This Act came into force on August 11, 2023. It was introduced as an initiative to regulate the ever-growing digital realm.
Introduction
In an increasingly digital world, where information flows and interacts at an unprecedented speed, security of personal data has taken centre stage. The mathematician Clive Humby equates the processes of utilization of oil with that of data. Similar to oil, unprocessed data holds potential but lacks immediate utility and needs processing and analysis, similar to refining oil into usable products like gasoline or plastic, to unlock its true worth and drive impactful results.
The digital age demands constant interaction with websites, apps, and services, leaving a trail of our personal information known as personally identifiable information (PII) or personal health information (PHI). This sensitive data requires robust protection. Data privacy regulations and practices aim to address these concerns, ensuring both convenience and security go hand-in-hand.
The introduction of the Digital Personal Data Protection Act, 2023 (“DPDP Act”/ “the said Act”) marks a pivotal moment in India’s journey to establish a framework for safeguarding citizens’ digital and personal data. This attempt by the legislation not only aims to redefine the boundaries of data privacy but also has the potential to reshape the way in which individuals, businesses, and the government interact with data in this digital era.
Brief History of the Act
In 2017, a landmark decision given by the Supreme Court of India established the right to privacy as a fundamental right, enshrined within the broader right to life and liberty. This landmark judgment, known as Justice K.S. Puttaswamy and Anr. vs. Union of India and Ors., specifically recognized the right to informational privacy as an aspect of this fundamental right. However, the details of this right had yet to be defined, including the precise boundaries of its protection and the practical mechanisms needed to enforce it. Following this, the concern of data privacy and protection started taking a legislative form.
The DPDP Act of 2023 isn’t the first attempt at a data privacy law in India. It’s the second iteration introduced in Parliament and the fourth overall. The journey began with the Srikrishna Committee crafting an initial draft in 2018 inspired by international regulations like the General Data Protection Regulation (GDPR). In 2019, the government presented the first bill on Protection of Personal Data, which went through parliamentary review and resulted in a committee report in 2021. Interestingly, that bill was withdrawn, and a new draft called the Digital Personal Data Protection Bill emerged in 2022 for public consultations. This latest draft differed significantly from its predecessors, and it forms the basis of the finalized 2023 law.
Essential features and key highlights
- Applicability.
This Act focuses exclusively on Digital Data and is applicable to digitized personal data or data that was originally non-digital but later digitized. Pseudonymized data, when combined with identifier data identifying the Data Principal, falls under Personal Data and is covered by the said Act. Physical forms, anonymized data, and non-personal data are excluded. Processing personal data within India requires compliance with the said Act, irrespective of the processor’s presence or incorporation in India or the origin of personal data. However, the Act is not only confined to the Indian Territory but also has an overseas reach. The Act extends to personal data processed outside India if it involves goods/services being offered to the residents of India. Along with this, the Act also has certain exemptions. The Act doesn’t apply to personal data used for domestic or personal purposes. The Central Government has the authority to exclude certain Data Fiduciaries and state instrumentalities from protected grounds. Further, publicly available data shared by individuals or legally mandated entities is also out of the scope of this Act.
- Principles of data protection
The DPDP Act enshrines two crucial principles governing the use of personal information:
Purpose Limitation: The processing of personal data is permitted only for predefined, legitimate purposes with the individual’s informed approval and in conformity with provisions of the DPDP Act itself. This prohibits using the personal data for unstated or unauthorized purposes.
Consent is the basis of processing personal data under the Act. The Act (under Section 6) requires consent that is free (in consensus with the provisions of the Law of Contracts in India), specific (having specific and identified lawful purposes), informed (the data fiduciaries must provide the data principals with a notice before or while taking consent), unconditional (providing access to withdrawal mechanisms), unambiguous, and given by an express affirmative action. However, legitimate uses as defined under Section 7 of the Act do not require consent. These include: (i) when data is voluntarily provided for a specific purpose by an individual, (ii) for benefits such as subsidies, certificates, licenses, permits, etc., provided by the State, (iii) employment, (iv) in response to an emergency related to health services or a medical treatment, (vi) for the security and interest of sovereignty, integrity and public order of the country.
Data Minimization: Only the strictly necessary data relevant to the declared purpose can be collected and processed. This prevents excessive data collection that could invade individual privacy and pose security risks.
- Rights And Obligations of the Data Principal
The data principals, i.e., the users/consumers, are entitled to the rights enlisted under Sections 12 through 14. These rights include access to a complete summary of collected data, including who it’s been shared with. Requests can also be raised by individuals for corrections, updates, or even the erasure of data from processing entities like the Data Fiduciaries. Additionally, the Act establishes the right to lodge complaints against data misuse and designate an authority to manage personal data in specific situations. These provisions solidify an individual’s understanding of the manner of utilization and processing of their data and ensure accountability for responsible data handling practices.
The Data Principals, as provided under Section 15, will be obligated to refrain from registering a false/ frivolous complaint, and/or suppressing material information during disclosure of data, and/or furnishing any false particulars, the breach of which will attract Rupees 250 crores worth of penalties.
- Obligations imposed on the Data Fiduciaries
The responsibility for the collection, storage and processing of the data has been given to the Data Fiduciaries. These entities are obligated to secure one’s information, ensure its accuracy, inform authorities of breaches, erase data upon request, appoint dedicated data protection officers, and obtain consent from parents/guardians for children’s information. Further, any data processing that will be detrimental to a child will not be permitted under the Act.
- Exemptions
The Act allows exemptions in specific scenarios. Government agencies may be exempted on grounds of national security concerns, non-individualized researchers may proceed without consent, and specific start-ups or data handlers may have relaxed obligations. Legal matters, international transactions, approved business restructuring, and financial investigations also have potential exemptions under certain defined circumstances.
- The Data Protection Board of India (DPB)
To enforce the DPDP Act, a sturdy DPB wields various powers. The board can react swiftly to data breaches by demanding immediate solutions, investigate and penalize violations, and inspect documents or summon individuals for information. A multi-tiered appeal system has been established, by virtue of which appeals are taken from the DPB to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and, ultimately, to the Supreme Court in the prescribed manner.
In conclusion, the enactment of the said Act marks a significant step forward in India’s efforts to establish robust data protection. By aiming to balance data privacy and seamless circulation of information, the Act reflects the evolving digital landscape. As technology advances, the Data Protection Act’s role in shaping interactions between individuals, businesses and the Government is pivotal. While it represents a significant stride, its refinement through continuous discussions and amendments will be essential.
Overall, the Act signifies India’s commitment to data protection, setting the foundation for responsible data use and digital trust in an ever-changing landscape.