
LOOKING AT THE DIGITAL PERSONAL DATA PROTECTION BILL, 2023, THROUGH THE LENS OF GDPR


INTRODUCTION

In today’s world, which seems to be on an inexorable march towards rapid and extensive digitization, data and information stored or present in electronic form have gained paramount importance. The digitization of data, information and transactions has essentially replaced the cumbersome manual practices of the past whereby data and information were stored in physical form and transacted or used manually.

In this modern digital world, the dissemination, capturing, profiling and transmission of data has become effortless and rapid; however, the issue of privacy and protection of data has captured the attention of legislators and judicial bodies across the globe.

In India, the Right to Privacy is now recognised as a Fundamental Right enshrined within Part III of the Constitution, by the 9-judge bench judgement in the landmark case of “Justice K.S. Puttaswamy (RETD.) And Anr. V. Union of India”[1], where the Supreme Court held that the said right to privacy is a fundamental right flowing from Art. 21[2] of the Constitution.

In the said judgement, the court had also shed light upon the concept of Informational Privacy which has gained great importance in the present digital age.

The need to protect Digital Personal Data has become essential, and it also forms an essential component of Informational Privacy. “Information collection can be the swiftest theft of all”[3]; therefore, to protect this digital information and personal data, countries across the globe have come up with legislation. “The General Data Protection Regulation” of the European Union, commonly known as the “GDPR”, is one of the most prominent pieces of legislation to protect and regulate the processing and use of Personal Data. Now, India is also on the verge of finally having its own Data Protection Legislation as the “Digital Personal Data Protection Bill, 2023” edges closer to becoming a reality.

WHAT IS THE “DIGITAL PERSONAL DATA PROTECTION BILL, 2023”?

The new “Digital Personal Data Protection Bill” was passed by the Lower House on 7th August 2023, and was passed by the Rajya Sabha on 9th August 2023, and is presently awaiting the Presidential assent.

This bill is enacted to address the urgent need to specifically regulate the use and processing of digital personal data of Individuals by the Data Fiduciaries.

This bill essentially aims to regulate and govern the processing of digital personal data of Individuals in a way that takes into account both the Individual’s Right to Protection of Personal Data and the requirement to process such data for specific lawful and relevant purposes.

The provisions of this bill, in most cases, make it mandatory for Data Fiduciaries to obtain the clear and unambiguous consent of the Data Principals before engaging in the processing of their data, and such processing is allowed only for lawful purposes in accordance with provisions of this legislation. Further, this legislation also makes it incumbent upon Data Fiduciaries to provide notice to the Data Principals before obtaining their consent, and such notice shall provide details of the data that is sought to be processed and the purpose for which it is to be processed. Also, this notice is to inform the Data Principal of his or her rights, and details of the manner in which a complaint can be made to the Data Protection Board.     

There are many other pertinent provisions in this bill that cast serious and specific obligations upon the Data Fiduciaries while granting the Data Principals important rights needed for the protection of their personal data. For example, the Data Principals now have the right to ask for a summary of the personal data that the Data Fiduciary is engaged in processing[4] and the details regarding the nature of the processing that is taking place[5]. The Data Principal can also demand the identities of other Data Fiduciaries and processors with whom such data has been shared[6]. Further, important rights like the Right to Correction, Erasure and Updation of personal data, which are provided in the GDPR, have also been provided in this bill to the Data Principals. A key feature of this bill which further benefits the Individuals providing their personal data is the 3-tier grievance redressal system, wherein the 1st form of grievance redressal emanates from Sec. 13[7] of this legislation, while the 2nd is in the form of the “Data Protection Board” and the 3rd is formed by the Appellate Body, which is the “Telecom Disputes Settlement and Appellate Tribunal”.

VIEWING THE BILL THROUGH THE LENS OF GDPR

The “General Data Protection Regulation” of the EU came into effect in 2018 and is one of the most comprehensive regulations to regulate and govern the processing of personal data.

The GDPR contains detailed Principles in Chapter 2 which regulate data processing activities; it affords elaborate rights to the “Data Subjects” while placing broad obligations upon the “Data Controllers”.

The Indian “Digital Personal Data Protection Bill”, although not an imitation of the GDPR, still bears many similarities to the said EU law. The Indian bill does not have any explicit provisions or sections which spell out the principles to be followed while processing personal data, but upon perusal of the bill, one can identify many of the GDPR principles present in spirit. The Principle of processing personal data Lawfully is reflected in Sec. 4[8] of the Bill; the Principle of “Transparent Communication” is reflected in Sec. 6(1)[9] & 6(3)[10] of the Bill; the Principle of “Purpose Limitation” can be seen in Sec. 7(a)[11] of the Bill; the spirit of the Principle of “Accuracy” can be witnessed in Sec. 12[12] of the Bill; and the Principle of “Integrity and Confidentiality” is reflected in Sec. 8(5)[13] of the Bill.

The similarities between the “GDPR” and the Indian “DPDP Bill” are not limited to the reflection of the principles of the former in the latter; there are more elements that are common between these two pieces of legislation in terms of the Rights of the “Data Principal” or “Data Subjects”. Among the many similarities, there are notable ones between Art. 13[14] of the “GDPR”, which pertains to the Right to Information when Personal Data is Collected, and certain provisions of Sec. 11[15] and Sec. 5[16] of the Indian Bill. Also, under both the “GDPR” and the Bill, the “Data Subjects” have the right to “Rectification”, “Updation”, and “Erasure”.

Also, there are similarities between these two legislations in relation to the obligations which both of them cast upon the “Data Fiduciaries” or the “Data Controllers”. 

It is also striking that both these legislations have extra-territorial jurisdiction: the “GDPR” has this enshrined in its Art. 3[17], while in the case of the “DPDP Bill” it is contained in its Sec. 3(b)[18].

CONCLUSION

In the present digital age, it is of paramount importance for nations to have specific and comprehensive laws for protecting the personal data of their citizens.

The GDPR, since coming into effect in 2018, has been a prominent data protection legislation. Now, the Indian “Digital Personal Data Protection Bill” (DPDP Bill) of 2023 borrows and reflects several elements that are enshrined in the GDPR. However, upon taking a closer look at both these legislations, a conclusion can be drawn that in certain respects the GDPR is broader and has a wider scope as compared to the DPDP Bill. For example, the GDPR under its Art. 4[19], in the definition of “Processing”, includes those operations performed on “personal data” which are not always carried out by “Automated means”; that is to say, the definition of “Processing” under the GDPR also encompasses operations done on personal data by way of “Non-Automated means”, while the DPDP Bill under its definition of “Processing” only covers automated operations, which can be either “Wholly automated” or “Partly automated”. Further, the “Material Scope” of the GDPR, which is provided under its Art. 2[20], makes it clear that this law applies to operations on “personal data” which are not just “wholly” or “Partly” automated but also covers “data processing” which is “Non-Automated” where it is to form a part of a “filing system”, while the DPDP Bill’s applicability is restricted to “Processing” of “digital personal data” where such data is collected either in digital format or in a “non-digital” format that has been subjected to subsequent digitization.

Further, another understanding which can be reached upon perusal of these two legislations is that the “Notice Requirements” under the GDPR are more stringent as compared to the DPDP Bill.

It can be concluded that the GDPR is wider in scope than the DPDP Bill; however, it is imperative to take into account that the DPDP Bill is still in its nascent stage whilst the GDPR has been in effect for around 5 years. When the DPDP Bill comes into effect, it is natural that there shall be certain implementation and adaptability issues. Data collecting and processing organizations in India will have to adapt and make the required infrastructural changes, and these can be classified as teething troubles; however, looking at this bill from a long-term Indian perspective, it can be said that it is a step in the right direction.

Author(s) Name: Uday Sharma (Guru Gobind Singh Indraprastha University)

References:

[1] Justice K S Puttaswamy (Retd.) & Anr v Union of India & Ors (2017) 10 SCC 1

[2] Constitution of India 1950, art 21

[3] Christina P. Moniodis, ‘Moving from Nixon to Nasa: Privacy’s Second Strand- A Right to Informational Privacy’ (2012) Yale J.L. & Tech. 139 <https://yjolt.org/sites/default/files/15_yjolt_139_christinamoniodis_nasa_0_0.pdf> accessed 10 August 2023

[4] Digital Personal Data Protection Bill 2023, s 11(1)(a)

[5] Digital Personal Data Protection Bill 2023, s 11(1)(a)

[6] Digital Personal Data Protection Bill 2023, s 11(1)(b)

[7] Digital Personal Data Protection Bill 2023, s 13

[8] Digital Personal Data Protection Bill 2023, s 4

[9] Digital Personal Data Protection Bill 2023, s 6(1)

[10] Digital Personal Data Protection Bill 2023, s 6(3)

[11] Digital Personal Data Protection Bill 2023, s 7(a)

[12] Digital Personal Data Protection Bill 2023, s 12

[13] Digital Personal Data Protection Bill 2023, s 8(5)

[14] General Data Protection Regulation 2016, art 13

[15] Digital Personal Data Protection Bill 2023, s 11

[16] Digital Personal Data Protection Bill 2023, s 5

[17] General Data Protection Regulation 2016, art 3

[18] Digital Personal Data Protection Bill 2023, s 3(b)

[19] General Data Protection Regulation 2016, art 4

[20] General Data Protection Regulation 2016, art 2