Despite some reservations, India's technological landscape will be profoundly altered by the groundbreaking Digital Personal Data Protection Act (DPDPA) 2023. Users will have more say over their data and the ability to see what information has been collected and with whom it has been shared.
The new law's details, including why some exemptions were eliminated and how the government plans to cope with emerging threats, are explained by Rajeev Chandrasekhar, the minister of state for electronics and information technology. He believes that in order to achieve the greater goal of preserving law and order and a secure environment, the government and public service delivery must have properly crafted exceptional circumstances.
These exceptions are narrowly tailored in line with the nine-judge bench decision in Justice Puttaswamy vs. Union of India, he says.
Edited excerpts from an interview: One of the criticisms of the act has been the exemptions the government has granted to certain firms. What should be the basis to decide the categories of firms who can avail exemptions and under what obligations?
There are narrow exemptions envisaged in the act to reduce the hindrances to the innovation ecosystem and the start up economy. The se exemptions are not provisioned for any significantd at a fiduciaries (SDFs). In addition to the volume and nature of the personal data processed , other criteria that could be considered are with respect to data fiduciaries working on new technology, new ideas, privacyenhancing technologies, etc, and for a specified period. These criteria will be decided in consultation with startups.
The law provides for sectoral regulations to supersede the data law, but sectoral regulators may not have the expertise on personal data protection. They may take a conservative approach or impose disproportionate burdens on the industry. How will you address this? We have had a consultative process during the bill drafting process, whereby all ministries, departments and other stakeholders were involved and their concerns incorporated. The law’s framework for regulation and overtime is in its early stages and we expect new challenges to emerge.
As long as it is within the DPDPA framework, certain sectors or classes of data can have higher degrees of protection and/or consequences. Prima facie, this law defines the data protection framework, but if there is a segment of the economy or sectoral issues, for instance health, which requires a higher set of rules for more sensitive data, they may prescribe more rigorous rules. Similarly, RBI as a financial sector can prescribe rules or regulations that impose higher regulation for some class of data.
A new right provided in India is the right to nomination. How and when can nominees be appointed?
Through DPDPA 2023, we are pioneering a new international standard with respect to the rights of the individual in the digital space. The nomination process can be initiated at any time after registration on a platform and can also be changed at any point. We will discuss these matters in upcoming industry consultations.
Concerning the definition of SDFs, the law only provides the types of parameters and not the parameters themselves. When will the government explain how it will classify firms as significant?
The broad parameters are provided in the law — SDFs are those with volume and sensitivity of personal data, risk to the rights of data principal, impact on sovereignty and integrity of the country, security of state, risk to electoral democracy and public order. The examination of factors for determination and the notification of SDFs will be a periodic exercise.
It may not be useful to think of the ‘State’ as one monolithic entity. How will we divide up the state into different data fiduciaries and data processors? How will different instrumentalities of the state get classified as SDFs?
Every data platform that seeks to deliver a service or product by processing personal data is a data fiduciary under the DPDP Bill. There is one standard that applies to all data fiduciaries, and no differentiation under the law for any data fiduciary entity.
The law empowers users to demand that personal data collected with their consent be corrected, updated, completed or erased. But how can this gap be addressed?
There is absolutely no differentiation in the obligations under the law for any entity, be it private or government, as long as it’s a data fiduciary. That means, if you collect data — regardless of whether you are the government or a private entity — you will be liable to follow the law and carry out obligations that have been laid out for you as a data fiduciary. The specific exemption has been provided to the government keep ing in view their obligations to law enforcement, public service delivery and national security.
For the industry, going back to users for additional personal data or taking consent for new purposes is likely to become an expensive exercise. How can digital tools help reduce this expense?
There would be deep behavioural changes in the way personal data is processed by data fiduciaries keeping in view the best interests of the citizens. Requirement for consent (even for additional purposes) is built into the architecture of the law. The industry may have to explore digital tools to reduce technical and financial overload in seeking consent. Also, the consent architecture through a consent manager can modularise and ease this exercise.
In practice, how will government exemptions work? What kind of internal checks and balances should the government build?
Consent of the individual is built into the architecture. Any exception to that is only in the event of a national security incident, like a pandemic or an earthquake.
Similarly, law enforcement agencies cannot be expected to take consent of terrorists. These are very carefully carved out exceptional circumstances, which the government or public service delivery agent must have with a larger objective of law and order. These exceptions are narrowly tailored in line with the nine-judge bench decision in Justice Puttaswamy vs Union of India. As the judgment identified, privacy is a fundamental right but not an absolute right, and like with free speech, there are some reasonable restrictions such as national security and public emergencies. There will be suitable checks and balances even within the government to ensure that this power is not misused. In addition to the obligations of DPDPA, processing of data will also have to be within the data governance policy framework (National Data Governance Policy).
Why were children and adults with disabilities clubbed together? Also, the act doesn’t define disability. Will all differentlyabled people be treated as one homogenous category?
Those are two categories of people who will need special intervention in their consent for platforms, and rules will define them granularly.
What was the thinking behind removing exemptions given to journalists, which was present in earlier iterations of the bill?
There is no situation envisaged where a journalist needs any special exemption under this act. The act deals with rights of data principles and obligations of data fiduciaries, and how breaches will be adjudicated by the Data Protection Board (DPB).
Can you explain verifiable consent and will this be feasible at scale?
Verifiable consent may be treated as consent obtained from the parent or lawful guardian, which can be verified if needed. Hence, the consent record should be stored and be linked to the individual for whom it is obtained. The rules around the manner and procedure for capturing verifiable consent would be finalised upon consultations with various stakeholders, including parents, students and the industry.
The law bars any processing that is likely to cause a detrimental effect on the well-being of a child. How will firms determine what is likely to cause this?
Safety, trust and accountability of the internet for all is an article of faith for us. While traditionally, cyberspace has been seen as a space for good — allowing citizens to interact with each other — it has, in recent years, become a space for illegalities and user harm, taking on various forms that are particularly unique to the internet. The DPDPA puts additional obligation on data fiduciaries with respect to handling of children’s data by ensuring that processing in any form is likely to cause any detrimental effect on the well-being of a child. What would constitute a detrimental effect would itself evolve over time. For this, data fiduciaries will evolve their processes and systems.
An SDF would also have to appoint a data protection officer. Should there be rules on qualification criteria with regards to these appointments, to ensure that the DPO can function in an independent manner? The DPDPA does not provide for the rule making or qualification criteria of DPOs. However, there are provisions in the act, such as its responsibility to the board of directors, which will ensure that they function in the interest of the data principals. It is up to the data fiduciaries to do everything they can, including having good data protection officers to be able to discharge their obligations.
Comments