Six years after the Supreme Court held privacy to be a fundamental right in a landmark judgement, India finally has a data protection law. On Saturday, the Digital Personal Data Protection Act, 2023 was published in the official gazette after receiving the President’s assent on Friday, making India one of the final democracies in the world to have a regulatory framework for privacy. But the law has received a mixed response, with concerns around wide-ranging government exemptions and the dilution of the data protection board’s powers. In an interview with Soumyarendra Barik, Rajeev Chandrasekhar, Minister of State for Electronics and IT, responds to questions about the most contentious provisions in the law. Edited excerpts:
Sec. 3 (c) (ii) The provisions of this Act shall not apply to personal data that is made or caused to be made publicly available by… the data principal
Just because someone has published their personal data online voluntarily, why does the law exempt it from protections?
It is a fair assumption that today a large amount of personal data has been published online. The moment the law is in effect, every company that has personal data with it will have to disclose it and at that stage, a person can ask them to delete it. Once that is done, you are at the starting point of this law.
We have seen examples of companies like Clearview AI whose entire business model is to scrape public images of people to build a facial recognition surveillance tool. Shouldn’t people be protected from that?
Let’s say this company has your personal data. They are obliged to notify you that they have your data. You can ask them to delete it. The effect of this law is that regardless of where an entity might find the data, they cannot use it without consent. I want to clarify that when someone finds your personal data, no one can use it without your consent.
Sec. 5 (1) Every request made to a data principal… for consent shall be accompanied or preceded by a notice…
How would this change the way web browser cookies are collected?
The way cookies are currently gathered on websites, we don’t think that meets the test of informed consent. So there will be a lot of innovation required to move from the current three-page ‘I Agree’ model of seeking consent to something that is much more informed.
Sec. 6 (6) If a data principal withdraws her consent… Data Fiduciary shall… cease processing their personal data…
There is, however, another provision which requires entities to retain data for law enforcement purposes. There is a clash between these two…
Do we know all the scenarios that might come up going forward? We have made some things very unambiguous, around norms of consent, for instance. But for some reasons, entities may need to retain data, and even in that case, they cannot process that data without your consent.
Sec. 7 (a) A data fiduciary may process personal data… for which she has not indicated that she does not consent to the use of her personal data.
Under this provision, one has to explicitly say no to an entity to stop them from processing their data. Will this not be open to broad interpretation, especially by private companies?
There has to be a balance between consent and the barrage of notices you receive for your consent. We have added this provision for ease of doing business so that entities can process data that is reasonably within the proximity of what you have originally consented to.
Sec. 8 (6) In the event of a personal data breach, the data fiduciary shall give the data protection board and each affected data principal, intimation of such breach in such form and manner as may be prescribed.
Is there a timeframe in your mind for notifying data breaches?
It has to be immediate. There is an incentive for platforms to show responsible conduct. In the jurisprudence that will evolve around the law in the coming years, if a platform says it has reported a breach ten days later, an impacted person can argue that ten days’ worth of damage has been caused to them.
Sec. 9 (1) The data fiduciary shall, before processing any personal data of a child or a person with disability… obtain verifiable consent of the parent…
Why have norms for persons with disability been clubbed with norms for children?
Those are two categories of people who will need help. There was an argument, for example, that for differently abled people, a consent manager would do. But the consent manager’s job would be to deal with a large group of people, and not in specialised situations like this. But also, a lot of this will evolve over time.
Sec. 9 (5) The Central Government may, if satisfied that a data fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe… notify the age above which that data fiduciary shall be exempt…
Could social media companies be part of this relaxation? For instance, Meta has a Messenger Kids app which is to be used only by children…
100 per cent not. Under this provision, the prerequisite is that a platform has verified that all of its users are youngsters. We do not believe that social media is an area where age-gating should be relaxed.
Sec. 10 (1) The Central Government may notify… significant data fiduciary on the basis of an assessment of… potential impact on the sovereignty and integrity of India…
The MHA and NIA could be in possession of very sensitive data. Will government ministries and departments be classified as significant data fiduciaries as well?
There is one standard that applies to all data fiduciaries. Anyone, including government institutions irrespective of their size, that collects data with consent is liable to safeguard it under this law. So, yes, even government institutions – big or small – will be classified as significant data fiduciaries.
Sec. 17 (2) (a) The provisions of this Act shall not apply in respect of the processing of personal data by such instrumentality of the State as the Central Government may notify in the interests of sovereignty and integrity of India, security of the State…
Everyone agrees that the government will need exemptions. But the concerns around it emanate from the fact that there are no safeguards in the letter of the law for when the government decides to exempt itself from obligations. Why have words like ‘proportionate’ not been used as a safeguard to these exemptions?
Proportionate as defined by who? We don’t want issues of national security and law and order to be second guessed by the courts. If the police need data for these purposes, they should be able to do so. There will be checks and balances within the government to ensure that this power is not misused.
Sec. 17 (2) (b) The provisions of this Act shall not apply… for research
There are concerns that this exemption could be used by companies to use personal data to train AI algorithms in the name of research. Why has research not been defined clearly?
I am willing to agree that there is some ambiguity in the way it has been written. I want to make it clear that it is certainly not for AI research, or commercial research. It will apply for instances like if the government wants to conduct statistical research based on the data it has in its possession to frame policies.
Sec. 19 (1) The data protection board consists of a chairperson and such number of other Members as the Central Government may notify.
Everyone’s concerned by the control of the government over the selection of members of the DPB. Why not have judicial representation within the board or in the selection committee?
I’m not averse to having a retired judge on the board, but there are many options that we can consider. Why should we not have a young lawyer instead of a retired judge, for instance? Why not a young serial entrepreneur who wants to be part of the board for some time? The members must be willing to invent the new, rather than prescribe the old.
Sec. 27 (3) The board may… on a reference made by the Central Government, modify, suspend, withdraw or cancel its direction
You have said that the board will be independent. But the Centre also has powers to cancel its directions. That seems like the Centre can sidestep the board whenever it wishes to…
The performance of the board should be measured on merit. To read into what the powers of the government are and to surmise that it is some sort of a conspiracy to trip up well established processes is pure speculation. The board will be transparent and responsive. If you see what’s happening in the grievance appellate committees today, despite all the concerns that were initially raised, they are creating a culture of accountability.
Sec. 29 (2) Every appeal… shall be accompanied by such fee as may be prescribed.
If ordinary citizens have to pay a fee to appeal decisions of the board, will that not act as a deterrent?
The idea of a fee is to prevent frivolous appeals. Whether that is a barrier to natural justice, we will see. If it is preventing people from appealing, we will respond at that time.
Sec. 37 (1) The Central Government could block platforms that have been fined on at least two occasions for violating the law.
This is essentially a censorship provision that has been added to a privacy law, when the government already has that power under the Information Technology Act, 2000. What is the rationale for that?
We hope that we never have to use it, but this has been kept to act as a deterrent for companies – many of whom have learnt how to game regulations – beyond the prescribed penalty of Rs 250 crore per data breach. It has also been kept to act as a signal for the data protection board for when it is dealing with matters related to voluntary undertaking.