OVERVIEW OF THE DIGITAL PERSONAL DATA PROTECTION ACT,

2023

INTRODUCTION
It's likely that you've heard the saying "Data is the new oil." It means that business people are
exploring data as a valuable asset in an attempt to reap enormous riches. It has to be refined into
something useful because it is inherently crude. In addition, we currently live in the largest
digital economy possible, where all individuals are treated like data. Opinions are not as good as
data, which is favored because it is more dependable and predictable. Based on the data that is
now available, we may forecast results, gain insights for improved business performance,
develop better plans, etc. However, it might be just as dangerous if the data is not managed
carefully. Although data is strong in and of itself, regulation requires the help of the law.

A recent piece of legislation regarding the processing of personal data in India is the DPDP Act.
Almost six years after the Supreme Court upheld the basic right to privacy in Article 21, it was
ultimately adopted. The DPDP Act addresses privacy and protection requirements pertaining to
personal data and is presented against the backdrop of global privacy legislation, such as the
GDPR of the European Union. It is believed that the DPDP Act has broad applicability that
extends beyond of the region and directly incorporates several principles from the GDPR.
Governmental organizations are exempt from several of the Act's provisions, despite the fact that
the Act on the one hand sets strict penalties for handling personal data improperly. The narrow
provisions of the IT Act were superseded by the DPDP Act, which established a thorough
framework for the handling of personal data.

The Act imposes obligations on Data Fiduciaries, those processing data, and outlines the rights
and duties of Data Principals, individuals to whom the data pertains. It also introduces financial
penalties for breaches.

Draft legislation states that the purpose of PDPB 2022 was to "provide for the processing of
digital personal data in a manner that recognizes both the right of individuals to protect their
personal data and the need to process personal data for matters connected therewith or incidental
thereto, as well as for lawful purposes."

What is meant by Data Protection and Data Privacy

Here, data protection and privacy are the two factors at play. Data privacy refers to the
circumstances under which, in what manner, and to what degree a customer's personal
information may be disclosed to third parties . Names, addresses, phone numbers, marital status,
and ethnicity are examples of personal information. The necessity for data privacy laws is crucial
given the rise in internet usage over time.
On the other side, data protection refers to the legal measures taken to protect data against
corruption, loss, or harm. Data protection from unapproved sources is a major concern since data
is currently being collected at a rate never seen before.

Evolution of Data Protection laws

The idea of data privacy is not new. It dates back to the Semayne case of 1604, when it was
agreed that each person's home served as both their castle and stronghold. After that, the idea of
privacy changed and came to light once more in an article titled "The Right to Privacy," which
was written by Justice Louis Brandeis and Attorney Mr. Samuel Warren. In it, they recognized
the right to privacy as the cornerstone of modern-day individual freedom. Later in 1984, Article
12(4) of the Universal Declaration of Human Rights (UDHR) established the statutorily
recognized right to privacy.

In the Indian context, the judicial courts have debated the issue of privacy; some have addressed
it as a fundamental right, while others have refused to acknowledge it as one under Article 21 of
our Constitution. The renowned case of K.S. Puttaswamy v. Union of India (2018) ultimately
declared the right to privacy to be a basic right protected by Article 21 in 2017. The Indian Penal
Code (1860), the Information Technology Act (2000), and other laws pertaining to privacy
already had certain gaps in them. However, there was no stand-alone, all-inclusive law regarding
the matter. Eventually, after seven years of making and three attempts to pass the privacy
legislation, India adopted a full-fledged data protection and privacy law on August 9, 2023.

JUDICIAL DEVELOPMENT REGARDING THE RIGHT TO PRIVACY

The right to privacy has developed from being protection against superfluous governmental
intrusion in the lives of its citizens to the right to informational privacy, shielding individuals’
sensitive personal information from unwanted and unlawful attacks by the state or even non-state
actors. The emergence of these technologies has presented further difficulties in safeguarding
personal information from identity theft, cyber attacks, and data breaches.

Here is the plethora of cases which deals with the Right to Privacy as a fundamental right in
India:

M.P Sharma vs. Satish Chandra (1954)

In this case the issue was raised that whether the Right to Privacy is guaranteed in the
constitution. The Eight Judge bench of the Supreme Court was of the view that the power of
search and seizure is not a violation of right to privacy, as no such right is guaranteed by the
Constitution. Further, these powers are necessary for the maintenance of law and order and for
proper discharge of police duties.
Kharak Singh vs. State of UP (1963)

The petitioner in this case, Kharak Singh, was charged with dacoity but was released due to a
lack of evidence. The police included him in the list of “history sheeters,” and he was put under
surveillance under Regulation 236 of the U.P. Police Regulation. The petitioner challenged the
constitutionality of Chapter XX of the U.P. Police Regulation Act under Article 32 of the
Constitution.

This case was decided by the Six Judge bench of the Supreme Court, with the dissenting
opinions of Subba Rao and Shah, JJ. The majority ruled that the remaining monitoring measures
were constitutional and that the police officer's domiciliary inspections under Regulation 236(b)
to verify the accused's night time presence in his home were illegal. Other measures, such as
picketing or stalking, according to the court, did not prevent the suspects from moving around
freely and, therefore, did not violate their rights as granted by Article 19(1)(d) or Article 21 of
the Constitution.

The justices who dissented felt that the surveillance provisions were all illegal. Not only does the
freedom to move come with no physical restrictions on one's movements, but it also ensures that
one can move around freely without being observed, tracked, or followed. There are two
different types of rights in Articles 19 and 21. It is incorrect to argue that the freedom of
movement is a component of the right to liberty; rather, freedom of movement is a feature of
personal liberty. One aspect of the right to privacy is the right to solitude.

Govind vs. State of Madhya Pradesh (1975)

This is the first case in India that extensively discusses the right to privacy. The constitutionality
of the police surveillance of criminals on the list of “history sheeters” was again challenged
before a three-judge bench of the Supreme Court.

The bench dismissed the petition and held that the regulation made under the provision of the
Police Act has the force of law and was made in furtherance of the object of the Police Act to
prevent the commission of a crime; hence, it is not an infringement of a fundamental right
provided under Article 21 but a reasonable restriction on the rights of a certain class of persons
who are determined to lead a criminal life.

The bench further noted that the right to privacy is not explicitly stated in the Constitution and
assumed that though it emanates from the right to liberty, the right to move freely, and the right
to speech, it cannot be an absolute right and should be subjected to the compelling public
interest. The law infringing the right to privacy must satisfy compelling state interests.

However, the court interpreted the regulation in a narrow way to prevent it from being struck
down. It also noted that the challenged regulations are on the verge of being violative of
fundamental rights, and hence, the state should revise the old police regulations. The surveillance
should be reduced to the clearest cases of community security, not as a routine function of the
police to visit every person whose conviction ends or is released from jail.

State of Maharastra & Ors. Vs. Madhukar Narayan Mardikar (1991)

The Supreme Court ruled in this case that everyone has the right to respect a woman's privacy,
even if she is a woman of "easy virtue," and that no one can infringe upon her private space at
will. The court also disagreed with the Bombay High Court's ruling, which disregarded Banubi's
testimony since it was untrustworthy and her testimony could not have destroyed a public
official's career.

R Rajagopal vs. State of Tamil Nadu (1995)

This case is famously known as the Auto Shanker Case. The right to privacy was dealt with
against the right of the media to publish the autobiography of a prisoner exercising the right to
freedom of speech and expression under Article 19(1)(a). The Supreme Court held that the
publication of a person’s life story without his consent is violative of his right to privacy, and the
person is entitled to damages for injuries resulting from an unauthorised invasion. The right to
privacy, though not explicitly mentioned in the Constitution of India, is the penumbra of the right
to life and personal liberty under Article 21. The right to privacy entails the right to be let alone .

PUCL vs. Union of India (1997)

This is the first PIL case to challenge the constitutionality of a law as violative of the right to
privacy. The Apex Court held that the right to privacy is guaranteed under Article 21 of the
Constitution by referring to the previous judgements in MP Sharma’s case, Kharak Singh’s
case, Gobind v. State of M.P., and Rajagopal’s case. The right to have a telephonic conversation
without intrusion is a part of the right to privacy under Article 21 and cannot be curtailed except
by procedures established by law.

Mr. X vs. Hospital Z (1998)

The right to marriage and the right to health, which derive from the right to life and personal
liberty under Article 21, clashed in this instance. It was determined that the right to privacy is not
unalienable and may be restricted in order to further the greater good of society.

The court further held that when there is a conflict between a person’s right to privacy and
another person’s right to health, which serves the larger public interest, the right that serves the
public interest or public morality would be enforced by the courts. The right to life includes the
right to live a healthy life, enjoying every function of the human body in its prime condition.

In Re Ramlila Maidan Incident vs. Home Secretary, Union of India & Ors. (2012)

The government's suppression of a peaceful protesting mob sleeping at Delhi's Ramlila Maidan
around midnight or 12:30 am was brought to the attention of the Supreme Court suo moto. The
Court determined that in order to apply Section 144 of The Code of Criminal Procedures, 1973,
there must be three requirements met: significant facts, impending harm, and the need to act
quickly to stop the harm. According to Article 21, the right to privacy and the right to sleep are
essential components of the right to life, just like the right to food, drink, and other necessities.
The state has an obligation to defend people's rights against illegitimate and arbitrary
interference.

Justice K.S.Puttaswamy (Retd.) vs. Union of India (2017)

The watershed decision in the judicial history of India acknowledged the right to privacy as a
distinguishing fundamental right under Article 21 of the Constitution of India. The ruling in this
case paved the way for the recognition and defense of other Indian rights, including the
decriminalization of adultery in Joseph Shine v. Union of India (2018) and the decriminalization
of consenting to a same-sex relationship in Navtej Singh Johar v. Union of India (2018). The
Indian Supreme Court noted that the idea of privacy encompasses a person's inherent right to
autonomy in the decisions they make about fundamental areas of their lives.

The contemporary age of technological advancements has been regarded as the “era of
ubiquitous dataveillance, the systemic monitoring of the communications and actions of
individuals through information technology.”

The judgement overruled the previous judgement in MP Sharma’s case and the Kharak Singh’s
case to the extent they held that the Constitution of India does not protect the right to privacy of
an individual.

The judgement in the case of ADM Jabalpur vs. Shivkant Shukla was also overruled to the extent
that the right to life and liberty, including the right to privacy, can be surrendered in an
emergency.

It was held that the right to privacy is a concomitant right to life and personal liberty protected
under Article 21. It is a natural right that is inalienable to human existence and is not a boon
granted by the state. Although the right is not absolute, it does not amount to usurpation of
legislative function.

Justice K.S. Puttaswamy vs. Union Of India (2018)(2019)

After the judgement given by the nine-judge constitution bench, the issue raised about the
constitutionality of the Aadhar scheme and the Aadhar Act, 2016, was decided by the Five-Judge
constitution bench, comprising Chief Justice Dipak Mishra, A.K. Sikri, A.M. Khanwilker, Dr.
D.Y. Chandrachud, and A. Bhusan, JJ, in three opinions, with Justice Chandrachud writing the
dissenting one.
The matter in the case was related to the informational privacy of an individual. The
demographic and biometric information being collected by the state is for the purpose of
providing its citizens with a unique identity, for better dissemination of government services,
subsidies, and other benefits, and to prevent the dissipation of funds for direct benefit transfers,
such as in the public distribution system (PDS), or MGNREGA.

 The court while deciding whether the Aadhar Act violates the right to privacy. The court
noted that it meets the threefold criteria of the test laid down in the Puttaswamy
judgement (2017), that is the legality, means backed by the law;
 need, defined in the terms of a legitimate state’s interest, and
 proportionality, which is a rational nexus between the objects sought to be achieved and
the means employed to achieve it.

In his dissenting opinion, Justice Chandrachud ruled that the Aadhar money bill's passage
was illegal. He pointed out that the Act lacked privacy protections, such as the need that
people have the ability to see, amend, and remove their data. Biometric data should only be
collected and retained with consent. Moreover, it is necessary to specify the retention
duration. The person needs to have the choice to opt out.

He pointed out that Aadhar poses the risk of creating a surveillance state, which is violative
of informational self-determination, informational privacy, and the protection of data. The
Aadhar Act is violative of Article 14 in absence of robust regulatory and monitoring
framework for data protection. An individual must not be compelled to compromise his or
her right to privacy to avail themselves of food and other welfare services.

Biometric protocol will, among other things, take into account the following: (i) The biometric data is
stored and transmitted only in encrypted form. (ii) The encrypted biometric data is decrypted only on
authentication. (iii) The service provider does not obtain access to decrypted biometric data. (iv) The
decrypted or digital key is kept separate from the biometric data. (v) The protocol put in place by DSLSA
would also provide the leeway to the victim to seek deletion of his/her biometric record after attaining
majority in terms of the extant legal regime