Digital Personal Data Protection Act: A Brief Explainer

The Digital Personal Data Protection (DPDP) Act, 2023 is a comprehensive piece of legislation that aims to safeguard the privacy and personal data of individuals in India. It builds on the Supreme Court of India’s recognition of privacy as a fundamental right in the landmark case Justice K.S. Puttaswamy (Retd) vs. Union of India, which set the stage for a robust data protection framework. Here’s a summary of the key aspects and implications of the Act.

Introduction to Privacy and Data Protection

Privacy has always been a critical concern for ensuring an individual’s safety, liberty, and well-being. It allows people to control their personal information, express themselves freely, and make decisions without fear of external judgment or intervention. In the digital age, data privacy—an essential component of informational privacy—has become increasingly significant. This is due to the massive amounts of personal data collected and processed by various entities. Data privacy involves ensuring that individuals maintain control over their data, preventing unauthorized access or misuse.

India’s Legal Framework Before 2023

Before the enactment of the DPDP Act, India did not have a specific data protection law. Data protection was governed by the RSP-SPDI Rules, 2011, under the Information Technology Act, 2000, and some sector-specific regulations. However, these were deemed insufficient given the evolving landscape of data and privacy concerns.

The Supreme Court’s 2017 judgment in Justice K.S. Puttaswamy (Retd) vs. Union of India recognized the Right to Privacy as a fundamental right under Article 21 of the Indian Constitution. Following this, the Government of India formed the Justice B.N. Srikrishna Committee to draft a comprehensive data protection framework, which led to the proposal of the Personal Data Protection Bill, 2019. Despite the effort, the Bill was withdrawn in 2022 due to significant criticism and challenges, leading to the development of the DPDP Act, 2023.

Key Definitions and Concepts

The DPDP Act, 2023 introduces several important definitions that form the foundation of the legislation:

  1. Data: Information in any form, suitable for processing or communication.
  2. Personal Data: Information related to an identifiable individual.
  3. Personal Data Breach: Unauthorized or accidental processing, disclosure, or loss of personal data.
  4. Data Fiduciary: The entity that determines the purpose and means of data processing.
  5. Data Principal: The individual to whom the personal data relates.
  6. Data Processor: An entity that processes personal data on behalf of a data fiduciary.
  7. Consent Manager: A person registered with the Board who manages consent for data processing.
  8. Processing: Any operation performed on personal data, including collection, recording, storage, and sharing.

Scope and Applicability

The DPDP Act, 2023 applies to the processing of digital personal data, as well as personal data initially collected in non-digital form but later digitized. This means that any data fiduciary, whether operating within or outside India, that processes data related to offering goods or services to individuals in India, must comply with the Act.

Obligations of Data Fiduciary

The Act outlines several obligations for data fiduciaries, including:

  1. Lawful Processing: Data must be processed legally, with explicit consent from the data principal or for legitimate reasons such as public order or employment-related matters.
  2. Transparency and Accountability: Data fiduciaries must provide clear and detailed notifications to data principals about data collection and processing activities. These notifications should be available in multiple languages and be easy to understand.
  3. Appointment of Data Processors: Data fiduciaries can engage data processors but are responsible for ensuring their compliance with the law.

Rights of Data Principals

The DPDP Act grants several rights to data principals, ensuring they have control over their data:

  1. Right to Access: Data principals can request access to their personal data.
  2. Right to Correction and Erasure: Data principals can request the correction or deletion of their data.
  3. Right to Data Portability: Data principals can request the transfer of their data to another service provider.
  4. Right to be Forgotten: Data principals can request the deletion of their data from a data fiduciary’s systems.

Challenges and Criticisms

Despite its comprehensive nature, the DPDP Act has faced criticism, particularly regarding:

  1. Broad Exemptions for Government Agencies: The Act provides exemptions for government agencies in the name of national security, which some argue could lead to state intrusion into citizens’ private lives.
  2. Data Localization: The requirement for data to be stored locally has been criticized by technology giants like Facebook and Google, who fear it may lead to similar laws in other countries.
  3. Ambiguities in Ownership: The Act does not clearly define the ownership of user data, leading to potential misuse.
  4. Handling of Non-Personal Data: The Act primarily focuses on personal data, leaving non-personal and anonymized data outside its scope, which could be problematic given the difficulties in achieving true anonymity online.
  5. Government Access to Data: The Act allows the government to access anonymized or non-personal data for policy-making, raising concerns about transparency and accountability.
  6. Inadequate User Rights: The Act presents challenges for users in exercising their rights, with data fiduciaries having the power to refuse requests without a clear mechanism for challenging such decisions.

Conclusion

The Digital Personal Data Protection Act, 2023, marks a significant step forward in India’s data protection landscape. It addresses many of the challenges posed by the digital age, providing a robust framework for the protection of personal data. However, it is not without its flaws. The broad exemptions for government agencies, ambiguity around data ownership, and potential overreach in data localization are areas that require careful consideration and possible revision. Nonetheless, the Act represents a critical evolution in India’s approach to privacy and data protection, aligning with global standards while addressing the unique challenges of the Indian context.

Roshan hails from Giddalur, Prakasam district of Andhra Pradesh. He has completed his B.V.Sc.& AH from Pondicherry University and his M.V.Sc. from NDRI, Karnal. He is currently pursuing his PhD along with serving as the Director of Centre for Educational Research and Training (CERT).
