On 24 August 2017, a nine-judge constitutional bench of the Supreme Court unanimously upheld the right to privacy as a fundamental right, albeit through six different judgments. Much water has flown under the bridge since then.
It’s been seven years and so it would be instructive to consider seven markers especially with respect to the Digital Personal Data Protection Act (DPDPA) formalized in August 2023 after multiple iterations and consultations even as the idea had been endorsed by the union cabinet way back in July 1998.
1) Scope
Genesis of the Puttaswamy judgment was with respect to concerns around digital personal data protection in the context of Aadhaar, the biometric based digital unique identification number issued to Indian residents. However, the Supreme Court judgment itself dealt with privacy in a comprehensive and holistic manner even as there was indeed substantial analysis of informational privacy therein.
As manifest in its very title, the DPDPA however, is limited to protection of digital personal data only – an important aspect of privacy but a subset thereof nevertheless. Accordingly, the mobile number or address written in a visitor’s register at a government office or even a housing society is not subject to DPDPA unless such data is digitised!
Clearly, the DPDPA is not a comprehensive privacy law even as it promises to push the envelope for privacy in the digital realm.
2) Rights of Data Principals
The Supreme Court had emphasised on all the dimensions of right to privacy. The DPDPA does cover most such rights such as the right to portability and the right to erasure. However, the right to be forgotten per se is amiss!
3) Reasonable Restrictions
According to the SC, just like other fundamental rights, even the right to privacy is not absolute and subject to reasonable restrictions. However, it added that such restrictions must be necessary, proportionate, and in pursuit of a legitimate aim.
In this context, the sheer absence of words like ‘proportionate’ or ‘proportionately’ is rather starkly conspicuous with respect to such restrictions though the Section 33 of the DPDPA does ask the Data Protection Board of India to consider whether the penalty is ‘proportionate’ with respect to the specific breach before imposing the same.
4) Judicial Scrutiny
Further, the judgment underlined that any state action infringing on privacy should also be subject to judicial scrutiny. However, beyond the writ jurisdiction available for enforcement of all the fundamental rights, the DPDPA itself does not include any other mechanism for judicial oversight.
5) Independence of Statutory Regulator
Just days before the SC judgment was delivered, the government had constituted an experts committee chaired by Justice Srikrishna on July 31, 2017 to recommend a data protection framework.
Unsurprisingly, the judgment itself did not refer to establishment of a statutory regulator per se. However, considering that DPDPA deals with a fundamental right, concerns have been voiced around lack of clear safeguards to ensure autonomy and independence of the Data Protection Board of India, the statutory regulator under DPDPA.
6) Surveillance Reforms
The apex court had emphasized the need for safeguards against arbitrary state surveillance. However, the DPDPA neither addresses the issue of state surveillance nor there has been any other significant progress reforms in this direction notwithstanding the discourse and the debate around these issues.
7) Duty of Data Principals
The SC judgment was all about privacy as a fundamental right. However, the DPDPA also casts certain duties on the data principals. In case of non-compliance, a penalty up to Rs. 10,000 may be imposed on the data principal.
What Next?
The DPDPA has numerous provisions necessitating subordinate legislation. Though the DPDPA had been ‘published for general information’ in the official gazette on August 11, 2023 following the President’s assent earlier in the day, public consultation for the draft rules is yet to commence.
Hopefully, this would be done sooner than later as indicated by the Minister of Electronics & IT, considering the ever-increasing digitization and digitalization underway.
Deepak Maheshwari, a public policy professional, is Senior Consultant with Centre for Social and Economic Progress, a Delhi-based think tank.