Author: Harsh Yadav, Banaras Hindu University
INTRODUCTION
In today’s digital age, personal data has become one of the most valuable assets; you have probably heard the expression “Data is the new oil”. It means that data is a valuable asset that businesses and corporations use to earn huge profits. Every interaction online, from browsing websites to using social media and making online purchases, leaves a trail of personal information that can be collected, stored, and shared by organizations. This surge in data collection has raised concerns about privacy, security, and misuse of personal information. To address these concerns, governments around the world have introduced data privacy laws to regulate how organizations handle personal data. These laws aim to protect individuals’ rights, ensure transparency, and hold businesses accountable for safeguarding sensitive information. As data becomes central to both innovation and economic growth, understanding and complying with data privacy laws is essential for both individuals and organizations.
What is data privacy?
Data privacy is the branch of data management that deals with handling personal data in compliance with data protection laws, regulations, and general privacy best practices. To maintain data privacy, there is a need to set access controls to protect information from unauthorized parties, get consent from data subjects when necessary, and maintain data integrity.
The evolution of data privacy laws in India:
India’s journey toward data privacy legislation began with the Information Technology Act, 2000, which introduced basic provisions for securing electronic data. However, the need for a comprehensive data protection framework became evident with the rise of digital services.
The landmark moment came with the Puttaswamy judgment in 2017, where the Supreme Court of India declared the Right to Privacy as a fundamental right under Article 21 of the Indian Constitution. This judgment set the stage for drafting a dedicated data protection law, eventually leading to the Digital Personal Data Protection Act, 2023.
What is the Digital Personal Data Protection Act, 2023?
The Digital Personal Data Protection Act, 2023, also known as the DPDP Act, is an Act of the Parliament of India to provide for the processing of digital personal data in a way that recognises both the rights of individuals to protect their personal data and the need to process such personal data for lawful purposes. It outlines the responsibilities of the organisations that handle personal data.
Key Objectives of the DPDP Act:
Safeguard individuals’ personal data
Regulate the processing of data by organizations
Ensure accountability and transparency
Protect national interests and security.
Scope and Applicability of the DPDP Act
The DPDP Act applies to both Indian and foreign organizations that process personal data of individuals residing in India. It covers digital personal data collected online or offline and later digitized.
Who Does It Apply To?
Data fiduciaries: entities responsible for defining the purpose and method of data processing.
Data principals: people whose personal information is being handled.
The Act applies to various sectors, including e-commerce, social media, healthcare, banking, and telecommunications.
Key provisions of the DPDP Act:
1. Consent-Based Data Processing
Organizations must obtain proper consent from people before collecting and processing their personal data. The consent must be:
Informed: Individuals should know how their data will be used.
Freely Given: Consent should be voluntary.
Consent should be obtained for a particular reason or objective.
2. Rights of Data Principals (Individuals)
The DPDP Act provides several rights to people for their personal data:
Right to Access: Individuals can request information about their data being processed.
Individuals have the right to request corrections for any inaccurate or incomplete data.
Individuals have the right to request the removal of their personal information.
Individuals have the right to obtain a copy of their data in a format that can be easily transferred to another service provider.
3. Obligations of Data Fiduciaries (Organizations)
Data fiduciaries are required to:
Safeguard personal data: implement measures to ensure its security.
Notify Breaches: Inform authorities and affected individuals in case of data breaches.
Limit Data Collection: Collect only the data necessary for a specific purpose.
Provide Transparency: Inform individuals about how their data will be used.
4. Data Protection Board
The Act establishes a Data Protection Board to handle grievances, enforce compliance, and impose penalties for violations.
Penalties for Non-Compliance:
The DPDP Act imposes hefty penalties for non-compliance, depending on the severity of the violation:
Failure to Protect Data: Up to ₹250 crore
Failure to Report Data Breaches: Up to ₹200 crore
Processing Data Without Consent: Up to ₹150 crore
Impact of Data Privacy Laws on Businesses
The DPDP Act impacts businesses significantly, especially those that rely on personal data for their operations.
1. Increased Compliance Requirements
Businesses need to implement robust data protection measures, conduct regular audits, and ensure transparency in data processing activities.
2. Appointment of Data Protection Officers
Significant data fiduciaries are required to appoint Data Protection Officers (DPOs) to oversee compliance with the law.
3. Cross-Border Data Transfers
The Act allows cross-border data transfers to specific countries approved by the government. However, businesses must ensure that data recipients comply with data protection standards.
4. Impact on Startups and SMEs
While larger corporations may have the resources to comply, startups and small businesses may face challenges in meeting the compliance requirements.
Challenges in implementation:
1. Lack of Awareness: Many businesses and individuals are unaware of their responsibilities and rights under the law.
2. Technological Readiness: Organizations need to invest in technology to ensure secure data management practices.
3. Balancing Privacy and Innovation: Maintaining a balance between privacy and technological advancement is challenging.
4. Enforcement Mechanism: Ensuring effective enforcement of the law across diverse sectors is a complex task.
Conclusion
India’s data privacy laws, particularly the DPDP Act, 2023, mark a significant step toward protecting individuals’ personal information in the digital age. While the law provides individuals with greater control over their data, businesses must take proactive steps to ensure compliance. As the digital landscape continues to evolve, a strong data privacy framework will be essential to build trust, protect national interests, and promote responsible innovation.
FAQs
1. What sectors are impacted by the DPDP Act?
The DPDP Act affects sectors that handle personal data, such as:
Social media platforms
e-commerce
healthcare
telecommunication
banking and financial services
2. What is the role of the Data Protection Board?
The Data Protection Board is established under the DPDP Act to handle grievances, enforce compliance, and impose penalties for violations of the law.
3. What are the consequences if a business neglects to report a data breach?
It can face penalties of up to ₹200 crore.
