The much-awaited Digital Personal Data Protection Act, 2023 has made plenty of headlines since it received Presidential assent earlier this month. Since the Supreme Court delivered the Puttaswamy judgment in 2018, the law has been heavily debated in legal and academic circles as well as in the public discourse over the last six years. The impact of this law on digital businesses has been a recurring theme during the discussions.
While the advent of this law has several significant implications for the academic world, there is no substantial scholarship on how this law would affect issues within the academic world ranging from promoting ethical practices in academic operations of educational institutions to promoting data-driven research. Therefore, it has led to mixed reactions ranging from celebration to unease.
Basic tenets of the new Data Protection Law
The recently enacted law is anchored in the broad framework stemming from the Puttaswamy judgment, most prominently in the judgment authored by Justice D.Y. Chandrachud who observed that a “carefully structured regime for the protection of data” may be created, having “due regard to what has been set out in this judgment”. Justice Chandrachud further noted that privacy has positive and negative features, where it restrains “an intrusion upon the life and personal liberty of a citizen”, and also requires “an obligation on the state to take all necessary measures to protect the privacy of the individual”.
In view of the same, the law as enacted covers a wide range of areas. When it comes to defining the scope of ‘personal data’, it borrows significantly from the approach of the European Union’s General Data Protection Regulation (GDPR). It obligates all data processors including educational institutions to process digital data in a lawful manner. It also adds a corresponding duty to ensure that the rights to notice, access and erasure are easily exercisable by the ‘data fiduciaries’.
Fostering cultures of integrity within academic institutions
Over the past decade, several cases of data breaches by ed-tech initiatives of private entities as well as public entities relating to sensitive information about students have been reported. In 2020, CloudSEK, a security firm, discovered that the personal information of 500,000 Indian citizens who appeared for an entrance exam was up for sale on a database-sharing forum.
India has zealously embraced the rapid growth of technology and the digital revolution thereby making it easier to collect and share personal data at a staggering rate. While digital businesses took the lead in this area, academic institutions (both public and private) have also been proactively engaged in collecting and using personal data for a range of purposes. This issue became a growing concern from 2020 onwards with remote teaching platforms becoming more common. While it is granted that there can be a beneficial use of the data, concerns about privacy and data protection have also become increasingly dominant in India’s public discourse. In the absence of effective provisions, these data breaches were left unaddressed and were, in a way, allowed to proliferate to the point of becoming normalised.
The law as enacted seeks to herald a transformational change in the manner in which data breaches can be prevented by all entities, including governments, regardless of their size or private status. In the earlier iterations of the law, a distinct category of “sensitive” personal data was sought to be created so as to ensure more protection for sensitive personal data. The enacted law gives special consideration for heightened protection regarding the processing of the personal data of children. It requires such data to be classified separately to ensure a greater degree of protection from a security and privacy standpoint. The law also prescribes serious penalties for digital entities failing to adequately protect personal data ranging from blocking the platform to imposition of fines to the tune of ₹250 crore.
The above-mentioned provisions have the potential to address the challenges of data leaks which have been a long-standing threat to the legitimacy and quality of the evolving landscape of digital education in India.
The enactment of this law is a welcome step given the long-standing paradoxical position of data protection in the country where privacy was recognised as a fundamental right and yet there was widespread confusion regarding the normative contours of privacy protection. India has finally moved on from a patchwork of sectoral laws that govern the protection of personal data thus far. With this law, there is an opportunity for all entities operating in the education sector to create a culture of integrity when it comes to safeguarding all personal data and protecting learners from unauthorised access and exploitation. For the law to be successful, the education sector, digital and non-digital entities, need to become more aware of their fiduciary responsibilities in considering data breaches to be unacceptable and create a trustworthy environment in which all sides in the digital age including the students can benefit from the same.
Prof. Y.S.R. Murthy is the founding Vice-Chancellor of RV University (RVU), Bengaluru, and founding Dean of the School of Law, RVU.
Prashant Singh works at RVU as an Assistant Professor of Law.