Data privacy has been a matter of concern in India ever since the digital revolution reached the country. Personal data may concern financial matters, health, consumption habits and much else, and there can be unpleasant consequences for its owner if unscrupulous elements gain access to it. Against this backdrop, the Digital Personal Data Protection Act, 2023, which Parliament passed recently, is a step in the right direction.
However, a close look at its provisions shows that it falls short of being a foolproof legal framework for preventing the theft or misuse of data; it should be considered only a decent beginning. For one thing, there are loose ends to be tied up. For another, it will have to be updated regularly as new kinds of offences appear in a fast-changing digital landscape.
First, some of the important gaps in the Act within the areas it does cover.
At the height of the Covid-19 pandemic the Kerala government transferred to the US-based company Sprinklr the health-related data of more than 1.75 lakh people who had been in quarantine. This created a controversy, which subsided gradually, but the questions it raised remain.
Section 16 of the Act says that “the Central government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to a country or territory outside India as may be so notified.” This is only a discretionary power to restrict particular destinations by notification; it imposes no requirement of prior approval. The Sprinklr episode shows that where the Data Fiduciary making such a transfer is a State government or one of its agencies, the transfer should be allowed only with the prior permission of the Central government, and this condition ought to be an integral part of the Act. Here the Central government’s responsibility to protect Indian citizens supersedes that of the State government.
Section 3 (b) says the Act shall “also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India…” This provision may partially defeat its own purpose. Suppose the medical data of X is sent abroad, as in the Kerala case, and falls into the wrong hands: any adverse information in it could be used to her disadvantage. If an insurance company acquires the data, her children, should any of them be settled abroad, could end up paying a heavy price in higher-than-normal premiums, because the insurer can claim that they are likely to inherit the disease. Such processing has nothing to do with offering goods or services in India, so it escapes Section 3 (b) as worded. Hence the provision may be altered to read as irrespective of the fact whether there is any intention to offer goods and services in India or abroad….
De-digitising personal data, whether by taking a printout or by converting it into some other non-digital form and storing it, should be treated as an offence; otherwise the Act, which covers only digital personal data, can be evaded simply by taking data out of digital form. Such a provision could be added to Section 3 (a).
Section 8 (7) (a) says a Data Fiduciary shall “erase personal data upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served.” Instead of the word “reasonable”, a definite time limit should have been prescribed, which would make the section more precise and easier to enforce.
The exemption that may be granted under Section 17 (3) to startups, which include private limited companies, partnership firms and limited liability partnerships, from the purview of Section 5, Section 8 (3) and (7), Section 10 and Section 11, could create problems in future. For instance, there may be pharma companies among them that hold the health-related data of a large number of people.
A justice delivery system is judged by its impartiality and its ability to dispense quality justice in the shortest possible time. In the case of this Act, the Chairperson and Members of the Data Protection Board of India should be above suspicion. Section 22 (3) stipulates that a Chairperson or Member of the Board shall not take up any employment within one year after the end of her tenure on the Board except with the prior approval of the Central Government.
Whether this also restricts consulting work is not clear. Besides, there should be a provision requiring the Chairperson or a Member to recuse herself from a case in which the parties include a family member, the employer of an immediate family member, or a company in which her family members have a financial interest.
As mentioned earlier in this article, there are lurking threats to personal data privacy that find no place in the Act. They are present almost everywhere: in your smartphone, laptop, television and so on.
Malls and showrooms are among the centres of large-scale data misuse. Shops demand personal data from customers, often far more than is essential, and experience shows that in several cases this data, in digitised form, is passed on to interested parties. This is nothing but a sale of data, which should be made a punishable offence under the Act. Customers’ right to say no, and still purchase goods and receive other benefits, needs to be protected.
The digital revolution gave a big boost to online marketing in the country, and operators in the field, both Indian and foreign, have mushroomed. The merchandise they deal in ranges from fast-moving consumer goods to prescription drugs. After initial hiccups the government managed to bring them somewhat within the ambit of Indian laws. Still, precautionary measures are needed in certain areas.
For instance, online pharmacies, and often other pharmacies too, store details of the medicines bought for a patient. Measures have to be designed to ensure that the details of the patient and the medicines are not transferred illegally.
Health-related data means big money for certain groups, insurance companies among them. Therefore the law must have suitable additions to cover testing laboratories, diagnostic imaging centres and the like.
There are instances of big companies, including multinationals, asking employees to submit details of the financial situation of their immediate family: shareholdings, investments, liabilities and so on. This is a clear violation of their fundamental right to privacy and can put them in difficult situations. Such data collection should be stopped, and the Act has to take note of it. Even the practice of asking employees to furnish every detail of their own finances is questionable.
There is another data security risk that apparently goes unnoticed in everyday life. Strangely, it has emerged from the use of digital technology to increase “security”. Many flats now have doors that are opened using biometric data such as fingerprints. An important question is who takes responsibility for the security of this data, which, unlike a password, cannot be changed once it has leaked. The residents’ association need not be technically equipped for the task, and the manufacturer will most likely pass the buck, claiming to be a mere seller. Lawmakers will have to intervene here.
We often ignore the possibility of data theft by a third-party app or by apps pre-installed by the mobile manufacturer. If the software is not secure enough, there can be malware attacks, hacking attempts and so on. The manufacturer, along with the app developer, must be held responsible for any theft or loss of data. The manufacturer must also be held responsible for any data loss caused by a software update pushed without the user’s permission.
Lastly, the law should provide for a government portal through which aggrieved parties can file complaints confidentially. Confidentiality matters because the offender should be denied any opportunity to destroy evidence.
The writer is an advocate