Student's OpEd: DATA PROTECTION AND SWARAJ

Introduction

Data – a value, containing information, has become eponymous to our lives. We live in a digital world, where all our information, be it educational, professional, financial, or personal, is now stored on digital platforms. These platforms have access to each, and every sphere of our lives, whether we may wish so or not, due to the necessity for securing an easy life in our increasingly digitalized world. Consequentially, we have observed a rise in privacy infringement of our digital data. This has led to the recognition of this “Right to Privacy” by the Supreme Court in the landmark case of Justice K.S. Puttuswamy (Retd.) and Anr. V. Union of India and Ors. (2017). In light of this verdict, the Government of India introduced the Personal Data Protection Bill, 2019, which was later withdrawn, and consequent introduction and enactment of the Digital Personal Data Protection Act, 2023.

Legal Principles of DPDP Act, 2023

When we try to analyze the DPDP Act of 2023, we can easily recognize a few of its key features, which form the bedrock as its legal principles on which the entire act is based and aimed. These features, which concern with key issues dealt by this article, include:

• Significance of Personal Data – The act, primarily deals with personal data, which includes any data about an individual who is identifiable by or in relation to such data, and instances of its breach.
• Consent-based data processing – Section 6 of the said act explicitly enumerates that free and fair consent of the Data Principal, i.e., the owner of the data, is necessary to process the personal data of such owner.
• Exemptions for State – Section 7 (b) of the act allow the state and its instrumentalities to process personal data without the consent of the individual under certain exceptional circumstances.
• Centralized structure – The Act promotes a centralized structure with a top-down approach adorning the central government with immense control authority. Section 10 regarding the appointment of “significant data fiduciaries” and Section 18 regarding the establishment of the Data Protection Board of India, further this approach.

These features, along with many others, align very closely with the General Data Protection Regulation (GDPR) of the European Union.

Core Principles of the Act

By analyzing the aforementioned principles, we can identify the core principle of the Act being “Informational Self-determination” based on the idea of “Individualism” and “Centralization” as well. These ideas, based on the liberal notion, are rooted in the Western jurisprudential theory

John Locke argued that individuals have natural rights over their bodies, labour, and properties. In today’s digital world, the meaning of “property” has extended to also include digital information. Individuals have a right over this personal information of theirs, thus making privacy, a private right of an individual. This concept rapidly developed, and now information is also recognized as the private property of an individual. Furthermore, this idea of individualism is also furthered in the Harm Principle propounded by John Stuart Mill. According to this principle, the state should only interfere in individual liberty when the actions of such an individual cause harm to others. This ensures minimum state interference in the self-determination of individuals.

The idea of individual control over personal data was explicitly dealt with by Alan Westin, in his work – Privacy and Freedom (1967), propounded the concept of “Informational Self-determination”. Accordingly, it means that an individual should be guaranteed privacy, that is to say, they should be armored with the right and ability to control how their personal information is collected, used, processed, shared, or dealt with in any other way, by any authority or person, be it the state , institutions or other private individuals.

The act enshrines the aforementioned principles exponentially, to achieve its aim of data protection by prioritizing individual control.

On another note, we can also recognize a centralized, top-down approach in the institutional working established for the implementation of the act. This includes the provisions relating to the Data Protection Board, whose establishment is entirely controlled by the Central Government as well as the appointment of the so-called “Significant Data Fiduciary”.

Feasibility of the Principles in the Indian Context and Swaraj.

The Indian legal philosophy is rooted in the idea of Swaraj or self-rule which places a significant importance on community governance and shared responsibility. This is in complete opposition to the Western notion of data being an individual asset, to be dealt by the individual only. Swaraj places emphasis on community rather than a single individual, as opposed to the Western jurisprudential notion of “individualism” and “liberalism”. Indigenously, India has always been a community-governed society. Grass-root level governance has always been integral to our community-driven, participative societal and legal framework. These can be identified within traditions such as temple archives preservation which contained personal records of that particular village or community. However, the said act relies extensively on the central government for all major policy concerns and establishment. The Western emphasis on “individualism” and “centralization” is unnatural to our society, and over-reliance on these ideologies may erode our indigenous traditions. The said act also closely replicates the European Union’s General Data Protection Regulation (GDPR) model for framing its structure, without taking into consideration the principles on which the GDPR is based is naturally rooted in their cultural context, which vastly differs from our Indian context. For instance, individuals in India have uneven digital literacy. This results in uninformed decisions in information self-determination to protect privacy, effectively negating the aim and objective of the act. Therefore, what India needs is contextual legal solutions based on its indigenous principles rather than a replicated adaptation of foreign laws.

Proposed Alternative Model

India requires its own set of digital laws which is inclusive and equitable in its society. As such a model of data protection law can effectively be visualised taking into consideration the Indian context. This model of law can be based on the idea of community-driven self-governance and decentralization. It could include:

• Grass-root level data governance – Local governance institutions such as Panchayats and Municipal Corporations can have a say in how data is collected, processed, and used to ensure participatory oversight. This also ensures that data is not used based on the uninformed consent of individuals.
• Community Data Holders – Instead of entire individual control, certain spheres of data can be controlled communally with community data holders, which manage shared data of this community.
• Transparency – Open access can be provided to all citizens on data regarding how their personal information is being collected, processed, utilized, or shared. This creates accountability on the part of the government.

All these effectively place significant importance on the community rather than state or an individual. This perfectly aligns with the historically Indian model of governance as against the Western emphasis of “individualism”, ensuring the collective-welfare of people.

Conclusion

While DPDP Act, 2023 has finally given Indians a legal framework to protect their data privacy, the government also needs to take into consideration the Indian socio-cultural context to ensure that this enactment can truly achieve its aim in our society. We need to remember that successful governance of shared resources does not always require privatization or state control but can be achieved through local, participatory institutions (Ostrom, 1990).

References

1. M.K. Gandhi, Hind Swaraj (Navajivan Publ’g House 1909), https://www.gandhiheritageportal.org/gu/bookdetail/MTEwOTg=/hind-swaraj.
2. John Locke, Two Treatises of Government (Peter Laslett ed., Cambridge Univ. Press 1988) (original work published 1690), https://www.gutenberg.org/ebooks/7370.
3. John Stuart Mill, On Liberty (Longman, Roberts & Green 1859), https://www.gutenberg.org/ebooks/34901.
4. Alan F. Westin, Privacy and Freedom (Atheneum 1967), https://press.princeton.edu/books/hardcover/9780691181270/privacy-and-freedom.
5. Elinor Ostrom, Governing the Commons: The Evolution of Institutions for Collective Action (Cambridge Univ. Press 1990), https://www.cambridge.org/core/books/governing-the-commons/1C22D502E5E14A7208DC8E3A56E0D8E6.
6. The Digital Personal Data Protection Act, 2023, No. 30, Acts of Parliament, 2023 (India), https://www.meity.gov.in/content/digital-personal-data-protection-act-2023.
7. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) (GDPR), 2016 O.J. (L 119) 1, https://eur-lex.europa.eu/eli/reg/2016/679/oj.
8. Image Source: https://www.cyberbaap.org/wp-content/uploads/2023/11/The-Digital-Personal-Data-Protection-Act-2023-A-Simplified-Overview-300x144.jpg

Note:

The author affirms that this article is an entirely original work, never before submitted for publication at any journal, blog or other publication avenue. Any unintentional resemblance to previously published material is purely coincidental. This article is intended solely for academic and scholarly discussion. The author takes personal responsibility for any potential infringement of intellectual property rights belonging to any individuals, organizations, governments, or institutions.