Data Privacy and the Digital Personal Data Protection Act, 2023: A New Era of Data Protection in India

Author: Gayatri Desai, Navalmal Firodia Law College [Ferguson College], Pune

 

Introduction

In today’s digital world, personal information has become one of the most valuable resources. Every online activity, from social media usage and online shopping to internet banking and digital governance, involves the collection and processing of personal data. While technological advancements have improved convenience and accessibility, they have also increased concerns regarding data breaches, unauthorized sharing of information, and violations of individual privacy.

 

India’s rapid digital transformation has created an urgent need for a comprehensive legal framework to protect personal information. Recognizing this necessity, the Government of India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act). The Act aims to protect the privacy of individuals while ensuring the lawful and responsible use of personal data by organizations and government entities.

 

Understanding Data Privacy

 

Data privacy refers to an individual’s right to control how their personal information is collected, used, stored, and shared. Personal data includes any information that can identify an individual, such as name, address, phone number, email address, financial details, and identification numbers.

 

The concept of privacy gained constitutional significance in India through the landmark judgment of *Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)*. In this case, the Supreme Court unanimously recognized the Right to Privacy as a fundamental right under Article 21 of the Constitution of India. This judgment laid the foundation for India’s modern data protection framework.

 

Need for the Digital Personal Data Protection Act, 2023

 

Before the enactment of the DPDP Act, data protection in India was primarily governed by provisions under the Information Technology Act, 2000 and related rules. However, these provisions were inadequate to address the challenges posed by the modern digital economy.

 

The need for a dedicated data protection law arose due to:

 

* Increasing use of digital platforms and online services.

* Rising incidents of data breaches and cybercrime.

* Unauthorized collection and sharing of personal information.

* Growing concerns regarding surveillance and misuse of data.

* The need to establish accountability among entities processing personal data.

 

The Digital Personal Data Protection Act, 2023 was enacted to address these concerns and establish a comprehensive legal framework for personal data protection in India.

 

Objectives of the DPDP Act, 2023

 

The Act seeks to:

 

* Protect the privacy of individuals.

* Regulate the processing of digital personal data.

* Establish rights and obligations concerning personal information.

* Promote transparency and accountability among organizations.

* Provide remedies and penalties in cases of violations.

* Foster trust in India’s digital ecosystem.

 

Key Definitions under the Act

 

Data Principal

 

A Data Principal is the individual to whom the personal data relates. In the case of children or persons with disabilities, their lawful guardian may exercise rights on their behalf.

 

Data Fiduciary

 

A Data Fiduciary is any person, company, organization, or government entity that determines the purpose and means of processing personal data.

 

Personal Data

 

Personal data means any data about an individual who is identifiable by or in relation to such information.

 

Processing

 

Processing includes collection, storage, organization, sharing, use, disclosure, or deletion of personal data.

 

Consent

 

Consent means a free, informed, specific, unconditional, and unambiguous indication by the Data Principal agreeing to the processing of personal data for a specified purpose.

 

Rights of Data Principals

 

The DPDP Act grants several important rights to individuals.

 

Right to Access Information

 

Individuals have the right to know what personal data is being processed and the purpose for which it is being used.

 

Right to Correction and Erasure

 

A Data Principal may request correction of inaccurate personal information and deletion of data that is no longer necessary.

Right to Grievance Redressal

 

Individuals may seek redressal of grievances relating to the processing of their personal data.

 

Right to Nominate

 

The Act allows a Data Principal to nominate another person who can exercise their rights in the event of death or incapacity.

 

Right to Withdraw Consent

 

Individuals may withdraw their consent at any time, after which the Data Fiduciary must stop processing their data unless otherwise authorized by law.

 

Obligations of Data Fiduciaries

 

To ensure responsible handling of personal data, the Act imposes several obligations upon Data Fiduciaries.

 

Security Safeguards

 

Organizations must implement reasonable security measures to protect personal data from unauthorized access, disclosure, loss, or misuse.

 

Data Accuracy

 

Data Fiduciaries must ensure that personal data remains accurate and updated whenever necessary.

 

Data Breach Notification

 

In the event of a personal data breach, the concerned authority and affected individuals must be informed as prescribed under the Act.

 

Data Retention and Deletion

 

Personal data should be deleted once the purpose for which it was collected has been fulfilled unless retention is required by law.

 

Protection of Children’s Data

 

The DPDP Act contains special provisions for protecting children’s personal data. Data Fiduciaries are required to obtain verifiable parental consent before processing a child’s personal information.

 

The Act also seeks to restrict practices that may be harmful to children, including certain forms of behavioural monitoring and targeted advertising. These provisions demonstrate the legislature’s commitment to creating a safer digital environment for minors.

 

Data Protection Board of India

 

The Act provides for the establishment of the Data Protection Board of India. The Board is responsible for addressing complaints, monitoring compliance, and imposing penalties for violations of the Act.

 

The Board plays a crucial role in enforcing data protection standards and ensuring accountability among organizations handling personal data.

 

Penalties under the Act

 

One of the significant features of the DPDP Act is its strong penalty framework. Organizations that fail to comply with the provisions of the Act may face substantial monetary penalties.

 

The imposition of penalties serves as a deterrent against negligence and encourages organizations to adopt responsible data management practices.

 

Challenges and Criticisms

 

Despite its importance, the Act has attracted certain criticisms.

 

Some experts have expressed concerns regarding exemptions granted to government agencies under specific circumstances. Others argue that businesses, particularly smaller enterprises, may face challenges in complying with the Act’s requirements.

 

Additionally, the effectiveness of the legislation will depend upon proper implementation, regulatory oversight, and public awareness regarding privacy rights.

 

Conclusion

 

The Digital Personal Data Protection Act, 2023 represents a landmark development in India’s legal framework for privacy and data protection. By recognizing the rights of individuals and imposing responsibilities on organizations, the Act seeks to create a secure and trustworthy digital environment.

 

As India continues to advance towards a technology-driven future, the protection of personal information will remain a crucial concern. The DPDP Act, 2023 provides a strong foundation for safeguarding digital rights, promoting responsible data governance, and strengthening public confidence in the digital ecosystem.

 

Frequently Asked Questions (FAQs)

 

Q1. What is the Digital Personal Data Protection Act, 2023?

The Digital Personal Data Protection Act, 2023 is India’s primary legislation governing the collection, processing, storage, and protection of digital personal data. It aims to safeguard individual privacy while enabling lawful data processing.

 

Q2. Who is a Data Principal under the DPDP Act, 2023?

A Data Principal is the individual to whom the personal data relates. In the case of a child or a person with a disability, their lawful guardian may exercise rights on their behalf.

 

Q3. What is the role of a Data Fiduciary?

A Data Fiduciary is any person, company, organization, or government entity that determines the purpose and means of processing personal data and is responsible for complying with the provisions of the Act.

 

Q4. What rights are granted to individuals under the DPDP Act?

The Act grants rights such as access to information, correction and erasure of personal data, grievance redressal, nomination, and withdrawal of consent.

References

 

1. Digital Personal Data Protection Act, 2023.

2. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.

3. Information Technology Act, 2000.

4. Constitution of India.

5. Ministry of Electronics and Information Technology (MeitY) publications and reports.