Digital Personal Data Protection Act, 2023

v Introduction of DPDP Act

Digital Personal Data Protection Act, 2023 is an act of India to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto. Act received the assent of the president on the 11^th August, 2023.

Important milestones in DPDP Act

v Aug-2017 – Supreme Court of India declares Right to Privacy as fundamental right.

v July-2018 – Draft Personal Data Protection (PDP) bill proposed

v Dec-2019 – PDP bill proposed in parliament and was referred to JPC (Joint Parliamentary Committee)

v Dec-2021 – JPC release report and new version of DPA (Data Protection Act)

v Nov-2022 – Draft DPDPB(Digital Personal Data Protection Bill) was shared and withdrawn PDP bill

v July-2023 – Cabinet approves DPDP bill

v Aug-2023 – The President of India assents to the bill to make DPDP an Act

DPDP Act is an important act of India which protect individual’s personal data privacy and implementation of appropriate data processing methodologies.  

It is a comprehensive data protection law in India that regulates collection, storage, processing and transfer of personal data. DPDP Act is applicable to all entities that process personal data of individuals of India, regardless of their location.

It’s applicable to all entities that offer goods or services to individuals in India, even though they are located outside of India. 

DPDP Act gives individuals right to access their personal data and to obtain a copy of it, right to rectification, erasure.

DPDP Act is not applicable to processing of personal purposes by individuals. DPDP Act is also not applicable for personal data that was made public by data principal.

v Key features

v Consent - DPDP Act requires organizations to obtain the consent of individuals before collecting, storing, processing, or transferring their personal data. Consent must be freely given, specific, informed, and unambiguous.

v Personal data - DPDP Act prohibits the collection and processing of personal data outside of specified purposes and limited the use of such personal data as is necessary for such specified purposes. Consent or notice provided for processing of data shall be free, specified, informed, unconditional and unambiguous with a clear affirmative action.

v Processing of personal data outside of India - Under DPDP act storing of personal data outside of India is permissible. Government of India to notify countries to which transfer is not permissible. 

v Data fiduciaries - DPDP Act creates the concept of data fiduciaries. Data fiduciaries are organizations that control or process personal data. Data fiduciaries have a number of obligations under the DPDP Act, including the obligation to protect the personal data that they process. A Data fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. Government of India will classify Significant Data Fiduciary through notification under section 10 of DPDP act. 

v Data protection authority - DPDP Act establishes a Data Protection Authority to oversee the implementation of the law. The Data Protection Authority has the power to investigate complaints, issue orders, and impose penalties for violations of the law.

v Data Principal – It’s an individual to whom the personal data relates and where such individual is a child, includes the parents or lawful guardian of such a child, a person with disability, includes her lawful guardian, acting on her behalf.

v Data Processor – Any person who processes personal data on behalf of Data Fiduciary.

v She – DPDP Act refers she in relation to an individual includes the reference to such individual irrespective of gender.

v Consent Manager – means a person registered with the Data Protection Board of India, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.

v Notice – Data fiduciary shall give Data Principal Option to access the contents of notice in English or any language specified in the Eight Scheduled to the Constitution.

v Children’s data – For processing of data for child means an individual who has not completed the age of eighteen years, consent from Parents/Guardians is required. Tracking or behavioural monitoring or targeted advertisements is prohibited.

v Legal use of processing of personal data without explicit consent –

v Voluntary disclosures by data principal;

v information shared for subsidy, benefit, service, certificate, license or permit by State or its instrumentalities notified by central government;

v Compliances with any judgement under any law;

v Interest of sovereignty and integrity of India or security of the State;

v Medical emergency;

v During epidemic, outbreak of disease or any other threat to public health;

v Safety during disaster or breakdown of public order.

v Benefits

Creation of DPDP Act is an important milestone in managing digital personal data of citizens of India. Implementation has number of benefits, including:

v Increased privacy - The Act gives individuals more control over their personal data by requiring businesses to obtain consent before collecting or processing personal data. Individuals also have the right to access, correct, and delete their personal data.

v Improved data security - The Act requires businesses to take steps to protect personal data from unauthorized access, use, or disclosure. This includes implementing appropriate security measures and conducting regular data audits.

v Reduced data breaches - The Act's data security requirements will help to reduce the risk of data breaches. This will protect individuals from the harmful consequences of data breaches, such as identity theft and financial fraud.

v Enhanced consumer trust - The Act's privacy and security protections will help to build consumer trust in businesses. This can lead to increased customer loyalty and revenue growth.

v Boosted innovation - The Act's focus on privacy and security can create a more conducive environment for innovation. Businesses will be more likely to develop new products and services that rely on personal data if they know that they can do so in a privacy-compliant manner.

Overall, DPDP Act is a positive development for individuals, businesses, and the government. It will help in innovation, protect national security and public order.

v Challenges in implementation

Like any new law, DPDP Act has some limitations, future amendment to act will take care of such challenges. DPDP rules or regulations should address all the challenges in its implementation including timelines.

v Broad Exemptions - As discussed above in key features of DPDP Act, there are various exempts of consents. While these are necessary exemptions, adequate safeguards are required for safe processing of personal data under these exemptions.

v Data Protection Board - Board needs to have more enforcement mechanism. With current version of law, DPB can initiate investigation based on complaint filed by data principals. This means that DPB is reliant on data principals to come forward and complaint, which may not always happen.

v Data Portability – DPDP Act needs to have more detail guidelines on data portability and data transfer between different data fiduciaries.

v Processing of Children’s data – Section 9 of act talks about prohibition of children’s data. However it doesn’t define what is considered as detrimental effect on the well-being of child. It creates an ambiguity in terms of processing the data.

By addressing this limitations and challenges, government can make the DPDP Act a more comprehensive and effective law for protecting the privacy of Indian citizens.

v Impact

DPDP Act has a wide-ranging impact on businesses and individuals alike.

v Obligations of Organizations

v Process data through Data Processor through valid contract.

v Provide clear, free, specified, informed, unconditional and unambiguous notice to Data Principals with a clear affirmative action.

v Special provisions of children’s personal data.

v Protection of data.

v Report data leak to Data Protection Board and Data Principals.

v Obligations of Significant Data Fiduciary

v Appoint a Data Protection Officer (DPO) based in India.

v Appoint an Independent Data Auditor

v Conduct Data Protection Impact Assessment (DPIA) and periodic audits.  

v Rights of individuals

v Right to Information – Data Principals have the right to inquire on how their data is processed, available in clear and understandable way.

v Right to correction and erasure

v Right to nominate

v Data Protection Board

v Task of enforcement

v Determination of non-compliances

v Imposing Penalties

v Issuing directions and mediations

DPDP Act increases accountability for data fiduciaries, gives greater control for individuals over their personal data, gives enhanced trust in digital economy.

v Comparison to other data privacy laws

India’s DPDP is a landmark legislation that aims to protect privacy of individual’s personal data. It is one of most comprehensive data privacy laws in the world. It can be compared with European Union’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

All three laws share a number of similarities

v Definition of personal data.

v Right to access, correct and erase personal data.

v Consent

v Data breach notification and obligations of organizations.

There are some key differences between different laws

v GDPR categorizes personal data into sensitive and non-sensitive. Current version of DPDP Act doesn’t categorize personal data in that way.

v GDPR has strict requirements for international data transfers. DPDP Act does not outline any specific requirements currently, but may be introduced in future regulations.

v Penalties under GDPR extend to 20 million euros, or 4% of firm’s worldwide revenue. DPDP penalties extend up to INR250 crore.

v GDPR parental consent age is 16 years (in some cases 13 years). DPDP parental consent is 18 years of age.

v Under GDPR data breach notification timeline is 72 hours. DPDP currently does not mention any such timeframe.

v Conclusion

Digital Personal Data Protection Act of India, 2023 (DPDP Act) is a comprehensive data privacy law that aims to protect the personal data of Indian citizens. It is one of the most comprehensive data privacy laws in the world, and is comparable to the General Data Protection Regulation (GDPR) of the European Union.

DPDP Act applies to all organizations that collect, process, or transfer the personal data of Indian citizens, regardless of whether the organization is located in India or abroad. It is also applicable to data collected online or collected offline which will be later digitized. The Act also applies to the Indian government, but with some exceptions.

References

bard.google.com

bing image creator

https://www.india.gov.in/

law app - https://play.google.com/store/apps/details?id=com.rachittechnology.lawapp

law app - https://itunes.apple.com/us/app/law-app/id1351638463?ls=1&mt=8

**This content was created with the help of AI.**