
India: Decrypting critical concepts under India's Digital Personal Data Protection Act, 2023 and comparison with GDPR and PIPL

-Sonali Srivastava*

 

Abstract


This piece examines certain critical concepts under the newly introduced Digital Personal Data Protection Act, 2023 (“DPDP Act”) in India, such as data localization, extra-territorial jurisdiction and cross-border data flow. It also provides a comparative analysis of these concepts with the corresponding concepts prevailing in the European Union (EU) and China, to bring out the international stance on the same. The significant differences highlighted between India, the EU and China on these concepts will help to evaluate India’s stance and may serve as a reference for re-evaluation of the DPDP Act.


 

Introduction


The ‘India e-Conomy Report 2023’ showed that a continued shift in consumer and merchant behaviour, matched with strong investor confidence, has ushered India into its ‘Digital Decade’ and set the country on a path to reach a $1 trillion internet economy by 2030. With this digital growth, the number of cyber-attacks in India is also increasing.

 

Breach of confidential data such as health care data, identity data, financial data, intellectual property and technology related data or government data results in severe and lasting consequences. The ‘India Ransomware Report 2022’ shows that ransomware attacks increased by 53% in India. As per the latest report of Surfshark, a cyber security company, there were 154 million breached accounts in the first half of 2023, with Q2 alone accounting for 111 million breached accounts. As discussed in KS Puttaswamy & Ors vs. Union of India (“Puttaswamy Judgement”), every individual should have the right to exercise control over his/her own life and image as portrayed to the world, and to control commercial use of his/her identity. The breach of an individual’s confidential data leads to commercial, physical and emotional exploitation of the individual, thereby disrupting social order in the society.

 

Prior to the DPDP Act, there was no comprehensive legislation on data protection except for certain provisions under the Information Technology Act, 2000 (“IT Act”) read with the Reasonable Security Practices Rules, 2011. That regime lacked a robust regulatory mechanism ensuring the safe collection, storage and processing of personal data, and catered only to ‘sensitive’ personal data. The DPDP Act has now been notified by the Indian Government to address these deficiencies in India’s data flow regulations.

 

This article will bring forward the need to re-evaluate and revise certain concepts under the DPDP Act by (i) examining how far these concepts will succeed in protecting individuals’ privacy and preventing the misuse of personal data, and (ii) comparing them with the General Data Protection Regulation (“GDPR”) of the EU and the Personal Information Protection Law (“PIPL”) of China. The article will deal with the following concepts and provide a comparative analysis with the GDPR and PIPL:

 

  1. Extra-territorial Jurisdiction;

  2. Cross border data flow;

  3. Data localization;

  4. Rising surveillance concern on non-consensual processing of data; and

  5. Independence of Data Protection Authority.


Extra-Territorial Jurisdiction


Jurisdiction in cyberspace is one of the most heated and evolving topics in the digital world. The DPDP Act applies to the processing of digital personal data (i) within India and (ii) outside India in connection with any activity related to offering goods or services to data principals located within India [see DPDP Act, Sec 3(b) at 3].[2]

 

A similar provision on extra-territorial jurisdiction is found under the GDPR. However, the term ‘activity related to’ remains undefined in the DPDP Act as well as in the GDPR and may therefore be interpreted broadly, so as to even include processing of data outside India of a target audience in the course of the marketing and advertising activity of an establishment offering goods and services to data principals in India.

 

Further, Article 3(1) of the GDPR is wider than the DPDP Act in the sense that if the processing of personal data of data principals takes place in the context of the activities of an establishment of a controller or a processor situated in the Union, irrespective of whether the processing itself takes place within or outside the EU, then the GDPR applies to that controller or processor, as the case may be. The term ‘establishment’ is defined as an establishment having effective and real exercise of activity through stable arrangements. As an example, suppose a car manufacturing company headquartered in the United States has a branch in Brussels which oversees all of the company’s European operations. The Belgian branch can be considered a stable arrangement carrying out real and effective activities in the EU, in light of the economic activity carried out by the car manufacturing company.

 

The Court of Justice of the European Union, in Weltimmo v. NAIH (C-230/14), clarified the concept of establishment under Article 3(1) of the GDPR by holding that the activity of an establishment effectively "extends to any real and effective activity — even a minimal one — exercised through stable arrangements."

 

Here, it should be noted that the DPDP Act does not specifically address its applicability to a particular situation: where the processing of data takes place outside India with respect to activities undertaken in India by (i) an Indian establishment of a foreign entity or (ii) a representative of a foreign entity situated in India, and such activities, carried out under a valid contract with the foreign entity, either (i) do not relate to the offering of goods or services to data principals in India (such as conducting a survey in India), so that the entire situation falls outside the applicability of Section 3(b) of the DPDP Act (as discussed above), or (ii) are undertaken on behalf of the foreign entity.

 

Accordingly, to address this situation, the idea of incorporating Article 3(1) of the GDPR into the DPDP Act can be explored. Such incorporation would also make the foreign entity subject to the DPDP Act in that situation.


Profiling


Profiling excluded from the DPDP Act


Profiling means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal [see DPDP Bill, 2022, Sec 4(2)]. A lot of sensitive personal information of Indian users is stored in foreign owned and controlled social media applications such as Instagram, WhatsApp, Microsoft, Facebook and Google, and can be used for profiling, including to track and target individuals for illegal purposes such as discrimination.

 

While one may argue that the DPDP Act regulates profiling in India, since the definition of the term ‘processing’ [under Sec. 2(x)] is wide and inclusive and the DPDP Act applies to all kinds of processing of digital data in India, no additional restrictions or safeguards against profiling are stated in the DPDP Act. Others may argue that the DPDP Act does not intend to specifically regulate profiling in India, as the regulation of profiling specifically proposed in Section 4(2) of the DPDP Bill 2022 has been eliminated from the DPDP Act.

 

However, unlike the prevailing dilemma on the regulation of profiling of adults, the DPDP Act specifically prohibits a data fiduciary from tracking or behavioural monitoring of children, or targeted advertising directed at children.


As regards extra-territorial profiling of individuals in India, it should be noted that the DPDP Bill 2022 and earlier drafts of the DPDP Bill regulated the same. However, the DPDP Act has done away with extra-territorial application in the case of profiling, by regulating only the processing of data outside India in relation to the offering of goods and services, and not activities involving the analysis or prediction of aspects concerning the behaviour, attributes or interests of a data principal.

 

Other Jurisdictions on profiling


The GDPR and PIPL are both applicable to the processing of data for profiling. Further, China’s PIPL also governs profiling carried out outside China of the personal data of natural persons within China.

 

Excluding profiling from the applicability of the DPDP Act may have an adverse impact on the privacy rights of individuals in India and lead to inaccurate, biased and unfair outcomes. To prevent such adverse impact, in pursuance of the DPDP Act, (i) a code of conduct and (ii) a standard operating procedure can be issued to processors and controllers, providing clear guidance on processing purpose(s), including identifying and preventing all activities involving bias-based profiling, so as to avoid any form of discrimination, denigration, humiliation or prejudiced behaviour against data principals.

 

Artificial intelligence (AI) systems can help in identifying and reducing bias, provided such systems are structured with bias-mitigating processes in mind, such as the use, while processing information, of appropriately trained datasets that incorporate technical ways of defining fairness. Further, to ensure fairness, humans can be put in the loop to double-check the processing done by AI.

 

The DPDP Act may incorporate enabling provisions on profiling for lawful purposes, i.e. to further the public interest and for the benefit of national security. However, here too, anyone undertaking profiling has to ensure the elimination of unconscious bias. Among other safeguards, the option of providing appropriate human rights training to processors and controllers can be explored here.

 

Cross-border Data Flow


India has experienced immense growth from the open flow of data across borders, including the export and import of digital services and products. However, unregulated cross-border data transfer has led to unwarranted privacy breaches, unauthorised surveillance and unlawful processing of personal data.


Large volumes of data flow freely across India’s borders. In light of this, a proper legal framework regulating cross-border data transfer is critical for India, and the same was accepted in the Justice B.N. Srikrishna Committee Report, which recommended a total prohibition on the cross-border transfer of critical personal data from India, with such data to be processed only in India. For this purpose, critical personal data may be understood as the sensitive personal data of an individual as defined in the DPDP Bill 2019, including financial data, health data, sex life, sexual orientation, genetic data, caste, intersex status and political belief and affiliation.


Even at the G20 Digital Economy Ministers’ Meeting, India emphasized security in the digital economy. However, under the DPDP Act, the Government has allowed the transfer of personal data outside India by a data fiduciary, except to certain countries as specified by the Government. Currently, for the transfer of data outside India, the DPDP Act does not provide for any specific adequacy checks, security requirements to be fulfilled by the data recipient and data fiduciary, or an adequate safeguard agreement template to be executed with the data recipient. Better clarity on this point may come when the Government publishes the DPDP Rules, which may set out the regulatory measures and/or any adequacy checks to be implemented for cross-border data flow.


Other jurisdictions on Cross-border Data Flow


The GDPR and PIPL have adopted stricter procedural requirements for the cross-border transfer of data. The GDPR allows the transfer of personal data of EU citizens only to countries having an adequate data protection regulatory framework. Even in the absence of an adequacy decision, cross-border transfer of personal data is allowed provided such transfer is subject to certain safeguards, i.e. the use of standard contractual clauses or adherence to binding corporate rules (BCRs) approved by a supervisory authority under the GDPR.

 

PIPL, on the other hand, requires the fulfilment of certain essential conditions before any cross-border transfer of personal data, such as obtaining the specific consent of the data subject, completing a security assessment, obtaining personal information protection certification, and executing data transfer agreements with the data recipient situated outside China that are consistent with the template agreement issued by the Cyberspace Administration of China. Which of these conditions an entity must comply with depends on the volume of data transferred outside China.

 

India’s approach towards cross-border data protection under the DPDP Act seems liberal and lenient in comparison to the EU and China. Better clarity on the factors the Indian Government will consider while preparing the list of restricted countries will help us understand how far India has safeguarded its cross-border data flow.


Data Localization


The Indian Position


Data localization consists of collecting, storing and processing data within one’s own territorial boundaries. Data localization is adopted by many countries as it enhances data security and fulfils the aim of keeping the sensitive data of individuals within one’s own country. Currently, the legal framework on data localization in India is focused only on the digital payments sector, through the Reserve Bank of India's directive issued under the Payment and Settlement Systems Act, 2007. The Directive provides that all system providers shall ensure that the entire data relating to payment systems operated by them is stored in India. Further, Section 128 of the Companies Act, 2013 requires a company’s financial documents to be kept at its registered office in India.

 

However, India lacks a comprehensive policy for implementing data localization. The Justice B.N. Srikrishna Committee Report and the Joint Parliamentary Committee (“JPC”) Report suggested the adoption of data localization to mitigate the risks associated with cross-border data transfer, such as foreign surveillance and threats to national security. Considering the same, a data localization requirement was initially incorporated in the DPDP Bill, 2019. However, it has been removed from the DPDP Act in light of tech giants’ objections that it would reduce the ease of doing business and increase operational costs by requiring new storage infrastructure in India.

 

Other Jurisdictions

 

Under the GDPR, cross-border data flow is possible if the non-member country has an adequate level of data protection. What qualifies as an ‘adequate level of data protection’ is decided by the European Commission. This so-called ‘adequacy decision’ may be seen as a data localization measure, as it allows the Commission to influence and control the main directions of data flow.

Accordingly, the GDPR provisions result in de facto localization requirements. Russia and China impose additional technical localization requirements, such as review of source code.

 

Should Data localization be adopted?

 

Azmeh and Foster, in their 2016 study, point out the benefits that developing countries can derive from a policy of data localization. These include, first, higher foreign direct investment in digital infrastructure and, second, the positive impact of server localization on the creation of digital infrastructure and a digital industry through enhanced connectivity and the presence of skilled professionals. A significant premise of data localization is the concept of data sovereignty. The increased use of cloud-based data storage resulting from cross-border data transfer is leading to massive revenue potential but, at the same time, raises concerns about surveillance by other governments and security issues where local law enforcement does not have access to data.

 

At the same time, there are doubts about the benefits of data localization, as it hinders trade and economic benefit and gives rise to practical challenges for businesses owing to its complex implementation process and increased operational cost.

 

The importance of data localization was emphasized in the Joint Parliamentary Committee (“JPC”) Report published in December 2021. The JPC observed that the national security of India is of ultimate importance and that the Indian Government cannot compromise on it on the ground of ease of doing business. The JPC further observed that, notwithstanding the benefits of data sharing and collaboration, a country has to balance innovation with the risks associated with cross-border transfer of data.


In the absence of a regulatory framework for storing data locally, the Indian Government might, in the longer run, face difficulty in ensuring data security, especially in respect of the sensitive data of individuals and of the country.

 

Accordingly, considering the potential risks involved in transferring and storing sensitive data abroad, such as the risk of foreign surveillance and of personal and national security breaches, data localization measures for sensitive data should be incorporated under the DPDP Act.


Surveillance Concerns


The Government’s ability to conduct surveillance has been greatly enhanced by emerging identification-related digital technologies. Misuse of technology by the government has increased the fear of state surveillance.

 

The Hon’ble Supreme Court of India, in the Puttaswamy Judgement, has also observed that a balanced regulatory framework, protecting the rights of individuals while at the same time catering to the legitimate concerns of the State, needs to be enacted.

 

The Indian Government has wide surveillance powers. The IT Act contains a provision empowering the Government to intercept or decrypt any information generated or stored in any computer resource [see IT Act, Sec. 69]. Further, in the Puttaswamy Judgement, the Court empowered the government to undertake non-consensual processing of personal data on grounds such as security of the state and prevention of contraventions of law, in order to prevent a potential threat.[1] However, these grounds are too wide and have not been interpreted anywhere.

 

Furthermore, Justice Dr. D.Y. Chandrachud, in the Puttaswamy Judgement, highlighted the parameters that must exist for the State to invade the privacy rights of individuals. These parameters involve a three-fold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate state aim; and (iii) proportionality, which ensures a rational nexus between the objects and the means adopted to achieve them. The Judgement also notes that privacy has both positive and negative content.

 

To curb the Government’s wide surveillance powers, the Justice B.N. Srikrishna Committee Report recommended that the Government bring in a law for the oversight of the government’s intelligence gathering activities. However, Section 7(c) of the DPDP Act has further widened the surveillance power of the Indian Government, as it allows non-consensual data processing by the Government as a legitimate use if it is in the interest of the sovereignty, integrity and security of the state, maintenance of public order or preventing incitement to any cognizable offence relating to any of these. What exactly constitutes ‘security of state’ and ‘public order’ is again vague and overbroad.

 

Further, the DPDP Act does not establish any agency to monitor and regulate the Government’s surveillance-related powers and activities. Such wide processing powers of the Government and its instrumentalities under the DPDP Act have the potential to infringe individuals’ right to privacy. Accordingly, there is a need to put in place a system of safeguards to ensure that any form of intrusion or non-consensual processing of data is done only where essential and in a proportionate manner.

 

With the existing framework, how far the Government may use its surveillance powers on these grounds in a reasonable and proportionate manner, in the absence of any checks and balances, is a question that remains unanswered.


Other jurisdictions


The GDPR also provides for the investigatory powers of the supervisory authority. However, these powers are subject to appropriate safeguards, including judicial remedy and due process, provided in Union and Member State law.

 

In the United Kingdom, too, the Investigatory Powers Act 2016 (“IP Act”) provides for the power of government officials to collect, intercept and retain the communications data of individuals. The IP Act states that surveillance powers can be exercised by acquiring a warrant that has to be approved by an appointed judicial commissioner, and that further supplementary tests must be satisfied. The tests take into account ‘relevant grounds’, looking at the interests of national security, the prevention of serious crime and the interests of economic well-being. Further, the commissioners are responsible for overseeing the use of investigatory powers by public authorities.

 

From the above, it can be concluded that balanced safeguards against the Government’s surveillance powers have been provided under the IP Act and the GDPR.

 

Further, China’s PIPL also permits non-consensual processing of personal data, but with the safeguard that it must be performed as per the administrative regulations. In addition, a state organ performing such processing of personal data is required to inform the data subject of it in advance, except where (i) the processing is required to be kept confidential or (ii) notifying the data subject would hinder the state organ from performing its statutory duties.

 

Considering the balanced approach of the above jurisdictions towards granting surveillance powers to the government, it can be said that the surveillance power under the DPDP Act has the potential to be misused by the government.


Independence of the Data Protection Authority


Under the DPDP Act, a Data Protection Board of India (“DPBI”) will be established to inquire into personal data breaches and to direct remedial or mitigation measures upon a data breach.


Appointment of members of DPBI


In the Personal Data Protection Bill 2018, the selection committee for the members of the data protection authority consisted of (i) executive members, (ii) judicial members and (iii) an industry expert jointly nominated by the executive, in line with the recommendation of the B.N. Srikrishna Committee, so as to ensure the independence of the selection committee. However, in the Personal Data Protection Bill, 2019, the government excluded the judicial and industry experts and included only executives in the selection committee. The DPDP Act goes a step further and eliminates the concept of a selection committee in the formation of the DPBI altogether, providing instead that the members of the DPBI will be appointed by the Central Government in such manner as may be prescribed.

 

The manner of appointment of DPBI members may be provided by the Government in the rules under the DPDP Act. However, the Government having entire control over the DPBI appointment mechanism may affect the Board’s independence and compromise its autonomous status. Further, the appointment provision for the DPBI under the DPDP Act also contradicts the Joint Parliamentary Committee recommendation, which provides for the nomination to the DPBI of independent experts in the fields of data security and information technology, and of directors of IIMs and IITs.

 

As regards other jurisdictions, under the GDPR the supervisory authority responsible for enforcing the GDPR is defined as an independent public authority established by a Member State pursuant to Article 51 of the GDPR. Further, unlike the DPDP Act, the GDPR provides a mechanism for ensuring that independence.

 

Considering that the government ends up violating the privacy rights of individuals in many instances, the independence of the DPBI becomes a must for the pursuit of justice for individuals and for implementing the principles of natural justice.

 

Concluding Remarks

 

There is no doubt that a legal framework balancing the needs and interests of businesses, for the growth of the digital economy, with the privacy rights of the masses is imperative. As highlighted in this article, there are serious concerns regarding the effectiveness of the safeguarding measures critical to data privacy introduced under the DPDP Act. The comparative analysis of the DPDP Act with the GDPR and PIPL helps in understanding the global position on safeguarding measures for ensuring adequate protection of privacy rights. The concerns raised in this article should be used for evaluating and redefining India’s footing under the DPDP Act, for the betterment of data governance in India’s digital landscape.

 

[1] Justice Abhay Manohar Sapre, “In view of foregoing discussion, my answer to question No. 2 is that "right to privacy" is a part of fundamental right of a citizen guaranteed under Part III of the Constitution. However, it is not an absolute right but is subject to certain reasonable restrictions, which the State is entitled to impose on the basis of social, moral and compelling public interest in accordance with law”, at 282.


 

*Sonali Srivastava is a corporate lawyer, working as a Principal Associate at Lakshmikumaran & Sridharan. Her practice areas are general corporate advisory and transaction advisory. She specializes in corporate commercial laws including data privacy laws in India.
