Beginning
The Digital Personal Data Protection Act, 2023 (DPDPA) marks a significant departure from prior regulatory frameworks by removing the distinct classification of "sensitive personal data" (SPD). This change treats all personal data equally, ignoring the differentiated vulnerabilities associated with various types of data. Drawing on theories of vulnerability by scholars like Malgieri and Nikolas, this article critiques the removal of SPD categorization. It contends that the change undermines protections for Data Principals, fails to address power imbalances between Data Principals and Data Fiduciaries, and disregards the context-dependent harms tied to specific categories of data. By comparing India's approach to global norms and analyzing recommendations of the BN Srikrishna Committee, this article argues for a contextual, vulnerability-aware data protection framework that reinstates heightened protections for sensitive data.
Introduction
The enactment of the Digital Personal Data Protection Act, 2023 (DPDPA) represents a paradigm shift in India’s data protection regime. Among its most debated aspects is the elimination of the distinction between "personal data" and "sensitive personal data" (SPD), which earlier drafts of the legislation and global frameworks such as the GDPR had emphasized. SPD refers to data that, if misused, could significantly impact an individual’s privacy, autonomy, and dignity—examples include biometric, health, financial, and sexual orientation data.
The DPDPA replaces this nuanced approach with a uniform treatment of all personal data, dismantling higher protection requirements traditionally afforded to SPD. This article argues that this change introduces systemic vulnerabilities for Data Principals, leaving them exposed to significant risks. It critiques this shift through the lens of vulnerability theory and calls for a reconsideration of India’s data protection strategy to reflect the asymmetrical power dynamics in the digital age.
A Comparative Overview: The Past and Global Practices
India first introduced the SPD concept through the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). These rules mandated explicit consent for the collection and processing of SPD, along with higher safeguards. Building on this, the BN Srikrishna Committee Report recommended categorizing SPD, grounded in the potential harm caused by its misuse.
Key considerations included:
- Likelihood of Harm: The probability of significant harm to Data Principals if SPD was mishandled.
- Expectation of Confidentiality: Recognizing the inherently private nature of SPD.
- Contextual Vulnerabilities: Whether specific groups faced uniform risks from SPD breaches.
- Insufficiency of General Safeguards: Recognizing the need for targeted protections.
The 2018 and 2019 data protection bill drafts incorporated these recommendations, mandating explicit consent and empowering a Data Protection Authority (DPA) to define additional SPD categories as technology evolved.
In contrast, the General Data Protection Regulation (GDPR) in the European Union remains a global gold standard, with heightened protections for “special category data.” Article 9 prohibits its processing except under explicit legal grounds, reflecting the GDPR’s sensitivity to contextual vulnerabilities. Similar protections exist under the UK GDPR, the California Consumer Privacy Act (CCPA), and the laws of other jurisdictions, emphasizing the global recognition of differentiated data vulnerabilities.
India's departure from these standards raises critical questions about its approach to data protection.
Vulnerability-Aware Perspectives on Data Protection
Theories of vulnerability, particularly those advanced by scholars like Malgieri and Nikolas, provide a framework to analyze the DPDPA's shortcomings. A vulnerability-aware approach acknowledges that data processing affects individuals differently based on their socio-economic context, digital literacy, and the inherent sensitivity of specific data types.
- Children and Health Data: Data related to children or chronic health conditions requires higher safeguards due to inherent vulnerabilities.
- Behavioral Advertising and Profiling: Aggregation of personal and behavioral data disproportionately harms marginalized groups by enabling targeted exploitation.
The DPDPA’s failure to distinguish SPD implies a one-size-fits-all regulatory approach that neglects these nuances. The Act’s provisions—such as a uniform consent framework—are insufficient to address the broader societal risks tied to misuse of sensitive information.
Implications for Indian Data Principals
By eliminating SPD categorization, the DPDPA reduces the protections available to Data Principals in several ways:
- Inadequate Consent Mechanisms: The Act replaces “explicit” consent requirements for SPD with generalized consent, undermining the autonomy of Data Principals.
- Increased Exploitation Risks: Sensitive data such as biometric or financial information is processed under minimal safeguards, exacerbating risks of harm.
- Overlooking Contextual Harms: The law fails to account for intersectional vulnerabilities, such as those based on gender, caste, or socio-economic status.
The lack of SPD categorization contradicts the Puttaswamy judgment, where the Supreme Court recognized informational and physical privacy as fundamental rights. The Court highlighted that certain types of data, like biometrics, deserve elevated safeguards. The current DPDPA disregards this precedent by normalizing uniform treatment of all data.
A Case for Reinstating SPD Categorization
The BN Srikrishna Committee’s nuanced approach aligns with Florencia Luna’s Layered Theory of Vulnerability, which advocates for dynamic, context-specific protections. Adopting this approach in Indian data protection law would enable a tailored framework that:
- Differentiates protections based on harm potential.
- Empowers the DPA to define evolving SPD categories.
- Balances individual rights with Fiduciary responsibilities.
Such a model would align India with international best practices while addressing local challenges, such as low digital literacy and cultural diversity.
Conclusion
The removal of SPD categorization in the DPDPA is a regressive step that exacerbates vulnerabilities for Indian Data Principals. It undermines global data protection standards, ignores contextual harms, and weakens privacy protections for marginalized groups. A vulnerability-aware framework, as envisioned by the Srikrishna Committee, offers a viable path to rectify this oversight. Empowering the DPA to adapt SPD classifications as technology evolves could ensure robust and equitable data protection in India’s rapidly digitizing landscape.