Version: 1.0
Across the world, the natural person sits at the centre of personal data protection legislation; every provision is framed to safeguard the person and her interests. Digitalisation and the ubiquity of the Internet have exposed personal privacy to threats that were beyond imagination a few decades ago. A person therefore faces threats to her human and fundamental rights not only from the State but also from companies, especially large ones. The DPDP Act 2023 adds unnecessary and dangerous obligations on data principals that will deter anyone from approaching the Board for relief, and gives a free run to data fiduciaries except where the Board acts suo motu. Even then, a data fiduciary may simply undertake that the breach will not be repeated and go off the hook.
It is obvious from the very first bill placed in Parliament in 2019 that the government's intent in bringing a personal data protection law was never to address the fundamental rights question as directed in the Justice Puttaswamy judgement. The government's consistent view has been that, as far as "procedure established by law" is concerned, in respect of privacy or anything else, the existing procedures are already in force and no new law is required. The Justice Srikrishna Committee report, however, clearly set out the responsibilities of a data fiduciary that is a government entity. Some of those provisions from the Personal Data Protection Bill 2018 were retained in the 2019 version submitted to Parliament. The DPDP Act 2023 places no such responsibilities on any government entity. It is therefore focussed on the relationship between individuals and the non-government entities that process their personal data, and even here it presumes that the two are equal parties, forgetting that an individual is weak and incapable of taking on the might of companies, especially very large companies and MNCs.
What appears to be on the government's mind is the target of becoming a 5 trillion dollar economy, probably as its single point of focus. The Digital Personal Data Protection Act 2023 is drafted in a manner that moves the person and her personal data away from the centre of gravity of the law. Will it be a safe bet? Only time will tell.
There is an additional threat from cybercriminals, who use personal data harvested from the Internet to build a profile of a targeted person and then mount social engineering attacks to defraud her. The drafting team appears to have kept cybercriminals, especially organised groups and Cybercrime-as-a-Service operators, outside its cone of vision, so it is necessary to bring them back into the sight of the executive and the legislature. Cybercriminals collect data from many sources, in particular breached datasets sold on the dark net, and combine them with open sources such as Facebook and Twitter to assemble a profile of a person. The profile is either used directly by the criminals or sold on the dark web as a service, and the buyer then designs a social engineering strategy, phishing included, against the victim described in it. Because such attacks draw on multiple sources rather than any single leaked dataset, a specific fraud cannot be attributed directly to a specific data breach, and it is nearly impossible even for law enforcement agencies to establish which breaches contributed to it. That is the core reason for presuming the guilt of a data fiduciary in the event of a breach. Even so, an accurate assessment of the actual or probable future loss to an individual is next to impossible, so a civil court's decision on the quantum of compensation is complicated to say the least, and pinning the loss on a particular company's breach is next to impossible. Sadly, none of this was in the consideration of the drafting committee of the DPDP Act 2023.
The phrases "as prescribed", "rules made" and "notification" appear, between them, 25 + 13 + 7 = 45 times in the operative part of the DPDP Act 2023. In effect, the executive has kept the power to modify the law as it sees fit. This is a double-edged sword: on one side, the government can use these powers to keep pace with the quickly changing cyberspace; on the other, it creates uncertainty in the minds of data fiduciaries and data principals as to what may change in future, and at short notice. Tribunals and courts may also face problems unless date-wise version control of such notifications, rules and prescriptions is maintained. Under existing procedure, such notifications, rules and prescriptions are laid before Parliament for 30 days so that any member may object; in practice, however, it is extremely rare for any such rule to be questioned in Parliament. Unless the legislature becomes proactive and keeps an eye on all such notifications, rules and prescriptions, the executive will have a free run. Balance is therefore possible, but the practice is not in vogue.
There are no separate safeguards for sensitive and critical personal data. All personal data is clubbed together under an ambiguous definition that different entities will interpret differently. The loss of an IP address, which can be changed, is placed in the same basket as the loss of biometric data, which can never be changed, and both losses attract the same degree of penalty. It follows that both must be protected with equal vigour, which is like saying that a kitchen utensil and jewellery require the same degree of protection. This runs against the cybersecurity best practice of classifying data by sensitivity and applying controls accordingly, and it is not followed anywhere in the world. (Refer Sub-Section 2(n))
According to Sub-Section 3(c)(ii)(A), the protection of the Act is not available where the data principal has herself made her personal data public. On the surface, especially to a Facebook user, this may sound reasonable, but there is a legal hitch in the meaning of the word "public". Under various defamation rulings, information communicated one-to-one is not public, but the moment it is communicated one-to-many (two persons onward) it is public. Thus anything shared in a WhatsApp group of three or more members is public information, and anything shared on a public social media platform can likewise be interpreted as public. Suppose one shares her birthday with her Facebook friends and Facebook is then breached, or unauthorised access occurs through a technical fault at Facebook: the compromise of that data is not covered by the Act. There is a live case in which Facebook gave Cambridge Analytica unauthorised access; such acts are kept outside the purview of the law. It also means that social media data will be freely available, without any legal complication, as input for artificial intelligence. Obviously, industries working in AI will be able to operate far more freely in India to design and develop their products, and this could well be the intent of the government.
Section 6 deals with consent and how it can be given. Section 7 lists the matters for which no consent is required, which include services provided by the government.
Duties and responsibilities of the data principal. According to the Digital Personal Data Protection Act 2023, the duties and responsibilities of a data principal are the following.
Categorically and specifically withdraw consent, if it was ever given. Unless consent is withdrawn, the data fiduciary remains free to process the digital personal data.
The data principal should exhaust all possible means of addressing her grievance with the data fiduciary before approaching the Board. This implies that a data fiduciary can block anyone from approaching the Board on the pretext that not all possible means were exhausted.
Comply with the provisions of the law.
Not to impersonate. This is tricky: if anybody uses a pen name or attempts to hide her identity on any platform, her rights to safeguard her personal data are not available to her.
Not to register false or frivolous grievances or complaints. Anyone who does so is liable to a penalty of Rs 10,000. As discussed above, in the case of a social engineering attack it is not possible to pinpoint its exact cause, so any such complaint or grievance can be treated as frivolous and the penalty imposed on the data principal. India is probably the only country where the data principal can be penalised under a personal data protection law.
The DPDP Act 2023 has no provision for compensation to the data principal. All penalties recovered go to the government through the Consolidated Fund of India. A decision of the Board will at most strengthen the data principal's case for compensation; for the compensation itself, she must approach a civil court. Since the limitation period may expire while the matter is still pending before the Board, the data principal will have to initiate two cases simultaneously, one before the Board and one in the civil court. As discussed above, it is not easy to link a breach directly to the likely losses, or even to estimate the expected losses, so proving the quantum of compensation in the civil court will be very difficult. Under these circumstances, and with the additional duties and responsibilities placed on the data principal, it may not be possible for any individual to take on the might of a corporation that will be more than willing to pay a few crore rupees to a high-end advocate to save a penalty of Rs 250 crore. There will be no motivation to lodge any complaint with the Board or to start any civil case.
The formulation of penalties under the DPDP Act is harsh on small companies (data fiduciaries) but benevolent towards large MNCs. The five largest fines awarded under GDPR have gone to Meta (four) and Amazon (one); the largest, Euro 1,200,000,000, is about eleven thousand crore INR. In India, for the same offence, Meta would never pay beyond Rs 250 crore. The earlier formulation in the Personal Data Protection Bill 2019 provided for a penalty of up to fifteen crore rupees or four per cent of total worldwide turnover in the preceding financial year; that was not so steep for smaller data fiduciaries, but large MNCs could be penalised heavily. Under the present formulation, Indians' personal data will be a good playground for MNCs and big companies, while the need to keep a reserve (say Rs 100 crore as contingency) can put most SMEs out of business. Is it the government's intent to get ahead of the curve by making India a research lab for artificial intelligence technologies with minimum hindrance, at the small cost of SMEs? Probably not, but obviously someone has not thought through the impact of the law on SMEs.
In conclusion, it appears that the government has a clear objective of touching a 5 trillion dollar economy at the earliest by attracting big companies to India, where they will face the least resistance from personal data protection law. In the bargain, the data principal is moved out of the centre of focus.
Note: This article is expected to be updated a few times. Please revisit and check the version number at the top.