DIGITAL PERSONAL DATA PROTECTION ACT 2023: THE KEY TO SAFEGUARDING THE RIGHT TO PRIVACY

ABSTRACT

The Digital Personal Data Protection Act, 2023 (DPDPA 2023) is a landmark piece of legislation introduced by the Indian government to regulate the processing of personal data. It seeks to strike a balance between individuals’ right to safeguard their personal data and the necessity of processing data for legitimate purposes. The foundation for the enactment of this act was laid by previous drafts, such as the Personal Data Protection Bill of 2019 and the Data Protection Bill of 2022. The act is rooted in the 2017 Supreme Court judgment in the K.S. Puttaswamy case, where the Court recognized the right to privacy as a fundamental right under Article 21 of the Indian Constitution.

The DPDPA incorporates several key features from the EU’s General Data Protection Regulation (GDPR), such as an individual’s right to notice, access, erasure, purpose limitation, and breach notification. Key features of the DPDPA include its broad scope, a comprehensive consent framework, and robust individual rights, such as access, rectification, and erasure. It imposes strict obligations on data fiduciaries regarding the collection, processing, storage, security, and disclosure of personal data, all overseen by the Data Protection Board (DPB). The DPB is vested with investigative and enforcement powers to ensure compliance with the act. The law also includes specific exemptions to balance various competing interests.

The goal of this research is to analyze the provisions of the DPDPA, examine its enforceability, explore the challenges associated with its implementation, and assess whether the act will effectively strengthen the right to privacy in India.

KEY WORDS

Digital Personal Data Protection Act, General Data Protection Regulation, personal data, data principal, data fiduciary, data privacy.

INTRODUCTION

In today’s digital age, every online activity, from shopping to social media interactions, leaves behind a digital footprint, resulting in the collection of vast amounts of personal data. This data is gathered across various platforms, websites, apps, and services, often without users being fully aware of it. It includes information such as our search history and purchase behaviour, which together create detailed profiles of our habits, interests, and even financial status. Companies use this valuable data for various purposes, such as delivering targeted ads. By analyzing it, they can personalize our online experiences, predict our actions, and influence our decisions.

The growing collection of personal information highlights the urgent need for strong privacy protection laws. Without such laws, individuals face the risk of their data being misused for harmful purposes, including identity theft, financial fraud, and data breaches that expose sensitive information, leading to financial loss and reputational damage. Data breaches remain a major issue in India. The World Economic Forum’s 2019 Global Risk Report identified India as the country most affected by such breaches. Moreover, if individuals feel they have no control over their personal data, it could lead to a loss of trust in online services.

Keeping these concerns in mind, the Indian government made a significant move in 2023 with the introduction of the Digital Personal Data Protection Act (DPDPA). This law marks a major step in safeguarding people’s privacy, offering a comprehensive framework for data protection. It empowers individuals with greater control over their personal data and establishes clear rules for both the government and private organizations regarding how they can use the data.

RESEARCH METHODOLOGY

The methodology used in this study is descriptive and fundamental legal research. Descriptive legal research involves examining the legal framework of the act, including the collection, storage, and processing of personal data, to ensure compliance with privacy and security standards. Fundamental legal research includes exploring the foundational principles, rules, and legal interpretations that shape data protection laws. It aims to build an understanding of the legal concepts and framework of the act.

This research has been conducted using primary sources, such as the legislative text of the Digital Personal Data Protection Act and other government websites and databases, including SCC and Manupatra. Secondary sources, such as journal articles from recognized sources, have also been used in this study.

REVIEW OF LITERATURE

Legislation like the Digital Personal Data Protection Act allows individuals to have control over their personal data. It aims to regulate how personal data is collected, stored, processed, and shared in the digital age. 

RIGHT TO PRIVACY AND THE DIGITAL PERSONAL DATA PROTECTION ACT

DEVELOPMENT OF THE RIGHT TO PRIVACY UNDER THE LEGAL SYSTEM:

The Supreme Court of India, through a series of landmark decisions, has facilitated the organic growth and expansion of the right to privacy. The legal development of this right over the years has been significant.

  • M.P. Sharma v. Satish Chandra (1954): This is one of the first cases in India that dealt with the right to privacy. An eight-judge bench was convened to decide on the constitutionality of the search and seizure provisions of the CrPC. The court did not recognize any right to privacy and ruled that the search and seizure provisions did not violate the right to privacy, as there is no explicit provision in the Indian Constitution addressing the right to privacy.
  • Kharak Singh v. State of UP: A seven-judge bench of the Supreme Court addressed the fundamental issue of whether it was appropriate for the police to conduct surveillance on individuals with criminal records and carry out domiciliary visits under Regulation 236(b) of the UP Police Regulations. The petitioner challenged this practice, arguing that it violated personal liberty, which is protected under Article 21 of the Constitution. The Court observed that the police’s domiciliary visits at night were unconstitutional, infringing upon the petitioner’s fundamental rights. Consequently, the Court ruled that the domiciliary visits violated the petitioner’s right to live a dignified and free life.
  • Another landmark decision pertaining to the matter was People’s Union of Civil Liberties v. Union of India (1996). This case, decided in 1997, was resolved in favour of the individual’s right to privacy. It was held that phone tapping in the name of executive surveillance is an infringement of a fundamental right, throwing light on the right to privacy in the Indian legal regime. Therefore, it was held that the very act is an infringement of the rights provided under Article 21 of the Constitution of India.
  • However, in 2017, the Supreme Court, in a landmark judgment in K.S. Puttaswamy v. Union of India, overturned both the M.P. Sharma and Kharak Singh decisions. The central issue in the case was whether the Constitution guaranteed the right to privacy. The Attorney General of India contended that privacy was not encompassed within the fundamental rights guaranteed to Indian citizens. It was held that the right to privacy is a fundamental right. Justice D.Y. Chandrachud, in his opinion, emphasized the necessity of creating a robust framework for data protection to safeguard the interests of both the State and its citizens. Justice S.A. Bobde affirmed that the right to privacy is an integral aspect of personal liberty and is guaranteed under Article 21 of the Constitution.

EVOLUTION OF DIGITAL PERSONAL DATA PROTECTION ACT 2023

Use of personal data is regulated under the Information Technology (IT) Act, 2000. In 2017, the Supreme Court of India, in the case of Justice K.S. Puttaswamy vs. Union of India and Others, recognized the right to privacy as a fundamental right under Article 21. Following this ruling, the Government of India constituted a committee of experts in 2018, chaired by Justice B.N. Srikrishna. The committee submitted its report in July 2018. Based on the recommendations of the committee, the Personal Data Protection Bill, 2019 was introduced in the Lok Sabha in 2019. The Bill was referred to the Joint Parliamentary Committee, which submitted its report in 2021. In August 2022, the Bill was withdrawn from Parliament. In November 2022, the Ministry of Electronics and Information Technology released draft legislation on the data protection framework for public consultation. In July 2023, the Cabinet approved the revised Digital Personal Data Protection Bill, 2023, based on the 2022 draft. The Bill was introduced in the Lok Sabha in August 2023, passed by the Lok Sabha, and subsequently approved by the Rajya Sabha. After receiving the President’s assent on August 11, 2023, the Digital Personal Data Protection Act, 2023 officially came into force, concluding a lengthy process of discussions and debates.

PROVISIONS OF THE DIGITAL PERSONAL DATA PROTECTION ACT

PURPOSE OF THE ACT

The act aims to regulate how personal data is collected, stored, processed, and shared in the digital age. Its main goal is to enhance data security and give individuals more control over their personal information.

APPLICABILITY

According to Section 3, the scope of the DPDP Act extends to the processing of digital personal data within India, where such data is:

  • Collected online, or
  • Collected offline and subsequently made available in a digital form.

It will also apply to the processing of personal data outside India if goods or services are being offered in India.

According to Section 3(c), the Act does not apply to:

  • (i) personal data processed by an individual for any personal or domestic purpose, or
  • (ii) personal data that is made publicly available:
    • (a) by the data principal to whom such personal data relates, or
    • (b) by any other person who is under an obligation to make such personal data publicly available.

CONSENT UNDER DPDP ACT

According to Section 6, the DPDPA mandates that data fiduciaries—organizations that handle personal data—may process it only for lawful purposes, and only after obtaining the individual’s consent. The consent must be free, for a specific purpose, informed, unconditional, and unambiguous. The DPDPA allows for both express and implied consent.

For individuals below 18 years of age, consent must be provided by the parent or legal guardian.

EXCEPTIONS TO CONSENT

The DPDPA states that there may be situations where obtaining consent for data processing isn’t always necessary:

  • When the data is provided voluntarily by an individual for a specified purpose.
  • When it is essential to comply with the law.
  • When it is carried out in the public interest.
  • When it is required to protect the vital interests of the individual whose data is being processed.

WITHDRAWAL OF CONSENT

The DPDPA provides a provision for individuals to withdraw their consent at any time. Once consent is withdrawn, the data fiduciary must stop processing the individual’s data unless there is another lawful basis for doing so under the Act.

RIGHTS OF DATA PRINCIPAL

A data principal whose data is being processed will have the following rights:

  • A data principal has the right to obtain information from organizations (data fiduciaries) regarding the processing of their personal data.
  • A data principal has the right to correction, completion, updating, and erasure of their personal data.
  • A data principal has the right to nominate another person to exercise their rights in the event of death or incapacity.
  • A data principal has the right to have readily available means of grievance redressal provided by a data fiduciary in respect of any act or omission regarding the performance of its obligations.

DUTIES OF DATA PRINCIPAL 

A data principal shall perform the following duties:

  • They must not register a false or frivolous grievance or complaint.
  • They must not furnish any false particulars or impersonate another person in specified cases.
  • They must comply with the provisions of all applicable laws.
  • They must not suppress any material information while providing their personal data for any document, unique identifier, or proof of identity issued by the state or any of its instrumentalities.

OBLIGATION OF DATA FIDUCIARY

Obligations of Data Fiduciaries Regarding Data Collection, Storage, Security, and Disclosure:

  • A data fiduciary must make reasonable efforts to ensure the accuracy and completeness of data.
  • They must implement reasonable security safeguards to prevent a data breach.
  • They must inform the Data Protection Board of India and affected individuals in the case of a breach.
  • They must erase personal data as soon as the purpose for processing has been fulfilled, and retention is no longer necessary for legal purposes (storage limitation). In the case of government entities, storage limitations and the right of the data principal to erasure will not apply.

CROSS BORDER DATA TRANSFER

The DPDPA allows the transfer of personal data outside India, except to countries that are restricted by the central government through notification.

EXEMPTION

The DPDPA exempts certain data processing activities from some of its regulations:

  • The act allows the processing of personal data to comply with legal obligations or enforce legal rights. This ensures that data can be used for court proceedings without unnecessary restrictions.
  • The act exempts the processing of personal data by government agencies when essential for India’s sovereignty, security, or strategic interests.
  • The act exempts the processing of personal data to prevent disorder, investigate crimes, or prosecute criminals.
  • The act exempts the processing of personal data necessary for mergers, acquisitions, or similar activities approved by authorities.

It is important to note that these exemptions are not absolute. Even when processing data under an exemption, the DPDPA still requires data fiduciaries to implement reasonable security safeguards. Additionally, the right to data erasure and the principles of data minimization still apply.

DATA PROTECTION BOARD (DPB)

The central government will establish the Data Protection Board of India (DPB). This independent body acts as a watchdog, overseeing the implementation and enforcement of the Act. The Board shall consist of a chairperson and other members appointed by the central government. The Board members will be appointed for two years and will be eligible for reappointment. The central government will prescribe details such as the number of members on the Board and the selection process.

KEY FUNCTIONS OF THE BOARD:

The Board shall perform the following functions:

  • The DPB directs data fiduciaries to take necessary measures in the event of a data breach.
  • The DPB has the power to monitor compliance and impose penalties.
  • The DPB hears grievances made by affected individuals regarding data breaches.

THE DPB’S INVESTIGATIVE POWERS:

The DPB has the authority to investigate violations of the DPDPA. During an investigation, the Data Protection Board shall have the following powers:

  • Summoning and questioning witnesses.
  • Demanding information or documents from data fiduciaries.
  • Conducting inspections of data processing facilities.

ENFORCEMENT POWERS:

The DPB shall have the following enforcement powers to address violations of the DPDPA:

  • Issuing directives to data fiduciaries, instructing them on how to achieve compliance with the Act.
  • Imposing penalties on data fiduciaries for violations. These penalties can be substantial.

APPELLATE TRIBUNAL

Any person aggrieved by an order or decision made by the Board under this Act may file an appeal before the Appellate Tribunal. The appeal must be filed within sixty days from the date of the order or direction being appealed. However, the Appellate Tribunal may accept an appeal after the expiry of the period if there is a sufficient reason for not filing the appeal within that time frame. When an appeal is filed against the order of the Appellate Tribunal under this Act, the provisions of Section 18 of the Telecom Regulatory Authority of India Act, 1997 shall apply. Orders passed by the Appellate Tribunal under this Act shall be considered as a decree of a civil court. For this purpose, the Appellate Tribunal shall have all the powers of a civil court.

ALTERNATE DISPUTE RESOLUTION

If the Board believes that a complaint can be resolved through mediation, it may direct the parties involved to seek resolution through mediation. The mediator shall be chosen by mutual agreement between the parties or as prescribed by any applicable law in India.

PENALTIES

If the Board concludes, after completing an inquiry, that a person has committed a significant breach of the provisions of this Act or the rules made under it, it may impose the following monetary penalties, provided the person is given an opportunity to be heard:

  1. A violation of the Data Fiduciary’s obligation to implement reasonable security safeguards to prevent personal data breaches shall result in a penalty of up to two hundred and fifty crore rupees.
  2. A failure by the Data Fiduciary to fulfill the obligation of notifying the Board or the affected Data Principal about a personal data breach shall result in a penalty of up to two hundred crore rupees.
  3. A violation of the additional obligations related to children shall result in a penalty of up to two hundred crore rupees.

LOOPHOLES OF THE ACT:

1. The Act applies to the processing of personal data within India, whether the data is collected digitally or digitized later, as well as to processing occurring outside India. However, data that is collected and processed non-digitally is excluded from the scope of the Act, leaving out large volumes of personal data that continue to be collected physically or offline.

2. A key concern with the DPDP Act is the provision for exemptions. The Act grants broad exemptions to state actors or instrumentalities, allowing the processing of personal data by notified state entities to be exempt from the Act’s provisions. The grounds for such exemptions are vague and poorly defined, raising concerns about the potential for unchecked state surveillance. The Act fails to implement meaningful safeguards to prevent excessive state surveillance.

3. The Act also violates the doctrine of proportionality. In its judgment in the case of Justice K.S. Puttaswamy, the Supreme Court of India established that any infringement on the right to privacy must be proportionate to the necessity of such interference. In this case, the unchecked data processing by the state violates this proportionality principle, and as a result, it infringes upon the fundamental right to privacy under Article 21 of the Indian Constitution.

4. The Data Protection Board of India will have adjudicatory powers only, with no regulatory functions. The board members will be appointed by the central government for a term of two years and will be eligible for reappointment, which could impact the board’s independence in its functioning.

5. In practice, the Act appears to prioritize the processing of personal data rather than focusing on strengthening the individual’s right to privacy.

6. Under the provisions of the Act, data can be transferred outside India, except to countries banned by the central government through notification. In such cases, data can be transferred without restrictions, and the Act does not provide any protective measures to safeguard the data in the event of breaches occurring outside India.

RESEARCH METHOD

The research method used in this study is qualitative. The data for this study is derived from the Digital Personal Data Protection Act, with the aim of developing a deep understanding of its implementation and effects.

SUGGESTIONS

Overall, the Digital Personal Data Protection Act is a significant piece of legislation aimed at safeguarding individuals’ right to privacy and protecting personal data in the digital age. It seeks to enhance data security and provide individuals with more control over their personal data. The following suggestions are based on an analysis of the provisions of the DPDP Act:

  1. The Act should also include provisions for the protection of non-digital data, such as healthcare records and credit card information. Protecting non-digital data has become increasingly important in today’s world.
  2. The DPDP Act establishes the Data Protection Board, which currently has only adjudicatory powers. The Act should grant the Board some regulatory powers to ensure the efficient implementation of the law.
  3. The DPDP Act 2023 does not provide for the right to portability or the right to be forgotten. The previous 2018 and 2019 draft Data Protection Bills included these rights, and the GDPR also recognises them. The current Act should incorporate provisions for these rights.
  4. The Act should establish guidelines for protecting data during cross-border data transfers, particularly in the event of a data breach outside the country. The 2019 Bill required that, for certain categories of data, transfer to a country be allowed only if that country provides an adequate level of protection.
  5. The Act should clarify rules regarding purpose limitation, specifying the exact purposes for which personal data is used.

By incorporating these recommendations, the Digital Personal Data Protection Act can better safeguard individuals’ right to privacy and ensure their trust in the digital transformation.

CONCLUSION

The Digital Personal Data Protection Act is a major milestone in the development of data protection laws. It aims to protect individuals’ personal data and strengthen their right to privacy. The Act seeks to give individuals more control over their personal data through the rights to access, rectification, and erasure. The striking features of this Act are its comprehensive consent framework, broad applicability, strict regulations on data fiduciaries regarding data security, and the penalties imposed in the case of a data breach.

In conclusion, the Indian government’s initiative to safeguard personal data is a positive step forward in this digital era, especially during the Fourth Industrial Revolution. However, in the context of digital governance, simply enacting a strong law is not enough. The government must also create legislation that addresses cybersecurity and artificial intelligence, while aligning with the European Union’s General Data Protection Regulation (GDPR).

AUTHOR

Mahak Gupta

BALLB(Hons.)

Government New Law College, Indore