THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023: can women expect any meaningful protection for data privacy now? by Dr. Debarati Halder

Women for women

On 11th August, 2023, the much-awaited Digital Personal Data Protection Act, 2023 (DPDA) finally came into existence. Drafted largely in the shadow of the EU General Data Protection Regulation, the DPDA offers certain rights to data principals and imposes certain duties on data fiduciaries. But first, let me break a myth: the DPDA is not an exclusive statute for providing privacy to our data. The words ‘protection’ and ‘privacy’ may not always be synonymous.

If we look into the preamble of the DPDA, we see that it offers four reasons for enacting this law:

1. To provide for the processing of digital personal data in a legalised manner
2. To recognise the right of individuals to protect their personal data
3. To recognise the need to process such personal data
4. To recognise the lawful purposes for processing the data

Every individual is a data principal according to S.2(j) of the DPDA. Irrespective of gender and age, a data principal is a person to whom the concerned data relates. However, this provision clarifies the status of children and the disabled by stating that for the former, the parents or the lawful guardians will become the data principal, and for the latter, the lawful guardian will be the data principal. As we know from the Information Technology Act, 2000 (amended in 2008), data means nothing but information that may represent many profiles of individuals: these may include financial status, health status, educational status, maturity status, marital status, and so on. Data itself may be extremely costly, especially when it is processed and formally associated with specific organizations or institutions. According to S.2(x), “processing” in relation to personal data means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

Interestingly, the DPDA therefore advocates not only for the protection of the integrity of data while it is being processed; it also bats for the right to be forgotten.

For years I have been observing that women are targeted in cyberspace for many illegal acts. I have witnessed the amendment of the Indian Penal Code whereby a dedicated series of S.354 provisions was introduced for penalizing several patterns of criminality in cyberspace. These included cyber stalking, voyeurism, disrobing women in the physical space and photographing the assault, sexual harassment and using sexually explicit language, gestures etc. Several other laws, such as the Sexual Harassment at Workplace (Prevention, Prohibition and Redressal) Act, the Indecent Representation of Women (Prohibition) Act etc., were introduced or amended to provide further protection to women and to support the Information Technology Act, 2000 (amended in 2008). None of these could completely prevent online crimes against women. On the contrary, perpetrators have found new ways to commit cybercrimes against women. At present we see that women are targeted more by fraudsters who trick them into financial loss.

The DPDA creates a layer of protection against the data processing stakeholders. Processed data may contribute to creating the identity of the data principal, educational degrees, health records, financial records etc. Most of these are vulnerable sensitive personal data. The DPDA has therefore enhanced the responsibility of data fiduciaries to protect the consensual data that is shared with them.

But now let us see how DPDA may not protect the interest of women:

1. Who manages the artificial intelligence that will be applied for processing of the data under S.2(x) of the DPDA?

The Act indicates that the data fiduciaries and the data processors may be responsible for controlling the AI used for processing the data. But where is the data pool for the AI which will be working with the data? We must not forget that most data fiduciaries may use foreign-based AI for processing data. In that case, is there any specific rule to control the foreign entity that may be controlling the AI? The answer may be found in S.3(b) of the DPDA, which sets out the scope of the Act. It says as follows:

        Subject to the provisions of this Act, it shall (b) … also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;

The answer may also be found in S.11, which speaks about the rights of the data principal. But again, this needs a clear explanation.

It is not very clear whether the AI system (that will be applied for data processing) falls within the meaning of “services to Data Principals within the territory of India”. If it falls within this category, then we need to see whether the contractual obligations between the data fiduciary and the AI creator company/entity can be made transparent to the data principal.

2. How would non-digitized data be digitized without manipulating the original data?

Let us go back to S.3 of the DPDA again. While explaining the scope of the DPDA, S.3(a) mentions that this Act shall apply to the processing of digital personal data within the territory of India where the personal data is collected … in non-digital form and digitised subsequently. In such a case, and also in the case of processing digital data, the DPDA does not mention what security procedure may be applied to restrict the leaking of sensitive personal data of data principals, especially women. Such questions may be answered through the DPDA Rules that we are looking forward to. But honestly, there may be many occasions where data would be exposed without authorisation by the data protectors themselves. We need to see how far the statute would be implemented to heal the harm and compensate the data principal directly, especially when the data principal is a senior citizen, a minor, or an educationally challenged or disabled woman.

3. Now comes the question of the grievance redressal mechanism that must be set up by the data fiduciary, as mentioned in S.8(10) of the DPDA.

The Act remains silent about the infrastructure of the said mechanism. If we look into the Information Technology Act, 2000 (amended in 2008), we see a court system in which the qualifications of the forum members (for example, the Administrator for civil offences etc.) are clearly mentioned. But the Information Technology Act, 2000 (amended in 2008) does not mention anything either about the qualification of the grievance redressal officers. The IT (Intermediary Guidelines and Digital Media Ethics) Code, 2021 discusses in detail the engagement of a grievance redressal mechanism by intermediaries in Rule 3 (focusing on due diligence by intermediaries), Rule 10 (furnishing and processing of grievance), and Chapters 2, 3 and 4 (which discuss levels 1, 2 and 3 of the self-regulating mechanism and the oversight mechanism). We have to see if the DPDA applies parts of the IT (Intermediary Guidelines and Digital Media Ethics) Code, 2021 for mandating the data fiduciaries to set up grievance redressal mechanisms. In my opinion, data fiduciaries must consider engaging women officers to look after the grievances from women data principals. This may make female data principals (especially those coming from orthodox societies and those who may be educationally and/or socio-economically challenged to access the male-dominated grievance redressal mechanisms) feel comfortable sharing their grievances. This may also encourage better reporting of criminal activities in cyberspace.

  • The DPDA under S.3(c) very clearly withdraws its scope from the data principals in the following situations:

(i) personal data processed by an individual for any personal or domestic purpose; and

(ii) personal data that is made or caused to be made publicly available by—

(A) the Data Principal to whom such personal data relates; or

(B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

The explanation to S.3 of the DPDA explicitly shows that if a data principal voluntarily shares her personal data publicly, the DPDA provisions (regarding the responsibilities of data fiduciaries) will not be applicable. In my capacity as a cybercrime victim counsellor, I have seen the unfortunate rise of cybercrime cases and, more unfortunately, cases of victim blaming in situations such as those mentioned in the exception of S.3(c) of the DPDA: bloggers, digital creators and social media influencers intentionally share their personal data for profit. In case of infringement of their data integrity or a data breach, they will now become ‘guardian-less victims’ who should brace themselves to face challenges in the system of criminal justice. But here lies the legal twist: such women may claim the protection of the DPDA if the integrity of their sensitive personal data is violated due to the negligence of the data fiduciary, i.e., the intermediary/website/web domain etc. that provides them with platforms to publish their blogs, write-ups, opinions, videos, business-related information etc. As such, women bloggers, digital creators and social media influencers must go ahead with their data sharing and data processing contracts with the primary data fiduciary (the web domains, websites etc.) with extreme care. Such women (and men too) must now consult lawyers to prepare an agreement for entering into a contract with such intermediaries etc., who have always tried to dominate the contractual relationships with their custom-made agreements, which may enable them to escape liabilities by using immunity veils.

4. Last, but not the least, is the question of “lawful purposes” that makes the data fiduciaries liable to share the personal sensitive data with the government stakeholders.

The issue of surveillance is worth mentioning here. While there may be surveillance in the name of the safety of the nation, the peace and security of the community, friendly relationships with neighbouring countries and even the protection of the rights of fellow citizens, as has been stated under Article 19(2) of the Constitution, misuse of power by government officials, including police officers, to breach the integrity of the personal data of women may be a serious blow to the right to protection and privacy of digital data.

The DPDA, 2023 offers many positive aspects for data protection. But this is the beginning of a new understanding of the data protection regime in India. We need a lot more research on the practical applicability of the law to provide safety to women. Let this ‘new beginning’ bring a more positive attitude and awareness for holistic safety in cyberspace.

Please note: please do not violate the copyright of this write-up. If you want to use it for your article, assignment, project etc., please cite it as Halder Debarati (August, 2023) THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023: can women expect any meaningful protection for data privacy now? Published in https://wordpress.com/post/internetlegalstudies.com/1433 on 24-08-2023