominant gatekeeper" platforms to prevent non-competitive practices and abuse of power.

The United States Model: Privacy protection in the US centers around preserving individual "liberty," shielding personal space from government intrusion. Unlike the EU, the US lacks an overarching set of privacy rights or principles that collectively address data collection, usage, and disclosure.

The Chinese Approach: The Personal Information Protection Law (PIPL) grants data principals the authority to prevent personal data misuse. Simultaneously, the Data Security Law categorizes business data by importance levels, imposing restrictions on cross-border transfers. The government wields extensive powers to oversee data collection and regulate private companies, even mandating operational suspensions until compliance is demonstrated.

Similarities with India: India has introduced a comparable provision, empowering the Central government to block platforms that repeatedly breach its guidelines, echoing the Chinese approach.

Act's Core Objectives: Striking the Balance

• Rooted in a dual purpose, the draft Act underscores individuals' prerogative to safeguard their personal data while addressing the imperative of legitimate data processing. Its significance lies in providing a set of ethical guidelines and best practices to guide organizations and the government in handling personal data.
• A pivotal aspect is the regulation of personal data processing, balancing the rights and obligations of both citizens, referred to as 'Digital Nagriks,' and Data Fiduciaries entrusted with lawful data usage.

Crucial Highlights of the Digital Personal Data Protection Act, 2023

• Extensive Applicability: The ambit of the Act extends to the processing of digital personal data within India. It extends its jurisdiction to personal data processing beyond Indian borders if it pertains to offering goods, services, or profiling individuals within India.
• Informed Consent: The Act enshrines the principle of processing personal data solely for lawful purposes, contingent upon an individual's informed consent. A prerequisite notice is mandatory before seeking consent, detailing the intended data collection and processing. Individuals retain the right to revoke consent at any juncture. For those under 18, consent shall be secured from their legal guardian.
• Empowering Data Principals: Individuals, recognized as Data Principals, are endowed with certain rights under the Act, including the right to obtain processing information, demand correction or erasure of personal data, and designate a representative in the event of their incapacity or demise.
• Cross-Border Data Transfer: The Central Government holds the authority to specify countries where Data Fiduciaries can transfer personal data, subject to prescribed terms and conditions.
• Exemptions and Data Protection Board; Certain exemptions from the Act's provisions are granted, including government activities in the interest of security and public order. The establishment of the Data Protection Board of India assumes significance, entrusted with functions such as compliance oversight, penalties imposition, addressing data breaches, and redressing grievances.
• Imposing Penalties; The Act delineates penalties for violations, spanning from non-compliance penalties for children's data protection to penalties for inadequate data breach prevention measures.

Significance of the Digital Personal Data Protection Act, 2023

• The Act embodies a critical stride toward safeguarding users' personal data, curbing corporate impunity, and reinforcing the Right to Privacy. Corporate giants and consumers alike will be held accountable through substantial fines for non-compliance. By rendering internet companies, mobile applications, and businesses more transparent, the Act reinforces citizens' digital privacy rights.
  Reservations and Critical Appraisals

Government Exemptions and Data Access:

• Detractors are expressing apprehension regarding the Act's expansive government exemptions from data protection obligations. Granting the government access to personal data without consent for reasons like national security, public order, and sovereignty raises serious privacy and civil liberty concerns. The provision allowing the government to compel entities to provide anonymized or non-personal data for policy-making or research purposes is seen as potentially enabling data misuse.
• An alarming trend of democratic regression in the digital realm, marked by legislation like the Criminal Procedure (Identification) Act, 2022, and the Registration of Births and Deaths (Amendment) Act, 2023, both of which create databases holding exhaustive information about Indian citizens and their families.
• A glaring example is the Aarogya Setu app, which transformed from a pandemic-fighting tool into a mandate for surveillance. Even the online vaccination platform, Co-Win, suffered from similar privacy issues. This disregard for data protection becomes evident in the very architecture of such projects, like the "Smart Cities Mission," which seeks to centralize real-time data for residents but often misses deadlines, leaving citizens questioning their safety and the program's efficacy.

Cross-Border Data Transfer

• The Act's provisions for transferring personal data across borders are facing criticism for lacking clear approval mechanisms and criteria. The mandate for storing a copy of personal data in India poses challenges for multinational entities, introducing operational complexities and higher costs.
• The absence of well-defined guidelines for international data transfers raises uncertainties around compliance and data flow.

Individual Rights and Remedies

• Critics contend that while the Act confers certain rights upon individuals concerning their data, these rights are subject to exceptions that could undermine their effectiveness. Notably, the right to erasure is not absolute and can be denied under specific circumstances. Additionally, the Act's provisions do not establish a robust mechanism for individuals to seek compensation or redressal for harm resulting from data breaches or misuse.
• Initiatives like the "social media communications hub" and the "National Automated Facial Recognition System" underscore a blatant pursuit of mass surveillance. Disturbingly, these projects find legal cover in the Data Act, which paradoxically fails to safeguard citizens' interests. Instead of protecting personal data, the Act lays the burden of duty on individuals, even imposing fines on marginalized groups for potentially inaccurate or incomplete data submissions. Such provisions highlight a warped perspective, where the state's interests trump citizens' rights.

Addressing Emerging Challenges in the Digital Era

• Detractors have highlighted potential gaps in the Act's ability to effectively address challenges arising from emerging digital technologies and practices. Aspects such as artificial intelligence, big data analytics, social media platforms, and online profiling demand specialized considerations to ensure robust protection of personal data.
• Advocates emphasize the importance of integrating privacy by design and default principles from the outset of system and process development to uphold privacy safeguards.

Global Perspectives on Data Privacy Regulation

• Around 70% of countries globally have enacted data protection legislation, with the EU's General Data Protection Regulation standing as the gold standard. Nations like China and Vietnam have tightened data transfer regulations, while Australia passed legislation granting police access to encrypted data.

Conclusion

The Digital Personal Data Protection Act, 2023 encapsulates a substantial stride towards securing individuals' data rights while compelling businesses and institutions to uphold ethical data practices. The legislative backing fortifies the Supreme Court's assertion of the constitutional right to privacy in the Justice K. S. Puttaswamy (Retd) Vs Union of India Case (2017). As India embraces this digital evolution, it does so with an eye toward preserving the sanctity of personal data and individual liberties.

Source - The Indian Express