A Comprehensive Overview Of Digital Personal Data Protection Act (DPDPA) 2023: The Future Of Data Pr

AdvoTalks: Talk to Lawyer

  • admin
  • 08 May, 2024

A Comprehensive Overview of the Digital Personal Data Protection Act (DPDPA) 2023: The Future of Data Privacy in India. This article has been written by Syeda Salma Fathima.

In the rapidly evolving digital era, the idea of protecting personal data has gained significant attention. In India, the Digital Personal Data Protection (DPDP) Act, 2023 marks an important milestone and a step towards addressing data privacy and security concerns within the digital ecosystem.

This article sheds some light on the historic legislation that aims to safeguard personal data and privacy in India.

Introduction

India, being the most populated country, has a massive amount of personal data to protect. The expansion of the digital economy has led to a rise in the use of data, and the Government has come up with this Act, whose implementation is crucial for the wellbeing of the country. With the constant advancement of technology, new threats to data protection and data privacy have also evolved.

Article 21 of the Indian Constitution safeguards its people by providing the Right to Live with Personal Liberty, and the Right to Privacy was added under it in 2017. The Supreme Court of India recognized the right to privacy as a constitutionally protected right in the Puttaswamy judgment. The right to privacy is a Fundamental Right, and protection of personal data is an important aspect of it. To ensure data privacy in India, Parliament passed its first legal framework to safeguard individual privacy rights and promote responsible data management practices. It was unveiled in the Official Gazette on August 11, 2023, and will come into effect in mid-2024.

What is The Digital Personal Data Protection (DPDP) Act?

The Digital Personal Data Protection (DPDP) Act, 2023 is an extensive landmark legislation proposed by MeitY that aims to safeguard individual privacy rights and promote responsible data management practices in India.

Evolution of the Digital Personal Data Protection (DPDP) Act

India's DPDPA journey began in the early 2000s with the Information Technology Act, which provided the first formal step into cybersecurity laws. Then, during the 2010s, the rapid growth of the internet and the advancement of the digitalized economy highlighted the need for a framework to protect individuals' data from being misused. In July 2017, the Justice B.N. Srikrishna Committee was formed to examine the issues surrounding data privacy and recommend appropriate safeguards. The Supreme Court's privacy verdict further advanced the process of setting up a data protection framework. The Justice B.N. Srikrishna Committee's 2018 report formed the basis for the first draft of the Data Protection Bill, 2019.

The revised draft of the Personal Data Protection (PDP) Bill was introduced in the Lok Sabha in 2019, with the recommendations of the Srikrishna Committee report, aiming to protect digital and non-digital data. After two years the bill was again presented in Parliament. The new draft was released on July 27, 2023. The Lok Sabha approved the Digital Personal Data Protection Bill on August 7th, 2023. The bill was passed by the Rajya Sabha on August 9th, 2023, which marked the completion of the Parliamentary approval process. The assent of the Hon’ble President was received on August 11th, 2023.

The DPDPA's provisions recognize the right of Data Principals (individuals) to protect their data and introduce obligations on Data Fiduciaries (businesses and organizations) to foster trust, accountability, and transparency. The entire process must be explained in the Privacy Policy of the organization. The key features of the DPDPA 2023 are as follows:

Scope of DPDPA:

The DPDP Act recognizes the rights of the Data Principal to protect their digital personal data collected by the Data Fiduciary in digital form, or in non-digital form and subsequently digitalized. It does not apply to non-digitalized data, data that is publicly available, or data that is processed for personal or domestic purposes.

Territorial jurisdiction

The DPDP Act safeguards personal data processed within or outside of India in connection with providing goods and services to Data Principals within India. The Act requires free and voluntary consent given by the Data Principal to collect their personal data for legitimate interest as the legal basis for processing data by the Data Fiduciary within and outside of India.

The Act restricts cross-border data transfers to certain countries without adequate data protection laws.

Consent

The DPDP Act provides for consent-based and purpose-oriented processing of personal data by the Data Fiduciary. The consent given by the Data Principal must be free, specific, informed, and unconditional, and given through clear affirmative action (pre-ticked boxes will not be valid consent). The Data Fiduciary must ensure that the personal data is processed fairly and the Data Principal's privacy is protected. The Data Principal can access information made available to them in the English language or any other language specified in the Eighth Schedule of the Constitution.

Data Fiduciaries must obtain verifiable consent from the parent or lawful guardian when processing the personal data of a child (an individual below the age of 18 years).

Rights of the Data Principal

There are certain rights granted to the data principal according to the DPDPA 2023.

  1. Right to consent: notice is received from the Data Fiduciary when the personal information is collected.
  2. Right to access the personal data collected by the Data Fiduciary.
  3. Right to correct, delete, or erase the personal data through a Consent Manager designated by the Data Fiduciary.
  4. Right to withdraw the personal data from being shared. The withdrawal process should be as easy as giving consent.
  5. Right to data security: Data Principals can object in case there is any data breach, for grievance redressal.
  6. Right to nominate an individual to exercise the Data Principal's rights on their behalf in the event of their death or incapacitation.

Along with rights, Data Principals also have certain duties: they must not register any false complaint, nor should they furnish false particulars of another person in specified cases. Violation of these duties will be punishable with a penalty of up to INR 10,000.

Obligations of Data Fiduciary

The DPDP Act regulates how the Data Fiduciary processes personal data. As every organization is driven by data, organizations should be aware of the following compliance requirements:

  1. The Data Fiduciary is responsible for the data processing which is done by the Data Processor on behalf of the data fiduciary.
  2. The Data Fiduciary must inform the Data Principals about the Third party with whom they will share the personal data for “legitimate use”.
  3. The Data Fiduciary must stop processing and delete the personal data collected within a reasonable time if the Data Principal withdraws their consent.
  4. The Data Fiduciary must establish a Grievance Redressal Mechanism, where the Data Principal can file complaints regarding the data processing.
  5. The Significant Data Fiduciary must appoint a Data Protection Officer, who shall be responsible for undertaking periodic data audits and Data Protection Impact Assessments (DPIA).
  6. The Data Fiduciary must obtain the consent of the Data Principal if any further changes are made to its Privacy Policy.
  7. In case of non-compliance by the Data Fiduciary, the Data Protection Board (DPB) can issue monetary penalties; the Data Fiduciary will be liable to pay a maximum penalty of up to INR 250 crores (Two Hundred and Fifty Crore).

Establishment of Regulatory Bodies

The Act establishes the Data Protection Board of India and the Appellate Tribunal to oversee data protection compliance and adjudicate disputes. Businesses need to understand the provisions of the Act and ensure compliance to avoid penalties and reputational damage.

Comparison of DPDPA 2023 with other Countries’ data protection policy

A comparison of the DPDP Act with GDPR, PDPA, and HIPAA reveals significant variations and similarities in their scope, data protection obligations, principles, cross-border personal data transfers, consent and notification criteria, data protection agencies, penalties, and exemptions. Although these regulations aim to safeguard personal data and privacy, they operate within unique legal structures suited to their specific regions and industries.

Conclusion:

The Digital Personal Data Protection Act, 2023 (DPDPA) provides an essential framework to protect the privacy of the individuals, thus ensuring better privacy and security for Indian citizens. This act ensures trust in digital transactions and helps build the unfolding digital economy in India. However, many necessary clauses are required to be added to provide clarity and comply with the law. The term “as may be prescribed” in the Act indicates the need for compliance requirements which includes consent, notifying cross-border data transfers, Data Principal Rights etc. This shall help the Entities to lower legal risks, build trust with their partners, and protect the privacy of data principals.

FAQs

  1. Who is a significant data fiduciary?

Ans: Significant Data Fiduciaries (SDFs) are those Data Fiduciaries that the Central Government deems to be processing and managing a large amount of personal and sensitive information, as well as those that may pose a risk to the Data Principal. Significant Data Fiduciaries are subject to additional federal and state regulations which impose strict requirements for the privacy, security, and disclosure of sensitive information over and above the general duties of Data Fiduciaries.

  2. Who is a Data Protection Officer?

Ans: The Data Protection Officer is appointed by the Data Fiduciary and is responsible for addressing the grievance redressal mechanism and ensuring that the Data Fiduciary complies with the DPDP Act.

  3. How long can personal data be retained by the Data Fiduciary under DPDPA 2023?

Ans: The personal data shall be retained by the Data Fiduciary as long as necessary to comply with the law.

  4. What penalty is prescribed under DPDPA 2023 for the Data Fiduciary and the Data Principal?

Ans: In case of non-compliance, the maximum penalty cap for the Data Fiduciary is INR 250 crore and for the Data Principal INR 10,000.

  5. What kind of personal data is protected by DPDPA 2023?

Ans: Data which is collected in digital form, or in non-digital form and subsequently digitalized, is personal data according to DPDPA 2023.

