Unravelling “Consent” under the Digital Personal Data Protection Act, 2023 — A Barrier to Data Principal Rights

by Gaurav Thote*


Like the United States Constitution, the Indian Constitution does not explicitly recognise the right to privacy.[1] Courts in India initially held varying perspectives on the nature and scope of the right to privacy. It took approximately 67 years after the Indian Constitution’s adoption for the right to be acknowledged as a fundamental right — it was not until a landmark decision[2] in August 2017 by the Supreme Court of India that privacy was declared a fundamental right. While recognising that privacy is a fundamental aspect of the right to life and personal liberty under Article 21[3], the Court heavily relied upon Rustom Cavasjee Cooper v. Union of India[4], a ruling rendered by an eleven-Judge Bench, which had established that fundamental rights were not mutually exclusive, and that the test for Article 21 would have to include a requirement of reasonableness in conformity with Article 14[5] in order to pass constitutional muster.

Building on this landmark judgment and in response to the increasingly data and technology-driven “Web of the World[6],” India recognised the urgent need to regulate the processing of digital personal data in a way that empowers individuals to safeguard their privacy. This led to the formulation of the Digital Personal Data Protection Bill, 2023[7], an evolution of the earlier Personal Data Protection Bill, 2019[8]. The Bill was approved by the President of India[9] and became law as the Digital Personal Data Protection Act, 2023[10] (DPDPA) on 11-8-2023[11].

The DPDPA contains 9 Chapters and a Schedule that provides penalties for breach of provisions. For the purposes of this article, it may be apposite to reference only those provisions of the Act that pertain to consent and the rights of a data principal, as these aspects are central to comprehending the full impact of the captioned subject.

The Act defines “data fiduciary” as any person who alone or in conjunction with other persons determines the purpose and means of processing of data. “Data principal” is defined as an individual to whom the personal data relates. It also covers children (including parents and lawful guardians) and persons with disabilities (including their lawful guardians acting on their behalf). A “data processor” is any person who processes personal data on behalf of a data fiduciary. The term “person” encompasses individuals, Hindu undivided families, companies, firms, associations of persons, the State, and every artificial juristic person. “Personal data” refers to information about an individual that can identify them, either directly or indirectly.

Section 4(1)[12] of the Act authorises a person to process the personal data of a data principal only in accordance with the provisions of the Act and for a lawful purpose:

(a) for which the data principal has consented; or

(b) for certain legitimate uses.

It has been clarified in Section 4(2) that “lawful purpose” would mean any purpose which is not expressly forbidden by law. The term “certain legitimate uses” has been clarified in Section 7(a)[13] to mean providing implied consent since it permits a data fiduciary to process personal data for certain legitimate uses, namely, for the specific purpose for which the data principal has voluntarily provided their data to the data fiduciary, and for which they have not indicated that they do not consent to the use of their personal data.

Section 5[14] of the Act requires the data fiduciary to provide notice to the data principal for consent informing them of the personal data and purpose for which the same is proposed to be processed, the way the data principal may exercise their rights under Sections 6(4)[15] and 13[16], and the manner in which the data principal may make a complaint to the Board.

Section 11 of the Act empowers the data principal with the right to obtain from the data fiduciary to whom consent was provided previously, a summary of personal data being processed and processing activities undertaken; the identities of other data fiduciaries and data processors with whom data has been shared, along with a description of the personal data so shared; and any other information relating to the personal data of the data principal. The proviso to this section invalidates these rights in respect of sharing the data to other data fiduciaries authorised by law to obtain such personal data, where such sharing is accompanied by a written request for prevention, detection, or investigation of offences or cyber incidents, or for prosecution or punishment of crimes. Section 12[17] of the Act provides for the right to correction, completion, updating, and erasure of personal data for which consent was previously provided. Section 17[18] carves out exceptions to certain provisions and rights in certain cases.

A cursory reading of the DPDPA provisions elucidates that consent — whether express or implied — is a condition precedent for exercising data principals’ rights. This requirement may not only lead to potential negative consequences, but also may not satisfy the test of “reasonableness” under Article 14[19]. Government agencies may process pension-related data even if the information is inaccurate, and individuals would not have the right to correct these inaccuracies. This lack of a corrective mechanism could lead to potentially adverse consequences. Errors in pension data could result in individuals receiving incorrect benefit amounts or facing delays in their payments, which could severely impact their financial well-being. Similarly, inaccuracies in the processing of data related to eligibility for social welfare programs could have detrimental effects. This might lead to individuals being unjustly denied benefits or receiving incorrect amounts of assistance. Such discrepancies may compromise financial stability and limit access to essential services, thereby compounding issues.

Article 14 enjoins the State from denying to any person equality before law or the equal protection of laws. While interpreting Article 14, the Supreme Court has permitted reasonable classification if such classification is founded on intelligible differentia and if the differentia has a rational relation with the object sought to be achieved by the law. In D.S. Nakara v. Union of India[20], the Court struck down a memorandum that liberalised the formula for computation of pension respecting government employees retiring after 31-3-1979, observing that the division that classified the pensioners into two classes on the basis of the specified date was devoid of any rational principle and was arbitrary and unrelated to the object sought to be achieved by grant of liberalised pension.

Drawing parallels with D.S. Nakara[21], the Act classifies data principals into two categories on the basis of “consent”, which appears to not only be unrelated to the object sought to be achieved but also seems to defeat the purpose of the Act, which is stated to provide for the processing of digital personal data in a manner that recognises both the rights of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

In conclusion, India has made significant strides in advancing data protection and privacy through the DPDPA. The requirement to provide notice to the Data Principal, detailing the personal data being collected, the purpose of its processing, and the methods for exercising rights under the DPDPA, underscores the importance of these protections. The inclusion and quantification of penalties for breaches further emphasises the gravity of safeguarding personal data and reinforces the commitment to data privacy.

However, there is a pressing need to re-evaluate specific provisions concerning the exercise of Data Principal rights to align them with the object sought to be achieved. Restricting the exercise of rights solely to data processed with consent may fall foul of Article 14. Expanding the scope to include data processed under other bases could enhance the protection and enforcement of data principal rights, ensuring that individuals have a more comprehensive means of addressing concerns and accessing their data, regardless of the consent status. This adjustment could lead to a more robust and inclusive data protection framework, better aligning with the principles of transparency and accountability.


*Former lawyer at the Bombay High Court and the founder of GT Legal, a data privacy consultancy based in Canada. LLM graduate from Northeastern University, Boston, United States, holding a CIPP/US by the International Association of Privacy Professionals. Author can be reached at: gauravthote10@gmail.com.

1. The US Supreme Court first recognised the right to privacy in Griswold v. Connecticut, 1965 SCC OnLine US SC 124 : 14 L Ed 2d 510 : 381 US 479 (1965).

2. K.S. Puttaswamy (Privacy-9J.) v. Union of India, (2017) 10 SCC 1.

3. Constitution of India, Art. 21, Protection of life and personal liberty.—No person shall be deprived of his life or personal liberty except according to procedure established by law.

4. (1970) 1 SCC 248.

5. Constitution of India, Art. 14, Equality before law.—The State shall not deny to any person equality before the law or equal protection of the laws within the territory of India.

6. Joint Parliamentary Committee Reports, Seventeenth Lok Sabha, Report of the Joint Committee on the Personal Data Protection Bill, 2019 (December 2021).

7. Digital Personal Data Protection Bill, 2023.

8. Personal Data Protection Bill, 2019.

9. Jan Vishwas (Amendment of Provisions) Act, 2023.

10. Digital Personal Data Protection Act, 2023.

11. Jan Vishwas (Amendment of Provisions) Act, 2023.

12. Digital Personal Data Protection Act, 2023, S. 4(1).

13. Digital Personal Data Protection Act, 2023, S. 7(a).

14. Digital Personal Data Protection Act, 2023, S. 5.

15. Digital Personal Data Protection Act, 2023, S. 6(4).

16. Digital Personal Data Protection Act, 2023, S. 13.

17. Digital Personal Data Protection Act, 2023, S. 12.

18. Digital Personal Data Protection Act, 2023, S. 17.

19. Constitution of India, Art. 14.

20. (1983) 1 SCC 305.

21. (1983) 1 SCC 305.
