The Digital Personal Data Protection Act, 2023 (“DPDP Act”) has been passed by the Rajya Sabha and the Lok Sabha and has received presidential assent. The DPDP Act provides a framework to protect the digital data of millions of Indians. In a world where technology is continually advancing, the bill was long overdue.
While the DPDP Act is an achievement in the realm of cyber laws, there are certain concerns regarding some of the sections. This article covers the apprehensions regarding Section 7, which deals with certain legitimate uses by which the data fiduciary could process the data of the data principal without their consent. Before proceeding with the challenges this section could pose to society, it is necessary to understand certain terms. The data principal is the person whose data is being collected, stored and processed, and the data fiduciary is the person or group of people storing and processing the data. The draft DPDP Bill 2022 mentioned that in certain situations consent would be deemed to be given by the data principal for the processing of the principal’s personal data. These situations included medical emergencies, compliance with a judgment, etc. Sub-section 8 stated that a data principal is deemed and considered to have given consent in certain special circumstances involving public interest, for example detection of fraud, credit scoring, and network and information security. As this clause faced backlash, the words “public interest” were removed and the phrase “legitimate purpose” was inserted instead.
Today, we provide personal information like phone numbers, email IDs, health data, etc., to various online platforms and people, raising serious concerns about data privacy. In such a scenario, the legitimate purposes for which the data principal’s data shall be used without consent become of utmost importance.
Comparison with Legitimate interests under GDPR.
Legitimate purposes or legitimate interest is not a new concept, and has been enshrined in the GDPR (EU General Data Protection Regulation enacted in 2016). However, legitimate interests in GDPR are slightly different from legitimate purposes under the DPDP Act, 2023. As per Art. 6 (1) (f) of the GDPR, processing data without consent is lawful for legitimate interests to the extent that such interests are overridden by the interests or fundamental rights of the data subject. A tripartite test has been followed by the European Court of Justice to ensure that the legitimate interest does not violate privacy rights of data subjects. The three parts are the Purpose, Necessity, and Balancing tests, which have also been reaffirmed in the Riga’s case. The Purpose test ensures that there is a legitimate interest for processing data. The Necessity test is to showcase that the processing was necessary to fulfill the legitimate purpose. The third part, which is balancing the individual's interests and the legitimate interest in processing the data without the principal’s consent, is the most important issue. No particular factors have been given for determining whether an interest is legitimate; the meaning has been kept broad. Art. 6 (1) (e) of the GDPR allows processing of data in cases where it is a matter of public interest. The Information Commissioner's Office has provided information as to how the tripartite test works in real-life situations. An analysis of the case law before the Court of Justice of the European Union (CJEU) highlights the manner in which the EU determines legitimate interests. The landmark Riga’s case dealt with a tram company requesting data about a person involved in an accident, due to whom the tram got damaged. The administration did not reveal details about the person, stating that it was information regarding an administrative case and could not be provided to a third party.
The court left the decision to the national court; however, it completed the analysis and stated that Article 7(f) of Directive 95/46 (the provision corresponding to Art. 6 (1) (f) GDPR) does not act as an obligation to disclose personal data.
The Google case also holds a mirror to the rights of a data subject when there is a clash between erasure of data and legitimate interests of third parties. A Spanish citizen had requested the removal of an old article which spoke about his declaration of bankruptcy 10 years ago. He also demanded that Google remove the link to the article. The court then had to decide whether the data subject’s rights outweigh the legitimate interest. It was decided that in such a case, the data subject’s fundamental rights to privacy outweigh the interests of the third party. The right to erasure was recognised and with the balancing of interests it was held that the data subject’s rights outweigh the rights of Google as the data controller in the instant case. The publication of personal data on a website did not meet the requirements of legitimate interest as it affected the data subject’s private life.
An interesting legal aspect of the GDPR, however, is that it gives a right to object to data processing without consent, enshrined under Art. 21 of the GDPR. The Indian section, however, has stated that data processing would be allowed without the consent of the data principal in certain instances, one of which is Sec. 7 (c). Sec. 7 (c) states that data may be processed in the case of national security and integrity of the state. Some examples of arbitrary storing of data from recent times include the Delhi police storing data of persons in Delhi hailing from North-eastern states, Ladakh and Darjeeling through a Google form. The reason stated by the Special Police Unit for the North-eastern region (SPUNER) for collection of data was to ensure the security of the nation. There are concerns that the provisions of the DPDP Act could be misused by the central government, which has uncurtailed powers. Further, the provision for data erasure has only been provided for cases where the data principal has given consent. While the DPDP Act has provisions on the right to erasure under Sec. 12, the same has only been granted to the data principal in cases where the data principal has consented to the use of data earlier. The DPDP Act does not allow the data principal to object in cases where data is being processed for a legitimate interest without their consent. In some instances, ruling governments may misuse the provisions of the DPDP Act.
These cases highlight that the approach followed by the European courts is to conduct a case-by-case study of the fundamental rights of the data subject in reference to the legitimate interests of third parties. It ensures that the data disclosure is lawful and necessary. The balancing approach also takes into account multiple factors to ensure that personal data which affects the lives of the data subject are not allowed. The Indian courts have not yet grappled with the DPDP Act and there are few cases regarding data and privacy. The Puttaswamy judgment, however, has ensured that privacy is considered a fundamental right under the ambit of Art. 21, which led to the culmination of efforts to ensure that a data regulation legislation is drafted. Recently, in 2021, the Madras High Court dismissed a petitioner's right to be forgotten when he wanted his criminal and court records expunged after his acquittal. It highlights that Indian courts still need to interpret various matters under the right to object, right to be forgotten and general rights of a data principal. The Indian judicial interpretation should use an approach similar to that followed by European courts when enforcing GDPR to ensure that data is only processed without consent in cases involving “legitimate purposes”. It should also ensure that legitimate purposes outweigh the individual’s right to privacy.
While the DPDP Act has been given presidential assent, it remains to be seen in the next few days how the DPDP Act will be implemented. Further, rules need to clarify in more detail what qualifies as legitimate purposes in terms of data. This will become clear once instructions regarding how the DPDP Act is to be implemented are circulated. Till then, the GDPR and the CJEU’s approach towards questions on legitimate interests serve as a good template to understand how the DPDP Act can be implemented on a case-by-case basis. While the DPDP Act is an achievement and a step towards regulating complex issues like data, it still needs clear provisions granting rights to the data principal. The extent of legitimate interests and the rights of the government to use the “legitimate interest” clause need to be delineated clearly so as to ensure reduced conflicts. Indian courts and legislators are yet to see how the DPDP Act pans out in cases of real-life application. The DPDP Act has potential for streamlining data protection and guaranteeing the fundamental right of privacy of Indians. The similarities between the European and Indian legislation help in speculating on the manner in which the Indian judiciary can interpret conflicts surrounding data using the DPDP Act, 2023 as the guiding light.
Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja Gonzalez, judgement of 13 May 2014.
Ivneet Walia & Namah Bose, Legitimate Uses under the Digital Personal Data Protection Act, 2023 - Imbalance of Power or Furtherance of Rights, Digital Law Asia (Sept. 12, 2023), https://digital.law.nycu.edu.tw/blog-post/yuyggk/.