Data Protection Laws in India: A Critical Analysis of the Digital Personal Data Protection Act 2023


ABSTRACT


The introduction of the Digital Personal Data Protection Act (DPDPA), 2023 begins an important era for data protection and privacy law in India. The need for robust data protection laws was increasingly felt after the Supreme Court recognized the right to privacy as a fundamental right in the judgment of Justice KS Puttaswamy vs Union of India 2017. The Personal Data Protection Bill was introduced in 2019 and faced criticism and backlash for its excessive exemptions and the arbitrary powers it gave the government. It also lacked sufficient safeguards to protect the personal data of citizens. The Digital Personal Data Protection Act, 2023 was introduced with the objective of addressing these concerns. This article aims to critically evaluate the act and its implications for society.

Keywords

Digital Personal Data Protection Act, 2023; Information Technology Law; Digital Rights India; Data Privacy Legislation India; Data Protection

Introduction 

India is a developing country, and the evolution of digital technology lies at the core of transforming it into a developed one. It has over 800 million internet users due to its huge youth population and robust information technology sector. However, this also makes Indian citizens vulnerable to cybercrime, privacy violations, and data theft. Before the introduction of DPDPA 2023, data protection in India was governed by the Information Technology Act, 2000 and its amendments, which were felt to be inadequate to address the reality of current technological development. The first Personal Data Protection Bill was initiated in 2018 and was subsequently referred to the joint parliamentary committee for discussion. After 5 years of thorough discussion, the final draft of the DPDP Bill was presented and passed by both houses of the Parliament. The bill also received the Presidential assent and became the law of the land on 11 August 2023.

KEY PROVISIONS OF THE DPDPA 2023

The introduction of DPDPA 2023 brings changes in several principles and obligations for data protection. The important aspect of the current act is the introduction of the principle of consent for the processing of personal data, provided under Section 6 of the act. This implies that data fiduciaries are now required to obtain consent from individuals before collecting and processing their personal data. The data fiduciary is also required to give a notice before obtaining consent, which should contain details of the personal data to be collected and the purpose of the data processing, as per Section 5 of the act. The new act also defines personal data as any information about an individual who can be identified through this information or any other related information. The other crucial facet of this act is the introduction of the Data Protection Board of India (Chapter V of the act), which is envisaged as an independent body to oversee compliance with the measures and to address grievances. The act gives the board the power to investigate complaints, impose penalties, and take measures to ensure the implementation of the provisions of the act. The act also introduces the concept of “deemed consent”, which means personal data can be retrieved even without consent in circumstances such as medical emergencies and compliance with court orders.

Rights of Data Principals and Obligations of Data Fiduciaries

The act also aims to give individuals control of their personal data and provides various rights to data principals. A data principal is the individual whose data is being processed. The rights provided under Sections 12 to 14 of the act are the right to information about personal data processing, the right to correction and erasure of personal data, the right to grievance redressal, and the right to nominate another individual to exercise these rights in the event of death or incapacity. These rights help individuals exercise greater control over their personal data and also address concerns about violations of privacy.

At the same time, the act also imposes obligations on data fiduciaries to comply with certain measures for the protection of the personal data of individuals. Data fiduciaries are the entities that determine the purpose and means of the processing of personal data. The act brings in the concept of “significant data fiduciaries”, which aims to classify data fiduciaries on the basis of the volume and sensitivity of personal data and the risk of harm to data principals. Section 8 of the act introduces obligations for data fiduciaries, such as implementing reasonable security safeguards to prevent data breaches, notifying the Data Protection Board in cases of data breaches, taking adequate measures to ensure transparency in the processing of data, the appointment of data protection officers by significant data fiduciaries, and the regular conduct of audits of their data protection measures.

Cross-border transfer of data

One of the debatable issues with DPDPA 2023 is the introduction of cross-border transfer of data, which marks a deviation from the data localization proposed in the earlier versions of the legislation. Section 16 of the act now allows the cross-border transfer of personal data outside India to government-specified countries and territories. This new provision has received mixed responses: it has been welcomed by multinational companies and the technology sector, and has simultaneously raised concerns about the government’s discretionary powers in specifying the countries.

Penalties and enforcement measures 

The DPDPA 2023 also provides stringent penalties in cases of non-compliance. The act provides financial penalties of Rs 200 crore for non-compliance with obligations relating to children and Rs 250 crore in cases of failure to take security measures to prevent personal data breaches, which makes this act one of the most stringent in terms of monetary penalties. The act has also faced criticism for the excessive concentration of powers in the hands of the executive, because the members of the Data Protection Board are appointed by the central government, which raises concerns about impartiality and transparency in handling complaints.

Critical analysis and challenges 

The introduction of DPDPA 2023 marks an important chapter in India’s efforts towards the protection of personal data. There also exist certain challenges which merit attention. The success of the act depends largely on the effective functioning of the Data Protection Board. The excessive involvement of the executive in the appointment of Data Protection Board members has the potential to cause implementation challenges. The development of supporting rules and regulations will be crucial to ensure transparency.

The act grants blanket exemptions to government agencies to process personal data in the interest of sovereignty, security, and public order, which may raise concerns about the effectiveness of this act. These broad powers also pose the threat of surveillance and misuse of personal data by state authorities. The other concern with the present act is its sole focus on digital personal data, which may obstruct the regulation of non-digital personal information.

The implementation of the present act also requires resources, technical expertise, and infrastructure building. Small and medium enterprises may face challenges in implementing the act effectively due to inadequate resources and technical knowledge.

Recommendations

The effective implementation of DPDPA 2023 requires the introduction of several measures to strengthen data protection. There is a need to develop sector-specific guidelines for the effective implementation of the act, to create digital awareness among the common people, and to set a clear timeline for the implementation of this act. An abrupt enactment will also open up scope for non-compliance, with no real dividend from this act. There is a need to strengthen the Data Protection Board and change the appointment process to make it more transparent and impartial. There is also a need to review the current status of the protection of personal data and analyze the current issues at the ground level for the successful implementation of DPDPA 2023.

CONCLUSION:

The new act marks a crucial beginning in India’s journey towards the protection of the personal data of individuals. The act introduces several important provisions, such as the rights of data principals and the obligations of data fiduciaries. Its success will depend considerably on effective implementation, trust building, and the participation of various stakeholders.

As India has embarked on the path of digital transformation, the DPDPA will hold significant importance in the coming time. After a detailed analysis of this act, it can be concluded that the provisions of this act are not as comprehensive as the European Union’s GDPR. There is a need to evolve this act through amendments and supporting regulations to overcome the challenges. However, this beginning shows a big shift in the approach of policymakers toward privacy and personal data laws in India.

OLQ is a pan-India law firm connecting legal expertise nationwide.

WRITTEN BY: ADV ANIK
