Author: Akshat Angrish, a 5th-year student at Vivekananda Institute of Professional Studies, New Delhi
Co-Author: Laqshyaa Saluja, a 5th-year student at Vivekananda Institute of Professional Studies, New Delhi
ABSTRACT
This article examines the Digital Personal Data Protection Act (DPDPA) of 2023 in detail and offers a critical analysis of its main features and ramifications. In response to the escalating concerns surrounding privacy breaches and the increasing digitization of personal information, governments worldwide have been compelled to enact robust data protection legislation. The DPDPA, enacted in 2023, stands as a pivotal piece of legislation aimed at safeguarding individuals’ digital privacy rights.
The article commences with an overview of the legislative backdrop that necessitated the enactment of the DPDPA, examining the global trends in data protection and the challenges posed by the evolving digital landscape. A detailed exploration of the Act’s salient features follows, encompassing the definition of personal data, the scope of application, and the rights conferred upon individuals.
The analysis also scrutinizes the responsibilities imposed on data controllers and processors, evaluating the measures they must adopt to ensure compliance with the stringent data protection standards outlined in the Act. Additionally, the article explores the enforcement mechanisms incorporated within the DPDPA, including penalties for non-compliance and the role of regulatory authorities in overseeing adherence to the legislation.
By critically evaluating the Digital Personal Data Protection Act of 2023, this article aims to contribute to the broader discourse on digital privacy legislation, offering insights into the evolving legal landscape and an extensive understanding of the rights and responsibilities granted by this historic Act.
INTRODUCTION
The legal foundation for processing an individual’s digital personal data in India is provided by the Digital Personal Data Protection Act, 2023 (also known as “the Act” or “DPDP Act, 2023”). The Indian Government has been working on a comprehensive data protection law since 2018. The present Act is a significant departure from former drafts that were made to establish this Act by various panels of experts.
The Act, which began as a Bill, was approved by the Indian Union Cabinet on July 5, 2023, bringing India one step closer to enacting the nation’s first Data Protection Law. On August 07, 2023, and August 09, 2023, respectively, the Lok Sabha and Rajya Sabha separately introduced and passed the Bill. After receiving the Hon’ble President of India’s assent, the Act became operative on August 11, 2023, when it was published as the Digital Personal Data Protection Act, 2023 (No. 22 of 2023) by the Legislative Department of the Ministry of Law and Justice in India.
The present Act does away with distinct categories of data (such as sensitive or important data) and is more open-ended, leaving more to be determined by the Central Government. The entity that makes decisions about the implementation of the Act’s provisions is the Data Protection Board of India, or “Board.” Data Protection refers to the safe and secure storage of user data by the person in possession of it. It is a protocol that sets out measures for safeguarding operations on the user’s personal data and protecting it from data breaches.
‘Personal Data Protection (PDP)’ refers to a set of tools and programs for practising, regulating and measuring the privacy and security of an individual’s personal information. It covers the collection, use, storage, and sharing of personal data by organizations and governments while ensuring that individuals have control over their personal data.
The primary goal of the Act is to protect people’s privacy and prevent third parties from abusing or gaining illegal access to their personal data.
Financial information, medical records, names, addresses, phone numbers, email addresses, and other identifiers that may be used to identify an individual are among the various sorts of information that are generally included in personal data. The Act establishes compliance guidelines for “Data Fiduciaries,” which are defined as those who, either independently or in concert with others, choose how and why to process and use a specific person’s personal data.
Technologies like Data Loss Prevention (DLP), which guarantees end-to-end encryption, firewalls, built-in data protection, and other measures are the foundation of personal data security. Such security is crucial in corporate activities like research and development, financing, etc.
WHAT THE ACT IS ABOUT
The Digital Personal Data Protection Act, 2023 defines the compliance requirements for Persons responsible for using users’ personal data.
The Act lays forth guidelines for how companies must handle and manage personal information while protecting individual rights. Its primary goals are to prohibit cross-border data transfers, penalize individuals for financial data breaches, and provide guidelines for the creation of a data protection authority to guarantee compliance. Non-compliance can result in fines for Persons, who must also stop keeping user data once it no longer supports the original business purpose.
No one will be permitted to process personal information in a way that has “any detrimental effect” on the welfare of the Data Principal, the person to whom the data relates.
Data Principals are endowed with the following rights under the Act:
• Right to Information- Data Principals are entitled to get information on the processing of their personal data, as well as a summary of the data.
• Right to Withdraw Consent- People can revoke their consent to data processing at any time, and they have the right to know whether or not their information has been shared with a third party.
• Right to Correction and Erasure- Data Principals can seek the erasure of their data when it is no longer needed and the correction of errors in their Personal Data.
• Right of Grievance Redressal- Data Principals may lodge complaints with the Data Fiduciary under the right of grievance redressal. Grievances may be brought to the attention of the Board if they receive inadequate or unacceptable answers. The Act also specifies a number of duties for Data Principals, such as not providing inaccurate information or filing fraudulent complaints.
At the same time, the Act lays down several obligations for Data Fiduciaries:
• Transparency- Data Fiduciaries are required to provide a clear explanation of the personal data they want to gather, as well as the rationale and methods underlying the acquisition.
• Informed Consent- Obtaining an individual’s personal data without prior consent would be a violation of the Act’s requirements.
• Data Accuracy- Measures should be put in place to guarantee the completeness and correctness of data that is processed.
• Security Measures- Appropriate security measures must be in place to prevent data breaches. No fiduciary should use the data improperly, as this might result in legal consequences.
• Data Retention- Information should only be kept for as long as necessary to fulfill its intended function. The fiduciaries should block the personal data so that it is no longer accessible to the public when it has served its intended function or the user has deleted the application or website.
• Data Breach Notification- In the case of a data breach, notice must be given to both parties.
• Data Sharing- Before sharing or transferring data to other fiduciaries or data processors, data fiduciaries should draft contracts.
For larger data organizations, the Act provides for the appointment of a Data Protection Officer and an Independent Adjudicator for periodic compliance.
If user data is no longer needed for the intended business purpose, businesses and institutions must delete it. No organization or group will be allowed to process personal data in a way that is likely to have “any detrimental effect” on the Data Principal.
DATA PROTECTION BOARD OF INDIA
The Data Protection Board of India, often known as “the BOARD,” will be created in accordance with this Act and will consist of a Chairperson and any other board members who may be selected by the Central Government. The headquarters will be located at the discretion of the Central Government. The members and the Chairperson will be appointed to the Board for a two-year term, after which they will be eligible for reappointment.
The Board shall function as an independent body, shall operate digitally as far as possible, and shall adopt techno-legal methods of functioning.
The Chairperson is empowered to exercise his powers in the following matters:
- General superintendence and giving directions concerning the executive matters of the Board.
- Authorising an officer of the Board to entertain any complaint or perform any other function that he may deem fit.
The Act gives the Board the authority to perform the following duties:
- The Board has the power to direct any critical remedial or mitigation measures in the event of any breach of personal data.
- The Board has the authority to penalize offenders.
- The Board shall give a Person an effective opportunity of being heard.
- The Board has been vested with the power to modify, suspend, or withdraw any direction as it may deem fit.
The civil courts will not have any jurisdiction to entertain any suit in respect of any matter which the Board is empowered to adjudicate upon, and no injunction shall be granted by any other court in respect of any action taken by the Data Protection Board of India.
APPEAL & ALTERNATE DISPUTE RESOLUTION
If a Person is aggrieved by an order of the Board, he or she has the right to appeal before the Appellate Tribunal within 60 days of the date on which the Board passed the order. The Appellate Tribunal shall give the parties to an appeal a reasonable opportunity of being heard before passing any order. The Tribunal shall have the same powers as a Civil Court, and all orders or decrees passed by it shall be executable in the same manner as those of a Civil Court.
The Board has the authority to direct parties to resolve disputes amicably. Should a disagreement arise, the matter will be referred back to the Board for further deliberation.
ACT’S RESTRICTIONS
Designed to be digital: According to the Act, the Data Protection Board must handle complaints and address harm in a “digital by design” manner. In the most up-to-date National Family Health Survey, just thirty-three Indian women reported having ever used the Internet. Millions of individuals, particularly in Tier 2 or Tier 3 cities and rural areas, lack meaningful access to the Internet, and as a result, the Act essentially fails to reach them.
Regulation: Risks of harm resulting from the processing of personal data are not regulated under the Act.
Personal data outside of India: This mechanism might not guarantee an adequate assessment of the data protection laws in nations where the transfer of personal data is permitted.
Independence: The two-year terms of the members of the Data Protection Board of India, and their ability to be reappointed, may have an impact on the Board’s ability to operate independently.
No compensation: Corporate entities are required by Section 43A of the IT Act, 2000 to compensate impacted parties for negligent handling of their confidential information. Nevertheless, the Act bars Section 43A from operating, which is extremely detrimental to all individuals.
DATA PROTECTION ACT – BOON OR BANE
A vital and needed Act: The Act requires Data Fiduciaries to handle individuals’ personal data legitimately and gives Data Principals the authority to control their own personal (digital) data. Businesses operating outside of India that provide services to people in India will be expected to abide by the Act’s provisions due to its extraterritorial scope.
Persons will need to evaluate their working practices in order to be able to fulfill individuals’ rights, such as the right to access, amend, and remove their personal data. This is especially true for the personal data of people like their employees, visitors, vendors, and so forth. Failure to comply with the Act’s requirements might result in penalties and possible fines of up to Rs 250 crore.
Moving toward transparency and compliance: The Act is thought to be a major step in the right direction toward resolving the long-standing dispute over data protection corporations. The complete framework of the Act ensures responsible processing of digital personal data by imposing reasonable criteria on data fiduciaries and processors. The emphasis on free and informed consent supports citizens’ basic right to privacy. The establishment of a data protection board strengthens the Act by enforcing compliance, corrective action, and sanctions where required. The total efficacy and transparency of the process are enhanced by the Board’s capacity to function as a digital office, processing complaints, allocating cases, and rendering decisions in accordance with techno-legal norms.
CONCLUSION
All things considered, the Act is a step in the right direction toward encouraging transparency in data practices, safeguarding data privacy, and paving the way for India’s digital future.
Further individual rights: The Ministry of Electronics and Information Technology (MeitY) created the Act, which is seen as progressive legislation affecting enterprises of all sizes and spanning many industries. The Act creates a crucial balance between protecting the rights of users and promoting the creation of innovative digital businesses.
Among other things, it has the important business-friendly elements of facilitating overseas data transfers and doing away with criminal consequences for non-compliance. However, it also ensures that Data Principals will have all the rights necessary to establish a future data governance organization that is accountable and transparent. We applaud the DPDP Act for taking a big step in the right direction and creating a new legal framework for digital businesses in India.
