Author: Ralph Anand L, School of Excellence in Law, TNDALU, Chennai
To the Point:
Using social media and other websites means entering a maze of user data, and it is almost impossible for an ordinary user to understand how that data is collected. In the internet era, activities that were once done in person, from shopping for groceries, medicines and everyday essentials to registering certificates, have moved online. This shift has created an environment in which a user cannot use a website's services or download an application without first agreeing to its terms and conditions. Beyond what those terms and conditions disclose, service providers also collect further user data without the user's consent. Such collection exposes users to identity theft and has the potential to cause irreversible harm. The Digital Personal Data Protection (DPDP) Act, 2023 was enacted to address this problem. The Act provides a regulatory framework that protects users against personal data breaches by data fiduciaries, with penalties of up to INR 250 crore.
Abstract:
The current regime of soaring digitalisation has a profound impact on the collection, storage and use of users' data. Even data that is collected with the user's consent is often used for other purposes without the user's knowledge, including the sale of user data to corporate institutions and multinational companies. To counter these unlawful and unfair online trade practices, the Union government enacted The Digital Personal Data Protection (DPDP) Act, 2023 after extended consultation and research. This article examines the viability and essence of the DPDP Act in the present digital environment, introduces the key terms used in the framework with a brief explanation of each, and offers a broader comparison with Europe's General Data Protection Regulation (GDPR).
Use of Legal Jargons:
The Digital Personal Data Protection Act, 2023 defines several key terms used in the digital environment. Understanding these terms unambiguously is helpful when resolving disputes. A few of them are set out below.
Consent – The Act requires organisations to obtain consent from the user that is free, specific, informed, unconditional and unambiguous. Consent must be expressed through a clear affirmative action by the data principal (for example, clicking 'I Agree' on a website), so silence or pre-ticked boxes do not count.
Consent Manager – A person registered with the Data Protection Board who acts as a single point of contact for the user/data principal, enabling the data principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform.
Data Fiduciary – Any person who, alone or together with others, determines the purpose and means of processing the personal data collected from users.
Data Principal – The Act defines the Data Principal as the individual to whom the personal data relates; in simple terms, the user. The Act also clarifies that, in the case of a child, the Data Principal includes the parents or lawful guardian, and in the case of a person with a disability, the lawful guardian who acts on their behalf.
Data Processor – Any person who processes personal data on behalf of a Data Fiduciary.
Children's Data – Any person below 18 years of age is a child under the Act. Before processing a child's personal data, the Data Fiduciary must obtain verifiable consent from the parent or lawful guardian. The Act also prohibits tracking, behavioural monitoring and targeted advertising directed at children, in order to protect their privacy and welfare.
The Proof
The Digital Personal Data Protection (DPDP) Act, 2023 is an extensive framework whose draft was published by the Ministry of Electronics and Information Technology (MeitY) in 2022. In July 2023 the Union Cabinet approved the draft, and in August 2023 the Bill was passed by both Houses of Parliament and received the assent of the President of India. The Act applies to the processing of digital personal data within India, and also to processing outside India where it is connected with offering goods or services to data principals in India. The Act defines the key terms used in the digital world and requires the Data Fiduciary to obtain the data principal's free consent before using their personal data in the course of business, except in certain circumstances. These exceptions include the following:
The user voluntarily provided the personal data for a specified purpose and has not indicated any objection to its use for that purpose
The law requires the information to be collected from the user, including for compliance with any judgment, decree or order of a court in India
In a medical emergency, consent is not required
Processing is needed to provide medical treatment or health services during an epidemic, outbreak of disease or other threat to public health
During a disaster or breakdown of public order, the data fiduciary may process personal data to ensure safety
In the case of children below 18 years of age and persons with disabilities, consent is given on their behalf by their parents or lawful guardians
The Act requires the data fiduciary to adhere strictly to its obligations, such as having a valid contract in place with any data processor that processes personal data on its behalf, giving the user a clear and comprehensible notice, and obtaining verifiable parental or guardian consent in the case of children and persons with disabilities. The Act also lets the Central Government notify certain entities as Significant Data Fiduciaries, which carry additional obligations such as appointing a Data Protection Officer, engaging an independent data auditor and conducting periodic data protection impact assessments. The Act makes the data fiduciary liable for breaches and prescribes penalties of up to Rs. 250 crore for non-compliance with its provisions. It also establishes an independent body, the Data Protection Board of India, to enforce the Act and to adjudicate disputes between users and service providers.
Europe's General Data Protection Regulation (GDPR) is the closest counterpart to India's DPDP Act, 2023. The GDPR applies to personal data that is processed by automated means (and to manual data held in a filing system), whereas the DPDP Act applies only to digital personal data. The GDPR requires a personal data breach to be reported to the supervisory authority within 72 hours and does not provide a right to nominate, whereas the DPDP Act sets no statutory time frame for breach notification in the Act itself but does give the data principal a right to nominate another person to exercise their rights in the event of death or incapacity. Another significant feature of the GDPR is that it regulates transfers of data to other countries through mechanisms such as binding corporate rules and standard contractual clauses, whereas the DPDP Act contains no equivalent mechanism and merely empowers the Central Government to restrict transfers to notified countries.
Case Law
Google LLC V. CNIL (2019)
This case is notable for its discussion of the territorial reach of the GDPR. CNIL (France's data protection authority) ordered Google to give effect to the "right to be forgotten" beyond EU territory. Google de-listed the results only on its EU member-state domains (such as google.fr) and refused to do so globally. The Court of Justice of the European Union (CJEU) ruled that EU law does not impose an obligation of global de-listing, so Google was required to de-list only on the EU versions of its search engine. The Court added, however, that a member state's supervisory or judicial authority remains free to order global de-listing under its own national law.
Data Protection Commissioner V. Facebook Ireland Ltd and Schrems (Schrems II, 2020)
The case arose from a complaint by privacy activist Max Schrems challenging Facebook's use of Standard Contractual Clauses (SCCs) to transfer personal data to the US. The CJEU held that the level of protection the GDPR guarantees within the European Union must not be undermined when data is transferred to a country outside it. It therefore invalidated the EU-US Privacy Shield and held that SCCs remain valid only where the data exporter verifies, case by case, that the third country's law offers essentially equivalent protection, adopting supplementary measures where it does not. This landmark judgment reshaped international data transfers and led to the negotiation of the EU-US Data Privacy Framework.
Amazon Europe Core S.a.r.l (2021)
This case is notable because it involved what was, at the time, the largest penalty imposed under the GDPR. The Luxembourg Data Protection Authority fined the tech giant Amazon for processing personal data for behavioural advertising and targeted ads without valid consent. The authority found Amazon's data processing to be non-compliant and insufficiently transparent, in violation of the core principles of the GDPR.
Internet Freedom Foundation V. Union of India (2021)
The Internet Freedom Foundation (IFF) filed a writ petition challenging the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The petitioners argued that requiring platforms such as WhatsApp to trace the first originator of messages would violate citizens' fundamental right to privacy and undermine end-to-end encryption. Although the case has not yet been decided, it is highly influential and raises concerns comparable to those addressed under the GDPR.
Conclusion
In an era of digitalisation, personal data has become a valuable commodity with a market of its own. At this juncture, safeguarding the privacy of individuals is both a legal necessity and a fundamental right. The Digital Personal Data Protection (DPDP) Act, 2023 marks a significant step towards a transparent and accountable data governance regime in India. By defining the basic terminology and setting out obligations and penalties, the Act aims both to empower users and to impose greater responsibility on service providers. It is notable that, although inspired by the EU's GDPR, the Act tailors its provisions to Indian users and India's digital landscape. With further refinement, effective implementation, public awareness and regulatory vigilance, the true essence of this legislation can be realised.
FAQs
What is the DPDP Act, 2023?
The Digital Personal Data Protection (DPDP) Act, 2023 is a law enacted by the Indian Parliament. It regulates the collection, processing, storage and sharing of digital personal data and aims to protect users from data misuse and identity theft.
Why was the DPDP Act introduced?
The Act was introduced in response to the growing misuse of personal data, as many service providers collect sensitive user data without proper consent or transparency. It aims to ensure that users' privacy is legally protected.
Does the Act cover children’s data?
Yes. The Act defines any person under 18 years of age as a child and requires verifiable parental or guardian consent before a child's data is processed. It also prohibits tracking, behavioural monitoring and targeted advertising directed at children.
Who are the Data Principal and the Data Fiduciary under the Act?
A Data Principal is the individual whose personal data is being collected. This includes users of websites, apps, and online services. A Data Fiduciary is the person or entity that decides how and why personal data will be processed.
What penalties are prescribed under the Act?
The Act imposes penalties of up to ₹250 crore on Data Fiduciaries for non-compliance, including failure to take reasonable security safeguards to prevent a personal data breach, failure to notify a breach, breach of the obligations relating to children's data, and failure to meet user-rights and transparency obligations.