
Data “Of the People, By the People, For the People”

India’s digital economy comprises over 123 crore Aadhaar, 120 crore mobile phones, 75.9
crore internet users[1] and a number of digital schemes including DigiLocker, UMANG, Jeevan
Pramaan etc. Massive volumes of personal data are being generated by people in the fields of
healthcare, agriculture and financial services as a result of rapid digitalization. Protection
from misuse of personal data is therefore imperative.

The Indian Parliament recently enacted the Digital Personal Data Protection Act, 2023[2],
acknowledging the rights of over 83 crore ‘Digital Nagriks’[3] to safeguard their personal data
while providing guidelines for its lawful processing.

The legislation is a culmination of judicial endeavors to infer the Right to Privacy as a
Fundamental Right in Justice K.S. Puttaswamy (Retd.) v. Union of India[4] coupled with the
formation of a committee by the Union Government chaired by Justice B.N. Srikrishna
(Retd.)[5].

Data Principals are entitled to informed and unambiguous notices seeking consent,
presented in plain and simple language, for the lawful automated processing of data. However,
the Act falls short in providing compensation to victims of privacy violations. In addition to
rights such as correction, completion, updating, and erasure of data, Data Principals also bear
duties, such as not impersonating another person. While serving as a deterrent, the
associated penalties may disproportionately impact individuals lacking digital literacy.
Moreover, the provision of deemed consent for cases involving employment purposes or
service delivery may be susceptible to misuse, leading to citizen profiling. Notably, crucial
components like the Right to Data Portability and the Right to be Forgotten, integral to the 2018
Draft Bill[6] and the 2019 Bill[7], have been omitted.

The Data Fiduciary is obliged to adhere to principles such as data minimization, data
accuracy, purpose, and storage limitation. They are responsible for notifying the board in case
of a data breach and implementing reasonable safeguards to prevent such incidents.

[1] Data from meity.gov.in
[2] The Digital Personal Data Protection Bill, 2023
[3] Composition of Internet Subscription in India by TRAI
[4] Justice K.S. Puttaswamy (Retd) vs. Union of India,
[5] ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’
[6] Clause 26, The Personal Data Protection Bill, 2018
[7] Clause 33 and 34, The Personal Data Protection Bill, 2019

Significant Data Fiduciaries, as determined by the state, must fulfill additional obligations,
including appointing an independent Data auditor and conducting a Data Protection Impact
Assessment. However, exemptions from notice requirements for certain data fiduciaries,
aimed at creating a compliance-friendly environment for startups, may result in a lack of
informed consent.

The Union Government is set to establish the Data Protection Board of India to address
non-compliance, adjudicate penalties, and develop data protection jurisprudence. Concerns
exist regarding the Board's independence due to high executive control in appointing board
members and a short two-year tenure. Additionally, exemptions granted to Government
Instrumentalities without necessary procedural safeguards raise questions about the necessity
and proportionality of such powers for interception of communication, as recommended by
the Supreme Court[8]. The Srikrishna committee suggested such exemptions through a separate
law having institutional oversight, aligning with the United Kingdom’s approach[9].

Experience from the European Union’s General Data Protection Regulation can further be used
to gauge the importance of having a board with well-equipped human and material resources
to contend with wealthy corporations[10] while also protecting new startups from
disproportionate regulatory cholesterol.

While the Act represents a positive step towards upholding the Fundamental Right to Privacy
and realizing the goal of ‘India’s Trillion-Dollar digital opportunity’, its success hinges on
addressing concerns and ensuring effective implementation in both letter and spirit.

////////////////////////////
Additional provisions/concerns that I haven’t yet used:
1. Cross border transfer of data
2. Definition of ‘child’ in the act
3. ‘Risk’ arising from personal data
4. Mentioning amount of penalties
5. Diluting RTI

[8] People’s Union for Civil Liberties (PUCL) vs Union of India, Supreme Court of India,
December 18, 1996.
[9] Part 6, 7, and 8, Investigatory Powers Act, 2016, United Kingdom.
[10] Point no.1 in data from European Data Protection Board

Regulatory Framework:

● Digital Personal Data Protection Act (DPDPA), 2023: This Act grants individuals
various rights over their personal data, including the right to access, rectification,
erasure, and restriction of processing. It also imposes obligations on organizations
(data fiduciaries) handling personal data, requiring them to implement robust data
security practices and obtain informed consent from individuals.
● Information Technology Act, 2000: This existing law already covers some aspects of
data privacy and cybersecurity and continues to have relevance. However, the DPDPA
supersedes the IT Act in matters related to personal data protection.
● Telecom Regulatory Authority of India (TRAI) regulations: Govern data collection
and usage practices of telecom service providers.
● Reserve Bank of India (RBI) guidelines: Set standards for data security and privacy in
the financial sector.
● Sector-specific data privacy regulations: Some sectors like healthcare and education
might have their own privacy policies and regulatory frameworks.

Information Technology Act (IT Act) 2000:

● Predecessor to the DPDPA, it covers aspects like cybercrime, data security, and data
confidentiality.
● Sections like 43A and 72 provide some protection against unauthorized access and
disclosure of personal information.
● However, the IT Act's scope and provisions for individual rights are limited compared
to the DPDPA.

Indian Penal Code (IPC):

● Contains provisions addressing cybercrimes like hacking, data theft, and identity
fraud.
● Section 66F of the IPC specifically deals with offenses involving personal data.

Quantifying Data Volume:

While specific figures are elusive, estimates suggest:


● Aadhaar holds over 1 TB of biometric data and 1 PB of demographic data.
● Daily GST data transactions exceed 5 million.
● Indian telcos store months of call detail records for millions of users.
● Social media platforms handle petabytes of user data globally, including a sizeable
share from India.

Government Data:

● Aadhaar: The Aadhaar identification program holds demographic and biometric data
of over 1 billion Indian citizens.
● Financial Transactions: The Goods and Services Tax (GST) system captures
comprehensive data on financial transactions across businesses.
● Telecom Data: Mobile operators and Internet Service Providers (ISPs) collect and
store metadata on calls, texts, and internet usage under government mandate.
● Government Surveillance Programs: While details remain secretive, programs like
NATGRID aim to integrate data from various agencies for security purposes.

Private Sector Data:

● Social Media: Platforms like Facebook, WhatsApp, and Twitter collect vast amounts
of user data, including demographics, interactions, and location information.
● E-commerce and Fintech: These sectors collect extensive data on user purchases,
financial transactions, and online behavior.
● Healthcare Systems: Hospitals and medical institutions hold sensitive personal health
data of patients.
● Online Services and Apps: Many services and apps require user data for registration,
personalization, and targeted advertising.

In the age of ubiquitous digitization, the once abstract notion of data has morphed into a
potent currency, shaping interactions, driving economies, and raising profound questions
about individual privacy and security. In India, where the digital revolution is in full swing,
navigating this data labyrinth through effective data protection policies remains a critical and
evolving challenge.

For decades, India's data landscape lacked a comprehensive legal framework, leaving
individual rights vulnerable amidst rampant data collection practices. The Information
Technology Act of 2000, while offering limited safeguards, proved inadequate for the
complexities of the digital age. This lacuna allowed private entities and even the government
to gather vast amounts of personal data with minimal transparency or accountability.
Concerns surrounding state surveillance programs like Aadhaar, coupled with a rising tide of
data breaches, further underscored the urgency of robust data protection legislation.

The recent enactment of the Digital Personal Data Protection Act (DPDPA) in 2023 marks
a significant turning point. The Act grants individuals various rights over their personal
data, including the right to access, rectification, erasure, and restriction of processing. It also
imposes obligations on data fiduciaries, who must implement strong security measures and
obtain informed consent from individuals before collecting and processing their data.

However, the journey towards robust data protection remains far from over. The DPDPA
itself faces potential shortcomings, with exemptions granted to the government raising
concerns about potential misuse of data for surveillance purposes. Moreover, the
effectiveness of the Act hinges on its implementation and enforcement. Building an efficient
Data Protection Board with adequate resources and expertise will be crucial to ensure
compliance and address violations.

Beyond legislation, fostering a culture of data protection necessitates multiple pillars.
Public awareness campaigns and educational initiatives are essential to empower
individuals to understand their rights and make informed choices about their data.
Simultaneously, encouraging ethical data practices within organizations, along with strong
data security protocols, can minimize the risk of breaches and misuse.

Balancing individual privacy with legitimate societal needs, such as for public health
research or national security, requires a nuanced approach. Policymakers must strive for
transparency and accountability in data-driven initiatives, ensuring that individual rights are
not compromised in the pursuit of broader objectives. This necessitates open dialogue and
collaboration among stakeholders, including government agencies, private companies, civil
society organizations, and the public.

Looking ahead, India's data protection journey necessitates continuous adaptation and
improvement. Keeping pace with evolving technologies and addressing emerging threats
like deepfakes and facial recognition will require ongoing policy revisions and capacity
building. Additionally, international cooperation on data sharing and harmonization of data
protection frameworks will be crucial in a globalized digital landscape.

In conclusion, the quest for effective data protection in India demands a multifaceted
approach. Robust legislation, empowered individuals, ethical data practices, and
proactive policy adaptations are the cornerstones for navigating the digital labyrinth. By
prioritizing individual rights and fostering a culture of responsible data stewardship, India
can unlock the vast potential of the digital age while safeguarding the privacy and
security of its citizens.
