Facebook has changed the dynamics of traditional social networking ever since its inception. In 2012, Facebook marked the milestone of 1 billion active users, or rather, it became the custodian of the personal information of 1 billion people. Given the popularity of this veritable mecca of social media, it has also featured in multiple controversies around data breaches. Facebook’s reputation was compromised by the scandal involving the illegitimate procurement of Facebook data by Cambridge Analytica, a political consulting firm, which hit 87 million users globally and 5.62 lakh Indians. Cambridge Analytica, in collaboration with Global Science Research, was able to gather data through a personality test app called “thisisyourdigitallife”, wherein millions of users were paid to take the test, agreeing that their data could be used just for academic purposes. The information so collected was used to build user profiles based on openness, conscientiousness, extraversion, agreeableness and neuroticism levels, thereby allowing the people managing the app to compile the complete user profile of individuals. This entire episode of data collection happened without people actually realizing that their data was being collected and used by third parties without their consent.
Digital transformation has led to a burgeoning supply of data, exposing a large section of the population to the risk of data breaches. A data breach can lead to magnified usage and misuse of the personal information of individuals. There is enough evidence to substantiate the concerns that revolve around that risk.
Closer to home, in December 2022, five servers of AIIMS, New Delhi were affected by a cyber-attack. The attack paralysed the digital services of AIIMS, which is the warehouse of sensitive health data of the majority of the Indian population, and led to the encryption of an estimated 1.3 terabytes of data. Though all the data was retrieved from a back-up server which was unaffected and restored on new servers, the data of millions of patients, including sensitive data and medical records of VIPs, was feared to have been compromised in the attack.
An act of data breach can lead to two situations:
a. Losing access to one’s own data, though the data still exists; or
b. Unauthorized access to data.
Loss of data primarily means that the Data Principal loses, or fears to have lost, access to its data, for instance, where the social media account of an individual is hacked and the Data Principal can no longer access the account. Unauthorized access to data, on the other hand, means gaining illegal access to someone’s personal data and using it for an illegitimate purpose. For example, a recent Economic Times article disclosed that there is a tenfold increase in complaints related to morphed images or deep nudes created through advanced tools. These cases often relate to influencers and other public personalities being blackmailed with threats of releasing their deepfake images unless a ransom is paid.
Artificial Intelligence has led to rapid developments in audio, video and image manipulation techniques and has raised questions about the duty of fiduciaries to safeguard personal data against all forms of breach and misuse. In February 2023, the Ministry of Electronics and Information Technology asked the social media firms, Facebook, Instagram, WhatsApp, YouTube and Twitter to take ‘reasonable and practicable measures’ to remove or disable access to ‘deepfake imagery’ as per the Information Technology Rules, 2021.
With all personal and business activity moving to digital domains that require access to personal data, protection of that data floating around in various digital domains becomes crucially important. The Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “Act”) has come into force after being duly passed by both the Houses and subsequently receiving the President’s assent on August 11, 2023. The Act provides for the processing, storage and sharing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.
Personal Data is any data about an individual who is identifiable by or in relation to such data. Details such as name, address, email id, location, voice recording, health records, biometrics, Internet Protocol (IP) Address, etc. are personal data. Accordingly, ‘digital personal data’ is personal data stored in digital form. This also includes information and details collected offline but digitized subsequently. That is to say any information or data pertaining to an individual which is in digital form means digital personal data, where ‘data’ [Section 2(h) of the Digital Personal Data Protection Act, 2023] means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
The Act defines “Data Fiduciary” as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. To illustrate, a service provider who collects information of its potential customer base at the time of sign-up is a Data Fiduciary. For example, a bank becomes a Data Fiduciary when it collects information of its customers to provide the services it offers. Another relevant example today would be that of a dating app that requires individuals to register on the application and fill in mandatory personal details such as name, age, email address, gender, sexual orientation, location, etc.; it also becomes a Data Fiduciary under the Act, being the guardian of the personal data of individuals.
A “Data Processor” is any person who performs contractual obligations as to the processing of personal data on behalf of a Data Fiduciary (that is, to process personal data on its behalf for an activity related to the offering of goods or services).
“Data Principal” is an individual to whom the personal data relates [Section 2(j) of the Digital Personal Data Protection Act, 2023].
A Data Principal can be any person whose data is to be collected, processed, used and stored by a Data Fiduciary. An example is an individual who signs up on Google to access the services offered by Google, i.e. Google Web Search, Gmail, Google Maps, Google Photos, etc. Likewise, when a user registers on any of the ride hailing applications to book a cab online, the user becomes the Data Principal by giving access to certain personal information, including location data, to the ride hailing company, now the Data Fiduciary.
The Act aims to achieve introduction of data protection law with minimum disruption, enhance the ease of doing business and enable India’s digital economy and its innovation ecosystem.
Section 3 of the Act specifically provides that the Act will apply to processing of digital personal data alongside the personal data collected in non-digital form which is digitized subsequently. For example, insurance companies, as Data Fiduciaries, hire individual agents to sell insurance policies and help with policy renewals and other related services, and in the course of the service these agents collect personal information of the subscribers. These agents work with different types of horizontals like life, general, health and others, and most of the data is collected in an offline mode through physical submission of documents. Thus, such collection of data in non-digital form is also brought under the purview of this Act.
The applicability of the said Act is also extended to cases where the data is processed outside the territory of India, as long as the processing is in connection with any activity related to offering of goods and services to individuals (Data Principals) within the territory of India [Section 3 of the Digital Personal Data Protection Act, 2023]. A classic example of this is an online gaming intermediary located outside the territory of India offering gaming services in India. Gaming operators operating from outside the country through their gaming websites and applications are all bound by the Digital Personal Data Protection Act, 2023. There is no bar as to whether the data relates only to Indian citizens or whether it is being processed within or outside the territory of India.
In a famous case in Canada, the court recognized that the respondent, an American company, was in the business of soliciting customer requests for confidential information about Canadians and then paying researchers to obtain it, transforming virtually unknown information into a publicly available commodity. The Court held that the American company was disclosing the personal information of Canadians to third parties without their knowledge or consent, and hence held it liable though it was located outside the territorial limits of Canada.
Being a true trailblazer, the Act touches on all crucial aspects of data protection and privacy; the steps taken vis-à-vis the rights and obligations of the Data Principal and Data Fiduciaries, however, need to be analyzed through a critical lens based on the seven principles of the Act, which include:
Consent and transparency;
Limitation of purpose to process personal data;
Data minimization, that is, collection of only as much data as is necessary to serve the specified purpose;
Accuracy of data;
Limiting storage of data, that is, storing only as much data as is required to serve the purpose;
Reasonable security safeguards;
Accountability for data breaches and imposition of penalties.
One important feature that serves as a foundation of the Act is the concept of ‘purpose’ for which the data has been obtained by the Data Fiduciary. In a landmark case, a service provider installed security cameras, the data of which was stored in a cloud server provided by the fiduciary. One of the former employees of the service provider, or fiduciary, enjoyed watching the recordings of women from the security cameras in the homes of individuals, and this continued for quite some time before it was eventually discovered. This entire episode involved processing the personal data of individuals for a purpose other than that for which it was collected, without their consent for the extended purpose. The fiduciary has agreed to pay a $5.8 million fine as settlement in the matter. Therefore, the Act squarely outlines that data is to be collected, processed and stored only for the purpose for which it is required, unless it falls under one of the lawful exemptions [Section 4 of the Digital Personal Data Protection Act, 2023].
The Act lists down the legitimate uses for which the data may be collected by the Data Fiduciaries that include [Section 4 of the Digital Personal Data Protection Act, 2023]:
a. Voluntarily provided personal data by data principal;
b. Data principal has not indicated ‘does not consent’ to use personal data;
c. By the state and any of its instrumentalities for any function under any law for the time being in force in India;
d. For matters concerning public interest; e.g., medical emergency, judicial use;
e. For the purposes of employment or those related to safeguarding the employer from loss or liability
The Data Fiduciaries are further obligated to provide Data Principals with a notice informing them about the purpose for which the data is proposed to be processed and the manner in which the Data Principal may exercise her rights and make complaints to the Data Protection Board [Section 5 of the Digital Personal Data Protection Act, 2023].
The Data Fiduciaries are required to obtain verifiable consent from the Data Principal. Thus, Data Fiduciaries can process data only when they have obtained free, specific, informed, unconditional and unambiguous consent with a clear affirmative action [Section 6(1) of the Digital Personal Data Protection Act, 2023].
Amidst the controversies, this long pending Act has taken a commendable step towards ensuring that the data collected by the Data Fiduciaries is processed in a specified manner, and vests the Data Fiduciaries with the responsibility to make efforts to ensure accuracy and completeness of data, build reasonable safeguards to prevent instances of data breach, and duly inform the Data Protection Board of India in cases of breach. However, this duty to ensure accuracy, completeness and consistency is limited to cases where the personal data processed by a Data Fiduciary is likely to be [Section 8(3) of the Digital Personal Data Protection Act, 2023]:
a. Used to make a decision that affects the Data Principal; or
b. Disclosed to another Fiduciary.
For example, an individual registers on a website that facilitates the sale and purchase of properties and fills in all the information required on the website for the services to be availed. The personal information will include financial data, marital status, location and health data, among others. The said information is then required to be processed further and provided to a financial institution for the purpose of availing an applicable loan for purchasing the property. The first fiduciary is under an obligation to ensure the accuracy and updation of the information it has collected, as it will affect the financial institution’s decision to grant a loan to the Data Principal.
This provision of the Act is of much importance as it allows the Data Fiduciary to disclose the data of Data Principals to other Data Fiduciaries. The Act, though, does not specify the instances that may lead the Data Fiduciary to make decisions that ‘affect’ Data Principals, or where the data may be disclosed to other Fiduciaries for that matter. Nor does the Act clearly state the extent of disclosures that are allowed under the law; it is silent on the extent of disclosures that can be made under the Act and on third-party disclosures.
Data Fiduciaries are under an obligation to comply with the provisions of the Act and the rules made thereunder. Section 6(4) further states that the Data Principal shall also have the right to withdraw consent for processing of data, with the ease of doing so being comparable to the ease of giving consent. However, any consequences of such withdrawal of consent shall be borne by the Data Principal itself.
For example, a food delivery app may carry the name, present as well as previous location data, food preferences, time and history of orders placed and the payment options, which may be lost once the Data Principal withdraws the consent.
Similarly, a Data Principal registers for matrimonial prospects on a matrimonial website which asks for details such as name, age, gender, preferences as to prospective partners, location, salary, economic and religious status and previous matrimonial history. Once the consent is withdrawn, the Data Fiduciary may not process the data beyond the date of withdrawal unless required by law.
The entire concept of consent and withdrawal of consent is meant to make organizations and Data Fiduciaries understand and acknowledge the fact that Data Principals are the rightful owners of their data, whereas Data Fiduciaries act merely as the custodians of data for certain purposes as specified under the Act.
The Act empowers the Central Government to designate a class of Data Fiduciaries as a “Significant Data Fiduciary” based on certain criteria ranging from the volume and sensitivity of personal data and the potential impact on the sovereignty of India to the security of the State and public order. The question here is what determines the sensitivity of personal data in the absence of a proper definition of sensitive personal data.
In Europe, the General Data Protection Regulation (GDPR) defines ‘sensitive personal data’ as distinct personal information that is more sensitive than personal data and includes racial, political, religious, trade union membership, genetic, biometric, sexual orientation, and health details of individuals.
In 2018, a famous voice assistant bot marketed by an e-commerce giant collected voice recordings and geo-location data of children and flouted the provisions of the Children’s Online Privacy Protection Rule. These voice recordings and geo-locations were kept indefinitely without the consent of the children’s parents.
The matter reached the stage of settlement in May 2023, wherein the e-commerce giant agreed to pay a $25 million fine to settle the case.
As per the Indian Act, where an individual is a child then the Data Principal includes the parents or the lawful guardian of such a child. Thus, in furtherance of the accepted principle that the children’s data should be subjected to a greater protection, the Act places additional obligations on the Data Fiduciaries to obtain verifiable consent from the legal guardian before processing the personal data of a child.
Sections 11 and 12 of the Act recognize the right of the Data Principal to seek information as to the personal data as well as correction, updation and erasure of such data. In cases relating to Aadhaar, the Data Principal has the right to get any previously entered information corrected or updated.
Another applicable example would be that of a ride hailing service. While booking a cab, the Data Fiduciary will share the locational data with a third party, as this is necessary for the completion of the service the Data Principal has asked for. The Data Fiduciary will require permission to access the location of the Data Principal, to be further shared with the GPS tracker company. The Data Principal in most cases is also given the right to update the address, contact details and name of the person availing the service, which are important for using the service. Once the Data Principal withdraws the consent, she reserves the right to ask for complete erasure of such data; however, the right to erasure of personal data may not apply to data that is already processed or published.
Data Principals’ rights include the right to seek grievance redressal and the right to nominate another person in case of incapacity of the Data Principal, along with a duty to provide accurate and verifiably authentic personal information, among other duties.
The Act empowers the Central Government to restrict, by notification, the transfer of personal data by a Data Fiduciary for processing to another country or a territory outside India [Section 16 of the Digital Personal Data Protection Act, 2023].
Nations have lately recognized the critical importance of data breaches and data espionage; therefore, many countries have actively taken steps to restrict websites and applications that bear the risk of illegitimate transfer of data across borders. Likewise, TikTok, a short-form video hosting service app, has been banned by the United States, Europe and Canada for concerns around endangered sensitive user data. Earlier this year, the Ministry of Electronics and Information Technology banned and blocked 232 illegal betting and digital loan apps that either originated from China or had links with the country. These apps were banned for flouting Section 69 of the Information Technology Act, 2000.
The Act further lists the exemptions for the Central Government or its instrumentalities, where the personal data of Data Principals can be processed by the State for the purposes of enforcing a legal right, for ascertaining financial information in cases of mergers and amalgamations, for research and statistical purposes, etc. These special situations are for practical ease, as it would be contrary to purpose, expensive and time consuming to seek consent from individuals whose data is thus being processed.
Individuals have an exemption as to processing of data for any personal or domestic purpose. Therefore, a guest list for a wedding will not come under the purview of the law unless it has sensitive information attached to it. A blogger putting details on a website makes her information public consensually [Section 3(c)(ii) of the Digital Personal Data Protection Act, 2023]. The Act differentiates between information available publicly and personal information, access to which might be subject to certain rules. Court judgments which are available in the public domain with the names of parties are quite unlike judgments which do not reveal personal information.
The Central Government has been given the power to establish an independent Board, named the Data Protection Board of India, to function as a civil court, empowered to conduct an enquiry, impose penalties and enforce conditions on Data Fiduciaries. An appeal against the decision of the Board can be made to the Appellate Tribunal as provided under the Act.
The redressal mechanism involves the unique feature of having a Consent Manager accredited by the Board, who shall be responsible for managing the consent of the Data Principals. However, there is an additional requirement for Significant Data Fiduciaries to appoint a Data Protection Officer who must be based in India and be a point of contact for the grievance redressal mechanism under the Act. Significant Data Fiduciaries are also under an obligation to appoint an independent data auditor, carry out data audits and undertake periodic Data Protection Impact Assessments.
The Act imposes hefty penalties starting from ₹10,000/- and extending up to ₹250 crore for breach in observing the obligation of a Data Fiduciary to take reasonable security safeguards to prevent personal data breach. For instance, a Data Fiduciary, say a bank or financial institution, in possession of personal data of Data Principals in physical form somehow fails to protect such data though the said data has been digitized in due course. If some of the documents containing sensitive personal information of Data Fiduciaries are misplaced and a financial fraud occurs because of the same, this will amount to the Data Fiduciary’s failure to observe security safeguards to prevent data breach.
Protection of data in the wake of growing cyber-crimes and identity thefts has led nations to identify possible risks associated with the collection and processing of personal data, which can not only lead to personal loss but can also result in a large scale threat to national security. Thus, the Act has been enacted after several attempts to provide a rigid legal framework ensuring strict obligations, with hefty penalties for non-compliance and breach of the duty to perform the obligations of Data Fiduciaries.
Though the Act comes as a ray of light in the dark, it does have shortfalls that have sparked debates and discussions on the independence of the Board, the exemptions for the State, the procedure to be adopted by the Board while dealing with complaints of data breach, and the like. But what must be understood here is that this law is just the first step towards ensuring cyber-security and preventing instances of data breaches. Thus, the law attempts to create an ecosystem for protecting the personal data of individuals from being misused and for preventing the infliction of unquantified harm on individuals as well as the nation, thereby pushing organisations, or rather Data Fiduciaries, to obtain personal data more sensibly.
Anuradha Gandhi is a Managing Associate and Rachita Thakur is an Associate at SS Rana & Co.