Relevance of Consumer Protection Act 2019 for Privacy

When DPDPA 2023 was enacted, the focus of the legislation was “Digital Personal Data” and the way the industry is expected to collect and process it. The law was drafted as a “Principle based” draft and did not find it necessary to state that it was meant to protect the Right to Privacy of an individual as envisaged under the Puttaswamy judgement.

The draft also surprised many because it did not provide personal compensation to data principals and instead indicated a possible fine of Rs 10000/- on data principals making false complaints.

Even now when the rules are being finalized, there is a continued demand that it should be more prescriptive and also that a percentage of the fine imposed on the data fiduciary should be paid to the data principal who raises a complaint.

The logic is that the Government will impose a fine of up to Rs 250 crores based on the complaint of the Data Principal and enrich itself, but does not provide any compensation to the data principal.

We have repeatedly clarified that the approach of the Government has been innovative and that not making the law very prescriptive was a deliberate strategy. We have also held that the Rules should follow the “Minimal” principle, continue to be principle based, and not try to address every possible issue that may arise in implementation.

We are also, in principle, not supportive of providing “Explanations” within the law or rules, which only restrict the applicability and create more avenues for breaking the law rather than following it.

As regards compensation to data principals, we have insisted that Section 43 of ITA 2000 may be invoked by data principals for personal compensation in case of a data breach, and that the adjudication process under ITA 2000 may be invoked for this purpose.

Similarly, we have reminded readers that several sections of ITA 2000 will continue to be relevant even after Section 43A is removed on notification of Section 44 of DPDPA 2023, and of these, Section 43 will be the most relevant for claiming a personal remedy.

In the S Umashankar Vs ICICI Bank case, the TDSAT clarified that Section 43(g) can be invoked when there is “Negligence” in following the “Reasonable Security Practices” prescribed by RBI. Extending this ruling, DPDPA 2023 is already considered the “Due Diligence” standard and is applicable for interpreting both Section 79 and Section 85 of ITA 2000 and for fixing responsibilities under Section 43(g).

Another lacuna which many point out in DPDPA 2023 is that it does not classify any personal data as “Sensitive” and has removed the definition of “Harm” which was present in earlier versions.

However, DPDPA 2023 uses “Sensitivity” and “Risk to the Data Principal” as criteria while classifying organizations as “Significant Data Fiduciaries”. Hence all those organizations which process “Sensitive Personal Data”, as we generally understand the term, will now be considered “Significant Data Fiduciaries” (SDF) and will need to appoint a DPO, conduct a DPIA and carry out an annual Data Audit.

This is better than merely classifying some of the data as “Sensitive” and leaving the organization as a Non-SDF. Further, the Government has so far refrained from giving a definition of who will be an SDF and has left it to the discretion of organizations to self-assess themselves as SDF based on their own assessment of the “Sensitivity” of the data processed and the “Likely harm that may be caused to the data principal from their processing”.

In this context of “Harm to the data principal”, the Consumer Protection Act 2019 (notified on 9th August 2019) comes into prominence. Just as ITA 2000, BNS (the new IPC) and BSA (the new IEA) are to be considered associate laws of DPDPA 2023, both the Telecom Act and the Consumer Protection Act 2019 (CPA 2019) are considered associate laws, compliance with which is essential to fulfil compliance with DPDPA 2023. In this context we can highlight the notification of 30th November 2023, in which the Government addressed the practice of “Dark Patterns” with a list of practices as examples.

The notification defined “Dark Patterns” as any practice or deceptive design pattern using user interface or user experience interactions on any platform that is designed to mislead or trick users into doing something they originally did not intend or want to do, by subverting or impairing consumer autonomy, decision making or choice, amounting to a misleading advertisement, an unfair trade practice or a violation of consumer rights.

In the privacy context this can be considered a “Practice that is harmful to the data principal” and is similar to the harms of “manipulating the intention of the data principal” and “Deceiving the data principal into doing things which he would not otherwise do”. This will apply to many E-Commerce platforms, all of which are “Data Fiduciaries” under DPDPA 2023, and to AI algorithms which process personal data.

The dark patterns singled out include False Urgency, Basket Sneaking, Confirm Shaming, Forced Action, Subscription Trap, Interface Interference, Bait and Switch, Drip Pricing, Disguised Advertisement, Nagging, Trick Question, SaaS Billing, Rogue Malware, etc. (Kindly refer to the notification for explanations of each of these types of dark patterns.)

The notification clearly prohibits the use of dark patterns, stating: “No person, including any platform, shall engage in any dark pattern practice”. The “Offences and Penalties” prescribed under the CPA 2019 include imprisonment and fine. A possible imprisonment of 6 months and a fine of up to Rs 20 lakhs may be envisaged for most of the dark pattern practices, provided that a complaint is filed by the Central Authority authorized under the Act (similar to the powers of the DG of CERT-In).

In view of these “Cross Legislative Provisions”, DPDPA compliance includes compliance with multiple laws, as has been recognized by the DGPSI framework for compliance. This ensures that “DPDPA 2023 as an Act and the rules to be framed thereunder” will continue to cover topics such as “Sensitive Personal Information”, “harm to data principal” and “personal remedy” under the different provisions of other laws.

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.