
The Digital Personal Data Protection Act, 2023



Authored By: Ms. Ankita Makan (B.B.A.LL.B (Hons)), Chanderprabhu Jain College of Higher Studies and School of Law.


I. INTRODUCTION:

“The article aims to critically analyze the Digital Personal Data Protection Act, 2023, which draws on the European Union General Data Protection Regulation. The Digital Personal Data Protection Act, 2023 is built on privacy principles and focuses on recognizing the harms that can arise in the processing of digital personal data and laying down rules to prevent them.”

II. BACKGROUND:

K.S. Puttaswamy v/s Union of India:

Justice K.S. Puttaswamy (Petitioner), a retired judge of the High Court of Karnataka, filed a writ petition before the Hon’ble Supreme Court in 2012 challenging the constitutional validity of the Aadhaar scheme on the ground that it infringed the privacy of the individual. In August 2015 a three-judge bench referred the question of whether privacy is a fundamental right to a larger bench, and in July 2017 a five-judge Constitution Bench concluded that the issue should be decided by a bench of nine judges.

The nine-judge bench of the Hon’ble Supreme Court, by its judgment dated 24.08.2017 in K.S. Puttaswamy v. Union of India, unanimously recognized the right to privacy as a fundamental right under Article 21 of the Constitution of India. The bench also recognized the need for legislation protecting individuals’ privacy.

Shortly before the judgment, in July 2017, the Ministry of Electronics and Information Technology (MeitY) constituted a Committee of Experts chaired by Justice B.N. Srikrishna to study data protection in India and to draft data protection legislation. The committee’s White Paper (November 2017) and its report with a draft bill (July 2018) led to the Personal Data Protection Bill, 2019, which was withdrawn in August 2022; a revised draft Digital Personal Data Protection Bill was published for consultation in November 2022. The Digital Personal Data Protection Bill, 2023 was introduced in Lok Sabha by MeitY on 3rd August 2023, passed by Lok Sabha on 7th August 2023 and by Rajya Sabha on 9th August 2023, and received the President’s assent on 11th August 2023.

III. WHAT IS PERSONAL DATA?

Personal data can be described as an attribute of one’s identity. It is not only an address, phone number or credit card details; it also includes the attributes that make up a person’s identity, such as preferences, habits, gender, caste, thoughts or beliefs, or any information that distinguishes him/her from others. Companies routinely use individuals’ personal data to analyze likes, dislikes and habits, to improve customer satisfaction and to identify target markets; some companies also sell the data for financial gain.

The personal data of a person can be broadly classified into the following types (this is a descriptive classification; the DPDP Act itself, unlike the EU GDPR, does not carve out a separate category of sensitive personal data and applies one set of rules to all digital personal data):

  1. Financial Data: Information relating to the financial status of a person, such as bank details, financial transactions, debts, and assets held by him/her.
  2. Sensitive Personal Data: Race, gender, ethnicity, health, thoughts, beliefs, likes, and dislikes of a person may be referred to as sensitive personal data.
  3. Educational Data: The academic history of a person, their grades, schools, universities, etc.

Processing personal data means performing any operation on it. Under the Act, “processing” covers any wholly or partly automated operation or set of operations performed on digital personal data, including collection, recording, storage, use, sharing, disclosure by transmission, erasure and destruction; organizations typically derive information from such data for their own benefit. The Digital Personal Data Protection Act, 2023 lays down provisions for the lawful processing of personal data, built around the person’s control over his/her information and the protection of his/her privacy.

IV. PRIVACY:

In the 21st century there has been a surge in the number of Internet users; according to the Srikrishna Committee’s White Paper on data protection (2017), the growth rate of Internet users in India is approximately 7-8%, which is why India is on the path to becoming a digital economy. With the rapid growth of technology, large amounts of information can now be easily stored and accessed by business organizations, transforming their decision-making and the way they conduct business. The data collected and stored can be used for many positive purposes, but unregulated use of an individual’s personal data can have serious consequences and raises concerns about privacy. The right to privacy is an intangible legal right, and it can therefore be a challenge to identify and protect it. Privacy, in this sense, means preventing the disclosure of one’s personal information and its use for unauthorized purposes. Following the White Paper, privacy can be broadly classified into three categories:

  1. Spatial Privacy relates to physical spaces, bodies and things.
  2. Decisional Privacy relates to the choices made by an individual.
  3. Informational Privacy relates to the personal information of an individual.

Securing an individual’s right to privacy in the digital era means ensuring that the individual has the right to decide what part of the information available about him/her can be accessed by others.

The right to privacy is closely related to the confidentiality of one’s personal information; it allows a person to control their information and prevent it from being used unlawfully. The right is, however, subject to reasonable restrictions. Following the taxonomy adopted in the White Paper, the harms that flow from misuse of personal information fall into two categories:

  1. Subjective Harm refers to the apprehension or perception of unwanted observation or use of one’s personal information, such as anxiety or embarrassment, even where no concrete damage has yet occurred.
  2. Objective Harm refers to actual damage caused by the use of personal information, such as fraud, identity theft, or loss of reputation.

V. DATA PROTECTION:

From the telegraph to the mobile phone, people have for many years tried to protect personal information such as private messages, documents and photographs. Data protection is primarily linked to informational privacy: ensuring that information is used only for the purpose for which it was provided and that no unauthorized use is made of it. This has become all the more important now that information on digital platforms can be accessed so easily. Day-to-day activities such as ordering food, booking a cab, navigating, buying groceries and banking can now be done within minutes on a mobile phone; as much as these advances have made life more convenient, they also leave us more exposed to cyber-attacks, and one may say that the convenience comes at the expense of privacy. Companies holding and storing personal data cannot be expected to protect it voluntarily; they must be made to acknowledge that they hold sensitive personal data and to protect it effectively. Companies also tend to retain such data for long periods, and this accumulation of data is itself a serious threat to data protection: the longer data is kept and the more of it there is, the greater the harm when a breach occurs.

VI. PARTIES INVOLVED IN EXCHANGE OF THE DATA:

1. Data Principal:

The Act defines the data principal as the individual to whom the personal data relates; where the individual is a child, the term includes the parents or lawful guardian, and where the individual is a person with disability, it includes the lawful guardian acting on her behalf. A data principal is a natural person who can be identified by or in relation to the data, directly or indirectly.

2. Data Fiduciary:

The Act defines a data fiduciary as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data; the entities with which a data principal shares personal data are therefore data fiduciaries. The Act further provides that the Central Government may notify any data fiduciary or class of data fiduciaries as a significant data fiduciary on the basis of an assessment of factors such as the volume and sensitivity of the personal data processed, the risk to the rights of data principals, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State and public order. Significant data fiduciaries must fulfil additional obligations.

The relationship between data principal and data fiduciary is one of trust: the data principal shares personal information trusting that the fiduciary will make no unauthorized use of it and will take all measures necessary to protect it. The Act’s stated aim is to balance the individual’s right to protect personal data against the need to process such data for lawful purposes.

 

VII. OBLIGATIONS OF THE DATA FIDUCIARY UNDER THE ACT:

  1. Consent And Notice:

The Act requires the data fiduciary to obtain the consent of the data principal before processing her personal data for a specified purpose. Such consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for that purpose. The data principal may withdraw consent at any time, with the same ease with which it was given, and the fiduciary may process the data only until consent is withdrawn. After withdrawal the data fiduciary must, within a reasonable time, cease processing and erase the personal data (and cause its data processors to do the same), unless retention is required by law. Every request for consent must be accompanied or preceded by a notice informing the data principal of the personal data to be collected and the purpose of processing, the manner in which she may exercise her rights and withdraw consent, and the manner in which she may complain to the Data Protection Board. Consent may also be given, managed, reviewed and withdrawn through a Consent Manager registered with the Board.

  2. General Obligations:

The Act requires the data fiduciary to fulfil certain general obligations to ensure that the personal data of the data principal remains protected and is used only to the extent authorized, such as:

  • A data fiduciary may engage a data processor to process personal data on its behalf only under a valid contract.
  • The data fiduciary must implement reasonable security safeguards to protect personal data from a personal data breach. In the event of a breach, it must inform the Board and each affected data principal in the form and manner prescribed.
  • The data fiduciary must ensure that personal data is accurate and complete where it is used to make a decision affecting the data principal or is disclosed to another data fiduciary, and must erase personal data when consent is withdrawn or as soon as the specified purpose is no longer being served, unless retention is required by law.
  • The data fiduciary must publish the contact details of a Data Protection Officer or other person able to answer questions about the processing, and must establish an effective grievance redressal mechanism for data principals.

  3. Processing The Personal Data Of Children Or Persons With Disability:

Children are assumed to be more vulnerable to crime, and it is our duty to protect them and provide a safe and secure environment that promotes their growth and development. Keeping this in mind, the Act requires the data fiduciary to obtain the verifiable consent of the parent or lawful guardian before processing the personal data of a child (an individual who has not completed eighteen years of age) or of a person with disability who has a lawful guardian. A data fiduciary must not undertake processing that is likely to have a detrimental effect on the well-being of a child, and must not track or monitor the behaviour of children or direct targeted advertising at them, except as the Central Government may exempt by notification.

  4. Additional Obligations of Significant Data Fiduciary:

Significant data fiduciaries are required to:

  • Appoint a Data Protection Officer based in India, who represents the significant data fiduciary under the Act, reports to its board of directors or similar governing body, and serves as the point of contact for grievance redressal.
  • Appoint an independent data auditor to carry out data audits and evaluate compliance with the provisions of the Act.
  • Carry out periodic Data Protection Impact Assessments and periodic audits, and take such other measures as may be prescribed.

VIII. RIGHTS OF DATA PRINCIPAL UNDER THE ACT: 

The Act confers certain rights upon the data principal to protect them from harm that may be caused by unauthorized use of their personal data, such as:

  • The right to obtain from the data fiduciary a summary of the personal data being processed and of the processing activities, the identities of all other data fiduciaries and data processors with whom the data has been shared along with a description of the data shared, and any other information prescribed (section 11).
  • The right to correction, completion, updating and erasure of personal data previously provided with consent (section 12); erasure may be refused only where retention is necessary for the specified purpose or for compliance with law.
  • The right to readily available means of grievance redressal provided by the data fiduciary or consent manager (section 13), which must be exhausted before approaching the Board.
  • The right to nominate another individual to exercise these rights in the event of death or incapacity (section 14).

IX. DUTIES OF DATA PRINCIPAL UNDER THE ACT:

The duties of the data principal under the Act (section 15) are as follows:

  • To comply with all the provisions of the Act applicable to them.
  • Not to impersonate another person while providing personal data for a specified purpose.
  • Not to suppress any material information while providing personal data for any document, identifier or proof of identity or address issued by the State.
  • Not to register a false or frivolous grievance or complaint with a data fiduciary or the Board.
  • To furnish only such information as is verifiably authentic when exercising the right to correction or erasure.

A data principal who breaches any of these duties is liable to a penalty of up to ten thousand rupees under the Schedule to the Act.

X. THE DATA PROTECTION BOARD OF INDIA:

The Act requires the Central Government to establish the Data Protection Board of India, which functions as an independent body and is a body corporate with perpetual succession and a common seal, able to sue and be sued in its own name. The chairperson and members of the Board are appointed by the Central Government and must be persons of ability, integrity and standing with special knowledge or practical experience in fields such as data governance, administration, law, regulation, technology, dispute resolution or consumer protection, with at least one member being an expert in law; they hold office for a term of two years and are eligible for re-appointment. The Board’s powers and functions include directing urgent remedial or mitigation measures in the event of a personal data breach, inquiring into breaches and complaints, referring disputes for mediation, accepting voluntary undertakings, and imposing penalties. When conducting an inquiry the Board has the powers of a civil court under the Code of Civil Procedure, 1908 and must follow the principles of natural justice. All penalties imposed by the Board are credited to the Consolidated Fund of India.

XI. THE APPELLATE BODY UNDER THE ACT:

The Act provides that any person aggrieved by an order or direction of the Board may appeal within sixty days of receipt of the order to the Appellate Tribunal, which is the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) established under the TRAI Act, 1997. The Appellate Tribunal must endeavour to dispose of the appeal within six months, and has the powers of a civil court for the purposes of the Act. It may pass such orders as it thinks fit on the order appealed against and must send a copy of its order to the Board and to the parties to the appeal. An appeal against an order of the Appellate Tribunal, other than an interlocutory order, lies to the Supreme Court.

XII. BARS JURISDICTION OF CIVIL COURTS:

The Act bars civil courts from entertaining any suit or proceeding in respect of any matter that the Board is empowered to determine under the DPDP Act. It further provides that no court or other authority shall grant an injunction in respect of any action taken, or to be taken, in pursuance of any power conferred by the Act.

XIII. EXEMPTIONS:

TABLE 1: Exemptions granted under the DPDP Act, 2023.

| Provision of the Act | Provisions in respect of which the exemption is granted | Exemption |
|---|---|---|
| 17(1) | Chapter II (obligations of data fiduciary), except sections 8(1) and 8(5); Chapter III (rights and duties of data principal); and section 16 (processing outside India) | Where the processing of personal data is: (a) necessary for enforcing any legal right or claim; (b) by any court, tribunal or other body in India entrusted by law with judicial, quasi-judicial, regulatory or supervisory functions, where necessary for the performance of those functions; (c) in the interest of prevention, detection, investigation or prosecution of any offence or contravention of law; (d) of data principals not within the territory of India, under a contract entered into with a person outside India by any person in India; (e) necessary for a scheme of compromise, arrangement, merger or amalgamation of two or more companies, reconstruction by way of demerger or otherwise, or transfer of undertaking, approved by a court, tribunal or other competent authority; (f) for ascertaining the financial information, assets and liabilities of a person who has defaulted on a loan or advance from a financial institution, subject to the disclosure provisions of other laws. |
| 17(2) | All provisions of the Act | (a) Where personal data is processed by such instrumentality of the State as the Central Government may notify, in the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order, or preventing incitement to a cognizable offence; (b) where processing is necessary for research, archiving or statistical purposes, the data is not used to take any decision specific to a data principal, and the processing follows prescribed standards. |
| 17(3) | Section 5 (notice), sections 8(3) and 8(7) (accuracy and erasure obligations of data fiduciary), section 10 (significant data fiduciaries) and section 11 (right to access information about personal data) | The Central Government may, having regard to the volume and nature of personal data processed, notify certain data fiduciaries or classes of data fiduciaries (including start-ups) as exempt from these provisions. |
| 17(4) | Section 8(7) (erasure obligation of data fiduciary) and section 12(3) (right of data principal to erasure) | Where the processing is by the State or any instrumentality of the State. |
| 17(5) | Any provision of the Act | The Central Government may, before the expiry of five years from commencement of the Act, by notification declare that any provision of the Act shall not apply to specified data fiduciaries or classes of data fiduciaries for a specified period. |

 

XIV. DIFFERENT APPROACHES TOWARDS DIGITAL DATA PROTECTION:

  1. The United States of America follows a laissez-faire approach. There is no single comprehensive federal statute conferring a general right to data protection on citizens; instead, constitutional protections (chiefly the Fourth Amendment) constrain intrusion by the government, the Privacy Act of 1974 regulates how federal agencies handle personal records, and private-sector processing is governed by sector-specific laws and state statutes, largely on a notice-and-consent basis. The US approach is thus strict in respect of government processing of data and consent-based in respect of private-sector processing.
  2. The European Union follows a rights-based approach. The European Union General Data Protection Regulation (EU GDPR) recognizes the right to privacy and the right to the protection of personal data, and regulates processing of personal data both during and after processing. The Indian legislation for digital personal data protection is closely modelled on the EU approach, though it is considerably simpler.

TABLE 2: Key differences between EU GDPR and DPDP Act, 2023.

| S.NO | BASIS | EU GDPR | DPDP Act, 2023 |
|---|---|---|---|
| 1 | Definitions: Personal Data | Gives a more precise definition: any information relating to an identified or identifiable natural person, with examples of identifiers (name, identification number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural or social identity) (Article 4(1)). | Confines personal data to any data about an individual who is identifiable by or in relation to such data (section 2), and applies only to personal data in digital form. |
| | Definitions: Consent | Defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by a statement or clear affirmative action (Article 4(11)). | Does not define consent in section 2, though section 6 requires it to be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action. |
| | Definitions: Child | For consent to information society services, treats a child as an individual under the age of 16, with member states permitted to lower the threshold to 13 (Article 8). | Defines a child as an individual who has not completed eighteen years of age (section 2). |
| | Definitions: Data Fiduciary / Controller | Defines controller as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7)). | Defines Data Fiduciary as any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data (section 2). |
| 2 | Classifications: Data Fiduciary / Controller | Does not provide for any further classification of controllers. | Empowers the Central Government to notify certain data fiduciaries, on the basis of an assessment, as Significant Data Fiduciaries with additional obligations (section 10). |
| | Classifications: Personal Data | Further classifies special categories of personal data, i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and genetic, biometric, health, sex-life or sexual-orientation data, which attract stricter conditions (Article 9). | No such classification; all digital personal data is governed by the same rules. |
| 3 | Appointment of Supervisory Authority | Each member state must provide for one or more independent supervisory authorities (Article 51). | Provides for a single Data Protection Board of India established by the Central Government; the States are not empowered to appoint supervisory authorities. |
| 4 | Impact Assessment | The controller must carry out a data protection impact assessment where processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35). | Requires a Data Protection Impact Assessment only of significant data fiduciaries (section 10). |
| 5 | Certification | Provides for data protection certification mechanisms, seals and marks to demonstrate compliance by controllers and processors (Article 42). | Provides no certification mechanism. |
| 6 | The Board: Name | European Data Protection Board (EDPB). | Data Protection Board of India. |
| | The Board: Chairperson | One chair and two deputy chairs. | One chairperson. |
| | The Board: Term | Five years for the chair and deputy chairs, renewable once (Article 73). | Two years for the chairperson and members, eligible for re-appointment. |
| | The Board: Members | The head of one supervisory authority of each member state and the European Data Protection Supervisor. | A chairperson and such number of members as the Central Government may notify; the number had not been notified at the time of writing. |
| | The Board: Secretariat | The European Data Protection Supervisor provides the secretariat of the Board. | No separate secretariat; the Board appoints its own officers and employees with the previous approval of the Central Government. |
| 7 | Maximum Penalty | Up to EUR 20,000,000 or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83). | Up to Rs. 2,50,00,00,000 (Rs. 250 crore) per instance, the highest tier being for failure to take reasonable security safeguards to prevent a personal data breach (the Schedule). |

 

XV. CONCLUSION:

It is important for the law to keep pace with the needs of a changing society, and in today’s technology-oriented society laws governing and regulating the digital sphere are the need of the hour. The challenge is to regulate and control the use of information once it has been made available online. Large companies such as Uber, Ola, Zomato, banking apps, etc., have access to the personal data of their customers. While this data has many beneficial uses, the possibility of arbitrary use of personal data raises concerns about individual privacy. In a survey conducted by IBM, almost 71% of users said they were ready to give apps access to their personal information in exchange for access to the technology. It cannot be assumed that all businesses holding personal data voluntarily make provision for its protection; India accounted for approximately 20% of worldwide data breach incidents in 2021 and 2022. The Digital Personal Data Protection Act, 2023 is a positive step by the Indian Government toward protecting the personal data of individuals available online and ensuring that personal data held by businesses is appropriately safeguarded against data breaches. It can be concluded from the analysis that the legislation is inspired by the European Union General Data Protection Regulation (EU GDPR); both follow a notice-and-consent approach. The areas of concern are that the Act is silent on what amounts to reasonable security safeguards for personal data, leaving this to rules yet to be prescribed, and that it confers extensive control on the Central Government, including broad powers of exemption; the impact of the legislation cannot be assessed just yet.

This article is intended only as a general discussion of issues and is not intended for any solicitation of work and shouldn’t be regarded as legal advice.     

Cite this article as:

Ms. Ankita Makan, “The Digital Personal Data Protection Act, 2023”, Vol.5 & Issue 3, Law Audience Journal (e-ISSN: 2581-6705), Pages 212 to 227 (27th Nov 2023), available at https://www.lawaudience.com/the-digital-personal-data-protection-act-2023/.
