Striking a Balance Between Privacy Rights and Government Authority

President Droupadi Murmu granted assent to the Digital Personal Data Protection Bill (DPDPB), 2023 on August 12. Intended to ensure that the processing of digital personal data upholds citizens’ privacy, this Act will have major implications for that privacy and for how citizens’ data is used.

Personal data legislation in India has been through an extensive consultative process and various iterations. Through these, the DPDPB, 2023, which is the latest version, attempted to balance individuals’ right to privacy with the processing of digital personal data for lawful purposes. However, certain provisions of the Act undermine these objectives.

Firstly, through ‘certain legitimate uses’ (formerly deemed consent), the Act reserves instances in which the processing of data can be done without the informed consent of the Data Principal. Far too broad and ambiguous, this clause outlines certain circumstances under which data can be processed, taking away the power Data Principals have over their data and potentially allowing for the unnecessary processing of data. 

Secondly, the Act significantly expands the discretionary powers of the Union Government and its instrumentalities to process data, while diluting their accountability mechanisms. Again, these exemptions are too broad, increasing the likelihood of the unnecessary processing of data and, subsequently, decreasing the ability of individuals to protect their personal data.

The unnecessary processing of personal data without any repercussions for exempted parties could undermine individual rights to privacy, which could hinder the Act’s intention of bolstering the country’s privacy landscape.

‘Certain Legitimate Uses’

The DPDPB’s 2022 draft rested on the assumption that the Data Principal had given consent to the processing of their data by the Data Fiduciary when ‘necessary.’

After scrutiny by numerous stakeholders, the clause of ‘deemed consent’ has been replaced in the DPDP Act with ‘certain legitimate uses’ – however, primarily in name. Provisions under this clause mimic the provisions that were previously under deemed consent – one such example is the processing of citizens’ data during a health disaster to ‘maintain public order.’ In the case of the Covid-19 pandemic, for example, health data could be processed without consent from Data Principals.

As previously discussed in ‘The Changing Nature of Digital Privacy Rights,’ the clause of deemed consent diminished the power of the bill’s protection mechanisms. However, the problem with the clause lay in its applicability rather than its mere existence. Its applicability was far too broad, increasing the likelihood of the unnecessary processing of data and subsequently infringing on data protection mechanisms. Altering the language of the clause while preserving the purpose it previously served produces similar problems.

Expanding Powers of the Government and its Instrumentalities

In the 2022 draft of the DPDPB, the Central Government had given itself authority to exempt government instrumentalities from adhering to the data processing standards. Although these exemptions were already considered too broad, the DPDP Act has further widened their scope.

In the revised version, even the Central Government is exempt from adhering to these standards if it has been provided data by an exempted party. Additionally, both parties have the authority to retain personal data for an unlimited period of time, regardless of whether the purpose for which the data is collected is served or not – building on the Covid-19 example, this would mean that critical health data could be stored for an indefinite period of time, creating opportunities for misuse and exploitation. 

Moreover, in the DPDP Act, the Central Government will appoint the Chairperson and other members of the Data Protection Board of India. As the independence of the board depends on the composition of its members, it is important to have a more diverse selection process to uphold its ability to ensure accountability.

Weakening the power of other stakeholders while creating greater exemptions for certain parties is likely to exacerbate pre-existing power imbalances between the Data Principal and exempted parties. The bill should have sought to correct the power imbalances and provide mechanisms to force greater accountability to prevent the unnecessary processing of personal data; instead, through these provisions, it achieves the opposite. 

While the Opposition raised concerns about certain aspects of the bill, and urged that it be referred to a standing committee, the bill was passed with little to no debate by both houses of Parliament. While this Act is a good first attempt at balancing the need for processing data for lawful purposes and allowing Data Principals to retain control over their personal data, a few of its exemptions and provisions, if abused, could undermine the individual right to privacy.