DPDPA 2023: The fundamentals

Abstract

The Digital Personal Data Protection Act 2023 (DPDPA 2023) was motivated by concerns regarding Privacy worldwide and the requirements of processing personal data. The scope of protection and limitations depend on the underlying concepts and definitions made in the Act. It is seen that this suffers from serious flaws and derogates from the Privacy and concomitant rights and protection given to the individual.

Introduction

The Right to Privacy led to the genesis of Personal Data Protection Frameworks worldwide. In India, pursuant to the Puttaswamy judgment[1], the right to privacy is protected as a Fundamental Right[2]. Subsequently, various efforts culminated in the Digital Personal Data Protection Act 2023.[3]

An analysis of various features of the DPDPA 2023 by the author is available here [4].

This analysis, in two parts, examines the core definitions & underlying principles that form the basis of DPDPA 2023, how it affects the fundamental rights, including privacy and her personal space.

Digital & its implications

The first word in the Act is “Digital”. However, “Digital” is not defined in the Act. So what is digital and its impact on what is personal and the privacy of the individual is the issue.

The purpose of the Act is not only to meet the present requirements of “digital computers and processing” but also to cater to other technologies that are likely to come in the future. In this respect, Technological neutrality is important. This is stipulated by the Justice AP Shah report, also quoted in the Puttaswamy judgement. The requirements of protecting Privacy would not change if other technologies, e.g., Quantum, Biological Computing, Augmented Reality, Cyber-Physical systems, or Analog-to-Digital converters, are brought into the matrix. In addition, Article 19 of the Universal Declaration of Human Rights[5], states that “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” The phrase “any media” indicates technological neutrality amongst others, in the absence of which the rights would get affected adversely. India’s commitments to the UDHR are incorporated in the detailed Puttaswamy judgment.

As a comparison, the GDPR (General Data Protection Regulation) of the European Union “protects personal data regardless of the technology used for processing that data. It is technology-neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example, in alphabetical order). It also does not matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR”.[6]

An illustrative example

Consider a person’s activity in the bedroom and a peeping Tom, who “captures personal data using the most sophisticated biological computer & sensors, ie, the human body & brain, and processes it in some unknown data format“. Alternatively, he makes an audio/video capture using a digital camera/ cellphone or an old-fashioned non-digital/analog camera. Whether it is the peeping Tom himself, or the camera or sensors which pick up and record the activities, and the corresponding personal data, the privacy and the breach of privacy of the individual exist irrespective of the agent and method, or the technology of access and capture. So, digital and privacy are independent concepts. Furthermore, whether something is considered digital or not is irrelevant to and independent of privacy or its breach & vice versa.

Confusion & contradictions regarding “Digital”

Some entities may simultaneously be considered both digital and continuous or analog. Signals in the first mile before capture and input into a digital computer, e.g., light waves, are a continuous phenomenon. However, light also arrives in discrete packets called quanta, so the signals are digital as well as continuous. This is a particular case of Quantum Mechanical wave-particle duality, which ensures that many kinds of incoming signals are discrete & hence digital, as well as continuous, before capture and processing by a “digital computer“.

Observe that the “analog” output after processing from a digital computer, e.g. a printout on paper, or tape, or a record physically engraved on lac discs, is within the scope of DPDPA: per section 2(x) processing of personal data is defined as “… storage, use, adaptation, …, or otherwise making available”.

Furthermore, note that one obtains a contradictory position for the same analog output –
The paper print from a digital camera or device v/s the same output from an analog camera. Or a sound recording, which may be digital or analog, cut into an old-fashioned gramophone disc, which is considered analog. However, the first output is within the scope of the Act because it is subsequent to processing by a digital camera, whereas the second remains outside the scope of the Act.

Understanding what is digital

Digital computers or logic gates can be implemented variously, e.g., using mechanical artifacts or water, not necessarily electronic artifacts or flip-flops. If a variable like temperature is written on paper, it is in decimal notation and hence digital, so this should also come within the scope of the Act. Money is a representation of economic value, where the storage medium is for notes, and metal for coins, and the denominations are decimal digits, so the economy and money are also digital. A vote and the outcome of an election are the result of some fuzzy preferences in each person’s mind, digitised into a vote, whether electronic or on paper, then processed digitally to declare the winner, again a digital outcome. An ordinary mercury thermometer, though not called digital, gives a digital output because the markings on it are at discrete intervals and the temperature is recorded in decimal digits. Analog in the real world is digital with an extremely fine and high degree of granularity.

Observe that extremely high bit rates or pixel density practically make digital become analog or continuous, so is it within the scope of the act? This leads to the anomaly that data capture by the peeping Tom at low bit rates is within the scope of the Act, whereas at ultra-high resolution or bit rates providing more clarity and detail, is outside the Act. Plotting a graph may be continuous, whereas reading off that line at discrete intervals, however fine, makes it digital.

Does Digital matter?

The real issue is how or why should all this affect the privacy or diminish the protection given to the person whose personal data and privacy is at stake. The answer is the negative.

Legal position in intellectual property protection & other rights

The rights in copyright subsist irrespective of the mode of expression or the technology used and any transformations from one to another. The rights do not appear then diminish or disappear from analog to digital or binaries which is just a string of 1s and 0s, or vice versa. Nor do your rights in money or shares diminish if they are changed from real, physical to demat or digital form.

Conclusions and way forward

From the above account, it is clear that introducing the word “Digital” in the Act, apart from being undefined, is an unnecessary, untenable, self-contradictory, curtailment of the protection & rights when privacy or its breach are independent of it. T

Hence, the word “digital” must be dropped from the Act.

In the next part, we examine the concepts relating to the definition of Personal Data, Privacy, and the remedy in law as per DPDPA 2023.

To be continued…

Note:
1. Text in Blue points to additional data on the topic.
2. The views expressed here are those of the author and do not necessarily represent or reflect the views of PGurus.

Reference:

[1] Supreme Court Reports (SCR) – SCR

[2] Constitution of India – India gov

[3] THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 – Meity

[4] New Data Law Is Too Full Of Holes To Protect Either Privacy Or National Interest – Aug 10, 2023, Swarajya

[5] Universal Declaration of Human Rights – UN

[6] Data protection explained – European Commission

For all the latest updates, download PGurus App.

The post DPDPA 2023: The fundamentals appeared first on PGurus.