
LLJP CIA Final

The document discusses the implications of India's Digital Personal Data Protection Act, 2023, which establishes a framework for data privacy and protection, emphasizing the right to privacy as a fundamental right under Article 21 of the constitution. The Act aims to balance technological innovation with individual privacy rights, requiring consent for data processing and imposing penalties for non-compliance. It also highlights the differences between the Indian law and the EU's GDPR, focusing on the unique approach India takes towards data protection in the digital age.

Uploaded by

procube490

Law, Literature and Judicial Process

(LAW145)

CIA 1

Topic
Implications Of Data Privacy Laws In India

Submitted to:

Ms. Snigdha Singh

Submitted by:

(1) Ryan Prasad — 2450448

(2) Saakshi A — 2450449

(3) Sadashiv Dikshit — 2450450

(4) Sameera Shetty — 2450451

(5) Sana Pradeep Hulyalkar — 2450452


CONTRIBUTIONS
(1) Ryan Prasad (2450448) — Analysis

(2) Saakshi A (2450449) — Case Laws

(3) Sadashiv Dikshit (2450450) — Applicable Laws (2019 & 2023)

(4) Sameera Shetty (2450451) — Rationale, Analysis, Literature Review (II & III)

(5) Sana Pradeep Hulyalkar (2450452) — Introduction, Analysis, Literature Review (I & III)

INTRODUCTION
The Right to Privacy is primarily recognised as a fundamental right in Article 21 of the
Constitution and is protected under the national legislature. Privacy is an essential component
of our right to be free from unwarranted interference in one’s personal matters, not to
mention the indefensible collection, use and disclosure of relevant information. Data protection is
the concept of protecting the privacy of data. The right to privacy has emerged as an issue of
critical importance in this era of big data. India’s Digital Personal Data Protection Act, 2023
is the landmark law governing and regulating the collection, processing and transfer of personal
data in digital form. The Act was passed by the Indian Parliament in August 2023, after
deliberation of over 5 years. The Act is the first fragmentary law on personal data protection
and was introduced with the intention of corresponding with the European Union’s General
Data Protection Regulation (GDPR). The Act is expected to take effect in July 2024 after a
government notification.

In an age where the world is dominated by the continuous exchange of digital information and a
dynamic technological environment, the task of protecting data has become an immensely
important priority for individuals, corporations, and governments around the globe. The
exponential expansion of social media, e-commerce, and digital transactions has
changed how we live, significantly impacting work and interactions while also
highlighting the critical need for strong data security and privacy rules.

Therefore, the introduction of the Digital Personal Data Protection Act, 2023 (DPDP Act)
in India marks a crucial moment in privacy and data protection. This landmark legislation
seeks to establish a new pattern, wherein there is a delicate balance between the benefits
of technological innovation and the imperative of safeguarding individual privacy rights.

The Act regulates the governance of personal data collected by organisations, and aims at
protecting the individual’s privacy by empowering them with rights over the manner in which
their data is processed.

RATIONALE
With privacy at its core, this landmark legislation would empower individuals, redefine
business practices, and usher in a new era of responsible data handling.
We review the Act and specifically the area of data privacy of the people of India. Data
privacy has become a key issue of debate and requires a detailed discussion and review to
raise awareness regarding the same. It is also important to understand that data privacy goes
beyond the private person and has larger implications for the world that is shifting towards
more digital means and one which has created a need for an online presence. Financial
penalties of up to INR 250 crore per instance of non-compliance with the law make it clear that
data protection has become a key highlight of the current legal system, and so it becomes
essential to analyse the Act and its related impact on data privacy.

ANALYSIS
Purposes of The Personal Data Protection Bill, 2019 and The Digital Personal Data
Protection Bill, 2023:

1. Citizen verification to transfer benefits at an individual level.

2. Enhance the life of citizens by providing lifelong benefits and prevent frauds by or
against citizens.

3. Enable transfer of citizens’ assets to legal heirs by verifying data accuracy in the
transfer of assets.

4. Information validation by banks when an individual applies for a loan.

The government and banks collect information about citizens from public records, the citizens
themselves and reliable agencies. Some of the information is provided by citizens on a
voluntary basis. Some of it is collected as a matter of normal activity. They continually assess
a nation's economic health based on certain globally acceptable guidelines and standards.
The objective of such a data protection act is to provide information, based on past and current
track record, to their creditors and others, including the government as allowed by law, and to
protect such information.

The objective of The Personal Data Protection Bill, 2019 and The Digital Personal Data
Protection Bill, 2023 is to verify, protect, analyse and enable the smooth flow of digital services
based on the information provided by applicants (citizens and residents of India) through
reliable sources or by their existing creditors.

This point indicates whether the information shared with you or shared by you is true and
correct or if there are any misrepresentations. Each source may report personal information
differently, which may result in variations in name, address, etc. The Data Protection
Board that is set up to enforce this Act will help in all the above steps. As a part of fraud
prevention efforts, a notice with additional information / variations may appear.

There are additional benefits at a macroeconomic level:

1. These bills help both the borrower and creditor, the government and the citizen, the
country and the international lending institutions.

2. A well-developed assessment procedure for citizens' data and its protection is essential
to take the nation forward in its quest for economic progress and to meet international,
environmental and financial obligations.

The scope of data that is collected by the government on each individual is staggering.

The list below shows the private and public records that possibly fall under “personal data”.

The new bill of 2023 means that all this information is available to the government when it
deems it necessary to be accessed, by notification.

I. Identification:

● Aadhaar card

● Voter Identity

● PAN

● Driving license

● Passport

II. Address Information

● Bank Sources

● Voter ID

● Telephone bills

● Driving license

● Income tax statements

III. Employer Information

● Employer name

IV. Coordinates Information

● Telephone

● Mobile Number

● Email

V. Court Matters

● Indian Law Jurisdictions, i.e. Supreme Court, High Court, District Court.

VI. Criminal Records

● Indian Law Jurisdictions

● Local Police

● CBI

VII. Money laundering Records

VIII. Defaulters List

IX. Utility payments track record

This is all information that our government is trying to protect.

Collection and handling of personal data must be adequate, relevant, and limited to what is
necessary in relation to the purposes for which they are processed and finally, personal data
must be accurate and, where necessary, kept up to date.

To get a deeper understanding of India’s Digital Personal Data Protection Act, 2023 it is
important to analyse and compare it with the EU’s General Data Protection Regulation.
Both laws cover "personal data", which is defined as data relating to an identifiable natural
person. But the DPDPA only applies to personal data that is in digital form or is digitised after
collection, which is very different from the GDPR. Businesses with physical entry-exit
registers and/or hotels collecting physical copies of ID cards may take some comfort knowing
that the law does not apply to data that is completely collected offline. This also means that it
makes little or even no difference to most digital businesses.

When it comes to data categorisation, the DPDPA applies to all personal data and
excludes publicly available data, whereas the EU’s GDPR keeps publicly available data in scope
and recognises special categories of data such as racial/ethnic, political views etc.
The DPDPA uses consent-centric grounds for processing data, whereas the GDPR uses
broader legitimate interests for processing. The DPDPA also allows for the processing of personal
data for certain ‘legitimate uses’, but this term does not have as broad a scope as the term
'legitimate interests' in the GDPR. The DPDPA lists 9 legitimate uses, the scope of
which does not enable as wide a range of data processing activities as the legitimate
interests ground of the GDPR. To sum up, a consent-centric approach is used, with a
much narrower category of legitimate uses.

The Act marks a distinctive approach to safeguarding Personal Data, addressing longstanding
needs in the context of increasing internet users, data generation, and cross-border trade. In
its entirety, the Act signifies India's unique stance on modern data protection, enriched by
extensive post-draft consultations. While the provisions of the Act are less detailed than
the European Union’s GDPR, it certainly mandates a significant shift in how Indian
businesses should now approach privacy and Personal Data, while legitimising CG’s act to
control, retain, and monitor its citizens’ personal information.

While the notification of the Sections of the Act for their implementation is still awaited, one
has to wait and watch how the Courts interpret wide empowering provisions and in what
manner the Act evolves.

[Keywords — Privacy, Data Protection, Consent, Legitimate Use, Citizen Empowerment]


APPLICABLE LAWS

I. Case Laws

(1) Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India (2017)
The ‘Right to Privacy’ is ensured as a basic right to everyone by the Indian
Constitution. This landmark case was a constitutional challenge to the Aadhaar
Act, 2016 on the grounds that it violated the right to privacy. A nine-judge Supreme
Court bench ruled in this and other related cases that every individual has a
constitutional right to privacy under Article 21, and the collection of personal data
under the Aadhaar Act must be done through informed consent.

(2) R. Rajagopal v. State of Tamil Nadu (1994)
The case established the right to privacy as a part of the right to freedom
of speech and expression under Article 19(1)(a) of the Constitution. The Supreme
Court of India ruled that a magazine publication of an individual’s autobiography
without their consent would amount to a violation of their right to privacy.

(3) Shreya Singhal v. Union of India (2015)
This is a judgement by a two-judge bench of the Supreme Court of India in 2015
on the issue of online freedom of speech and intermediary liability in India. The
Supreme Court struck down Section 66A of the Information Technology Act, 2000,
which criminalised certain types of online speech, as it violated the right to
freedom of speech and expression under Article 19(1)(a) of the Constitution and
was therefore unconstitutional.

II. The Digital Personal Data Protection Bill, 2023 [Public Law]
The 2023 Act creates a data protection law for the first time in India. It requires consent
before personal data is processed and offers a limited number of exceptions that are clearly
listed in the law. It offers consumers the right to access, correct, update and delete their
data in addition to the right to name. It creates additional safeguards for the processing
of children's data. It sets limitations and obligations for companies in relation to the purposes
of use, requires them to inform about the collection and processing of data, and requires
security measures. The law requires companies to set up complaint mechanisms. The DPB handles
complaints and appeals and has the power to impose penalties for violations of the law. So, for
the first time in India, there is a mandatory data protection framework. The existence of the
law will gradually lead to the development of minimum standards of behaviour and their
enforcement among companies that collect data.

Applicability to Foreigners
The DPDP Act applies to Indian residents and companies that collect information about
Indian residents. Interestingly, this also applies to non-citizens living in India, whose data
processing "in connection with activities related to the supply of goods or services" takes
place outside India. This affects, for example, the digital use by an American citizen
resident in India of goods or services in India from a service provider located outside India.

Purposes of data collection and processing
The Law of 2023 allows the processing of personal data for any lawful purpose. An entity
processing the data can do so either by obtaining consent from the individual concerned or
for "lawful use", a term defined in the Act. Consent must be "free, specific, informed,
unconditional and unequivocal, with a clearly affirmative action" and for a specific
purpose. The information collected must be limited to the information necessary for the
specified purpose. Consumers must receive a clear notice that contains this information,
including the rights of the affected person and the complaint mechanism. A person has the
right to withdraw consent if consent is the basis of data processing.

III. The Personal Data Protection Bill, 2019 [Public Law]
The Bill establishes a framework to protect the privacy of personal data of individuals
(data controllers) that is processed by entities (data controllers). Processing can only take
place for a specific purpose after obtaining consent from the controller. Such consent is not
required in the event of a medical emergency or for government benefits or services. The
Bill grants certain rights to the data controller. These include the right to correct their
data, confirm whether the data has been processed or restrict its further publication. The
Bill allows exemptions from many of its provisions if the information is processed for
national security purposes or for the prevention, investigation or prosecution of crime.
Sensitive personal data such as financial and health data can be transferred abroad but
must also be kept in India. The Bill creates a national data protection authority (DPA) to
monitor and regulate data processors.

Key issues and analysis
Personal data processed for the prevention, detection, investigation and prosecution of
crime is exempt from most of the provisions of the Bill. Such an exception may be too
broad. To provide a service, the state does not need to obtain consent from the person to
process their data. Thus, for commercial services, public sector entities (which are part of
the state) are treated differently than their private sector competitors. Mandatory local
storage of sensitive personal information has certain advantages, such as the ease and
speed of access to information by law enforcement agencies. But it can also lead to
additional infrastructure costs for data controllers. Trustees must notify the Data Protection
Commissioner only if the data breach is likely to cause harm to the Data Protection
Commissioner. This can lead trustees to under-report violations to protect their
reputation in the market. The decision-making body does not have to have a legal
background. This official must assess issues related to the right to be forgotten and may
not have the necessary constitutional right.

LITERATURE REVIEW
I. Article: Data Protection Act 2023's Impact on Consumer Businesses: The Way
Forward
According to Naveen Malpani (Grant Thornton), data is the lifeblood of the consumer industry
and hence, the Digital Personal Data Protection Act, 2023 will be a powerful game-changer.
DPA 2023 is seen by him as a paradigm shift in the way companies handle
customer information. New regulations present both opportunities and challenges for businesses.
This analysis examines how DPA 2023 influences consumer firms and provides practical
suggestions for adaptation in this new environment. The following is a review of the DPA
2023 according to Naveen Malpani, which helps fill the gap between consumers and
what every consumer should know.

Retailers’ Impact:
According to the author, the Consumer Bill of Rights is updated as follows: the DPA 2023
now gives more power to consumers regarding their personal information, and this means
that businesses are faced with a variety of new demands:
- Access and Correction: Consumers can now ask for access to their personal data and
request that it be corrected. Firms should ensure they maintain accurate records and make
them easily accessible.
- Right to Erasure: Some call it the “right to be forgotten” because customers’ data may be
removed at their request, albeit with some difficulty on the part of companies.
- Data Portability: This relates to the right of customers to move their own data from one
service provider to another, requiring secure transfer methods and compatible formats.
- Right to Object: Customers can not only disallow certain types of use of
their data but also say no to particular practices in areas such as analytics or
marketing.

Tougher Consent Requirements

The DPA 2023 changes how organizations collect data by stipulating that companies must
obtain express consent from consumers before collecting or using their consumer
information.

Explicit Consent: It is important that consent forms are restructured in order to capture
explicit and unambiguous consent.

Reversible Consent: Possible revocation of consent by customers at any time necessitates the
availability of mechanisms for effectively handling such requests.

Enhanced Openness and Responsibility: There is a need for evidence that companies comply
with the principles of data protection.

Sanctions and Implementation

Non-compliance can lead to severe penalties and legal actions, highlighting the
importance of strong data protection measures:
- Fines: Violations have severe consequences for firms.
- Legal Actions: The possibility of numerous legal actions from authorities as well as
customers encourages proactive data security measures.

Possibilities and Difficulties


Barriers:
Operational Costs: Small and medium-sized enterprises (SMEs) could suffer substantial
compliance-related costs.
Technological Adaptation: System upgrades may require significant technological
investments to secure conformity.
Staff Education: It's critical to provide staff education on the latest data protection
regulations.

Prospects
Increased Customer Trust: By putting data security first, customers’ loyalty and
confidence can be gained.
Competitive Advantage: For instance, by adhering to effective regulations, firms may
differentiate themselves in the market and attract privacy-conscious clients.
Better Data Management: Improved data management procedures might lead to higher
quality data.

The Way Forward: There are various strategies for compliance as per the author; a few
of them are:

- Data audits - identify opportunities for improvement by routinely evaluating data
practices.

- Privacy by design - take privacy into account at every stage of developing new products
and services.

- Customer communication - make sure consumers are aware of data practices and rules
in a clear and trustworthy manner.

Using Compliance to Gain an Advantage in Business: as per the study, the ways to do so are:

- Marketing - to draw in privacy-conscious clients, emphasise your dedication to
data protection.

- Innovation - make an investment in technologies that improve consumer satisfaction and
guarantee compliance.

- Partnerships - to stay current on best practices, work with technology suppliers and data
protection specialists.

To sum up the author’s opinion, it is believed that for customer organisations, the Data
Protection Act of 2023 implies a lot of potential as well as challenges. In line with
this, being compliant would be an opportunity to win customers’ confidence and
distinguish oneself in the market, despite the possible need for major adaptations and
expenses. Effective compliance processes and exploitation of the legislation will enable
corporations to sail safely across the turbulent waters of changing data protection regulation.

____________

II. Article: ETtech Interview | Data Bill to make social media companies accountable,
fortify IT industry: IT Minister Ashwini Vaishnaw — 10 August 2023
In the article from the Economic Times (ET), Union Minister for Electronics &
Information Technology Ashwini Vaishnaw spoke about the Digital Personal Data
Protection (DPDP) Bill, 2023 and its impact on social media companies operating in
India.
The article says that the Data Bill seeks to make social media companies more
accountable for the data they collect from Indian users, and that they will be subject to the
same rules as Indian companies. The accountability includes ensuring transparency in
data handling and data processing. According to IT Minister Ashwini Vaishnaw, the Data
Bill is also aimed at making the Indian IT industry stronger.
When asked about the concerns that have been raised by experts, lawyers and opposition
parties around the exemptions the government has taken for itself, the minister said that
the exemptions for the government are exactly within the framework of the Constitution
of India. Comparing it to the GDPR (General Data Protection Regulation of the European
Union), there are 16 exemptions for things like economic or financial interest of the
Union, monetary, public health etc., while India makes only a few.
In the article we see the government’s stand on the DPDP through the minister of the
concerned industry. It becomes increasingly important to know the government’s, i.e. the
legislation’s, intention and thought process behind a law which will have a significant
impact on the current digital world, where the people, and especially the citizens of India,
are becoming increasingly active on social media platforms and require the protection of
their data from global platforms and advertising companies that process and handle data
with little care at times.
__________________

III. Article: 54% data fiduciaries lack experience in enforcing data protection laws |
Business Standard | May 28, 2024
The administration of India’s Digital Personal Data Protection Act (DPDPA), 2023
presents substantial obstacles for businesses in the country. The report states that “over
50% of data fiduciaries with a substantial user base in India lack experience in
implementing data protection laws in other jurisdictions”, which means that most
companies lack expertise in data protection. Inexperience, and the fact that the Act’s rules
and provisions are yet to be finalised, create some uncertainty about its implementation
and a more complex environment for businesses to function in. Moreover, the
requirement of the Act to provide multiple languages, including some with limited usage,
adds a challenge. For example, the report states that 94% of respondents stipulated that
implementation of this requirement would also require technical changes to the business's
products and services. Furthermore, the Act's provisions on obtaining consent from
children and individuals with disabilities are ambiguous due to the lack of clarity in the
definition of "person with disability". Hence, it underscores the importance of defining
"person with disability" to include those with severe mental disabilities while respecting the
rights of physically disabled individuals, and of maintaining clear guidelines for
obtaining verifiable consent from them. These challenges emphasise the need for a
comprehensive approach to its implementation. The report states that, as in the jurisdictions
of the EU, Japan, Brazil, and California, a 2-year time frame is needed for compliance. And
finally, the report states the need for regular open-house discussions to clarify terms and
provisions under the DPDP.
The new Act, which is supposed to help provide for a smoother flow of data, is dependent
on the efficiency of data fiduciaries.
Data fiduciaries will be needed to maintain the accuracy of data, keep data secure, and
delete the data once its purpose has been met. That these fiduciaries, which have such great
responsibility with respect to the Act, turn out to be lacking in experience is a major
deficiency in the execution of the Act. The DPDPA has a compliance-heavy
framework which will face a major hurdle if the fiduciaries are not equipped to handle
their duties. Further, the article states that the language option requirement for notices as
mandated under the Act has led to situations where there are no direct translations for
certain English words and phrases. This can lead to misinterpretation and loss of meaning
of certain texts. In larger implications, this could even mean the opening up of loopholes
in legal scenarios.
The article also mentions that the languages that are considered for translation are only the
languages in the Eighth Schedule. Some of these languages have a
minimal speaking population, while there are other, more popular languages with no
provision.
This shows that the Act is still lacking in certain aspects and is only the first step towards
securing a ‘private future’.

REFERENCES

ACTS:

• https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

• https://sansad.in/getFile/BillsTexts/LSBillTexts/Asintroduced/341%20of%202019As%20Int....pdf?source=legislation#:~:text=(1)%20This%20Act%20may%20be,outside%20India%20by%20any%20person

BLOGS:

• https://www.cookieyes.com/blog/india-digital-personal-data-protection-act-dpdpa/

• https://www.legalserviceindia.com/legal/article-10664-right-to-privacy-and-data-protection-era.html

• https://www.legal500.com/developments/thought-leadership/gdpr-v-indias-dpdpa-key-differences-and-compliance-implications/

ARTICLES:

• https://www2.deloitte.com/in/en/pages/risk/articles/the-digital-personal-data-protection-act-2023.html

• https://www.brookings.edu/articles/regulating-for-a-digital-economy-understanding-the-importance-of-cross-border-data-flows-in-asia/#_ftn7

• https://amlegals.com/data-privacy-in-the-era-of-social-media/#

• https://economictimes.indiatimes.com/tech/technology/data-bill-to-make-social-media-companies-accountable-fortify-it-industry-it-minister-ashwini-vaishnaw/articleshow/102583490.cms?from=mdr

• https://www.grantthornton.in/insights/blogs/data-protection-act-2023s-impact-on-consumer-businesses-the-way-forward/

• https://www.researchgate.net/publication/380360250_DIGITAL_PERSONAL_DATA_PROTECTION_ACT_2023_A_NEW_LIGHT_INTO_THE_DATA_PROTECTION_AND_PRIVACY_LAW_IN_INDIA

WEBSITES:

• https://www.cloudflare.com/en-gb/learning/privacy/what-is-data-privacy/

• https://unacademy.com/content/upsc/study-material/polity/an-overview-of-justice-k-s-puttaswamy-retd-and-anr-vs-union-of-india

• https://globalfreedomofexpression.columbia.edu/cases/r-rajagopal-v-state-of-t-n/#:~:text=The%20Supreme%20Court%20of%20India,auto%2Dbiography%20was%20not%20published

• https://globalfreedomofexpression.columbia.edu/cases/shreya-singhal-v-union-of-india/

• https://en.m.wikipedia.org/wiki/Shreya_Singhal_v._Union_of_India
