The Digital Personal Data Protection Act, 2023 is a significant addition to Indian legislation aimed at data protection, privacy, and, by extension, cybersecurity. The Act establishes rights and duties concerning personal data in the digital realm and sets out how individual privacy is to be safeguarded. With India's rapid economic growth and increasing reliance on technology, the Act acknowledges the importance of protecting personal information and upholding fundamental rights in the digital era.
In the digital age, your online presence is not just a reflection of yourself; it is an active extension of your identity. If you are reading this, you are likely one of the roughly 820 million Indians active on the Internet today. Your digital footprint is a vital part of your existence, and safeguarding it is central to preserving your dignity, autonomy, and liberty. That makes this a discussion about your fundamental rights, specifically your right to life and personal liberty.
However, recent findings by Tenable, a US-based cybersecurity company, reported that India suffered the second-highest number of breaches from technology exposures in 2022, with around 450 million records compromised. According to the same report, Indian organisations are unable to prevent 42% of cyberattacks. This points to an urgent need to address privacy infringements.
In early 2023 the Indian government allocated INR 600 Crore in its budget to strengthen cybersecurity. In the same year, India joined the countries that have enacted legislation on digital personal data protection. The Digital Personal Data Protection (hereinafter 'DPDP') Act is India's first standalone statute on digital personal data privacy. While the government has said that the compliance rules (the DPDP Rules) will be notified only after the 2024 Lok Sabha elections, this development has been eagerly awaited in a nation with the world's third-largest startup ecosystem and nearly 18% of the global population.
For a country that has long been a hub for innovation and technological advancement, addressing issues like data privacy infringement, data mining, and data scraping has become imperative. Until now, India relied on the Information Technology Act, 2000 and the rules framed under it (notably the 2011 rules on sensitive personal data, the SPDI Rules) to govern the digital realm, which highlights the pressing need for comprehensive and updated legislation to protect the digital space of its vast population.
The right to privacy was held to be a fundamental right under Article 21 of the Constitution of India by a nine-judge bench of the Supreme Court in K.S. Puttaswamy v. Union of India (2017), the litigation popularly associated with the Aadhaar judgement.
The DPDP Act applies to "digital personal data", meaning personal data collected in digital form, or collected in non-digital form and digitised subsequently. It also reaches processing that takes place outside India, so long as that processing is connected with offering goods or services to data principals within India (a data principal is the individual to whom the personal data relates; a data fiduciary is whoever determines the purpose and means of processing it). However, personal data processed by an individual for any personal or domestic purpose, and personal data made publicly available either by the data principal or by someone under a legal obligation to publish it, fall outside the Act. In practice, this means that if I share personal information on this blog, I cannot claim protection under the DPDP Act for that information.
The legislation's key provisions include the rights of data principals, the duties of data fiduciaries, consent and the "certain legitimate uses" for which data may be processed without it, the grounds for processing personal data, and the rules on transferring such data outside the country. The rights and duties of a data principal with respect to the personal data they provide to a data fiduciary are discussed below.
RIGHTS & DUTIES AS A DATA PRINCIPAL
As a data principal, you have the right to be informed about how a data fiduciary uses your data, including the purpose of the processing. In the event of a personal data breach, the data fiduciary is obligated to inform you promptly. You also have the right to have inaccuracies in the personal data you provided corrected, and to request its erasure at any time, unless the fiduciary is required by law to retain it.
You can nominate another individual to exercise your rights on your behalf (for example, in the event of death or incapacity). If you are dissatisfied with how your data is being handled, you can first seek grievance redressal from the data fiduciary itself and, having exhausted that route, approach the Data Protection Board of India.
With rights come responsibilities. When providing personal data to a data fiduciary, you must not impersonate another person or suppress material information. This matters especially when exercising your right to correction or erasure. And while the DPDP Act lets you file complaints with the Data Protection Board, you must not register false or frivolous complaints.
A data principal who breaches these duties may be fined up to INR 10,000.
YOUR ROLE AS A DATA FIDUCIARY
As a Data Fiduciary, you determine the purpose and means of processing personal data. Your primary responsibility is compliance with the DPDP Act, whether you process digital personal data yourself or engage a third party (a data processor) to do so on your behalf; the accountability remains yours. This includes giving clear, concise, and complete notices to the data principals, the individuals to whom the data pertains.
Key Responsibilities:
- Notice Requirements: The Act requires the data fiduciary to give notice before or at the time of seeking consent from a data principal. The notice must describe the personal data to be collected and the purpose of processing it, and explain how the data principal can exercise their rights and make a complaint to the Board. The consent request should also carry the contact details of the Data Protection Officer or another person authorised to respond to the data principal.
- Lawful Processing: Personal data may be processed only for a lawful purpose, and either with the data principal's consent or for one of the "certain legitimate uses" the Act lists. Consent must be free, specific, informed, unconditional, and unambiguous, and given through a clear affirmative action. It can be withdrawn at any time, with the ease of withdrawal comparable to the ease of giving it; withdrawal does not affect the legality of processing carried out before it.
- Ensuring Accuracy and Completeness: Where the personal data is likely to be used to make a decision affecting the data principal, or is to be disclosed to another fiduciary, you must ensure it is accurate, complete, and consistent. Process only the data consented to, and only for the specified purpose. Erase the data once that purpose is served or consent is withdrawn, unless retention is required by law.
- Technical and Organizational Measures: Implement reasonable security safeguards, along with the technical and organisational measures needed to comply with the Act. Any personal data breach must be reported to both the Data Protection Board and the affected data principals, in the form and manner the DPDP Rules will prescribe.
- Penalties for Non-Compliance: Penalties are tiered. Failure to take reasonable security safeguards carries the highest penalty, up to INR 250 Crore; failure to notify a breach, or breach of the additional obligations concerning children, up to INR 200 Crore; and any other contravention of the Act, including a defective notice, up to INR 50 Crore.
Additional Considerations:
- Limited Consent: If the consent a Data Fiduciary obtains goes beyond what is necessary for the specified purpose, the consent is treated as limited to that necessary extent, and the excess personal data may not be processed. For example, if you allow an online clothing platform access to both your contact list and your address, only the information needed to complete the task, i.e. your address for delivering the goods, may be processed.
- Penalties for Breach: Breach of the additional obligations concerning children, or failure to notify the Board and affected data principals of a personal data breach, may incur penalties of up to INR 200 Crore under the DPDP Act; breach of the additional obligations imposed on significant data fiduciaries may incur up to INR 150 Crore.
I also spoke on the Digital Personal Data Protection Act 2023 at WordCamp Mumbai.
In summary, the Digital Personal Data Protection Act, 2023 is a pivotal response to the pressing need to safeguard the privacy and rights of individuals over their digital personal data in India. Drawing inspiration from the GDPR in Europe, it marks a significant milestone in closing long-standing gaps in the country's data protection regime.
While the DPDPA addresses several urgent issues and is a first step towards a protected space for personal data processing, there are lingering concerns and unanswered questions. The legislation leaves certain areas, such as Generative AI and the scraping of data from public spaces, unaddressed, and these need further deliberation. In addition, the power to designate a data fiduciary as a "significant data fiduciary", and decisions on restricting the transfer of Indians' personal data to particular countries, have been reserved to the central government.
This concentration of powers with the central government also raises apprehensions about the potential arbitrary use of personal data for political purposes. Recent incidents, such as messages circulated on platforms like WhatsApp during election campaigns, underscore why such concerns need to be addressed to safeguard individual privacy and democratic principles.
As the DPDP Rules are to be notified only after the Lok Sabha elections, it becomes imperative to monitor and review their implications. The evolution of data protection law in India must prioritise the preservation of individual rights and democratic values in the digital age. Time will tell how effectively the DPDPA balances data protection against governmental powers, and whether personal data remains shielded from misuse and exploitation.