Amidst the substantial discourse concerning the provisions of India's Digital Personal Data Protection Act of 2023 (DPDP Act), a provision of considerable significance, particularly when viewed through the perspective of a litigator, has largely escaped attention.
Section 38 of the Act provides that the “…provisions of this Act shall be in addition to and not in derogation of any other law for the time being in force.” The provision assumes significance primarily because data protection law is interrelated and entwined with several other fields of law. For instance, the nexus between data protection law and cyber security is intricate, making it difficult to establish clear boundaries between these two domains. Moreover, an intersection between data protection law and competition law arises, especially in the context of data accumulation by digital platforms. Additionally, there is significant overlap between consumer protection and data protection law.
The DPDP Act will be followed by notification of Rules by the Central government. The Data Protection Board of India (DPB) will also be established as the adjudicatory body, with the power to determine non-compliance with the DPDP Act and impose penalties. The actual extent of overlap between the DPB and authorities under different laws will only be clear when the Data Protection Board is established and the rules for its operations are notified.
In this article, we delve into the overlap of jurisdiction between the Adjudicating Officer established under the Information Technology Act, 2000 (IT Act) and the DPB. We aim to shed light on the interplay between these related legal domains and the potential complexities that arise owing to their overlap.
Data protection and cyber security
The nexus between data protection law and cybersecurity is complex, blurring the lines between the two domains since the safeguarding of personal data is inherently tied to the implementation of robust cybersecurity measures. Therefore, defining the precise boundaries where data protection ends and cybersecurity begins can be a challenging task.
Overlaps and conflicts between the DPDP Act and the IT Act
Section 46 of the IT Act confers powers upon an Adjudicating Officer appointed by the Central government to adjudicate on issues relating to contravention of the provisions of the IT Act and Rules, regulations or directions issued under it.
An interesting aspect lies in the omission of Section 43A of the IT Act, a move that not only addresses any potential conflict between the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the DPDP Act, but also takes away the jurisdiction of the Adjudicating Officer in cases involving data breaches by companies. Yet, the broad scope of Section 43 of the IT Act raises the possibility of instances where data access without appropriate consent could fall within the purview of both the DPDP Act and the IT Act. Section 43 reads as under:
“43. Penalty and compensation for damage to computer, computer system, etc.—If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,—
(a) accesses or secures access to such computer, computer system or computer network or computer resource;
(b) downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer network, data, computer database or any other programmes residing in such computer, computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer network;
(f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,
(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
(j) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;
he shall be liable to pay damages by way of compensation to the person so affected.”
Upon analysing the language of Section 43 of the IT Act, which begins with “if any person without permission of the owner,” it becomes evident that the scope of Section 43 encompasses instances of access to computer systems, as well as access, downloading and extraction of data without consent. Consent also stands as a foundational principle within the DPDP Act, forming the cornerstone of how personal data is processed, collected and utilized in the digital realm. However, the question whether ‘permission’ under the IT Act would be similar to the standard of ‘consent’ under the DPDP Act remains open.
Section 4 of the DPDP Act mandates that data principals must provide informed and voluntary consent in the manner laid down in the Act, before their personal data is collected or processed by data fiduciaries. Section 4 states as under:
“4. Grounds for processing personal data.—
(1) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,—
(a) for which the Data Principal has given her consent; or
(b) for certain legitimate uses.
(2) For the purposes of this section, the expression “lawful purpose” means any purpose which is not expressly forbidden by law.”
Consider, for instance, a scenario where a mobile application gains access to personal data on a user's phone without obtaining proper consent. This action could potentially be viewed as a violation of Sections 43(a) and 43(b) of the IT Act as well as a breach of Section 4(1) of the DPDP Act. The complexity in this situation emerges when determining which adjudicatory body holds jurisdiction over such a case – the Adjudicating Officer or the DPB? Could a situation of concurrent jurisdiction arise?
It is worth noting the DPDP Act's omission of a compensation remedy for the data principal. This raises the argument that the Adjudicating Officer's authority, including the ability to grant compensation to affected individuals, might indeed coexist alongside the DPB's jurisdiction, which primarily revolves around imposing penalties on the data fiduciary.
As the legal terrain evolves with India's data protection framework, these intricate intersections between the IT Act and the DPDP Act are likely to bring forth multiple legal challenges before courts in India. The eventual resolutions to these questions will not only influence the dynamics of data governance, but also set essential precedents for the harmonious functioning of multiple regulatory bodies.
Srishti Kumar is an Associate at Saikrishna & Associates.