The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant
milestone in India's journey towards safeguarding individual privacy in the
digital age. This Act, passed after years of deliberation and numerous draft
iterations, promises to reshape the data landscape in the country. To fully
grasp the significance of this legislation, we must delve into its historical
context, examining the evolution of data protection bills in India and their
eventual culmination in the current Act.
The Genesis of Data Protection Legislation:
India's journey towards a comprehensive data protection law began in the early
2010s. The rapid growth of the internet and the burgeoning digital economy
highlighted the need for a framework to protect individuals' personal data from
misuse. In 2011, the Justice Srikrishna Committee was formed to examine the
issues surrounding data privacy and recommend appropriate safeguards. The
committee's 2018 report formed the basis for the first draft of the Data
Protection Bill, 2019.
The Road to the DPDP Act:
The Data Protection Bill, 2019, sparked widespread debate and underwent
numerous revisions. Concerns regarding government access to data, the potential
impact on innovation and economic growth, and the need for stronger data
localization requirements were amongst the key points of contention. The Joint
Parliamentary Committee (JPC) constituted in 2019 reviewed the bill extensively
and submitted its report in 2021. The JPC's recommendations addressed several of
the original concerns, paving the way for the revised Digital Personal Data
Protection Bill, 2022.
The DPDP Act: Key Features and Implications:
The DPDP Act, 2023, builds upon the foundations laid by the previous drafts. It
grants individuals significant control over their personal data, including the
right to access, rectification, erasure, and restriction of processing. The Act
also imposes stringent obligations on data fiduciaries, such as corporations and
government agencies, to ensure the lawful and ethical handling of personal data.
Key features of the DPDP Act include:
- Classification of Personal Data: The Act classifies personal data into "personal data" and "sensitive personal data," with the latter requiring stricter protection.
- Data Principal Rights: Individuals have the right to access, rectify, erase, restrict processing, and object to the processing of their personal data.
- Data Fiduciary Obligations: Data fiduciaries must obtain informed consent, implement robust security measures, and adhere to data minimization and retention principles.
- Cross-border Data Transfers: The Act restricts the transfer of personal data to certain countries without adequate data protection laws.
- Establishment of Regulatory Bodies: The Act establishes the Data Protection Board of India and the Appellate Tribunal to oversee data protection compliance and adjudicate disputes.
Analysis and Implications:
The DPDP Act represents a significant step forward in protecting individual privacy in India. It empowers individuals with greater control over their data and imposes accountability on data fiduciaries. However, the Act's effectiveness will depend on its implementation and enforcement. Key challenges ahead include:
- Building Capacity: The Data Protection Board of India will require adequate resources and skilled personnel to effectively regulate the vast and complex data landscape.
- Balancing Interests: The Act must strike a balance between protecting individual privacy and enabling innovation and economic growth.
- International Harmonization: India's data protection regime needs to be compatible with international standards to facilitate cross-border data flows and promote global trade.
The DPDP Act, 2023, marks a new era for data protection in India. Its impact on
individuals, corporations, and the digital economy will unfold in the years to
come. Ongoing monitoring, analysis, and adaptation will be crucial to ensuring
that the Act fulfills its intended purpose of protecting individual privacy
while fostering a thriving digital economy.
In 2017, the B.N. Srikrishna Committee, headed by retired Supreme Court judge
B.N. Srikrishna, was constituted to deliberate on a data protection framework.
This committee was formed to draft a regulatory framework on personal data
protection in India. In the same year, the right to privacy was declared a
fundamental right under the Constitution of India by the Supreme Court of India
in K.S. Puttaswamy v. Union of India (2017).
Beginning of the Data Protection Act
In July 2018, the B.N. Srikrishna Committee submitted a draft report titled "A
Free and Fair Digital Economy: Protecting Privacy, Empowering Indians" to the
Ministry of Electronics and Information Technology, together with the Draft
Personal Data Protection Bill, 2018. This proposed bill is similar to the
European Union's General Data Protection Regulation (GDPR), the regulation
governing data protection in the European Union.
Analysis of the Draft Personal Data Protection Bill, 2018
This draft was proposed by the B.N. Srikrishna Committee.
- The proposed Bill centres data sharing on individual consent, grants users rights, and places duties on data fiduciaries (any persons, companies, or government entities that process data). Individual consent is a lawful basis for processing data, and data fiduciaries are liable for harm caused to the personal data of a data principal.
- The right to be forgotten is a major point in this draft. It gives individuals the power to restrict, remove, delink, or amend the disclosure of inaccurate, humiliating, irrelevant, or outdated personal information online.
- A Data Protection Authority (DPA) will be constituted as an independent regulatory body to implement the law strictly in India.
DPA Functions:
- Enforcing and monitoring the personal data protection law.
- Legal policy, affairs, and standard-setting for the framework.
- Spreading awareness and conducting research on evolving technology.
- Handling grievances, inquiring into grievances, and adjudication.
- The law will apply to all public and private entities that process personal
data in India. If personal data has been acquired, utilised, exchanged,
disclosed, or otherwise processed within India, the law will have jurisdiction
over such processing. Important personal information belonging to Indian
nationals is to be handled within India.
Sensitive personal data includes passwords, financial information, health
information, official identifiers, information about one's sexual life or sexual
orientation, biometric and genetic information, and information revealing one's
transgender or intersex status, caste, tribe, or religious or political
affiliations. Nonetheless, the DPA will have residual authority to notify
additional categories under the established law. Likewise, regardless of where
in India the personal data is handled, it will be protected if it is gathered,
utilised, shared, revealed, or otherwise processed by entities established under
Indian law.
The Central Government may, however, exempt entities that solely handle the
personal data of foreign companies with no physical presence in India from the
data protection legislation. The bill mandates that data collected by companies
be stored strictly in India.
- The order of the DPA is subject to appeal. An appellate tribunal will be set
up to decide appeals against DPA orders, or that power will be given to an
existing tribunal.
- Those who violate the data protection law may face penalties. Penalties up to
a predetermined maximum limit or a proportion of the global turnover of the
previous fiscal year would apply, whichever is greater.
As per the Committee's suggestion, any data-gathering or processing entity that
violates the terms faces a penalty of Rs. 15 crore or 4% of its entire worldwide
revenue. Penalties for failing to respond quickly to a data security breach can
exceed Rs. 5 crore or 2% of its turnover.
These penalties, paid by the violating entities, will be deposited in a Data
Protection Fund and used for the welfare and functioning of the DPA.
- Obligations on Fiduciaries under this Law:
- Stored data should only be used for clear, specific, and lawful purposes.
- Only data necessary for the purpose will be stored.
Fiduciaries have a duty to ensure user safety through openness and security
measures; a data protection impact assessment is conducted before new
technologies are introduced; data auditors audit data policies; and data
protection officers are part of the team.
- The Act would cover data processors that are not physically present in India
as well as those that conduct business there or engage in other activities, such
as profiling, that can endanger the privacy of data principals there.
- This law will not have retrospective effect.
- The Committee's report also considered the impact of this legal framework on other laws in India, mainly the Aadhaar Act and the RTI Act, which require personal data for different purposes.
- The Committee noted that the Aadhaar Act makes no mention of the power of the UIDAI to take action against a wrongdoer (the respective company). The Aadhaar Act should be amended to strengthen data protection in India.
- The Committee recommended amending the RTI Act to strengthen data protection, as the disclosure of information by public authorities could cause private harm.
- Exceptions in this Act:
- Public welfare
- Law and Order
- Emergency situations where an individual is not in a stage of providing consent to State.
- Employment
- Reasonable purposes
- Security of State
- Legal Proceedings
- Research and journalistic purposes, but the data taken should not be misused.
- Cross-Border Data Transfer: the transfer of data between servers across country borders.
Transfer of personal data other than critical personal data is allowed, subject to a key contractual obligation that the transferor will be liable if the data is misused or any harm is caused to the data principal by the transferee.
Critical personal data can only be processed in India and is not subject to cross-border data transfer.
- The Committee showed particular interest in recommending the protection of children's data by prohibiting companies from activities such as monitoring and tracking a child's activities, targeted advertising, and any other type of processing that is not in the interest of the child.
- The DPA has authority to designate online service providers or websites that process large amounts of children's personal data as guardian data fiduciaries.
- The Committee stated that this strategy, which places the burden of appropriately handling a child's data on the company, is better than the current regulatory strategy, which depends mostly on a system of parental approval.
Parental consent can easily be disregarded. Without fulfilling the intended goal of protection, it risks inciting children to fabricate their age.
Concerns raised on the Draft Personal Data Protection Bill, 2018:
- Despite addressing a number of the problems that the Indian data ecosystem is facing, the draft law lacks several fundamental ideas that form the foundation of a strong data security regime.
- According to the bill, any governmental function may be carried out through the processing of an individual's personal data. As long as the person is the beneficiary or receives a service, this can be done without their consent. This obviously contradicts the Puttaswamy ruling of 2017, which outlined informed consent as essential to informational privacy.
- The draft bill neglects important matters, one of which is the reform of surveillance legislation. There is very little legal and judicial control over surveillance carried out in India.
- The Bill's requirement that all companies retain their data in India, without changing the country's surveillance administration, might eventually lead to even more serious privacy problems.
The Government made a few revisions to address the shortcomings in the draft
bill and introduced the Personal Data Protection Bill in 2019 (after making
changes to the Committee's draft).
Analysis of the Draft Personal Data Protection Bill, 2019
This bill was brought to establish a framework for organisational and technical
measures in data processing; lay down standards for social media intermediaries,
cross-border transfer, accountability of entities processing personal data, and
remedies for unauthorised and harmful processing; provide for the protection of
individuals' personal data; specify the flow and usage of personal data; build
trust between individuals and the entities processing their personal data; and
protect their data, which is a fundamental right.
The Bill requires data protection from the majority of companies operating in
India. In addition to technology, e-commerce, and social media firms, the bill
also targets the real estate, healthcare, brick-and-mortar, and pharmaceutical
industries. This Bill is similar to other general data protection regulations
such as the GDPR, PIPEDA, CCPA, the SHIELD Act, and FIPA.
Key objectives of the Bill:
- The right to privacy is a fundamental right, and the protection of personal
data is an important aspect of it.
- The expansion of the digital economy has led to an increase in the use of data
as a vital tool for interpersonal connection.
- To ensure empowerment, advancement, and innovation through digital governance
and inclusion, and for matters related or incidental to it, it is important to
establish a collective culture that supports a free and equitable digital
economy while protecting individuals' right to privacy over their personal
information.
The Bill seeks to take the place of the provisions of the Information Technology
Act, 2000 (Section 43-A) pertaining to the compensation that businesses must pay
for breaches of data privacy and other data security breaches.
According to the Bill:
- Before processing a data principal's data, data fiduciaries and processors must have their consent (a data fiduciary is any person, entity, the State, a company, or any individual who, alone or in collaboration with others, determines the purpose and means of processing the personal data). Exceptions to consent:
- There are several circumstances under the bill in which data fiduciaries are exempt from obtaining consent to gather personal data about Indian individuals. Consent exemptions apply, for example, when the State or other organisations carry out court-mandated compliance, law enforcement, public benefit or service provision, or respond to a medical emergency.
- To collect children's data, data collectors should obtain the permission of their parents or guardians.
- Duties of data fiduciaries and data processors:
- Should notify data principals when collecting their data.
- Should seek consent from the data principal for the processing of data about the data subject.
- Should collect and retain evidence that the notice was served and consent was taken from the data principal.
- Should allow consumers to withdraw their consent and to correct or erase their data.
- Consumers should be allowed to transfer their data.
- Should bring about organisational changes, in step with a changing society, to protect the data by following privacy rules.
- Sensitive data (confidential information that must be kept safe and out of reach of all outsiders) should only be stored within India, and critical data (data that must be retained for regulatory purposes) should not be shared outside India.
- The DPA will consider a data fiduciary a significant data fiduciary based on the following factors:
- Amount of personal data processed by them.
- Sensitivity of the personal data they are processing.
- Turnover of the respective data fiduciary.
- Risk of harm to the principal from data processing by the data fiduciary.
- Technology used to process the data.
- Other factors that cause harm from the processing of data.
- Data fiduciaries should adopt other ways to protect personal data, such as conducting audits by appointing capable officers.
- In case of a data breach, the concerned data fiduciary should inform the DPA as soon as possible if the breach may cause harm to the data principal, and the DPA may also direct the responsible data fiduciary to notify the data breach on its website.
- This bill also included rules related to non-personal data. According to the bill, any business may be required by the government to provide useful non-personal data to it, such as aggregated mobility data gathered by Uber or Google Maps.
- Division of data according to the Personal Data Protection Bill, 2019:
- According to the Bill, personal data is classified into two types: sensitive data and non-sensitive data. General data protection laws are gaining importance all over the world, so personal data is considered sensitive data.
- Personal data: data related to characteristics, traits, or attributes, essentially data that helps identify an individual, is called personal data.
- Non-personal data: on the other hand, aggregated data that cannot identify a specific person is considered non-personal data.
- Let's understand this with an example: a person's location would be deemed personal data, while information gathered from hundreds of individual locations, such as data used to examine traffic patterns, is not.
- The bill grants the DPA the authority to impose fines on any company that violates its provisions or any rules established by the DPA or the Indian government. The maximum penalty mentioned in the bill for violating the rules is 150 million Indian rupees or 4 percent of the respective company's global turnover for the previous financial year.
Major Criticisms of this Bill:
- Section 35 of this bill gives the government supreme power to process data
without the consent of the individual where "necessary or expedient" in the
"interests of sovereignty and integrity of India, national security, friendly
relations with foreign states, and public order."
- In this bill the government has removed the safeguards. That is most
dangerous. The government can at any time access private data or government
agency data on grounds of sovereignty or public order. This has dangerous
implications.
- There are many loopholes in this bill which may bring many problems in the
future for users and companies.
This Personal Data Protection Bill, 2019 was withdrawn by the Central Government
because the Joint Committee of Parliament (JCP) suggested 81 amendments and 12
recommendations in 2021, with a new Draft Data Protection Bill, 2021, after the
delay caused by the pandemic. In 2022, the Central Government, after taking the
JCP's recommendations into consideration, decided to withdraw the bill and bring
a new bill with a comprehensive legal framework.
In 2022, a new draft, the Digital Personal Data Protection Bill, 2022, was
released for public consultation. The public's feedback on this bill was not
made public.
In 2023, the Indian government introduced the Digital Personal Data Protection
Bill, and this time the Bill became an Act with the President's assent on Aug
11, 2023.
Analysis of the Digital Personal Data Protection Act, 2023
After the President of India's assent on August 11, 2023, the Digital Personal
Data Protection Act, 2023 (also known as the "DPDP Act") was notified and
published in the Official Gazette of India.
- The DPDP Act was brought in to govern digital personal data in India. It
governs the protection of digital personal data in two forms:
- Data collected from data principals in digital format.
- Data collected (initially) in non-digital format and later converted into
digital format.
This makes clear that the DPDP Act will not apply to the processing of
non-digital data. In addition, the law's purview has been expanded: it now
applies extraterritorially to the processing of digital personal data outside
India's boundaries as long as it is related to offering goods or services to
data principals based there.
Interestingly, the DPDP Act does not state clearly
whether processing of personal data belonging to data principals located outside
of India is covered by its provisions. The DPDP Act has a more expansive
approach than the GDPR, which restricts its application to the processing of
personal data of people who are physically present in the EU or who are citizens
of the EU.
The DPDP Act does not restrict the meaning of "data principal" to
those who are Indian nationals or to those who are just inside India's borders.
This can cause confusion about the entire range of the DPDP Act's authority. The
clarification of this uncertainty about the extraterritorial applicability of
the DPDP Act would presumably come from the Central Government in the form of
rules created under the Act.
- In the DPDP Act, a clear emphasis is placed on adjusting to the changing needs
of start-ups. Apart from the exclusions allowed to the State, its agencies, and
research and statistical purposes, the DPDP Act presents a customised strategy
by providing specific sections that might potentially exempt start-ups. This
strategic initiative aims to foster innovation while adhering to strong data
protection norms, considering the unique challenges and dynamic nature of
start-ups.
- The DPDP Act requires data fiduciaries to protect the personal data under
their control by putting in place "reasonable security measures" to avoid
breaches. The data fiduciary is required to notify the Board and the affected
data principals in the event of a data breach.
The precise notification method is not mentioned in the Act. Though presently
covered by the Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)
and Section 43A of the IT Act, the precise definition of "reasonable security
measures" is not specified in the DPDP Act. Nevertheless, serious consequences
follow for non-compliance that leads to a breach of personal data.
- Processing of Personal Data under this Act:
The DPDP Act carefully defines "processing" as "a wholly or partly automated
operation or set of operations performed on digital personal data". This broad
term covers a wide range of activities, such as gathering, logging, organising,
structuring, storing, modifying, retrieving, using, aligning, combining,
indexing, sharing, and disclosing via transmission or another method. In
addition, the term also includes actions such as restricting, erasing, or
destroying data.
Processing the Data of a Child:
Although the DPDP Act does not specifically define "verifiable" consent, it does
require parental consent that can be verified. If the processing is deemed safe,
the Central Government may lower the age at which parental consent is required
for specific data fiduciaries, exempting them from this obligation. Furthermore,
data fiduciaries must refrain from processing personal data in a way that might
be harmful to a child's well-being.
The transfer of personal data to countries outside India is also permitted under
the DPDP Act, unless explicitly restricted by the Central Government.
It is interesting to observe how closely the concept of "processing" matches the
GDPR's definition. A minor difference does exist, though, in that the DPDP Act
limits the scope of processing to "automated" operations alone, whereas the
GDPR's definition includes both automated and particular non-automated
procedures. Despite its apparent subtlety, this distinction may have significant
implications for the data processing industry, requiring a thorough examination
of its possible practical impacts.
A few areas of personal data processing were listed in the 2022 Bill as being
outside its scope. Apart from the exclusion pertaining to personal data
processed by an individual for domestic or personal purposes, the DPDP Act, in
contrast, removes most of the exclusions proposed by the 2022 Bill. Moreover,
the DPDP Act adds another exception, removing from its purview any personal data
that has been made publicly available by the data principal or by any other
entity required by Indian law to make such information publicly available.
- Data principal as per the DPDP Act:
The term "data principal" has become much more expansive. It includes not only
individuals, but also the parents or legal guardians of minors to whom the
personal data relates. Furthermore, the term has been expanded to include the
legal guardians of persons with disabilities, although there is no clear
definition of "person with disability" in the DPDPB.
- Rights of the Data Principal:
- Right to information about their personal data.
Data principals are entitled to a description of the categories of personal data shared, the identities of the entities with whom their data has been shared, and a summary of the personal data processed.
- Right to correct and erase their personal data.
Data principals have the right to request that any personal data handled by a data fiduciary be updated, corrected, completed, or erased. The data fiduciary is required to update and modify the data as needed. If retention is mandated by law, erasure may be refused. The DPDP Act also requires the data principal, when exercising their right to erasure, to provide only authentic information, and to refrain from using false information or impersonating someone else when requesting any kind of record or evidence from the State.
- Right to grievance redressal.
- Right to nominate.
A data principal has the right to nominate an individual to exercise their rights over the personal data after the death of the data principal.
- Data fiduciary as per the DPDP Act:
- A "data fiduciary" is a person, business, or other organisation that decides why and how to process personal data.
- Certain "legitimate uses" that allow data fiduciaries to process personal data without express consent are outlined in the DPDP Act. One such situation is when a data principal voluntarily provides personal data when requesting or using a service and does not explicitly indicate that they do not consent. In circumstances involving contracts or civil disputes, legitimate use also includes processing data in accordance with foreign or Indian laws.
- When it is reasonable to assume that the purpose for which the data was obtained is no longer being served and its retention is no longer necessary for legal or business purposes, data fiduciaries are also expected to stop retaining personal data.
- The DPDP Act restricts data fiduciaries from tracking or monitoring children's behaviour, or running targeted advertisements aimed at minors. This ban, which was once limited to "guardian" data fiduciaries, now covers all kinds of data fiduciaries. This highlights the DPDP Act's commitment to preserving children's digital well-being by defending their privacy and forbidding their exploitation for profit.
- Significant Data Fiduciaries:
The Central Government is authorised by the DPDP Act to designate specific data fiduciaries or groups of them as "significant data fiduciaries." Data volume, sensitivity, risk to data principals, electoral democracy, and state security are some of the criteria that determine this categorisation.
The government was permitted to take into account "other factors" under the 2022 Bill; however, this has since been removed.
Significant data fiduciaries are required to fulfil 'extra' responsibilities, including:
- Designating an India-based data protection officer.
- Hiring an outside data auditor to assess compliance.
- Performing impact analyses on data security.
- Going through regular compliance audits.
Penalties for breaking these commitments can be severe and go up to INR 250 crore.
- Data Fiduciary - Consent:
Data fiduciaries are only permitted to process personal data for legitimate
purposes after obtaining consent. This consent needs to be free, specific,
informed, and unconditional. To indicate consent for the processing of their
personal data for the intended and required purpose, the data principal must
express their approval in agreement.
A request for consent should fulfil the following criteria:
Request Guidelines:
i. Easy-to-read format
- The option to view the request in any of the 22 languages in the Eighth Schedule of the Indian Constitution or in English.
ii. Contact information
- Contact details for the data protection officer or an authorised representative must be included for communication purposes.
iii. Detailed notice elements
- An explanation of the personal data to be gathered and the purpose of its processing.
- An explanation of the data principal's rights, including the ability to rectify information, withdraw consent, and file complaints with the Board.
- Detailed instructions on how to file a complaint with the Board.
Where consent was granted before the DPDP Act was passed, the data fiduciary is
required to provide this notice "as soon as it is reasonably practicable." The
notice must be given to the data principal in plain English, electronically,
via a separate document, or in accordance with the guidelines.
- Data Principal - Consent:
According to the DPDP Act, data principals may use a "consent manager" to
give, manage, review, or withdraw their consent. These Board-registered consent
managers provide easily accessible, transparent, and interoperable consent
management tools. The exact responsibilities and role of consent managers are
not yet known, nor is it clear whether all data fiduciaries are required to
communicate with them in order to obtain consent, or by what methods consent
managers carry out their duties. Additionally, data principals are always free
to withdraw their consent. Such a withdrawal has no impact on the validity of
previous consent-based data processing. Unless retention is mandated by relevant
regulations, the data fiduciary and its processors must erase the personal data
and stop processing it upon withdrawal.
- Parental Consent
The term "consent of the parent" is introduced by the DPDP Act, and it includes,
if appropriate, the consent of a legal guardian.
- What is the Data Protection Board:
Among the noteworthy modifications made in the DPDP Act, the most important
concerns the creation and composition of the Board. Under the 2022 Bill, the
establishment of the Board was subject to forthcoming rules to be issued by the
Central Government. The new version, by contrast, clearly lays out the
foundation for the Board's constitution. Furthermore, substantial changes have
been made to the Central Government's rule-making power and to the particular
circumstances in which organisations might avoid complying with the Act's
requirements.
- Dispute Resolution:
- A major change in the field of dispute resolution is brought about by the
DPDP Act, reflecting the complex interaction between the legislative framework
and well-established legal systems.
- One difference is that the Board has the authority to impose the financial
penalties listed in the Schedule. The 2022 Bill included a maximum penalty limit
of Rs. 500 crore, which has been removed, indicating a purposeful recalibration
of penalty imposition. This recalibration shows a careful methodology that
aligns fines with the seriousness of violations, exemplifying the
proportionality principle. The Telecom Disputes Settlement and Appellate
Tribunal also brings a dramatic transformation to the appeal procedure. This
modification streamlines the procedure by defining a clear 60-day window for
appeals against the Board's rulings.
- Penalties to be Imposed:
Schedule 5, Digital Personal Data Protection Act, 2023: penalties for specific
breaches, such as failing to prevent a breach of personal data, can reach an
incredible INR 250 crore. The INR 500 crore ceiling on fines for a single
occurrence was removed by the DPDP Act. The DPDP Act, in contrast to earlier
drafts, prohibits affected data principals from suing data fiduciaries for
breaches. Rather, in the event that data principals fail to perform their
obligations, the Board may now impose fines of up to INR 10,000.
Concerns on Digital Personal Data Protection Act, 2023:
Not all is as it seems, despite the DPDP Act receiving appreciation for its
ability to function as a stand-alone data protection framework. The fact that
the Central Government still has the authority to decide on a number of DPDP Act
clauses raises concerns. This feature brings up legitimate worries about the
possibility of arbitrary and unrestrained rule-making, which can result in
misunderstandings and possible flaws in the regulatory system. Furthermore, it
is odd that the DPDP Act places obligations on data principals for a piece of
legislation meant to safeguard their rights.
The DPDP Act retains the same power to grant exemptions to the Central Government
as the 2022 Bill. Nevertheless, these exemptions have been expanded even further
in this version, maintaining the lack of meaningful standards to prevent overly
broad monitoring operations. Additionally, the Central Government is still able
to exempt individual data fiduciaries or classes of data fiduciaries, including
start-ups, from specific provisions. Section 17(3) of the Digital Personal Data
Protection Act, 2023 defines a startup as "A private limited company,
partnership firm, or limited liability partnership incorporated in India, which
is eligible to be and is recognised as such in accordance with the criteria and
process notified by the department to which matters relating to startups are
allocated in the Central Government".
The 2022 Bill did not give data principals an option to refuse; instead, it
empowered the Central Government to presume their consent in specific
circumstances. This clause has been retained in the DPDP Act and is now referred
to as "certain legitimate uses."
Establishing a transition period is essential to enable firms to adjust smoothly.
Data fiduciaries may need to make major modifications as a result of the DPDP
Act's new, strict requirements. Without a transition period, there may be
widespread non-compliance with the DPDP Act. Giving companies enough time to
adjust their procedures and comply with the provisions of the DPDP Act will help
to minimize any potential disruption and ensure a smooth transition to the
new data protection environment.
Conclusion:
The Digital Personal Data Protection Act (DPDP Act) of 2023 undoubtedly marks a
crucial step in India's journey towards safeguarding individual privacy in the
digital age. While it is not without its flaws and limitations, the Act
undeniably strengthens data protection in the country, empowering individuals
with greater control over their personal information and holding data
fiduciaries accountable for its ethical handling.
The Act's emphasis on user consent, data minimization, and individual rights
empowers citizens to make informed decisions about their data and hold
institutions responsible for its misuse. This shift in power dynamics fosters
greater transparency and builds trust within the data ecosystem, ultimately
benefiting both individuals and businesses.
The DPDP Act's impact transcends individual privacy. By establishing clear data
governance standards, it promotes responsible data practices that are essential
for fostering innovation and economic growth. This fosters a conducive
environment for businesses to operate efficiently, compete effectively, and
contribute to the nation's economic development.
Despite its positive contributions, the Act's implementation and enforcement
require ongoing attention. Building a robust regulatory framework and addressing
concerns regarding government access to data will be crucial in ensuring its
effectiveness. Adapting the Act to the evolving digital landscape will also be
vital in maintaining its relevance and effectiveness.
The DPDP Act, despite its limitations, represents a significant step forward for
data protection in India. It balances individual privacy rights with the need
for a thriving digital economy, offering a framework for responsible data
practices that benefit both citizens and businesses. By continuously addressing
challenges and adapting to the changing landscape, the Act can solidify its
position as a cornerstone of India's digital future, ensuring that personal data
is protected while innovation and progress continue to flourish.