Due to technological advancements in the digital era and the virtualization of everything, the need for safeguarding personal data became essential. TheApex Court’s ruling in Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors[1]. declared Right to privacy as a fundamental Right which has laid the foundation for the enactment of a comprehensive privacy law framework in India. In the midst of extensive discussions on the Digital Personal Data Protection Act of 2023 (DPDP Act) lies a provision of significant importance from a litigant's standpoint. The jurisdictional intersection between Privacy Laws and other legal domains has emerged as a challenge. In Section 38 of the Act, it is stated that the "provisions of this Act shall be in addition to and not in derogation of any other law for the time being in force". The significance lies in the interdependence of data protection laws with other legal domains. For instance, the connect between data protection and other legal domains like cyber security laws, consumer protection laws or competition laws.
The DPDP Act which has been passed by both the houses of the Parliament and received President’s assent is yet to be enforced by the Central Government. Following the DPDP Act, the requirements will be further elaborated by notification of Rules by the Central government. Although the introduction of the DPDP Act is a positive development, it could potentially give rise to concerns about jurisdictional conflicts. The Data Protection Board of India (DPB) is set to function as the adjudicating authority, empowered to identify violations of the DPDP Act and levy penalties[2] . The actual extent of overlap between the DPB and authorities under different laws will only be clear when the DPB is established and the rules for its operations are notified.
Privacy laws aims at ensuring the security and privacy of individuals' personal information, thereby providing them with a sense of confidence that their data will be treated appropriately. Consumer protection legislation on the other hand endeavors to prevent individuals from being deceived or subjected to unfair practices when engaging with businesses and services. In the present age of the Internet, where personal data is frequently used as a means of online transactions. The question of whether regulatory bodies overlap with each other is a source of concern. There lies a jurisdictional overlap between Central Consumer Protection Authority (CCPA) under the Consumer Protection Act, 2019 (CPA) and the DPB established under DPDP Act, 2023.
Unfair trade practice under CPA involves the unlawful disclosure of personal information within its scope[3]. The CCPA under Section 10 of the Act has various powers that include overseeing unfair trade practices. Hence, it is apparent that the CCPA has jurisdiction to handle matters related to the unlawful release of personal information provided by the consumers. Any disclosure of personal information will not constitute an unfair trade practice if permitted under any law.In addition, the DPDP Act is likely the general law along with sectoral laws that regulates the lawful processing, collection and disclosure of personal data.
Personal data breach is defined as the unauthorized processing, accidental disclosure or sharing of digital personal data under the DPDP Act. Further, the authority to investigate and impose penalties for any violation of the provisions of the Act lies with the DPB. Thus, the provisions for lawful collection and disclosure of personal data under DPDPA somehow intersects with the domain of Consumer Protection laws.
Both the DPB and CCPA seems to have jurisdiction to investigate the illegal/unauthorized dissemination of personal information. However, the DPB has the jurisdiction to handle matters that involve personal data of individuals who did not purchase goods or use services for consideration. Thus, it can be said that the DPDP Act is more comprehensive than the CPA because its definition of data principal is wider than that of consumer. In the case of Consumer Online Foundation vs. Tata Sky[4] , Dish TV challenged the jurisdiction of Competition Commission of India (CCI) as the matter was already pending before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and Telecom ReguIatory Authority of India (TRAI). According to the CCI, TRAI's role as market regulator is acceptable but competition in the market is the exclusive domain of CCI.
Therefore, it can be argued on the similar lines that the DPB is the appropriate and capable agency to determine issues pertaining to the unauthorized collection and dissemination of personal data.Despite having similar jurisdictions in cases of unauthorized disclosure of personal data, the CPA and the DPDP Act differ on certain areas and organizations should be aware of potential liabilities that may arise from these sectoral laws.
Data protection and Cybersecurity laws are closely intertwined thereby making it an intricate relationship as the protection of personal data is closely linked to the establishment of strong cybersecurity practices. Consequently, delineating the exact boundaries that separate data protection and cybersecurity poses a challenging endeavor.
This gives rise to a jurisdictional intersection between the Adjudicating Officer under the Information Technology Act, 2000 (IT Act) and the DPB under DPDP Act, 2023. The Central government has the authority to appoint an Adjudicating Officer who will be responsible for resolving disputes related to rules, regulations or directions issued under it, as well as breaches of IT Act provisions. The exclusion of Section 43A in the IT Act not only resolves any potential conflict between the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 and the DPDP Act, but also removes the authority of the Adjudicating Officer in cases involving data breaches by companies. Despite this, the extensive scope of Section 43 of the IT Act may result in situations where access to data without consent comes under the domain of IT Act. Similarly, The DPDP Act requires data principals to provide informed and voluntary consent before their personal data is collected or processed under Section 4 of the Act. Nevertheless, the question of whether the term 'permission' in accordance with Section 43 of the IT Act aligns with the standard of 'consent' specified in the DPDP Act remains open ended.
When dealing with personal data without the individual's consent, determining which adjudicatory body has jurisdiction is a complex task. Thus, it can be argued that the Adjudicating Officer's powers, such as being able to grant compensation to individuals who are affected may overlap with those of the DPB which mainly focuses on imposing penalties on the data fiduciary. Consequently, due to the changing legal landscape, various legal interpretations will be introduced in the Indian legal Regime.
While the Data Privacy Laws are focused on lawful collection, storage, processing and disclosure of personal data, the Competition Act holds the responsibility of preventing the abuse of dominant status of an enterprise for manipulation of personal data of the individuals by seeking consent through unfair means. The CCI in its Whatsapp’s Privacy Policy Order[5] initiated suo moto proceedings and directed to investigate into the updated 'Terms of Service and Privacy Policy' introduced by WhatsApp Inc. It was noted that the 2021 privacy policy that needs to be agreed to resume the services required the consent of users for sharing their account data with the Meta companies and did not offer any “opt-out” option making the policy “take-it-or-leave-it” in nature for the users. Thus, obtaining consent through the unfair means by abusing the dominant position in the Market is seen as violation of Section 4 of the Competition Act, 2002. It is noteworthy that the CCI stressed for the first time that user data sharing consent must be voluntary, free or optional, as it could result in being viewed as an unfair imposition by a dominant undertaking.
DPDP provides for ‘free consent’ from the data principal before using or processing personal data. Both the DPDP and the Competition Act failry encompass the requirement of consent for the collection and processing of user data. For instance, in the abovementioned Whatsapp Order, services may be discontinued if its users do not adhere to or accept the Privacy Policy. Even though it may meet the DPDPA criteria, the matter is still considered anticompetitive under the Competition Act. Alternatively, DPDPA has the ability to address CCI's concerns as it mandates seeking consent in "clear and plain language"[6]. The Act specifically provides that such a request must include a notification from the Data Fiduciary, providing details about the personal data, the purpose of processing, and how the Data Principal can exercise their rights. When applied to the WhatsApp Order, this requires a need to inform its users about the updated privacy policy, including purpose and manner of data collection and sharing practices.
The Apex Court's approach in the case of Competition Commission of India v. Bharti Airtel Limited[7] could offer guidance in resolving the current conflict. This pertains to determining jurisdiction between the TRAI and the CCI in cases involving the telecom market, particularly when practices within a regulated sector are implicated. The Supreme Court ruled that TRAI, as the specialized regulatory body for the telecom sector, should have primary jurisdiction to address issues leading to a preliminary finding of anti-competitive practices. While the DPDP Act has a specific focus on safeguarding digital personal data, it's important to acknowledge the potential for parallel allegations under the Competition Act. Both the DPDP and the Competition Act aim to regulate the disclosure of personal data to digital entities and ensure its lawful use. .
Essentially, as India's data protection framework undergoes legal developments, the complex intersections between the DPDP Act and other legal domains are anticipated to give rise to numerous legal challenges in Indian courts. The outcomes of these challenges will not only impact the landscape of data governance but will also establish crucial precedents for the coordinated functioning of various regulatory bodies.
As these regulatory frameworks undergo further evolution, a cooperative relationship between data protection authorities and regulatory authorities under other laws coupled with an informed public, will play a pivotal role in shaping a digital environment that is both fair and secure. This collaboration is essential for navigating the dynamic and intricate legal landscape surrounding data protection in India. Ultimately, finding a balance between the objectives of different legal domains and data privacy laws is essential for a comprehensive and effective regulatory framework in the evolving digital landscape of the country.