In a rapidly evolving digital age, the emergence of the virtual world has dissolved traditional boundaries, providing unprecedented accessibility right at our fingertips. Yet, this limitless realm, while holding potential for both constructive and detrimental technological uses, has greatly diminished the lines of protection. Data security and privacy stand as paramount global concerns, with individuals striving to uphold privacy in all aspects of their lives to ward off unnecessary intrusions. Compromising individual privacy is unjustifiable, particularly in today’s digital landscape, where safeguarding privacy is indispensable for human dignity, safety, and self-determination. The advent of each new technology brings unprecedented intrusions into various spheres, encroaching upon individual privacy. The widespread collection, storage, and utilization of personal data intensifies the need for robust data protection laws, prompted by high- profile data breaches and privacy scandals in the virtual world. Therefore, to construct a secure digital ecosystem, striking a balance between protecting individual privacy rights and fostering innovation is imperative.

This article delves into the intricate dynamics of digital privacy, examining the infringement of privacy through technology and highlighting key provisions of the Digital Personal Data Protection Act, 2023, to ponder its concrete existence or illusory nature.

BREACH OF PRIVACY THROUGH TECHNOLOGY

Living in the information-technology era, digital connectivity through websites, social media, and payment apps underscores the paramount importance of privacy. Scott McNealy’s (founder of Sun Microsystems) assertion that any digital ‘secret’ is subject to instant distribution highlights

the vulnerability of digital data. Even with users agreeing to terms and conditions, worries about data collection and selling remain evident, as seen in recent Whatsapp -Facebook data sharing controversy. Online presence and digital technology are major contributors to privacy breaches today, but they’re not the only ones. Privacy breaches can stem from government surveillance, like with the ‘Aadhar’ Card system, and from social media platforms, which, originally intended for free expression, now pose risks due to extensive data collection, potentially resulting in exploitation.

The rise of technology has ushered in a new era of enhanced communication and faster information exchange. However, along with its benefits, there are drawbacks. The rapid growth of technology has led to a surge in its misuse, particularly with the increasing use of the internet to share private information. Several methods through which technology has encroached upon privacy include :

• Deepfake : Deepfakes, a fusion of “deep learning” and “fake,” craft hyper-realistic videos through digital manipulation, often depicting individuals in compromising scenarios. Utilizing neural networks, they mimic facial expressions, voice, and mannerisms by analyzing extensive data sets. Emerging in 2017, deepfakes exploit real footage and authentic-sounding audio, making detection challenging. Recently, an AI-generated video of actress Rashmika Mandana circulated widely, exemplifying the spread of false information facilitated by deepfake technology. According to the 2023 State of Deepfakes report by Home Security Heroes, there has been a 550% surge in deepfake videos since 2019. Alarmingly, 98% of these are pornographic, with 99% featuring women’s faces.ⁱ This technology is increasingly being weaponized against women and posing substantial threats to society, politics, and business by complicating the task of journalists in distinguishing between authentic and fabricated news. Moreover, they endanger national security by spreading propaganda and interfering in elections. Additionally, they erode public confidence in reliable sources of information, and they also raise cybersecurity issues for both individuals and organizations.¹
• Aadhaar Debacle: The Aadhaar project, launched in January 2009, has issued over 1.38 billion Aadhaar cards by September 2023². Despite its status as one of the largest biometric identification systems globally, serious concerns have been raised in a 2021 report by the Comptroller and Auditor General (CAG)³. The report highlights issues such as poor data quality leading to faulty Aadhaar generation, the issuance of Bal Aadhaar cards without children’s biometric details, and the absence of a Data Archiving Policy by UIDAI. The expansion of surveillance power, including biometric data collection in Aadhaar, is evident globally, with governments in the USA, UK, and India seeking to legalize and broaden this capability. Dismissing these concerns as conspiracy theories may have serious consequences.
• Pegasus spyware : In a startling revelation in July 2021, it was disclosed that over 300 individuals from India, comprising journalists, politicians, activists, and government officials, were targeted by the Pegasus malware. Developed by the Israeli cybersecurity company NSO Group, Pegasus is sold to governments and law enforcement agencies without adequate oversight. Ostensibly designed to track criminals and terrorists, this spyware surreptitiously infiltrates electronic devices with their zero-click methods to commandeer devices, meaning no action is required by the phone owner for Pegasus to infiltrate its system, covertly collecting and transmitting data to a third party without the user’s consent or awareness. Capable of infecting millions of phones, Pegasus flagrantly violates individuals’ right to privacy.
• Social Media : With the emergence of the Internet, it is important to remember that privacy should be respected in the physical world and cyberspace. With the abundance of user data on social media, scammers can exploit it to spy on individuals, steal identities, and perpetrate scams. Additionally, social media platforms serve as potential vectors for malware delivery, leading to compromised computer performance, intrusive ads, and theft of sensitive data. Cybercriminals may hijack social media accounts to distribute malware to both the targeted account and its network of friends and contacts. Detailed analysis show that globally there are 4.95 billion social media users and social media penetration rate at 59.4%.⁴ In India, the widespread adoption of smart devices, coupled with reduced internet expenses and global connectivity, has fueled a surge in internet and social media usage. Social media platforms serve as dynamic hubs for digital communication, offering individuals a powerful platform to express themselves to vast audiences. Although individuals often share personal information online willingly, the expectation of privacy remains crucial. Nonetheless, there exists a troubling risk of exposing sensitive personal data. While certain users may be aware of social media platforms’ data collection practices, others may inadvertently leave uncontrollable digital footprints. This vulnerability poses a significant threat, potentially empowering malicious actors and their needs, while endangering an individual’s privacy.

PARADIGM SHIFT IN DATA PROTECTION LAWS IN INDIA

Individual privacy stands as a fundamental social and psychological need. The pivotal K.S Puttaswamy v Union of India⁵ verdict, authored by Justice DY Chandrachud and involving a nine-judge bench, underscored that privacy is inherent to an individual’s dignity and is enshrined as a natural right under Article 21 of the Constitution. This recognition solidifies privacy as a cornerstone of the Constitution’s basic structure. Examining both the positive and negative aspects of privacy, the verdict emphasized that positive elements prevent the state from unjustly intruding on individuals’ privacy, while negative elements necessitate the government to establish suitable legislative measures to counteract them.

• Information Technology Act, 2000 (I.T Act) – While initially hailed as comprehensive legislation, India’s Information Technology (IT) Act primarily focuses on privacy-related matters, offering compensation for those impacted by data breaches (Section 43A)⁶ and allowing the government to restrict public access to information (Section 69A).⁷ However, despite its enactment over two decades ago, the Act fails to adequately address contemporary data protection challenges. It lacks provisions governing businesses’ handling of personal data, clear standards for consent and control over data, and fails to tackle issues like cross-border data transfers and advanced technologies. Moreover, the absence of a dedicated regulatory body and limited recourse options for individuals further weaken its effectiveness in safeguarding digital rights.⁸ In light of these deficiencies, there arose a pressing demand for a modernized and all-encompassing legislation, exemplified by the Digital Personal Data Protection Act, 2023. This Act aims to adapt to the changing technological environment and fill the loopholes present in the existing legal framework.
• Digital Personal Data Protection Act, 2023 (DPDP Act) ⁹– The primary purpose of the Act is to regulate the processing of digital personal data and respect individuals’ right to protect their data while recognising the necessity of processing and using such data for lawful purposes. The Act sets the groundwork for additional legislation like the Digital India Act and industry-specific laws regarding privacy and data protection, furthering India’s progression toward embracing technologies like Artificial Intelligence (AI) while ensuring the protection of Personal Data. It may also facilitate Indian businesses in fostering collaborations with international counterparts under mutual agreements, all while prioritizing the safeguarding of Personal Data.

DEFINITIONS AND SALIENT FEATURES OF DPDP ACT, 2023 :

® Definition of Data: The Act defines data as any representation of information, fact(s), concept(s), opinion(s), and instruction(s) capable of being communicated, interpreted, and processed by human beings or automated means. Personal data pertains to any data about an identifiable individual (Data Principal).¹⁰

® Processing of Personal Data: Processing involves a set of operations performed wholly or partly by automated means on digital personal data, including collection, storage, sharing, and erasure. It can only occur with the lawful consent of the Data Principal or for legitimate uses specified in the Act.

® Applicability: The Act applies to digital personal data processed within India, whether in digital form or digitized from non-digital sources. It also extends extraterritorially to data processing activities related to offering goods or services to Indian Data Principals.

Certain exemptions apply, such as personal data processed for personal or domestic purposes.¹¹

® Consent: Processing of personal data requires explicit, informed, and unambiguous consent from the Data Principal. Consent must be obtained through affirmative action and can be withdrawn at any time. However, legitimate uses outlined in the Act do not require explicit consent.

® Rights and Duties of Data Principals: Data Principals have rights to access, rectify, and erase their personal data, nominate representatives, and file grievances. They are also obligated not to register false complaints or provide misleading information.¹²

® Obligations of Data Fiduciaries: Data Fiduciaries must process personal data only with consent or for legitimate uses, ensure data accuracy and security, respond to Data Principal requests, report data breaches, and delete data when no longer necessary.¹³

® Transfer of Personal Data outside India: Extraterritorial processing and transfer of personal data are permitted, except to countries restricted by the Central Government.

® Exemptions: Certain provisions related to Data Fiduciary obligations and Data Principal rights are exempted in specified cases, such as for law enforcement purposes or research.

® Data Protection Board of India: A Data Protection Board will oversee compliance with the Act, investigate breaches, and impose penalties. Appeals against Board decisions can be made to the Telecommunications Dispute Settlement and Appellate Tribunal.¹⁴

® Penalties: Penalties for non-compliance range from INR 200 to 250 crore, depending on the severity of the offense, and are imposed by the Data Protection Board after conducting an inquiry.¹⁵

The Digital Personal Data Protection Act, 2023 offers significant promise in tackling India’s privacy and data protection concerns, setting the stage for future legislation and international collaborations. Continuous adaptation and refinement of the law are vital to address evolving challenges and ensure the protection of individual rights while fostering innovation and digital growth in India.

CONCLUSION

Privacy is intrinsic to human dignity, safety, and trust in societal norms. However, in today’s digital era, maintaining privacy faces numerous challenges, blurring the line between the virtual and real worlds. While government laws like the DPDP Act 2023 aim to protect citizens’ privacy, individuals must also exercise caution online. However, maintaining a balance between privacy rights and innovation is crucial for India’s digital future. Adopting a “less is more” approach to sharing personal information and remaining vigilant against digital threats are crucial steps toward safeguarding privacy. By embracing shared responsibility and adhering to guidelines, both citizens and governments can work together to preserve the essence of privacy in the digital age.

---

Author: Jahanavi P

---