By Ameen Jauhar
In 2017, during a sultry summer, the Supreme Court of India created a watershed as the custodian of individual rights and liberties guaranteed by our Constitution. In a unanimous decision (in Puttaswamy I), it overturned almost four decades of jurisprudence and recognised an individual right to privacy, as part of the larger right to life and personal liberty (Article 21 of the Constitution). I call this ‘watershed’ because akin to some previous moments in India’s constitutional history (like the formulation of the basic structure doctrine), this too has had, and will continue to have far-reaching ramifications. The most obvious outcome, which was also considered and discussed at length in the apex court’s judgement, was the need for India to develop its domestic data protection regime. In an era where digital economies are fuelling national and international ambitions of more efficient and lucrative exploitation of personal data, the right to privacy is vital to safeguard informational autonomy (i.e., the ability of individuals to control the collection, collation, processing, and further sharing of their personal information).
Since the Supreme Court’s ruling in Puttaswamy I, India has witnessed concerted efforts at the national and even some state levels to effectuate some forms of consent-based data governance frameworks. In terms of legislation, the Indian government constituted the Srikrishna committee to provide detailed inputs on establishing India’s data protection law, which did so in 2018. In December 2019, a Bill was tabled in Parliament (PDP Bill 2019), which was immediately referred to a joint-parliamentary committee. The JPC’s report came belatedly two years later in December 2021 and shortly thereafter, the PDP 2019 Bill was withdrawn. Instead, a draft Bill entitled “Digital Personal Data Protection Bill, 2022” (DPDP Bill 2022) was put out late last year for public consultation. The same has now been tweaked into the Digital Personal Data Protection Bill 2023 (DPDP Bill 2023), which was passed by Parliament this week.
Though the government has emphasised on how the latest DPDP Bill is a significant improvement on the PDP Bill 2019, there are some common threads which illustrate a continuity between the two, and justify the moniker of a work in progress. For instance, a key concern in the PDP Bill 2019 was the excessive leeway afforded to the state and state entities for processing personal data. This seems to have been carried forward even in this latest iteration of the Bill. Surprisingly, and reaffirming the faith of proponents of participatory governance, some contentious provisions like the novel provision stipulating “deemed consent” have been dropped. These were proposed for the first time in DPDP Bill 2022, resulting in immediate furore and backlash. Similarly, the dangerously “succinct” and nebulous provisions around the establishment of a Data Protection Board (DPB) have been fleshed out. In DPDP Bill 2023, the excessive amount of delegation, regarding the establishment and functions of the DPB in the earlier draft, has been rectified. The provisions around the DPB now closely mirror similar provisions for regulators, and quasi-judicial bodies in other legislation, where appointment, remuneration, tenure, and allied issues are set out in the parent legislation rather than delegated rules.
Another significant alteration between the PDP 2019 and the DPDP 2023 Bills is the stance on cross-border data sharing. The PDP 2019 was drafted in the background of BigTech scandals like Cambridge Analytica, which exposed the vulnerabilities in personal data processing that can be exploited by dominant tech giants (in that case, Facebook). In 2023, the threat of BigTech has not disappeared, but revisions to cross-border data transfers now seem to signal India’s intent of harnessing its start-up sector in lieu of a heavy-handed clamp-down through stringent legislation. In this, the DPDP 2023 clearly shows an evolution in legislative reasoning, distancing itself from ideas of data localisation to establish more liberal and free-flowing data access. This shift in stance is also crucial to the government’s posturing of it being more mature and pragmatic to realise India’s ambitions in this techade.
While the DPDP Bill 2023 is expected to bring some scrutiny and decrying for its sweeping governmental exemptions, I believe it is imperative to assess its merit against a larger tapestry of digital rights in India. Unlike many other countries, Indians literally did not possess a right to privacy (and informational autonomy) before this decade. In countries like the US where this right has been afforded for years, we still see limited state and no federal privacy legislation. Compared to that, the DPDP 2023 not only provides for a foundation, but arguably an optimistic one. While the challenge of governmental overreach certainly persists, this Bill (and eventual law) will not be the last, but instead be the first shot fired in the movement to establish an ecosystem where digital rights drive digital innovation and adoption. For this, it should be credited, but the work must continue.
The author is Team lead, Centre of Applied Law and Technology Research, Vidhi Centre for Legal PolicyViews are personal