Author: Aishani Bhattacharjee, Bishop Cotton Women’s Christian Law College, Bengaluru
TO THE POINT
The Digital Personal Data Protection Act, 2023 (DPDP Act) is an Indian legislation that regulates the processing of digital personal data, balancing an individual's right to privacy in her data against the need to process data for lawful purposes. Under the DPDP Act, personal data may be processed only with consent, which can be dispensed with only for the "legitimate uses" that the Act itself lists. Another notable feature is that the Act is the first Indian legislation of its kind to use the pronouns "she/her" rather than the usual "he/him". The Act is built around the principles of access, correction and erasure of personal data, and it provides for grievance redressal through the Data Protection Board of India (DPBI), which can impose penalties of up to Rs 250 crore per instance of non-compliance. Cross-border transfer of data is permitted except to countries that the Central Government restricts by notification. Data Fiduciaries must implement reasonable security safeguards to prevent breaches, must inform Data Principals about how their data is used, and those notified as Significant Data Fiduciaries must appoint a Data Protection Officer (DPO). The Act has nonetheless drawn criticism: it allows the government to exempt certain entities from its provisions, raising concern about misuse of data. It does not mandate local storage, though some transfers may be restricted, and the rights it grants individuals are narrower than those under comparable international laws such as the GDPR. This article delves into the important provisions of the DPDP Act, 2023 and how the Act has strengthened digital privacy in India.
Use of Legal Jargons
The Digital Personal Data Protection Act, 2023 uses several defined terms that frame the need for data privacy. Section 2(j) Data Principal: the individual to whom the personal data relates, that is, the person whose data is being collected and processed. The definition covers persons of all ages; where the individual is a child below 18 years or a person with a disability, the parent or lawful guardian acts on her behalf. Section 2(i) Data Fiduciary: any person, company or government body that, alone or together with others, determines the purpose and means of processing personal data. Fiduciaries are responsible for data protection and compliance with the Act; for example, a bank collecting customer details to open an account is a Data Fiduciary. Section 2(t) Personal Data: any data about an individual who is identifiable by or in relation to that data, for instance a phone number, Aadhaar number, email address or location; even browsing history can be personal data. Section 2(s) Processing: any operation performed on personal data, such as collection, storage, sharing or deletion. Under the Act, processing means a wholly or partly automated operation on digital personal data, so a purely manual paper record falls outside it; an e-commerce website storing customer purchase history is a typical example. Section 6 Consent: personal data may be processed only with the free, specific, informed and unambiguous consent of the Data Principal, given by a clear affirmative action. Consent must be voluntary, the individual must be able to withdraw it at any time, and the only exceptions are the legitimate uses under Section 7. Section 7 Legitimate Uses: data can be processed without consent for specified State functions such as providing subsidies and benefits or protecting the security of the State, for compliance with law or court orders, for medical emergencies and threats to public health, and in similar listed situations. Sections 11 to 14 Rights of the Data Principal: the principal has the right to access information about how her data is being processed, to request correction or erasure of inaccurate or unnecessary data, to seek redress of grievances, and to nominate a representative to exercise these rights in case of death or incapacity.
Section 15 Duties of Data Principals: the principal must provide accurate and true information, must not register false or frivolous complaints, and must not suppress material facts while furnishing personal data. Sections 18 and 19 Data Protection Board of India: a regulatory authority established to inquire into complaints, ensure compliance and impose penalties for breaches; the Board is meant to function independently, although its composition and procedures are set by government rules. Section 16 Cross-border transfer: governs the transfer of personal data outside India. The Central Government may, by notification, restrict transfer to specified countries; the Act itself prescribes no adequacy test, but it preserves any other law that provides a higher degree of protection, so sectoral regulators can impose stricter conditions. Sections 33 and 34 Penalties: failure to take reasonable security safeguards to prevent a personal data breach can attract a penalty of up to Rs 250 crore, failure to notify the Board and the affected Data Principals of a breach attracts a separate penalty, and non-compliance with Board orders can lead to additional fines and restrictions.
The Proof
There have been multiple instances of personal data breach in India that led to legal action and heightened discussion of the need for a data protection law, and the Digital Personal Data Protection Act, 2023 came into the picture to put a buffer against such breaches, present and future. One well-known incident is the Aadhaar data exposure of 2017, when the Jharkhand Directorate of Social Security website inadvertently exposed the Aadhaar details of over a million beneficiaries because of a programming error. The Tribune later published a report on unrestricted access to Aadhaar data being sold for a nominal fee, exposing significant security gaps. In March 2023, HDB Financial Services, a subsidiary of HDFC Bank, suffered a data breach that exposed the personal information and loan details of about 70 million customers, drawing regulatory scrutiny and the prospect of penalties from authorities such as the Reserve Bank of India. More recently, in 2024, Star Health, a leading insurer, faced a significant leak in which the personal and medical information of policyholders was distributed through Telegram chatbots. Star Health sued Telegram, and the Madras High Court ordered the deletion of the chatbots sharing the leaked data; the company also sued Cloudflare, alleging that it hosted websites distributing the stolen data. The Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics and Information Technology (MeitY), makes it obligatory for organisations to report cybersecurity incidents, including data breaches, and MeitY issues notifications on such reports. Taken together, these incidents serve as proof of why the DPDP Act, 2023 was needed.
Abstract
The DPDP Act, 2023 seeks to balance an individual's privacy rights with the legitimate data processing needs of business and the government. The Act applies to digital personal data, covering data collected online as well as data collected offline and later digitised, and it extends to processing outside India that is connected with offering goods or services to individuals within India. Personal data that is never digitised falls outside its ambit, which limits its overall scope. For business, the Act introduces strict compliance requirements, while individuals gain greater control over their data. Given its recent enactment, the Act's ultimate success depends on transparent implementation, enforcement and judicial oversight. This article mainly discusses how the Act became the call of the hour and which of its provisions have influenced data privacy and protection in India.
Case Laws
United States v. Joseph Sullivan: Joseph Sullivan, Uber's former Chief Security Officer, was convicted for his role in concealing a 2016 data breach that affected millions of riders and drivers. He was found guilty of obstructing a Federal Trade Commission investigation and of misprision of a felony, having paid the attackers $100,000 through Uber's bug bounty programme to keep the breach quiet. The conviction highlighted corporate responsibility for acting on, and disclosing, data breaches promptly.
Baer's Furniture Data Breach Settlement: Baer's Furniture agreed to a settlement following a 2022 cyberattack that led to the exposure of sensitive customer data. Persons aggrieved by the breach could claim up to $5,000 by submitting a claim form. The case illustrates the legal exposure surrounding data breaches and the importance of robust cybersecurity measures.
In re Zappos.com, Inc., Customer Data Security Breach Litigation: in 2012, the online retailer Zappos suffered a data breach affecting over 24 million customers. The breach exposed names, addresses and phone numbers, though credit card details remained secure. Subsequent lawsuits claimed that Zappos had failed to adequately protect customer data. A key issue was the company's "browsewrap" terms of use, which included an arbitration clause. The court held that these terms were unenforceable because users had no reasonable notice of them and Zappos could change them at any time without notice, setting a precedent on the validity of online agreements.
Conclusion
With all its mechanisms to protect personal data, the Digital Personal Data Protection Act, 2023 (DPDP Act) is a landmark legislation that has changed the course of data protection rules in India. The Act introduces a structured framework for data protection, balancing individual rights with business and governance needs, and is an important step towards a comprehensive data protection regime in India. The European Union's General Data Protection Regulation (GDPR) and India's DPDP Act both protect personal data, but they differ in important ways. The GDPR covers both offline and online personal data, whereas the DPDP Act covers only digital personal data. The GDPR also lays down stricter rules for special categories of data such as health, race and religion, while the DPDP Act, 2023 has no separate regime for sensitive personal data, although sectoral laws continue to apply.
FAQS
Who does the DPDP Act apply to?
The Act applies to individuals and entities processing digital personal data within India, including data collected offline and later digitised, and to foreign entities processing personal data outside India in connection with offering goods or services to individuals in India.
Are there exemptions for the government under the DPDP Act, 2023?
Yes. Under Section 17 the Central Government can exempt notified State instrumentalities and certain kinds of processing from provisions of the Act for reasons such as national security, public order, law enforcement, research and statistical purposes.
How does the DPDP Act compare with the GDPR?
Though the DPDP Act, 2023 is similar in certain ways to the EU's GDPR, the DPDP Act provides broader government exemptions and a less stringent compliance framework for business.
When will the DPDP Act be fully implemented?
The Act received assent in August 2023, but its provisions come into force only on dates notified by the Central Government. The government is expected to bring the Act into force in phases rather than wholly with immediate effect, so that its effectiveness in curbing data breaches can be assessed, and to support it with rules and guidelines that are still to follow.