By Shobhit S.
Editor’s note: This blog is a part of our ongoing Data Protection Blog Series, titled Navigating the Indian Data Protection Law. This series will be updated regularly, and will explore the practical implications and shortcomings of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and where appropriate, suggest suitable safeguards that can be implemented to further protect the rights of the data principals. For a detailed analysis of the Indian data protection legislation, the comprehensive comments provided by the Centre for Communication Governance on the 2022 DPDP Bill and the 2018 DPDP Bill can be accessed here. For a detailed comparison between the provisions of the DPDP Act and the 2022 Bill, our comparative tracker can be accessed here. Moreover, we have also provided an in-depth analysis of individuals’ rights under the DPDP Act in the Data Protection 101 episode of our CCG Tech Podcast.
A brief genesis of the DPDP Act
On August 11, 2023, after a protracted pre-legislative saga involving five drafts in six years, India’s first personal data protection regime, the DPDP Act, came into force.
The Aadhaar project, involving the systematic accumulation of citizens’ personal data by the state, sparked public discourse surrounding legal protection of informational privacy. Prompted initially to consider the legality of Aadhaar, the Supreme Court emphatically reaffirmed the fundamental right to privacy in Indian constitutional jurisprudence, in its hallowed decision in August 2017 (“Puttaswamy I”).
Recognising privacy as an innate aspect of human dignity and autonomy, the Court held that any interference with it must be justified against the touchstone of ‘proportionality’. According to the majority opinion, such interference must be: (i) sanctioned by law, (ii) in furtherance of a legitimate purpose; (iii) proportionate in extent to the purpose sought to be achieved; and (d) accompanied with procedural guarantees against abuse. While inconsistencies have been noted (here and here) in the application of the proportionality-standard by the Court, it has become central to fundamental rights adjudication, signalling a putative shift from “a culture of authority to a culture of justification”.
The Court identified ‘informational autonomy’, i.e., an individual’s control over the dissemination of information personal to them, as a key facet of their privacy. Accordingly, it expressed the expectation that the state would institute a robust data protection framework, aligned with principles enunciated by it. This expectation was restated with added urgency in September 2018, in the Court’s judgement upholding Aadhaar (‘Puttaswamy II’). In fact, the judgement manifestly rested on the expectation that the state would imminently enact such a framework, following the Srikrishna Committee’s report in July 2018.
Viewed thus, the DPDP Act represents a long-awaited response to the Court’s directions to protect individuals’ informational privacy, both against the state and private entities. However, it is striking for its disavowal of proportionality (and all its judicial constructions), in its application to the state as a data fiduciary.
Broad grounds for confidential processing of personal data
Under the DPDP Act, the state can process personal data confidentially, i.e., without the individual’s consent or knowledge (prior or subsequent), towards any state function under any extant law (Section 7(c)). Even without a legally-provided function, it can do so in the ambiguous interests of national sovereignty, integrity or security (Section 7(c)). It can use data collected in any other context by any of its notified agencies, to purportedly facilitate the issuance of benefits, subsidies, certifications, licenses, or permits. (Section 7(b)).1 Moreover, it can retain any data in perpetuity, even where the original purpose stands served (Section 17(4)).
The breadth and the malleability of the grounds on which the state can confidentially process personal data, invites the possibility of “function creep” – it enables the state to use personal data collected for a specific purpose towards any other, without the individual’s knowledge and without any other mechanism for accountability. It also magnifies recognised privacy-risks associated with integration of personal datasets at scale and with profiling of citizens by the state. Notably, the power to process data confidentially can be exercised by any “instrumentality of the state” – an expression interpreted liberally by the Court to even include entities such as statutory corporations. While the broad interpretation has generally aided in the invocation of fundamental rights against these ‘instrumentalities’, it empowers them to collect and use personal data in complete opacity under the DPDP Act.
Admittedly, there are circumstances in which alerting an individual before or upon processing their data may be counterproductive, say, where such processing is to respond to an imminent threat to public security. Nevertheless, since confidential use of individuals’ personal data interferes with their privacy, any grounds for such use must be proportional to the legislative aim sought to be achieved. But in enabling practically limitless and unaccountable processing by the executive, the DPDP Act sidesteps any such consideration.
A law more cognisant of proportionality would, first, narrowly define the constitutionally permissible ends that the state may pursue via confidential processing. It would require that confidentiality have a rational nexus with the ends and be functionally suitable to achieve them – this would arguably preclude confidential use of personal data for provision of public services, where public scrutiny is particularly crucial. Further, it would require the state to consider alternative means, which are less intrusive, to achieve such ends. For example, if the state envisages confidentially processing citizens’ biometric data for delivery of benefits, the law would require it to consider whether verification of beneficiaries for such delivery can be undertaken using less sensitive forms of personal data.
Where (and only where) alternative means are not available or feasible, the law would provide narrow grounds for confidential processing, considering the importance of the desired ends and only to the extent necessary to achieve them. In such cases, it would include procedural safeguards to protect individuals’ privacy against arbitrary state interference, per Puttaswamy I. Illustratively, such safeguards could include a requirement to report instances of confidential processing to an independent authority, or to erase personal data after the underlying purpose is served.
Blanket exemption for notified agencies
In addition to provisions that enable the state to confidentially use personal data for vague purposes, the DPDP Act allows exemption of certain state agencies and instrumentalities from all obligations under it. The executive can notify any such entity, in the interests of national sovereignty and integrity, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence relating to any of these (Section 17(2)(a)).
Much like provisions enabling opaque data processing, this exemption (unlike the 2019 Bill (Clause 35) and the 2018 Bill (Clause 43)) does not evince any attempt to balance the state’s powers with the legislative interests sought to be guarded. It enumerates ill-defined interests to enable privacy-incursions, without requiring the state to demonstrate any particular threats to the stated interest. It does not provide any legislative guidance on the nature of the exempted agencies that may be notified. Further, it empowers such entities to process data without upholding any other duties that ordinarily attach to data fiduciaries. These include duties integral to secure data processing (and are wholly unrelated to the interests sought to be protected), such as those to institute security measures to prevent breaches (Section 8(5)) and to protect children’s data (Section 9). In allowing such carte blanche, Section 17 effectively discharges notified entities from their fiduciary relationship with data principals – a relationship considered intrinsic to the processing of an individual’s personal data.
Concluding remarks
The analysis above points to the ways in which the DPDP Act fails to meaningfully protect individuals’ informational privacy against the state.2 Styled as a data protection framework, the Act affirmatively facilitates disproportionate encroachment into the private realm, and dubious surveillance measures akin to those struck down by the Court in 1962 (Kharak Singh v State of UP).
It is in recognition of such legally-enabled abuse that the Court recently emphasised the requirement of ‘sufficient safeguards’, in assessing the proportionality of any law (Ramesh Chandra v. State of UP). The decision provides a sound basis for challenging laws that invite even the possibility of abuse, where actual instances cannot (yet) be demonstrated. As Bhatia notes, it acknowledges that abuse usually “takes place not in open contravention of the law, but under the cover of a law that leaves wide discretion for executive action within its interstices”. Hopefully, this exposition of proportionality would assist courts in (at least) reading down the DPDP Act and thereby, reducing the risk of abuse embedded in it.
______________________
1 Pertinently, Section 7(b) does provide scope for further standards for processing of such data, to be notified under a policy issued by the Central Government. Further, Section 40(1)(e) allows the Central Government to notify specific subsidies, benefits, services, certificates, licences or permits for the provision of which personal data may be processed under Section 7(b).
2 As we have argued here and here, these concerns are exacerbated by the lack of regulatory powers and the lack of independence of the statutory data protection authority.