India’s growing digital economy has revealed the limitations of conventional and constitutional characterisations of privacy in the country. As India’s first data privacy legislation, the newly drafted Digital Personal Data Protection Bill (DPDPB) is intended to transform the country’s privacy landscape with plans to now be introduced in Parliament’s monsoon session. While the DPDPB has the components to provide a statutory framework to regulate the personal data of individuals in India, its prioritisation of the state’s interests through its clause of ‘deemed consent,’ decreases its protection abilities.
Technological advancements have enhanced the ability of the state to collect, store, analyse, and distribute personal data at a much larger scale. With the increased presence of “digital databases,” the fear of the ‘aggregation effect’ arises. This phenomenon suggests that the sum of data is more valuable than its parts as it is easier to make inferences about individual behaviours and personalities. In response to innovations in information technology and the adverse impact of the aggregate effect, the DPDPB was drafted in 2022; this bill builds upon long standing definitions of privacy in India and encompasses an important aspect of privacy in this evolving digital world, addressing the threat of technological advancements on individual data privacy rights.
The DPDPB is a step forward in establishing and asserting the importance of protecting privacy rights of individuals in India; however its underlying assumption that people are willing to give up their individual privacy rights for the state–through ‘deemed consent’ – increases the likelihood of privacy violations. The bill assumes that the Data Principal, the owner of the data, is ‘deemed’ to have given ‘consent’ to the processing of their data by the Data Fiduciary when “necessary.” This produces ambiguities in determining when privacy violations are justifiable, creates power imbalances between the Data Principal and Fiduciary, and exempts the state apparatus from taking responsibility when handling personal data during the provision of essential services; such provisions, if abused, may undermine individual data privacy rights.
The bill states that the Data Principal is assumed to have given consent for the processing of their data when it is a matter of “public interest” or for any other “fair and reasonable purpose.” Here, the inherent ambiguity in the terms, “public interest” and “fair and reasonable purpose,” create opportunities for government authorities to collect data for unspecified purposes. The parameters of these classifications should be narrowed down to better establish the instances in which a Data Principal would need to give up their expectations of data privacy. This would allow the bill to safeguard the national interests of the country while extending the same protection to its citizens.
Another instance in which deemed consent is applicable is when the “legitimate interests of the Data Fiduciary in processing [data] . . . outweigh any adverse effects on the rights of the Data Principal.” The bill provides no real guidance on the extent of “adverse effects” that are reasonable for the Data Principal to endure. Additionally, in preceding clauses, the bill creates the illusion that the Data Principal has control over their own information; however, weaving in this clause establishes that the Data Fiduciary ultimately has the power to decide whether the collection or processing of data is necessary– inevitably creating power imbalances between the Data Fiduciary and Principal, in favour of the Data Fiduciary. The bill should narrowly define instances in which the Data Fiduciary is able to make the decision to collect and process data without consent from the Data Principal and should also outline the adverse effects that are reasonable for the Data Principal to endure– stating, for instance, the types of effects it encompasses– psychological, physical, etc. These provisions would offer protection to the Data Principal and their data while also creating some exemptions for the Data Fiduciary to use their discretion when necessary.
During the provision of essential services by the state, such as the issuance of a licence or a permit, the state is able to gain access to personal data records of individuals. In this process, the clause of deemed consent suggests that individuals accepting these services have allowed the state indefinite access to their private data– beyond the purpose of the provision of services. This clause also prevents the state from having to take responsibility for their handling of the data– an exemption not available to private institutions. With access to this sensitive data, the bill should put in place mechanisms that force states to take responsibility for their handling of the data, instead of creating exemptions that encourage misuse and may violate the fundamental right to privacy.
While it is reasonable to have provisions that allow the country to use their discretion when making decisions, in instances that would protect state security or uphold the national interests, it is equally important to protect individual liberty during and in the aftermath of a crisis. Similar to the landmark judgement in S.R. Bommai v. Union of India, which attempted to curb the misuse of Article 365 of the Indian constitution by increasing its implementation threshold, this bill could address conflicting objectives by clearly defining circumstances in which the collective would need to be prioritised over the individual– inevitably decreasing its misuse. The bill should also have clauses to ensure that if/when personal data is collected and processed during a crisis, it is not misused to harass or oppress individuals. This will afford better protection to individuals and their privacy rights.
For a bill as important as the DPDPB, it is imperative that a nuanced discussion on its benefits and potential harms occurs, in order to ensure citizen’s data privacy is protected. While the DPDPB has the components that would safeguard individuals from data privacy violations in a rapidly evolving digital age, its clause of ‘deemed consent’ diminishes the power of its protection mechanisms, decreasing the effectiveness of the bill.
