The Digital Personal Data Protection Bill
The Digital Personal Data Protection Bill, cleared by the Union Cabinet on July 5, 2023, is an important legislative step aimed at regulating the collection, storage, and processing of personal data in India. It seeks to protect the privacy of individuals while ensuring that data fiduciaries (the entities that determine the purpose and means of processing personal data) are held accountable for how they handle this information.
The Bill finds its roots in the landmark Supreme Court judgment in Justice K.S. Puttaswamy (Retd.) & Anr. v Union of India & Ors. (2017). In that case, a nine-judge bench declared that the right to privacy is a fundamental right protected under Article 21 (right to life and personal liberty) and Part III of the Indian Constitution, and that informational privacy forms part of that right. The Court also urged the Union Government to put in place a robust regime for protecting citizens' personal data from unauthorized use.
The Digital Personal Data Protection Act, 2023 (DPDP Act) plays a pivotal role in
shaping India’s digital economy and governance by establishing a comprehensive
framework for the protection of personal data. It addresses the growing concerns around
privacy, data security, and the responsible use of personal data in the digital age. In this
context, the Act is essential in creating a balance between safeguarding individuals’
privacy rights and supporting the legitimate needs of businesses, government bodies, and
law enforcement agencies. The Act's enactment also aligns India with global data
protection standards while addressing the unique challenges of its digital landscape.
1. Applicability:
• The Bill applies to the processing of digital personal data within India, whether the data is collected in digital form or collected offline and later digitized.
• It also applies to processing outside India if that processing is in connection with offering goods or services to data principals in India.
Example: If an Indian customer purchases a product online from a foreign company, the company must comply with this Bill when it collects and processes that customer's personal data, even though it has no presence in India.
EXCEPTION:
• The State and its instrumentalities may process personal data without fresh consent for certain "legitimate uses", such as providing a subsidy, benefit, service, certificate, licence or permit, where the individual has previously consented to such processing or the data is already held in a government database.
Example: An individual must give consent before their data is used by an online shopping platform, but a government department can use data it already holds about the individual to issue a licence without seeking consent again.
Obligations of Data Fiduciaries:
Data fiduciaries are the entities (such as companies or organizations) that decide how and why personal data is processed. The Bill imposes the following obligations on them to protect the personal data they handle:
1. Accuracy of Data: They must ensure that the personal data they hold is complete, accurate and consistent, particularly where it is used to make a decision that affects the individual or is disclosed to another data fiduciary.
2. Security Safeguards: They must implement reasonable security safeguards to prevent a personal data breach, which the Bill defines broadly to cover unauthorized processing, accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data.
3. Breach Notification: If a personal data breach occurs, they must notify both the Data Protection Board of India and each affected individual.
4. Erasure of Data: Once the purpose for which the data was collected is no longer being served, and retention is not required to comply with any law, they must erase the data and ensure that any data processor acting for them erases it as well.
Aadhaar, India's unique identification program, faced serious allegations of a data breach in 2018, when a newspaper investigation reported that demographic details of over a billion Aadhaar holders could be accessed for as little as ₹500 through an anonymous WhatsApp seller. UIDAI disputed that its biometric database had been breached, but the episode raised concerns about the security safeguards protecting Aadhaar data and about whether affected individuals would be notified. Under the Bill, the Unique Identification Authority of India (UIDAI), acting as the data fiduciary, would have the specific obligations listed above in such a situation.
Example: A mobile company collecting customer data must ensure it is accurate, keep it secure, and delete it once the service contract ends and no legal retention requirement applies.
4. Rights of Individuals:
• Individuals (data principals) have the right to obtain a summary of the personal data being processed about them and the processing activities undertaken, to have their data corrected, completed, updated or erased, and to seek grievance redressal from the data fiduciary and, failing that, from the Data Protection Board.
Example: A person can ask an online retailer to correct their address or to erase their account data after discontinuing the service.
In 2017, a data breach occurred at Zomato, a popular food delivery platform in India. Records of about 17 million users, including names, email addresses, and hashed passwords, were stolen and offered for sale on the dark web. Zomato stated that the passwords were hashed with per-user salts, which limits but does not eliminate the risk: weak passwords can still be recovered offline by guessing, which is why affected users were asked to reset them. The incident raised concerns about how the company was handling user data and whether it was taking adequate steps to protect personal information.
Under the proposed Digital Personal Data Protection Bill, users (as data principals)
would have the following rights:
1. Right to Know: Users would have the right to know how Zomato was processing
their data and whether their data was being shared with third parties.
2. Right to Correct or Delete Data: Affected users could request Zomato to correct
any incorrect information (such as their contact details) or ask for their data to be
deleted, especially if they no longer used the service.
3. Right to File Complaints: If Zomato failed to address these requests or did not adequately protect their data, users would have the right to raise a grievance with Zomato and, if it was not resolved, to file a complaint with the Data Protection Board of India.
This incident highlights the significance of individuals' rights to control their personal
data and ensure it is managed responsibly by data processing entities.
5. Exemptions:
The Bill allows the Central Government to exempt notified State agencies from its provisions on grounds such as sovereignty, security of the State, public order and friendly relations with foreign states, and it exempts processing for the prevention, detection, investigation or prosecution of offences from most of the obligations. Critics argue that these broad exemptions could lead to excessive data collection and weaken privacy protection.
Example: A police department can process personal data while investigating a crime without obtaining consent and without following most of the obligations imposed on other organizations.
In 2017, the Indian government made it mandatory to link the Aadhaar number (a unique identification number) with the PAN (Permanent Account Number) used for taxation purposes, through Section 139AA of the Income Tax Act. The measure was justified as a way to weed out duplicate and fake PANs and curb tax evasion. However, it faced significant privacy concerns, since it tied a biometric-backed identifier to individuals' financial records and allowed the state to aggregate personal data across databases without individual consent for each use.
Under the proposed Digital Personal Data Protection Bill, exemptions are provided for
government and state entities when processing data for purposes like national security or
law enforcement.
Since the Aadhaar-PAN linking was mandated by law, individuals had no option to
refuse consent, raising concerns about their right to privacy.
This case highlights the potential implications of granting broad exemptions to the
government for data collection, which might infringe on individuals' privacy rights under
the guise of national security or public interest.
CRITICISM
• The Bill doesn’t address how to deal with harm like financial loss or reputational
damage caused by data misuse.
Example: If a person’s data is leaked and used for identity theft, the Bill does not offer a
clear remedy or compensation for the victim.
When personal data is processed, it may be exposed to risks such as data breaches,
unauthorized access, or misuse. If such incidents occur, they can result in serious
consequences for individuals, including:
• Financial Loss: This could happen through identity theft, where personal
information like credit card details or bank information is stolen and used for
fraudulent transactions.
• Reputational Damage: If sensitive personal data (such as health records or
private communications) is leaked, it could harm an individual's reputation or lead
to social stigmatization.
While the Bill outlines principles for the protection of personal data, it does not provide
clear provisions or mechanisms for compensating individuals who suffer such harm. For
example, if a person’s data is stolen and used to commit identity theft, leading to
financial loss, there is no explicit recourse or remedy in the Bill that addresses how the
victim can be compensated for the damage.
REAL LIFE EXAMPLE:
The 2018 Aadhaar reports described above, in which names, addresses, phone numbers and other details of Aadhaar holders were allegedly obtainable for a few hundred rupees, illustrate the problem. Regardless of how the data escaped, its exposure posed serious risks of identity theft and financial fraud.
Although the authorities took steps to shut down the reported access and later introduced measures such as the Virtual ID, there was no clear mechanism to compensate those whose data had been exposed, leaving victims without proper recourse for the harm caused. The Digital Personal Data Protection Bill likewise lacks clear provisions for compensating individuals who suffer financial or reputational damage from data breaches.
Example Scenario:
I] Data Leak and Identity Theft: Imagine a scenario where a financial institution is hacked and customers' personal data, including their identity numbers (such as Aadhaar or PAN) and credit card details, is leaked. A criminal uses this data to impersonate a customer, applying for loans in their name and making large purchases.
II] Consequences for the Victim: The customer whose identity has been stolen faces serious financial harm: lenders pursue them for loans and purchases they never made, their credit score is damaged, making it difficult to obtain loans or credit in the future, and they may incur legal costs proving that the transactions were fraudulent.
International Comparison:
In some other jurisdictions, such as the European Union under the General Data Protection Regulation (GDPR), specific provisions exist for individuals to claim compensation for both material and non-material damage resulting from infringements, including data breaches (Article 82). The controller or processor is liable unless it proves that it is not in any way responsible for the event giving rise to the damage, so the victim does not have to prove negligence. The DPDP Bill lacks any such mechanism.
The Bill does not include the right to data portability (the ability to obtain one's data and transfer it between services) or the right to be forgotten (removal of personal data from the wider internet, including search results). It does give individuals a right to have a data fiduciary erase the data it holds, but that right does not reach copies held by others.
Without these rights, individuals may find themselves at the mercy of data controllers, with limited options to manage their data effectively.
Without the right to be forgotten, individuals may have no recourse if their data continues to be available online, potentially causing harm to their reputation or future prospects (e.g., job opportunities, personal relationships).
International Comparison:
In contrast, the European Union under the General Data Protection Regulation (GDPR) recognizes both the right to data portability (Article 20) and the right to erasure, or "right to be forgotten" (Article 17). This gives individuals more power over their personal data, allowing them to obtain their data in a machine-readable format and move it to a competing service, and to require that data about them be erased, including delisting from search results in appropriate cases.
Cross-border transfers:
• The Bill allows personal data to be transferred to other countries, except those restricted by the government. However, it does not require that the receiving country have adequate data protection laws to safeguard the personal data it receives, which creates significant risks for individuals' data privacy and security.
If the receiving country has weak or insufficient data protection regulations, there is a higher risk that the data could be accessed by unauthorized parties, misused for purposes the individual never agreed to, or passed on to third parties, with no practical remedy available to the individual.
In the Cambridge Analytica case, which came to light in 2018, the British political consulting firm obtained data on tens of millions of Facebook users through a third-party personality-quiz app, without those users' meaningful consent. The data, which included personal information such as interests, political views, and behavior patterns, was used to build profiles for influencing political campaigns, including the 2016 U.S. presidential election.
Under the proposed Digital Personal Data Protection Bill, companies like Facebook or any foreign entity offering services to individuals in India (whether through social media, online shopping, etc.) would be required to comply with the Bill's data protection provisions. They would need to obtain consent for a specified purpose, give notice of what is collected and why, limit processing to that purpose, and report breaches, or face penalties from the Data Protection Board of India, which under the Act can reach ₹250 crore per instance for failing to maintain reasonable security safeguards.