India's newly introduced Digital Personal Data Protection Act aims to establish a comprehensive framework for data protection in an increasingly digital world. However, as the country anticipates the release of supplementary rules for the DPDPA, contradictions with pre-existing laws such as the Right to Information Act, Reserve Bank of India Regulations, Telecom Regulatory Authority of India Act, and the Information Technology Act, 2000 are coming to light.
The advent of the DPDPA has been a transformative step in India's journey towards regulating personal data in the digital age. There's a lot of buzz around the DPDPA in India and its upcoming rules, which will affect approximately 1.4 billion people.
While businesses are a bit anxious about the potential complications for trade, some government bodies, like NITI Aayog, are concerned about balancing privacy with public interest. A big part of the discussion is how the DPDPA intersects with existing laws and regulations.
As highlighted at the IAPP Asia Privacy Forum 2024, the DPDPA promises to strengthen privacy protections while facilitating the growth of India's digital economy. However, its implementation may introduce conflicts with existing statutes designed for transparency and public accountability, posing significant legal and compliance challenges for businesses, government bodies, and individuals alike.
The Right to Information Act and DPDPA
The Right to Information Act, which went into effect in 2005, empowers Indian citizens to request information from public authorities, thereby promoting transparency and government accountability. Section 8 of the RTI Act outlines exemptions to the disclosure of sensitive information, including national security concerns, judicial restrictions and personal privacy.
The DPDPA introduces a new layer of complexity by proposing amendments to Section 8(1)(j) of the RTI Act. Specifically, the amendments would exempt the disclosure of personal information of public officials, even if doing so serves a larger public interest. This shift, intended to protect personal data under the DPDPA, may limit the RTI Act's effectiveness in promoting transparency.
The proposed changes underscore a growing conflict between the two laws. On one hand, the DPDPA seeks to protect individual privacy and mitigate the risks of data misuse, while on the other, the RTI Act advocates for the public's right to information. The broader question is whether the public's right to access information will be diluted by the right to privacy, and how a balance can be achieved between the two.
It remains to be seen whether the final rules under the DPDPA will clearly define "personal information" and provide guidelines to resolve this conflict.
Reserve Bank of India Regulations and DPDPA
The Reserve Bank of India governs the financial sector with stringent regulations aimed at safeguarding financial information and preventing unauthorized data transfers. One of the key areas of overlap between RBI regulations and the DPDPA is in the realm of cross-border data transfers.
While the RBI imposes strict localization requirements, mandating that certain types of financial data be stored within India, the DPDPA takes a more flexible approach. The DPDPA permits cross-border data transfers, but with certain restrictions, such as the government blacklisting specific countries deemed to have inadequate data protection laws.
This divergence between the RBI's stringent requirements and the DPDPA's more permissive framework could result in compliance challenges for financial institutions operating in India, particularly in navigating the storage and transfer of sensitive financial data.
Another area of conflict is in the consent framework. Both the DPDPA and RBI regulations require explicit consent from data principals (customers) to process their data. However, the DPDPA introduces additional layers of security, retention guidelines and processing limitations, which may necessitate further alignment between RBI regulations and the DPDPA.
The TRAI Act: A telecommunications perspective
The Telecom Regulatory Authority of India Act, 1997, regulates the telecommunications sector and provides for the Telecom Disputes Settlement and Appellate Tribunal to adjudicate disputes within the sector. Under the DPDPA, the TDSAT’s mandate is expected to expand to cover data protection issues in the telecommunications domain, where vast amounts of personal data such as call records, location data, and usage patterns are collected by telecom service providers.
The DPDPA introduces obligations on telecom providers to obtain explicit consent from customers before processing their personal data, ensure robust data security, and provide data principals with control over their personal information. This enhancement in the regulatory framework for data protection may lead to an increase in disputes brought before the TDSAT, particularly in cases of data breaches or the misuse of personal data by telecom operators.
While the DPDPA strengthens the protection of personal data, it also raises questions about regulatory overlap. Given the TRAI's established role in overseeing telecom operations, coordination between TRAI and the new Data Protection Board under the DPDPA will be essential to avoid jurisdictional conflicts.
The IT Act, 2000: Redundancies and overriding provisions
The Information Technology Act, 2000, was India's first legal framework governing electronic transactions, cybersecurity and data protection. Section 43A of the IT Act was introduced in subsequent amendments and required organizations to implement reasonable security practices for the protection of sensitive personal data. Noncompliance led to financial penalties and compensation to affected individuals.
However, the DPDPA provides a more comprehensive and updated framework for data protection, rendering Section 43A of the IT Act redundant. The DPDPA's provisions, including its emphasis on data principals' rights, penalties for noncompliance and cross-border data transfers, offer a more robust system of safeguards aligned with global privacy standards.
Moreover, Section 81 of the IT Act gives the law overriding authority in case of conflicts with other legislation. However, the DPDPA introduces an exception to this provision, stipulating that in matters concerning personal data protection, its provisions will take precedence. The alignment of these two laws will require a reworking of provisions that currently overlap, such as those relating to data security and cross-border data transfers.
Conclusion
India's Digital Personal Data Protection Act presents a forward-thinking framework for data protection that aligns with global standards. However, as the act intersects with existing regulations, significant challenges remain in harmonizing these laws to avoid legal ambiguity and compliance burdens.
Future regulations accompanying the DPDPA must address these overlaps and provide clear guidance on balancing privacy, transparency and public interest. As India continues to refine its data protection framework, it is essential to establish inter-regulatory coordination mechanisms to ensure smooth and consistent enforcement across sectors.
By acknowledging and addressing these contradictions, India can successfully navigate the complexities of privacy protection in a diverse and dynamic legal landscape.
Ankita Kaw, CIPP/US, is a data privacy analyst at GE HealthCare.