The legal analysis of the Personal Digital Data Protection Act, 2023, has focused on the large-scale exemptions that have been provided to both State and private entities.
This analysis focuses on the language used in the Act itself to make the point that the Act facilitates data appropriation rather than data protection.
Recall that the context of legislating this Act was the recognition of the right to privacy as a fundamental right by the Supreme Court in 2017. An intervening period of half a decade was spent on a public deliberation on the nature and shape of this legislation.
Interestingly, the word “privacy” does not find any mention in the Act, and this gives us a first clue to the aims of this legislation.
Biometric information, which is classified as sensitive personal information and accorded a higher degree of protection in many jurisdictions, including previously under the Information Technology Act, 2000 in India, finds
no mention.
It is useful to focus on the conjunctive use of terms like ‘both’ and ‘and’ in critical spaces in the Act. Chapter III is on the rights and duties of the data principal.
Privacy has been recognised, is now established as a fundamental right, and therefore does not come with any conjunctive duties.
Nevertheless, statutory rights recognised in the Act are conditioned on the performance of duties by the data principal and, in effect, impoverish the fundamental right to privacy.
In a similar vein, the Act mentions that it recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes. The use of the conjunctive ‘both’ seems to suggest these aims are equally valid.
Surely, the recognition of privacy as a fundamental right demands that the restrictions in terms of mandatory data processing be reasonable and that
such processing should not be given the same status as upholding the right to privacy.
The use of the conjunctive ‘both’ creates a false equivalence between these two dichotomous objectives of processing and protecting data.
Data principal is preferred as a term to refer to individuals whose personal information is processed. The choice of the term data instead of personal information and principal instead of individuals or persons is deliberate and is intended to dehumanise persons by reducing their identity only to legitimate sources of data. This intuitively establishes the moral validity of data as a valuable resource.
Further, by naming the person whose data is appropriated as the principal, the Act implies that the relationship between the person and the entity processing their data is a relationship like that of a principal-agent. In the sense that it will be informed and consensual and that the agent will act in the interest of the principal.
Similarly, the naming of the entity as a ‘data fiduciary’ is supposed to buffer this presumption that there is a relationship of trust between the individual and such entities taking and processing the data and that such entities are expected to act on behalf of and in the interest of the former, something that is not borne out of the substantive provisions of the Act.
In fact, the word trust is not mentioned in the text of the Act. Although it is named as such, there are no specific provisions clearly enunciating and mandating that there exists a privileged relationship between individuals and these entities, requiring a duty of confidentiality and care.
Finally, the Act chooses to use loss or gain, eschewing the use of more well-established common-law terms like harm, injury, or damages, which can accrue to individuals or to the general public due to abuse of data practices.
The use of such legal terms would have been more appropriate since they would not only be flexible enough to capture evolving jurisprudence on privacy violations triggered by data practices, but they would also provide legal certainty in terms of interpretative practices given their long usage.
In essence, the Act seeks to facilitate data appropriation to meet the objectives of private industry and the State by undermining the rights and interests of individuals.
It should therefore be renamed the Personal Digital Data Appropriation Act, as that would be a more faithful and correct representation of its aims.
Maybe that would miss the entire point. Language is revealing only if we are attentive to it. If not, then language may also help camouflage the true aims that it hopes to achieve.
(The writer is a legal academic)