The Digital Personal Data Protection Act, 2023

Digital personal data protection

An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.


About the Act, 2023

The Act aims to regulate the processing of digital personal data, balancing individual rights to data privacy with the legitimate needs for data processing. It establishes guidelines for Data Fiduciaries, encompassing individuals, companies, and government entities handling data, outlining their responsibilities in data collection, storage, and related activities. The Act has the following features:
(a) The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data);
(b) The rights and duties of Data Principals (that is, the persons to whom the data relates);
(c) Financial penalties for breach of rights, duties and obligations;
(d) Introduction of data protection law with minimum disruption while ensuring necessary change in the way Data Fiduciaries process data;
(e) Enhancement of the Ease of Living and the Ease of Doing Business;
(f) Enablement of India’s digital economy and its innovation ecosystem; and
(g) By using the word “she” instead of “he”, for the first time it acknowledges women in Parliamentary law-making.


The Bill safeguards the personal data of children

(i) The Act allows a Data Fiduciary to process the personal data of children only with parental consent.
(ii) The Act does not permit processing which is detrimental to the well-being of children or which involves their tracking, behavioural monitoring or targeted advertising.


Data fiduciary

The Act places the following obligations on the Data Fiduciary:
a. To have security safeguards to prevent personal data breach;
b. To intimate personal data breaches to the affected Data Principal and the Data Protection Board;
c. To erase personal data when it is no longer needed for the specified purpose;
d. To erase personal data upon withdrawal of consent;
e. To have in place a grievance redressal system and an officer to respond to queries from Data Principals; and
f. To fulfil certain additional obligations in respect of Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessments to ensure a higher degree of data protection.


The Act is based on the following seven principles:

a. The principle of consented, lawful and transparent use of personal data;
b. The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
c. The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);
d. The principle of data accuracy (ensuring data is correct and updated);
e. The principle of storage limitation (storing data only till it is needed for the specified purpose);
f. The principle of reasonable security safeguards; and
g. The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Bill and imposition of penalties for the breaches).


The exemptions provided in the Act are as follows:
a. For notified agencies, in the interest of security, sovereignty, public order, etc.;
b. For research, archiving or statistical purposes;
c. For startups or other notified categories of Data Fiduciaries;
d. To enforce legal rights and claims;
e. To perform judicial or regulatory functions;
f. To prevent, detect, investigate or prosecute offences;
g. To process in India the personal data of non-residents under a foreign contract;
h. For approved merger, demerger etc.; and
i. To locate defaulters and their financial assets etc.


Data Privacy in other countries

• About 70% of countries worldwide have some form of legislation for data protection, according to the United Nations trade agency UNCTAD.
• The EU’s General Data Protection Regulation, which came into effect in 2018, is claimed to be the “toughest privacy and security law in the world,” and seen as the global benchmark.
• Several nations including China and Vietnam have recently tightened laws governing the transfer of personal data overseas.
• Australia in 2018 passed a bill that gave police access to encrypted data.


Positive aspects of the Digital Personal Data Protection Act, 2023

The Bill adopts an easily comprehensible and accessible writing style, minimizing legal terminology while incorporating helpful illustrations to make it more understandable for the general public. It takes a principles-based approach, focusing on fundamental concepts and outcomes rather than rigid processes, which ensures its relevance amidst rapid technological advancements and grants businesses adaptability in achieving compliance. The Bill also employs a light-touch strategy, fostering a trusting relationship between the government and private sector by promoting responsible management of personal data by businesses. This approach is anticipated to attract international tech investments due to its balanced and streamlined data protection measures, and startups stand to benefit significantly through exemptions from certain obligations upon notification. This is projected to invigorate the startup ecosystem, elevating its global competitiveness.

Issues with the 2023 Act

• Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary. This may violate the fundamental right to privacy.
• The Bill does not regulate risks of harms arising from processing of personal data.
• The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
• The Bill allows transfer of personal data outside India, except to countries notified by the central government. This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.
• The members of the Data Protection Board of India will be appointed for two years and will be eligible for re-appointment. The short term with scope for re-appointment may affect the independent functioning of the Board.

