The New Data Privacy Laws for a Digital India: Digital Personal Data Protection Act, 2023 

This research paper aims to examine the concept and provisions of the newly enacted Digital Personal Data Protection Act, 2023. The Act was enacted on 11th August 2023. Its contents were deliberated and debated for approximately the past 4-5 years, and were tweaked and modified over that period. Finally, after this long duration, India was given its first comprehensive data privacy law. The legislation resembles the General Data Protection Regulation of the European Union. The DPDP Act, 2023 was a much needed reform for India in this new age of digitalisation. Before its enactment, India had laws such as the Information Technology Act, 2000, which were not as holistic as the need of the hour demanded. Secondary sources such as journals, professional commentaries and blogs have been used for the research of this document. This paper strives to provide a simplified and conclusive study of the Digital Personal Data Protection Act, 2023.

Keywords: Data, Digital personal data, Data Fiduciary, Data Principal, Data Protection Officer, Consent Manager.

Introduction

The 21st century has seen the rapid advance of technology, and this rise of technology has inevitably led to the digitisation of information, including vulnerable personal information. All major companies, such as Google and Amazon, hold everyone’s data. This development has also led to a rise in cyber crime: hacking confidential data and then demanding a ransom has become a common phenomenon. With increased reliance on digital technology for storing personal data, it is imperative to safeguard and secure that data from exploitation. In August 2023, the Indian Parliament enacted the Digital Personal Data Protection Act, 2023 (referred to hereafter in the paper as the ‘Act’ or the ‘DPDP Act’). The DPDP Act came into being after long deliberations, and marks an appreciable milestone in the realm of privacy-related legislation.

Research Methodology

The research for this paper was descriptive in nature. It relied on secondary sources such as journals, blogs and articles to understand the concept and provisions of the Digital Personal Data Protection Act, 2023.

Review of literature

The Digital Personal Data Protection Act, 2023 came into existence after a long period of deliberations and discussions. The legislation has had its fair share of positives and negatives. Although it is appreciated for addressing the pressing issue of privacy law, especially in the digital realm, it has also been criticised for ambiguity. Just as European firms initially faced difficulty in complying with the GDPR, it is plausible that Indian firms may find it difficult to comply with the complexities of this legislation. Recently the digital marketing sector has been on the rise. With the introduction of these laws it is bound to be impacted, which may lead to losses for many. But it is imperative to understand that this is the very reason why comprehensive data privacy laws are needed. With the exponential rise of digitisation it has become essential to regulate it and introduce stringent rules for dealing with vulnerable personal data. It is important to note that the Digital Personal Data Protection Act, 2023 has been enacted but has not yet come into force. It is only a matter of time before the DPDP Act, 2023 comes into effect. Hence, it is necessary to understand the rules and regulations of the newly enacted legislation.

Decoding the Digital Personal Data Protection Act, 2023

Before the enactment of the DPDP Act in 2023, the General Data Protection Regulation (GDPR) was considered one of the most comprehensive and stringent pieces of data privacy legislation in existence. The GDPR was drafted and enacted by the European Union. Earlier there was less awareness about data privacy among the masses, yet legislation was present to address the issue. The Information Technology Act, 2000 (IT Act) introduced Section 43A through the amendment made in 2008. Section 43A of the IT Act states that any entity which possesses, deals with or handles any “sensitive personal data” or information must maintain reasonable security practices and procedures, and that the organisation will be liable to pay compensation in case of negligence. This provision was further elaborated in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, also referred to as the IT Rules 2011. Even though such legislation was present, it was not comprehensive and robust enough to address the issues of data privacy.

Tracing the evolution of data privacy laws in India

  • 2017: For the first time, the concern for the Right to Privacy was discussed in the landmark case of Justice K.S. Puttaswamy (retd.) and Anr v. Union of India and Ors, 2017. In this judgement it was held that the Right to Privacy falls under the Right to Life under Article 21 of the Constitution.
  • 2018: The Justice B.N. Srikrishna Committee submitted the Draft Personal Data Protection Bill, 2018 to MeitY.
  • 2019: The Personal Data Protection Bill 2019 was tabled in the Lok Sabha. The Joint Parliamentary Committee made certain recommendations on the 2019 Bill, and hence it was withdrawn from the Lok Sabha.
  • 2022: The draft Digital Personal Data Protection Bill 2022 was released for public consultation.
  • 2023: The draft DPDP Bill 2022 was tabled in Parliament. The Bill was passed by the Lok Sabha on 7th August 2023, and by the Rajya Sabha on 9th August 2023. The Digital Personal Data Protection Bill 2023 received the President’s assent on 11th August 2023, and was subsequently published in the Official Gazette of India.

Key Definitions

Personal Data- Any information that identifies an individual, or any data relating to an identifiable individual.

Data Fiduciary- Any entity which, alone or in conjunction with other entities, determines the purpose and means of processing personal data.

Data Processor- The entity which processes personal data on behalf of the data fiduciary. 

Data Principal- The individual to whom the data relates, i.e., the person whose data is being processed.

Significant Data Fiduciary (SDF)- Among the data fiduciaries, some will be notified as significant data fiduciaries by the central government. A data fiduciary has to meet certain criteria to be called “significant”; the factors considered are as follows:

  • The amount and degree of sensitivity of the personal data processed.
  • The risk to the rights of the data principals involved.
  • The potential impact on the sovereignty of the nation.

Consent Manager- A person appointed as the single point of contact between the data principals and the data fiduciaries. Consent managers enable the data principals to give, manage, withdraw and review their consent on an accessible and transparent platform. A consent manager has to be registered with the Data Protection Board of India.

Key features of the DPDP Act, 2023

The Digital Personal Data Protection Act, 2023 seeks to protect individuals’ privacy rights. It emphasises the regulation of personal data collected, stored and processed by data fiduciaries. The DPDP Act 2023 aims to provide a robust framework for addressing the issues of personal data being handled in the digital realm.

Applicability

The DPDP Act, 2023 applies to data whether it was collected in digital form or collected in a non-digital form and later digitised. The Act is also extra-territorial, i.e., it exercises jurisdiction beyond the Indian borders: it applies to foreign entities which offer goods and services in India in an electronic mode. The DPDP Act, 2023 applies to Indian residents and to firms collecting the data of Indian citizens. Similarly, it also applies to non-citizens residing in India and availing digital services from a non-Indian provider. For example, a British citizen residing in India who avails the services of an entity based outside India will be protected under the DPDP Act, 2023.

Consent Request

Before collecting, storing or processing an individual’s data, it is imperative to obtain the consent of that data principal. The consent so obtained should be “specific, informed, unconditional, and unambiguous” in nature, given with a clear affirmative action, and limited to the specified purposes. The consent manager is the one who enables the individuals (data principals) to give their consent. In the case of significant data fiduciaries, the contact details of the Data Protection Officer should be provided to the data principals. In general, the contact details of an authorised person should be provided to the data principals so that they can communicate with the fiduciary to exercise their rights. The data principals also have the option to access the consent request in English or any language mentioned under the Eighth Schedule of the Indian Constitution. The data principals have the right to withdraw their consent at any time.

Privacy Notice

The consent request has to be accompanied by a privacy notice. The privacy notice should precede the consent request, i.e., the notice should be issued before the consent of the data principal is sought. The privacy notice should include the following information:

  • Details about the personal data being collected.
  • The purpose of the data collection.
  • The steps to withdraw consent at any time and the process of grievance redressal.
  • The steps involved to communicate the complaints to the Data Protection Board of India.

The data principals have the option to access the privacy notice in English or any other language specified under the Eighth Schedule of the Indian Constitution.

Increased obligation for children’s data

According to the DPDP Act, 2023, any individual who has not completed the age of 18 years is considered a child or minor. Stricter obligations apply to the protection of children’s data privacy rights. These obligations are as follows:

  • Obtaining the verifiable consent of the minor’s parent or guardian is mandatory.
  • There should be no monitoring or tracking of the browsing behaviour of children.
  • There is a complete bar on targeted advertisements directed towards children.
  • No data will be processed if the processing is found to be detrimental to the health and well-being of the child.

Exemptions of the DPDP Act, 2023

Certain kinds of data are excluded from the ambit of the DPDP Act, 2023, and the law also exempts certain bodies from its purview. Any data processed by an individual for domestic or personal purposes is excluded from the jurisdiction of the Act. Data made public by a person who is legally obliged to make it public is also excluded. Data processed by notified agencies in the interest of security, sovereignty and public order does not fall under the purview of the Act either.

Obligations of the Data Fiduciaries

The data fiduciaries have a certain set of obligations under the DPDP Act, 2023. These obligations also make the data fiduciaries accountable for the actions of the data processors engaged by them. The obligations include:

  • Maintaining reasonable security safeguards for the personal data.
  • Ensuring the completeness and accuracy of the personal data.
  • Obtaining the consent of the parents or guardians for children below the age of 18 years. The Act places the strictest restrictions on children’s data, with a complete bar on targeted advertisements and on tracking of their browsing habits.
  • In the event of a personal data breach on the fiduciary’s side, reporting the breach to the Data Protection Board of India and to each data principal whose data has been breached.

Obligations of Significant Data Fiduciaries (SDF)

The obligations of the Significant Data Fiduciaries are as follows:

  • It is the duty of the Significant Data Fiduciaries to appoint a Data Protection Officer based in India, who acts as the point of contact for the grievance redressal mechanism.
  • It is also the Significant Data Fiduciaries’ duty to appoint an Independent Data Auditor, who is tasked with evaluating the compliance of the Significant Data Fiduciary.
  • The Significant Data Fiduciaries must also undertake a Data Protection Impact Assessment or such other audits as may be prescribed.

Rights of the Data Principals

The data principals have certain rights provided to them under the DPDP Act, 2023. Some of them are mentioned below:

  • Right to access information about personal data- This right entitles the data principals to obtain information regarding the processing of their data, such as the names of all the data fiduciaries and data processors with whom the data has been shared.
  • Right of grievance redressal- The data principals have the right to easily accessible platforms for grievance redressal. The data principal can raise the grievance directly with the data fiduciary, rather than with the Data Protection Board, to avoid delays in the redressal of their issue.
  • Right to nominate- The data principal has the right to nominate any individual who, in case of the death or incapacity of the data principal, may exercise their rights.
  • Right to correction and erasure- The data principal may request the data fiduciary to correct, update or erase their personal data.

Penalties for non-compliance with the Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 imposes heavy penalties for non-compliance with its rules and regulations. A few of them are illustrated in the table below:

| Subject matter of penalty | Penalty |
|---|---|
| Data Fiduciary fails to take reasonable security safeguards to prevent a breach of personal data. | May extend to INR 250 crores |
| Failure to notify the Data Protection Board of India and the affected Data Principals in case of a personal data breach. | May extend to INR 200 crores |
| Non-fulfilment of the additional obligations in respect of children’s data. | May extend to INR 200 crores |
| Non-fulfilment of the additional obligations of the Significant Data Fiduciaries. | May extend to INR 150 crores |

Method

The methods of content and data analysis were employed during the research for this paper. The research also included legal research focusing on the legal implications of the Digital Personal Data Protection Act, 2023. As mostly secondary sources were used, the main methodology of this research was the analysis and interpretation of secondary sources.

Suggestions and Conclusion

It is a well-established fact that India was in dire need of comprehensive legislation on data privacy, especially with the Indian government’s active focus on “Digital India” in this new age of technology, where almost everything is conducted digitally. The Digital Personal Data Protection Act, 2023 strives to bring reforms to the digital realm of India. It is noteworthy that with the introduction of this legislation, India will benefit during trade negotiations. The DPDP Act, 2023 is in accordance with global standards, taking inspiration from the GDPR of the EU and China’s PIPL. Hence, it is imperative that the entities dealing with the vulnerable personal data of data principals comply with the provisions of the Act. The Act should be brought into force as soon as possible to improve the quality of digital procedures in the nation, respecting the citizens’ Right to Privacy.

References

  • The Gazette of India- Digital Personal Data Protection Act, 2023

Vidushi Srivastava

Vivekananda Institute of Professional Studies, GGSIPU, Delhi