Digital Personal Data Protection Act, 2023: A missed opportunity for horizontal equality

In 2010, professor Ramachandra Siras was suspended by Aligarh University after three journalists, thought to be aided by university staff, had barged into Siras’ flat and filmed him being consensually intimate with a man. The Allahabad High Court stayed Professor Siras’ suspension but did not stop the departmental enquiry. He died by suicide a few days after the court order.  

Siras was penalised for his sexuality, and punished by making its fact public in a society which was not ready to accept it. His heart wrenching story, which also inspired a movie, suggested the importance of the right to privacy, particularly when it comes to vulnerable attributes like sexuality. 

With India’s data protection law, there was a golden opportunity to bolster the right to privacy, especially of the marginalised and vulnerable. The Digital Personal Data Protection Data Act, 2023 (DPDPA, 2023) whose development has been shrouded in secrecy, received presidential assent earlier this month. It is safe to say that the Act has squandered the opportunity. 

This is all the more disappointing because the 2019 draft of the law had a special category of “sensitive personal data” that included the following attributes for protection: sex life, sexual orientation, transgender or intersex status, caste or tribe and religious or political belief or affiliation. 

India’s highly vulnerable sexual minorities live in fear of the kind of forced outing that Siras had to experience. Facebook’s advertising business had previously faced criticism for allowing companies to target users based on sensitive data. Companies could target Brahmin users, for instance, or political parties could show ads to certain users based on their religion or political beliefs. Personal data of this sort would have received special protections under the 2019 draft. Unfortunately, the government is yet to put on record its reasons for scrapping the 2019 version of the bill.

Horizontal equality law: A subject-specific approach?

Although Articles 14, 15 and 16 of the Constitution guarantee the right to equality and prohibit discrimination on the basis of religion, race, caste, sex or place of birth, those rights are mostly enforceable against the State. These fundamental rights have since been interpreted by the Supreme Court to include the right to gender identity and sexual orientation. However, a majority of these rights are not yet directly enforceable within the private sector of the country, leading to active legal discrimination. 

Supreme Court lawyer and researcher Thulasi K. Raj, who specialises in equality and anti-discrimination law, believes that equal treatment in the private sector (‘horizontal equality’) is necessary. “I would think that horizontal equality protections are significant in a society that has a history of discrimination especially based on sex and caste,” Raj said, “Private interactions at educational institutions and in employment are of great magnitude in determining one’s quality of life.”

The United Kingdom and South Africa have anti-discrimination laws that address claims of inequality in the private sector. Attempts have been made in the past to put together draft equality bills. Parliamentarian Shashi Tharoor introduced a draft bill in the Lok Sabha in 2017, and also championed similar initiatives at the state level for Delhi and Kerala. The Centre for Law & Policy Research released text for a draft bill in early 2021. Yet, no government has taken up a dedicated horizontal anti-discrimination law. A comprehensive equality law does not appear to have political mileage. (Disclaimer: The Centre for Law & Policy Research is a sister organisation of SCO.) 

In its absence, one approach has been to look at incorporating horizontal equality provisions in subject-specific legislation like the Mental Healthcare Act 2017 and the Transgender Persons (Protection of Rights Act) 2019 (Trans Act). 

“Though it’s far remote from what an Equality Act could possibly achieve,” Raj said, “the inclusion of protected grounds for access to mental healthcare under, say, Section 18 of the Mental Healthcare Act is helpful in providing a certain level of anti-discrimination protection.” 

But, overall, these laws are not just limited in scope, but also have varying mechanisms for enforcement. The Trans Act provides for a Complaint Officer at each establishment. However, without clarity on the rank, powers or authority of such an officer, and without penalties for failing to appoint an officer, there has been a very slow uptake in an indifferent private sector. Petitioners have even had to approach High Courts for the setting up of government complaint mechanisms.  

While there is a lot to be desired, laws like the Mental Healthcare Act and Trans Act do provide civil society and government a legal framework to work with. The complaint mechanisms could be used to proactively develop a quasi-legal horizontal equality jurisprudence. It will require deeper thinking about how equality can be built into subject-specific laws. It will also mean granting institutions genuine independence, financial resources and expanding the scope of their powers. But if the story of the DPDPA 2023 is anything to go by, equality thinking doesn’t seem to be on top of the Union government’s agenda. 

From Bill to Act: Where did the “sensitive personal data” provisions disappear? 

The 2019 draft of the Personal Data Protection Bill, which incorporated some of the recommendations of the Srikrishna Committee Report, classified data related to sex life, sexual orientation, transgender or intersex status, caste or tribe and religious or political belief or affiliation as sensitive personal data (SPD). 

“A higher level of compliance was necessary for processing such SPD,” explained Arjun Adrian D’Souza, Volunteer Legal Counsel at Software Freedom Law Centre, India. “The basis of classifying SPD was also well-founded under the Personal Data Protection Bill, 2019. Depending on factors such as potential risk, expectation of confidentiality and potential to suffer ‘significant harm’, data could fall under the category of SPD and thereby be amenable to higher protections.” 

The SPD provisions in the 2019 bill seemed to have been inspired by the European Union’s General Data Protection Regulation as well as India’s IT (Sensitive Personal Data) Rules, 2011. Notably, while Section 43A of the Information Technology Act 2000 also allowed compensation due to negligence in processing sensitive personal data, SPD was defined differently in it and had no explicit link to discrimination or equality. But the definition of “harm” in the 2019 draft went further: it included not just physical or mental injury but “any discriminatory treatment” and “denial or withdrawal of a service, benefit or good resulting from an evaluative decision about a data principal.”

The 2019 draft acknowledged that inequalities often occur on certain axes of oppression which require special protection. SPD required more explicit and informed consent, its use was prohibited in some matters related to employment, and special data assessments were required in cases of potential significant harm. 

D’Souza said that the data processed by an online dating app would have been covered by the definition, as it relates to an individual’s sexual orientation and preferences. The identification and financial data an individual fed on government portals would also have fallen under the definition of SPD. Raj noted that the “inclusion of political belief would have enabled a user to identify the harms of data breach more clearly and efficaciously.” 

While the 2019 bill did not expressly provide for protection against discrimination, it was able to locate and prevent methods by which discrimination can take place. This was a great advance for the subject-specific approach, particularly since it was backed by the Data Protection Authority of India, which is empowered to hear complaints and declare financial penalties and compensation. 

However, not only is the eventual DPDPA purged of any reference to the idea of harm or discrimination, it doesn’t feature the provision for compensation suggested in the 2019 draft. By also repealing the claim for compensation under Section 43A of the IT Act, it deprives vulnerable groups of other existing remedies apart from approaching the Data Protection Authority of India. 

The DPDPA is among the first legislations to use the pronouns “she” and “her”, instead of “he” and “him”, to signify all persons. Yet, even as the Act’s “transition” of pronouns receives applause, a transgender person’s status in the material world remains exposed to institutional discrimination, both public and private. 

“At present, the DPDPA 2023 doesn’t have provisions which effectively promote an inclusive perspective of privacy,” D’Souza said. Unfortunately, the stories of people like Siras have not moved the hearts of those who drafted India’s data protection law. The ghosts of Aligarh 2010 continue to cast a shadow on the right to privacy.