ARTICLE
6 February 2025

Apprehended Challenges In Using Foreign Precedents To Interpret Cases Under The Indian Digital Personal Data Protection Act, 2023

ThinkLaw Advocates

Contributor

ThinkLaw Advocates logo
ThinkLaw is a new-age law firm, established with an objective of delivering deeply thought-through, high quality research-based & strategy-driven advice with a detail-oriented personalized attention by a team of highly driven professionals living up to our approach of "Navigating the Complex".
Explore Firm Details
While India eagerly awaits the implementation of the Digital Personal Data Protection Act, 2023, in January 2025, MeitY released the draft Digital Personal Data Protection Rules, 2025 for public consultation.
India Privacy
Tushar Ajinkya,Saahil Bijliwala, and Tanya Khandelwal
Your Author LinkedIn Connections

Limited availability of domestic data protection judicial precedents for Indian courts

While India eagerly awaits the implementation of the Digital Personal Data Protection Act, 2023, ("Act"), in January 2025, the Ministry of Electronics and Information Technology ("MeitY") released the draft Digital Personal Data Protection Rules, 2025 ("Draft Rules") for public consultation. The Draft Rules detail certain aspects that were earlier introduced in the Act, including elaborating concepts like consent requirements, minimum qualifications and obligations of consent managers, minimum thresholds for reasonable security safeguards and protocols that would have to be adhered to by parties in the event of a data breach. Prior to this, India's data protection laws were covered under the Information Technology Act, 2000 ("IT Act") and skeletal regulations passed thereunder, which were not as comprehensive as the Act and did not take into consideration many of the safeguards and protocols being implemented through the Draft Rules.

Accordingly, whenever the Act and the Draft Rules are implemented, Indian courts will be operating on an empty canvas of data protection judicial precedents. The question arises therefore, would it be prudent for Indian courts to look to foreign jurisprudence as the courts are saddled with the task of interpreting and enforcing the newly formulated law in a just and equitable manner.

Challenges in using external aids to interpretation in the form of foreign jurisprudence

As and when the Act is implemented, Indian courts will most likely turn towards foreign jurisprudence as an external aid to interpretation of the provisions thereof. While the perils of this approach are manifold, the immediate issues are that it is possible that the corresponding foreign legislations may not be in pari materia with the Act. Further, even where a particular foreign data protection legislation happens to be similar to the Act, the extant foreign legal ecosystem may not be identical. Both these issues could pose serious challenges when Indian courts use these foreign precedents as external aids to interpretation. Additionally, even as a global concept, data protection laws do not have the same legacy as some other, more mature legislations.

To illustrate these issues, in this article, we delve into a decision passed under the European Union's General Data Protection Regulation ("GDPR").

Single Resolution Board ("SRB") vs European Data Protection Supervisor ("EDPS") before the General Court in Europe: Analysing the case

Brief Facts:

  • The SRB adopted a resolution scheme in respect of a bank, and thereafter published a privacy statement relating to the processing of personal data in the context of that process. This privacy statement did not contain any mention of data transmission to third parties.
  • Creditors had to submit identification documents to the SRB in order to verify their credentials.
  • Eligible creditors were given a unique personal link to an online form, which contained several questions with limited space for answering, enabling the affected shareholders and creditors to submit comments on the resolution scheme.
  • Deloitte was appointed by the SRB as an independent third party to assist in evaluation of resolution schemes.
  • SRB transmitted to Deloitte the creditors' comments for the purpose of enabling Deloitte to answer these comments.
  • Some creditors submitted complaints to the EDPS alleging a breach by the SRB of its information obligations as they had not consented to sharing of their data (i.e. their comments) with Deloitte for processing.
  • The EDPS found that though Deloitte was in receipt of the complainants' personal data, this fact of data sharing with Deloitte was nowhere mentioned in SRB's privacy statement and thus constituted an infringement of SRB's obligations under the GDPR.
  • The SRB challenged this finding before the General Court.

Point in issue: What constitutes personal data?

While the General Court discussed several issues in the course of its deliberations, a key question that emerged was whether the information transmitted by SRB to Deloitte related to an 'identified or identifiable' natural person and thus constituted personal data?

To put it slightly differently, for information to constitute personal data, two cumulative conditions must be satisfied: i) the information must 'relate' to a natural person and, ii) that natural person must be 'identified or identifiable'.

Rival submissions

Did the creditors' comments constitute personal data?

The SRB contented that there was no infringement of the GDPR as the information transmitted to Deloitte did not constitute personal data. In support of its contention, the SRB submitted that:

  • The information contained in the complainants' comments was factual and legal information independent of the persons or personal qualities of the complainants and thus unrelated to their private life.
  • The purpose of the right to be heard process was to assess factual and legal arguments concerning the valuation of the resolution scheme from a large number of interested parties, whose personality and identity were not relevant for the purposes of assessing their comments.

The EDPS rebutted these submissions on the following grounds:

  • The comments of the affected shareholders and creditors is information 'relating to' them, given that their responses contained and reflected their personal views.
  • The comments constituted personal data by reason of their effect. The assessment of these comments, the purpose of which was to verify the validity of the valuation of the resolution scheme, was bound to have an effect on the participants' interests and rights regarding financial compensation.

The General Court held that while it cannot be ruled out that personal views or opinions may constitute personal data, however, as the EDPS did not carry out any examination, it could not be concluded that the information transmitted to Deloitte constituted information 'relating' to a natural person.

Did the information transmitted to Deloitte constituted 'identified' or 'identifiable' personal data:

The SRB submitted that:

  • The data given to Deloitte bore an alphanumeric code, using which only the SRB could link the comments to the data received in the registration phase. The alphanumeric code was developed for audit purposes to verify and if necessary to demonstrate subsequently, that each comment had been handled and duly considered. Deloitte had, and still has, no access to the database of data collected during the registration phase.
  • The data is rendered anonymous for a third party, even if the information allowing re-identification is not irrevocably eliminated and resides with the original processor, as long as the form in which the data are shared with the third party does not allow re-identification anymore or where re-identification is not reasonably likely.
  • The data was rendered anonymous by SRB and Deloitte had no means of reversing the anonymization process.

The EDPS, in reply, submitted that:

  • Merely because Deloitte did not have access to the information held by the SRB that would enable re-identification does not mean that the 'pseudonymised' data transmitted to Deloitte became anonymous data.
  • It is not necessary to determine whether the persons who provided the information transmitted to Deloitte were re-identifiable by Deloitte or whether re-identification by Deloitte was reasonably likely. 'Pseudonymised' data remains so even when transmitted to a third party that does not have additional information.

The General Court relied on the decision in Breyer (C-582/14, EU: C:2016:779), wherein it was stated that if identification of the data subject is practically impossible on account of the fact that it would have required a disproportionate effort in terms of time, cost and man-power, so that the risk of identification would have appeared to be insignificant, it would not be considered as reasonably likely to identify the data subject.

In the present case, the alphanumeric code appearing on the information transmitted to Deloitte did not in itself allow the authors of the comments to be identified. Additionally, Deloitte did not have access to the identification data received during the registration phase which would have allowed the participants to be linked to their comments by virtue of the alphanumeric code.

It was not necessary to determine whether the persons who provided the information transmitted to Deloitte were re-identifiable by Deloitte or whether re-identification by Deloitte was reasonably likely. 'Pseudonymised' data remains so even when transmitted to a third party that does not have additional information.

Accordingly, the General Court held in favour of the SRB and against the EDPS.

Possible issues while using the above principles in the context of Indian law

The Indian Act also defines 'personal data' in a similar vein, to mean "any data about an individual who is identifiable by or in relation to such data"1. The questions raised in the case referred hereinabove are likely to feature amongst the preliminary issues that the Indian Courts may have to decide upon notification and implementation of the Act.

However, it will be interesting to see how the Indian courts approach the same, and whether they follow the same (or similar) interpretation as adopted by the General Court. For instance, the General Court held that comments and personal views can amount to personal data but as the EDPS did not investigate whether the comments and personal views submitted to the SRB could be considered personal data, the SRB could be absolved of liability.

In such a scenario, it is possible that an Indian Court may, on being presented with the same facts, go to the root of the matter, look at the comments and give a finding on the basis of the nature of the comments. Alternatively, an Indian Court would generally also be empowered to remand the undecided question to the EDPS, which the General Court has not done/ could not do.

Additionally, in the Indian legal system, individual creditors and not the EDPS would have been parties, therefore there would still be a right accruing. The ease of deanonymizing data in India, where organisational processes are still in the nascent stages of evolution and development, is much greater and therefore a whole new rationale may be required to be introduced.

Conclusion

While foreign court judgements may serve as reference points for Indian courts when looking into and deciding upon concepts under the evolving Indian data protection laws, these will only have persuasive value and work as starting points for Indian jurisprudence around said issues.

The Hon'ble Supreme Court's reasoning as recorded in the case of Internet and Mobile Association of India vs. Reserve Bank of India2, buttresses this viewpoint:

"6.129. The argument that most of the countries except very few like China, Vietnam, Pakistan, Nepal, Bangladesh, UAE, have not imposed a ban (total or partial) may not take the Petitioners anywhere. The list of countries where a ban similar to the one on hand and much more has been imposed discloses a commonality. Almost all countries in the neighborhood of India have adopted the same or similar approach (in essence India is ring fenced). In any case, our judicial decision cannot be colored by what other countries have done or not done. Comparative perspective helps only in relation to principles of judicial decision making and not for testing the validity of an action taken based on the existing statutory scheme." (emphasis supplied)

This judgement was on the question of whether a circular of the Reserve Bank of India ("RBI"), directing entities to neither to deal in virtual currencies nor to provide services for facilitating any person or entity in dealing with or settling virtual currencies, was liable to be set aside on grounds of proportionality. The court further observed:

"6.130. There can also be no comparison with the approach adopted by countries such as UK, US, Japan, Singapore, Australia, New Zealand, Canada etc., as they have developed economies capable of absorbing greater shocks. Indian economic conditions cannot be placed on par. Therefore, we will not test the correctness of the measure taken by RBI on the basis of the approach adopted by other countries, though we have, for better understanding of the complexities of the issues involved, undertaken a survey of how the regulators and courts of other countries have treated VCs." (emphasis supplied)

Thus, it remains to be seen which approach the Indian courts undertake, as and when presented with such impending issues. The courts may look towards foreign jurisprudence but will eventually have to arrive at an interpretation appropriately suited to the Indian context.

Footnotes

1. Section 2(t) of the Digital Personal Data Protection Act, 2023, states:

(t) "personal data" means any data about an individual who is identifiable by or in relation to such data;

2. (2020)10SCC274

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Person photo placeholder
Tushar Ajinkya
Person photo placeholder
Saahil Bijliwala
Person photo placeholder
Tanya Khandelwal
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More