Assignment 1 Cyber, DPDP

The document discusses the Digital Personal Data Protection Act that was passed in India in 2023. It provides context on the legal developments and Supreme Court rulings that preceded and informed the law, including the 2017 Puttaswamy judgement. It then summarizes some of the key features and differences between the 2023 law and earlier drafts of the legislation.

Uploaded by

Geet Mazumder

Assignment 1

How K.S. Puttaswamy affected the Digital Personal Data Protection Act (historical development
and why it came into force)

In early August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act,
2023. The new law is the first cross-sectoral law on personal data protection in India and has been
enacted after more than half a decade of deliberations.

The 2023 act is the second version of the bill introduced in Parliament, and fourth overall. An initial
version was prepared by a committee of experts and circulated for public feedback in 2018. This was
followed by the government’s version of the bill that was introduced in Parliament in 2019—the
Personal Data Protection Bill, 2019. This version was studied by a parliamentary committee that
published its report in December 2021. The government, however, withdrew this bill, and in November
2022, published a fresh draft for public consultations—the draft Digital Personal Data Protection Bill,
2022. This draft was quite different compared to the previous versions. The 2023 law is based, in
significant part, on this draft. However, it has some new provisions that are consequential for the
questions this paper seeks to answer.

These four drafts were preceded by a landmark 2017 judgment by India’s Supreme Court in Justice K.S.
Puttaswamy and Anr. v. Union of India and Ors. The judgment declared that the right to privacy is part of
the fundamental right to life in India and that the right to informational privacy is part of this right. The
judgment, however, did not describe the specific contours of the right to informational privacy, and it
also did not lay down specific mechanisms through which this right was to be protected.

Following this, the first government version of the law, the Personal Data Protection Bill, 2019, was
introduced in Parliament in December 2019. This version was expansive in scope and proposed cross-
sectoral, economy-wide data protection regulation to be overseen by an all-powerful data protection
regulator—the Data Protection Authority (DPA). The 2019 bill provided for a preventive framework. It
imposed a number of obligations on entities collecting personal data—to provide notice and take
consent from individuals, to store accurate data in a secure manner, and to use it only for purposes
listed in the notice. Businesses were also required to delete data once the purpose was satisfied and to
provide consumers rights to access, erase, and port their data. Businesses were required to maintain
security safeguards and transparency requirements, implement “privacy by design” requirements, and
create grievance redress systems. Finally, this bill introduced an entity known as “consent managers,”
who were intermediaries for collecting and providing consent to businesses on behalf of individuals.
The bill grouped personal data into different categories and required elevated levels of protection for
“sensitive” and “critical” personal data. Certain businesses were also to be categorized as “significant
data fiduciaries,” and additional obligations were proposed for them—registration in India, data audits,
and data impact assessments. In addition, the bill imposed localization restrictions on the cross-border
flows of certain categories of data. The DPA was empowered to impose penalties on businesses for
violating these requirements. The bill also proposed to criminalize activities related to the
deanonymization of individuals from anonymized datasets.

The 2019 bill exempted certain entities and businesses from notice and consent requirements under
certain circumstances—for lawful state functions, medical and health services during emergencies or
epidemics, breakdown of public order, employment-related data processing, the prevention and
detection of unlawful activity, whistleblowing, and credit recovery, among others.

The 2019 bill also had a provision to empower the government to regulate nonpersonal data. It allowed
the government to require private entities to hand over specific nonpersonal data that the government
asked for as per conditions it prescribed. In short, the 2019 bill proposed a comprehensive, cross-
sectoral framework based on preventive requirements for businesses (defined as “data fiduciaries”) and
rights for individuals or consumers (“data principals”).

This regulatory structure was based mostly on the 2018 draft bill proposed by the Srikrishna Committee
—the committee, chaired by Justice B.N. Srikrishna, a retired Supreme Court judge, was set up by the
Ministry of Electronics & Information Technology in July 2017 to help frame data protection norms. The
recommendations of this committee, in turn, were based on major regulatory developments that were
popular while the work of the committee was proceeding. Primary among these was the European
Union’s (EU’s) General Data Protection Regulation (GDPR). While the general preventive framework of
the 2019 bill was welcome, its expansive scope was problematic. It created a number of significant
compliance requirements that would have affected both big and small firms in the economy. It also
proposed the creation of a DPA that had significant regulation-making and supervisory powers. These
regulations would have further detailed the already significant compliance requirements in the bill. The
novelty of the law and the lack of prior experience in implementing a data protection law of this nature
would have created serious risks of overregulation or under-regulation.

The DPDP Act is based on the draft proposed by the government in November 2022, which adopted a
radically different approach to data protection regulation.

KEY FEATURES OF THE DPDP ACT, 2023

Compared to the 2019 version of the bill, the DPDP Act, 2023 is more modest—it has reduced
obligations for businesses and protections for consumers. On the one hand, the regulatory structure is
simpler, but on the other, it vests the central government with unguided discretionary powers in some
cases.

Applicability to Nonresidents

The DPDP Act applies to Indian residents and businesses collecting the data of Indian residents.
Interestingly, it also applies to non-citizens living in India whose data processing “in connection with any
activity related to offering of goods or services” happens outside India. This has implications for, say, a
U.S. citizen residing in India being provided digital goods or services within India by a provider based
outside India.

Purposes of Data Collection and Processing

The 2023 act allows personal data to be processed for any lawful purpose. The entity processing data can
do so either by taking the concerned individual’s consent or for “legitimate uses,” a term that has been
explained in the law.

Consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative
action” and for a specific purpose. The data collected has to be limited to that necessary for the
specified purpose. A clear notice containing these details has to be provided to consumers, including the
rights of the concerned individual and the grievance redress mechanism. Individuals have the right to
withdraw consent if consent is the ground on which data is being processed.

Legitimate uses are defined as: (a) a situation where an individual has voluntarily provided personal data
for a specified purpose; (b) the provisioning of any subsidy, benefit, service, license, certificate, or
permit by any agency or department of the Indian state, if the individual has previously consented to
receiving any other such service from the state (this is a potential issue since it enables different
government agencies providing these services to access personal data stored with other agencies of the
government); (c) sovereignty or security; (d) fulfilling a legal obligation to disclose information to the
state; (e) compliance with judgments, decrees, or orders; (f) medical emergency or threat to life or
epidemics or threat to public health; and (g) disaster or breakdown of public order.

Rights of Users/Consumers of Data-Related Products and Services

The DPDP Act also creates rights and obligations for individuals. These include the right to get a
summary of all the collected data and to know the identities of all other data fiduciaries and data
processors with whom the personal data has been shared, along with a description of the data shared.
Individuals also have the right to correction, completion, updating, and erasure of their data. Besides,
they have a right to obtain redress for their grievances and a right to nominate persons who will receive
their data.

Obligations on Data Fiduciaries

Entities responsible for collecting, storing, and processing digital personal data are defined as data
fiduciaries and have defined obligations. These include: (a) maintaining security safeguards; (b) ensuring
completeness, accuracy, and consistency of personal data; (c) intimation of data breach in a prescribed
manner to the Data Protection Board of India (DPB); (d) data erasure on consent withdrawal or on the
expiry of the specified purpose; (e) the data fiduciary having to appoint a data protection officer and set
up grievance redress mechanisms; and (f) the consent of the parent/guardian being mandatory in the
case of children/minors (those under eighteen years of age). The DPDP Act also states that any
processing that is likely to have a detrimental effect on a child is not permitted. The law prohibits
tracking, behavioral monitoring, and targeted advertising directed at children. The government can
prescribe exemptions from these requirements for specified purposes. This is potentially a problem
since the powers to exempt are broad and without any guidelines.

While the 2023 act retains the broad categories of obligations for the most part, the key difference from
the 2019 bill is the absence of the scope for the regulator, the DPA, to make detailed regulations on
these obligations. In addition, the substantive requirements under each of these categories have been
reduced.

There is an additional category of data fiduciaries known as significant data fiduciaries (SDFs). The
government will designate data fiduciaries as SDFs based on certain criteria—volume and sensitivity of
data and risks to data protection rights, sovereignty and integrity, electoral democracy, security, and
public order.

SDFs will have additional obligations that include: (a) appointing a data protection officer based in India
who will be answerable to the board of directors or the governing body of the SDF and will also serve as
the point of contact for grievance redressal; and (b) conducting data protection impact assessments and
audits and taking other measures as prescribed by the government. The 2019 bill required that SDFs
register in India. This requirement has been removed from the 2023 act.

Moderation of Data Localization Requirements

The 2023 law reverses course on the issue of data localization. While the 2019 bill restricted certain data
flows, the 2023 law only states that the government may restrict flows to certain countries by
notification. While this is not explicit, the power to restrict data flows seems to be to provide the
government necessary legal powers for national security purposes. The law also states that this will not
impact measures taken by sector-specific agencies that have or may impose localization requirements.
For example, the Reserve Bank of India’s localization requirements will continue to be legally valid.

Exemptions From Obligations Under the Law

The law provides exemptions from consent and notice requirements as well as most obligations of data
fiduciaries and related requirements in certain cases: (a) where processing is necessary for enforcing any
legal right or claim; (b) personal data has to be processed by courts or tribunals, or for the prevention,
detection, investigation, or prosecution of any offenses; (c) where the personal data of non-Indian
residents is being processed within India; and so on.

In addition, the law exempts certain purposes and entities completely from its purview. These include:

Processing in the interests of the sovereignty and integrity of India, security of the state, friendly
relations with foreign states, maintenance of public order, or preventing incitement to any cognizable
offense. This will allow investigative and security agencies to remain outside the purview of this law.

Data processing necessary for research, archiving, or statistical purposes if the personal data is not to be
used to take any decision specific to a data principal.

The government can exempt certain classes of data fiduciaries, including startups, from some provisions
—notice, completeness, accuracy, consistency, and erasure.

One problematic provision allows the government to, “before expiry of five years from the date of
commencement of this Act,” declare that any provision of this law shall not apply to such data fiduciary
or classes of data fiduciaries for such period as may be specified in the notification. This is a significant
and wide discretionary power and is not circumscribed by any guidance on the basis for such exemption,
the categories that may be exempted, and the time period for which such exemptions can operate.

New Regulatory Structure for Regulating Data Privacy

The 2023 law completely changes the proposed regulatory institutional design. The 2019 bill proposed
an independent regulatory agency. The DPA was proposed on the lines of similar government agencies
in many EU countries that function independently of government and implement the GDPR. The
proposed Indian DPA was arguably more powerful since it was proposed to have much more extensive
regulation-making powers than DPAs under the GDPR. In addition to framing regulations, the DPA would
have been responsible for framing codes of conduct for businesses, investigating cases of
noncompliance, collecting supervisory information, and imposing penalties on businesses.

In contrast, the 2023 law establishes the DPB. The board is not a regulatory entity and is very different
from the DPA. Compared to the latter, the board has a limited mandate to oversee the prevention of
data breaches and direct remedial action and to conduct inquiries and issue penalties for noncompliance
with the law. The board does not have any powers to frame regulations or codes of conduct or to call for
information to supervise the workings of businesses. It can only do so during the process of conducting
inquiries.

The members of the board will be appointed by the government, and the terms and conditions of their
service will be prescribed in rules made by the government. The law states that these terms and
conditions cannot be varied to a member’s disadvantage during their tenure.

The law allows the board to impose monetary penalties of up to 250 crore rupees (approximately $30.5
million). Appeals from the board’s orders will go to an existing tribunal—the Telecom Disputes
Settlement and Appellate Tribunal (TDSAT). In addition to monetary penalties, the bill allows data
fiduciaries to provide voluntary undertakings to the board as a form of settlement of any complaints
against them. Therefore, the board is a very different institution in design compared to the DPA.

Finally, the 2023 law contains a novel provision not included or discussed in any previous version. This is
Section 37, which allows the government, based on a reference from the board, to block the public’s
access to any information that enables a data fiduciary to provide goods or services in India. This has to
be based on two criteria: (a) the board has imposed penalties against such data fiduciaries on two or
more prior occasions, and (b) the board has recommended a blockage. The government has to provide
the data fiduciary an opportunity to be heard before taking such action.

Tracing the Evolution of the Debate on the Legislation

The DPDP Act is a remarkable shift in the approach toward data protection legislation compared to the
2018 draft bill and the 2019 bill introduced in Parliament. This shift was most visible in the November
2022 draft bill and has now been enshrined in the 2023 law. There are three major axes on which this
shift is visible.

1. Reductions in rights and obligations, and compliance:

The 2018 and 2019 versions of the bill adopted a more expansive and all-encompassing framework
toward data protection. As the preceding sections of this paper explain, many of these rights and
obligations have been either diluted or discarded—data portability, for example, has been completely
removed, while others such as the right to be forgotten have been recast to a simpler right to “erasure.”

Detailed prescriptions regarding the contents of notices and privacy by design requirements, among
others, have been discarded, and it is now up to businesses to translate these requirements. This is a
better and more innovation-friendly approach. Given the lack of prior data protection law and
jurisprudence, firms will experiment with different approaches to translate them into business practices.
The practices that do not meet the requirements of the DPDP Act will be adjudicated in the DPB, the
TDSAT, and the courts. This process will provide for an organic emergence of good practices suited to
the Indian context.

This reduction in prescriptive requirements and overall compliance should also be seen in the context of
the shift away from criminalization. The 2018 bill created a number of criminal offenses. The 2019 bill
reduced this to just one—deanonymization. The 2022 draft and the 2023 version do not provide for any
criminal offenses and stipulate only monetary penalties to be directed by the DPB.

2. A sharper focus on data privacy:

The 2018 draft, and more so the 2019 draft, included several provisions that were only tangentially
related to data privacy. For example, the provision mandating the sharing of nonpersonal data did not
further privacy interests in any way. Similarly, data localization requirements have been shown to have
only a tangential relationship to data privacy, and better alternatives exist to achieve the same
objectives. Their presence in the 2018 and 2019 bills was a source of uncertainty. In addition, data
localization became a proxy for debates on issues such as data sovereignty, something that, again, is not
directly related to the issue of privacy.

3. The abandonment of a “regulatory” law:

The 2018 and 2019 bills created a legislative framework that had a high degree of regulatory intensity—
the bills provided a full-fledged independent regulator, the DPA, with extensive powers to frame
regulations and codes of conduct on many provisions within those bills, such as notice and consent
requirements, security safeguards, manner of storage of data, and so on. In addition, the DPA would
have had powers to collect information necessary for ensuring compliance with the law and impose
penalties for noncompliance. The DPA, therefore, was proposed to have many more touchpoints with
the economy, and its mandate, by definition, required it to be relatively more interventionist.

These legislative proposals made the DPA a centerpiece of the regulatory framework, and the agency
was expected to function like other Indian independent regulators, such as the Securities and Exchange
Board of India and the Telecom Regulatory Authority of India. The DPA was expected to exercise these
powers across all sectors of the Indian economy. It would have had to prescribe standards for all the
legal provisions that provided for standard-setting requirements through regulations, modify and update
them periodically, conduct the necessary stakeholder consultations across different economic sectors,
create or identify research to support its regulatory agenda, and build its regulatory legitimacy. The
proposed legislative role of the DPA in 2018 and 2019 was thus one of high regulatory intensity. Given
this wide remit, it would have faced obvious challenges related to deciding on its overall approach,
prioritizing among its many functions and objectives, and building the internal capabilities required to
deliver on this expansive mandate.

The DPDP Act does away with the idea of an independent regulator like the DPA. The DPB does not have
many regulation-making powers under this law. Its powers are limited to ensuring remedial actions
against any data breaches and issuing directions to businesses requiring them to comply with the law. In
addition, the DPB can pass orders issuing penalties or imposing voluntary settlements for
noncompliance with the law. This is not a design that is “regulatory” in the same way as the proposed
DPA in the 2018 and 2019 versions and is a major shift in approach. The DPB’s limited mandate will
create less frequent touchpoints with the economy even though its orders regarding compliance or
noncompliance will be extremely consequential.

These shifts have occurred incrementally over the last few years. The 2018 bill proposed an expansive
law based closely on the GDPR. The 2019 bill rationalized some provisions while retaining most of them
and adding to the regulatory expanse. It imported concerns that were at best tangential to privacy
concerns in some cases. The 2022 bill and the 2023 act are a major shift away from this expansive
framework. This indicates a change in how Parliament and the Indian government now view the salience
of the data protection law to India’s economy. In 2017 and 2018, there were a few animating factors
that led to the early versions of the bill. The Supreme Court had recently declared privacy to be a
fundamental right and was about to rule on the constitutionality of India’s biometric ID project,
Aadhaar. In addition, there was a global debate on data protection regulation sparked off by the
impending implementation of the GDPR. The regulation was enacted in 2016 and came into force in
2018. At that point in time, it was viewed as a viable template for adoption and influenced deliberations
on the Indian law.

By 2022, the GDPR had been in effect for four years, and numerous issues with its design and
implementation had been voiced. The Indian Supreme Court had upheld the use of Aadhaar for certain
purposes and the potential constitutional law issues had been resolved. Arguably, deliberations on the
different versions of the data protection legislation also allowed concerns about the proposed
framework to be articulated consistently. This was especially visible on issues such as data localization.
The long period of deliberations, therefore, allowed the shift to a more pragmatic version of the law to
be finally enacted.

However, one part of the government’s approach toward the law has remained noticeably consistent—
the exemptions given for state functions. State surveillance agencies have been consistently exempted
from the application of data protection requirements. The 2018 draft bill sought to narrow the scope of
exemptions and proposed some checks and balances, which were diluted in the 2019 bill. The 2019 bill
instead gave the central government the power to exempt any national security agency from any or all
provisions of the proposed legislation. A similar provision has now been enacted into the law—other
non-security-related government uses of data will continue to be exempted from certain parts of the
law. Lastly, as pointed out earlier, the DPDP Act also gives the government problematic levels of
unfettered discretion in some cases.

The next part of this paper speculates on how two developing strains of data-related regulation—the
working of the data protection law and the concerns of national security and sovereignty—are likely to
inform the next stage of data regulation in India.
