In today’s world, where countries are developing rapidly and each is striving for its own identity, technological development plays a major role in a country’s progress, and a digital economy is essential for such growth. Nowadays almost everyone in the country knows how to use technology, which can be put to fair and lawful use or to unlawful use. The data of every person is digitalized in one way or another. So there is a need to protect the data of individuals from misuse, and to do so the Indian government has brought in an act called the Digital Personal Data Protection Act, 2023. This article covers how the data protection bill was passed and what changes were made in the evolution from the Draft Personal Data Protection Bill, 2018 to the Digital Personal Data Protection Act, 2023. It also includes an analysis of the DPDP Act. The Digital Personal Data Protection Act aims to establish comprehensive safeguards for individuals’ digital information. The legislation focuses on regulating the collection, storage, and processing of personal data by entities operating in digital domains. It addresses concerns related to data breaches and unauthorized access and ensures transparency in data handling practices. It lays down stringent measures for data controllers and processors to adhere to and empowers individuals with greater control over their digital information. The act fosters a secure digital environment while balancing the privacy rights of individuals. This article also includes a comparative analysis of the DPDP Act with the data protection laws of some other countries and of how the DPDP Act has affected the right to information.
KEYWORDS: Personal Data, Data Fiduciary, Data Processor, Data Principal, Processing
INTRODUCTION:
The Bill provides for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto. The Union Cabinet approved the Digital Personal Data Protection Bill on July 5, and during the Monsoon Session it was presented before Parliament on July 20, 2023. Later, it was passed in the Lok Sabha and received assent on August 7th, and it was then approved by the Rajya Sabha on 9th August, 2023. After receiving the assent of both houses the bill was presented before the President and was approved on 11th August, 2023, when the bill officially became an act, i.e. the Digital Personal Data Protection Act, 2023.
The Bill was introduced in the Lok Sabha nearly six years after the Puttaswamy case judgement, in which the Supreme Court held that privacy is a Fundamental Right under the Constitution. Even though the Right to Privacy is not explicitly mentioned under Article 21, it is an implied right given to the citizens of the country. The bill was first introduced in the Lok Sabha as a financial bill, but Ashwini Vaishnaw, the Minister of Electronics and Information Technology, denied that the bill was a money bill. Government sources confirmed that it is an ordinary bill and needs the approval of both houses, whereas for a money bill only the approval of the Lok Sabha is required.
This act holds entities responsible for the protection of the personal data of citizens, whether that data sits in a mobile app, a business, or entries made in a book that are later digitalized. The legislation ensures transparency in an entity’s operations as to what individual data is used, and the entity is answerable in case of a breach in handling personal data. Personal data must be used for lawful means; it can be used without consent if the data was provided voluntarily, and the data provided must be accurate, without any false information. The bill grants certain rights to individuals, such as obtaining information, seeking correction, and grievance redressal. Data fiduciaries are the entities liable to secure the data and to delete it once the purpose is fulfilled.
Research Methodology:
This paper is descriptive, and the research is based on secondary sources for a deep analysis of the Digital Personal Data Protection Act in India. Secondary sources of information such as newspapers and websites are used for the research.
LITERATURE REVIEW
The hacking and leakage of public data was a major trigger for the development of this act. On June 12, 2023 the government’s CoWIN portal was leaked: the data of individuals who had registered for COVID-19 vaccines was accessed, reportedly affecting over a billion people over 18 months, and was sold for cryptocurrency. The data breaches of 2021 and 2022 had already raised concerns about India’s cybersecurity system. By contrast, under the General Data Protection Regulation, Meta was fined 1.2 billion euros by the Irish Data Protection Commission for a data breach under EU rules. So this act came into existence to overcome these gaps and to protect, secure and preserve the data handled by data fiduciaries. The DPDP Act came into existence with the principles of lawfulness, transparency, accuracy, confidentiality, availability to authorized sources and data minimisation, and the punishment for a data breach was made stringent, up to two hundred and fifty crores.
EVOLUTION:
The journey towards an act on data protection started in 2017, when in the judgment in Justice K.S. Puttaswamy v. Union of India the Apex Court held that the right to privacy is a fundamental right. In the same year, on 27th November, a committee was formed under former Supreme Court judge Justice B.N. Srikrishna, and it released a white paper on a Data Protection Framework for India. The Draft Personal Data Protection Bill was submitted by the Srikrishna Committee in 2018 and tabled in the Lok Sabha; the government then set up a Joint Parliamentary Committee to review the bill. The committee consulted various regulatory bodies such as the Ministry of Electronics and Information Technology, the Income Tax Department, SEBI (Securities and Exchange Board of India), RBI, law firms, the National Association of Software and Services Companies, etc. After 2019 there was a delay in the procedure due to the Covid pandemic, which caused a lot of disturbance in the country and also in the workings of the Government. The JPC tabled its report, along with recommendations and revisions, before Parliament in December 2021. The draft Digital Personal Data Protection Bill, 2022 was then released for public consultation and was open for 30 days, from November 17 to December 17, 2022. The Cabinet gave its approval on 5th July and the bill was presented before Parliament during the Monsoon Session; it was approved by the Lok Sabha on 7th August and by the Rajya Sabha immediately afterwards on 9th August. Finally, the bill received the President’s assent on 11th August and was published in the official gazette, whereupon it became the Digital Personal Data Protection Act, 2023.
KEY PROVISIONS OF ACT:
The act has nine chapters (I to IX) and 44 sections, covering the preliminary clause, the obligations of data fiduciaries, the rights and duties of data principals, the Data Protection Board of India and its powers and functions, and penalties and adjudication. The interpretation clause defines the various terms used in the act: data is the information of the individual; a data fiduciary is a government entity, person, or company that determines the processing of the data; a person who processes data on behalf of the data fiduciary is a data processor; and the individual whose data is processed is the data principal, which also covers children and persons with disabilities, for whom their parents or lawful guardian acts. In this bill the word “she” is used instead of “he” for the first time, which is an acknowledgment of women in the parliamentary law-making process.
FEATURES OF THE ACT:
APPLICABILITY:
The provisions of this act apply within the territory of India to personal data that is collected in digital form or to non-digital data that is subsequently digitalized. The act also applies outside India where the processing relates to any activity of offering goods or services to data principals within India. It does not apply to data used for personal or domestic purposes, or to personal data made publicly available by the data principal or by any other person under a legal obligation.
OBLIGATIONS OF DATA FIDUCIARY:
- The data of an individual can be processed in two ways: with the consent of the data principal, or without consent but for legitimate uses. The data fiduciary must give a notice to the data principal in English or in any regional language recognized by the Eighth Schedule of the Constitution. The notice must state the data collected, the basis on which the data is to be used, the right of the data principal to withdraw consent, the rights she can exercise in case of a breach, and the manner of approaching the Board with a complaint.
- The consent given must be free and specific, and the data must be used only for the limited purpose stated and not beyond it. The data principal has the right to manage, review, or withdraw the consent at any time, and this can be done through a consent manager registered with the Data Protection Board, subject to technical, operational, financial and other conditions.
- As mentioned, data can also be processed for legitimate uses, such as where the data is provided voluntarily and no explicit denial of its use is made, where data is provided to state instrumentalities in digitalized form for their purposes, where data is provided for a medical emergency, or where processing is needed to comply with an order issued under law.
- It is the responsibility of the data fiduciary to comply with the provisions of the act and to secure the data. The data must be processed on a correct basis, must be accurate, and must be covered by free consent and a notice, and the data processor must erase the data when consent is withdrawn or the purpose no longer exists. In case of a breach, notification must be given to both the data principal and the Board; the term “breach” is not defined, and the penalties in this case are large, up to 250 crores. There must be a Grievance Redressal Mechanism to redress the complaints of the data principal.
- For the use of children’s data, the consent of the parents or legal guardian is compulsory, and the same applies in the case of persons with disabilities. This comes with restrictions such as no detrimental effect on the well-being of the child and no tracking or targeted advertisements directed at the child. If a data fiduciary has demonstrated safe processing, the government can exempt it from the applicability of such obligations.
- Significant data fiduciaries are those whose processing carries high risk and involves sensitive data, so to protect and secure this data a Data Protection Officer must be appointed, who must be a citizen of India and must report to the Board of Directors. An independent Data Auditor must also be appointed to check the compliance of the SDF, but no specific qualifications are provided as of now.
RIGHTS AND DUTIES OF DATA INDIVIDUAL:
- Certain rights are given to the data principal under sections 11 to 14 of the Digital Personal Data Protection Act, and they help in promoting transparency and accountability. The rights include:
- Right to access information: The data principal has the right to ask a data fiduciary to whom consent was given for information about the data being processed, to whom the data has been shared, the identity of those data fiduciaries and data processors, and a description of the data shared. However, in the case of an authorized data fiduciary certain rights may not be enforceable, as the details might relate to cyber incident prevention or prosecution.
- Right to correction or erasure of personal data: The data principal has the right to review and correct the information or to update anything that is missing, and can also request erasure of the information if the purpose no longer exists or upon withdrawal of consent, in the prescribed manner.
- Right to grievance redressal: The data principal may approach the data fiduciary or the consent manager with any grievance, which must be addressed within a certain period, and if not satisfied with the redressal may approach the Data Protection Board. They can also appeal to the Telecom Disputes Settlement and Appellate Tribunal within 60 days against the Board’s decisions.
- Right to nominate: This is a special right to nominate another person to exercise the data principal’s rights in the event of her death or incapacity, but no procedure for this is provided under the act.
- As rights and duties go hand in hand, certain obligations are placed on the data principal:
- She must comply with the rules while exercising her rights under this act.
- She should not suppress any material information while providing proof of identity, documents, or proof of address to state entities.
- She must ensure that no false information is provided to a data fiduciary.
- The information provided while using the right of correction or erasure must be accurate, correct, and verifiable.
- The Central Government may, by notification, restrict the transfer of data outside the territory of India; the countries to which data cannot be transferred are not specified in the act.
DATA PROTECTION BOARD: The Board consists of a Chairman and other members, at least one of whom must be knowledgeable in law, and they are appointed by the Central Government. The term of office is two years, with eligibility for re-appointment. The important functions of the Board are to inquire into complaints from data principals regarding a breach by a data fiduciary and to impose penalties. Its actions must be in accordance with the provisions of the act, and there must be sufficient grounds to proceed with an inquiry. The powers of the Board are similar to those of a civil court under the Code of Civil Procedure, 1908.
PENALTIES: In cases of breach of personal data the penalty imposed can extend up to two hundred and fifty crores, whereas in the case of children the penalty may extend up to two hundred crores. The penalty for breach of other provisions is fifty crores, and for a breach of the duties of the data principal the penalty is up to ten thousand rupees. The penalties are credited to the Consolidated Fund of India.
COMPARISON OF THE DPDP ACT WITH OTHER COUNTRIES DATA PRIVACY LAWS:
International privacy laws have been developing as the importance of privacy and data protection is recognized and social and economic activities move online. As of now, 137 out of 194 countries have enacted legislation to secure the protection of data and privacy. In all cases, notice must be provided, consent must be free and explicit, and individuals must be given rights of verification, correction, and erasure.
- GDPR :
The General Data Protection Regulation 2018 (GDPR) is a European Union regulation on data privacy that applies in the EU and the European Economic Area. It has extraterritorial jurisdiction, so it also applies to organizations outside that territory. It covers the data of all individuals irrespective of their nationality or citizenship. The regulation applies to both data controllers and processors, who must follow its provisions accordingly. The fines imposed for a breach are up to EUR 20 million or 4% of annual returns, whichever is higher.
- TTDSG:
Germany’s data protection rules for telemedia and telecommunications were previously scattered; they were merged into the Telekommunikation-Telemedien-Datenschutz-Gesetz, which means the German Telecommunications and Telemedia Data Protection Act. It protects users’ data and regulates privacy when using the internet, such as websites and social media accounts. In addition to the GDPR, it implements the ePrivacy Directive. In case of a breach, the fine goes up to €300,000.
- PDPA:
Singapore’s Personal Data Protection Act came into force in 2014, and amendments were made recently in 2021. It sets a baseline for data protection in the private sector. It applies to personal data collected in Singapore and, under certain conditions, to data transferred across borders. The penalty for non-compliance with its provisions is up to SGD one million.
- CPPA :
Canada’s Consumer Privacy Protection Act is still in the implementation stage and not yet an act; it is also known as Bill C-27, and was earlier Bill C-11. It is a privacy law that will replace PIPEDA, the Personal Information Protection and Electronic Documents Act. C-27 will create a new tribunal that replaces the role of the federal courts under PIPEDA. The penalty for non-compliance is up to $10 million or 3% of total revenue, but in the case of serious violations the fines are up to $25 or 5% of global revenue.
- PIPL:
China’s Personal Information Protection Law was passed for data security. Even though laws such as the Data Security Law and the Cybersecurity Law already regulated the area, the PIPL is a law of international standard similar to the GDPR. It applies to individuals or organizations processing information within China, and to the processing of Chinese residents’ information outside China. The penalties are up to 50 million or 5% of the previous year’s returns.
- CPRA:
The California Consumer Privacy Act came into effect in January 2020; after a ballot vote, the California Privacy Rights Act came into enforcement, modifying and extending certain rules by expanding consumers’ rights. The penalties in a suit filed by consumers may extend up to $750, while in a suit brought by the State Attorney General they are up to $7,500 for both intentional and unintentional violations.
HOW THE RIGHT TO INFORMATION IS AFFECTED BY THE DPDP ACT:
The Right to Information Act, 2005 gives citizens the right to question and ask for information about government activities and to know how the government is operating. If the information concerns a person in a high position, confidential matters are removed before the information is provided. After the data protection bill was passed, however, the right to information was weakened: after the amendment of section (1)(j), the right to ask for personal information is taken away and such information is out of reach. This has had a controversial impact. Under the DPDP Act, a data fiduciary appointed by the Central Government collects and processes the data of individuals, different restrictions are imposed to protect the data, and any individual who wants to collect data has to give written notice specifying the purpose, after which the information is provided with consent. Even though stringent provisions are made, with strict penalties of up to two hundred and fifty crores in cases of a data breach, the penalty goes to the Consolidated Fund of the government, whereas under the Information Technology Act, when a data breach occurred knowingly or intentionally, the individual used to receive compensation of up to five lakh rupees.
CONCLUSION:
India’s Data Protection Act came into enforcement after six long years, starting with the recognition of the right to privacy as a fundamental right. Even though the act underwent many changes from draft to act and made the penalty rules stringent, there are certain criticisms of it: it is fully under the control of the government; all the members, including the Chairman of the Data Protection Board, are selected by the Central Government, with no qualifications provided under the act; their term of two years is too short to work effectively; and they are not personally accountable in any of the data breaches. The Central Government has the power to decide, at its discretion, to which countries personal data can be transferred, and the list of such countries is not given in the act. Data provided to the government can be retained for an unlimited time, as no specific period is provided. The government is also given the power to exempt certain fiduciaries or a particular class of fiduciaries from certain obligations. These are the changes that are needed for the act to be more prominent and to make the regulation effective.
Narayanareddy Sripriya
Student of BMS College of Law, Bangalore
