
A CRITICAL ANALYSIS OF DIGITAL PERSONAL DATA PROTECTION BILL, 2023 WITH REFERENCE TO PRIVACY RIGHT

By Diwanshi Rohatgi and Dr. Asish Kumar


The Digital Personal Data Protection Act, 2023 is a critical legislative framework designed to safeguard individuals’ digital information in an increasingly interconnected world. The Act prioritizes the privacy rights of individuals, acknowledging the significance of personal data in modern digital ecosystems. It establishes stringent guidelines and protocols that organizations must adhere to when handling sensitive information, fostering a culture of accountability and transparency. This research paper traces the background to the Digital Personal Data Protection Act: how it finally came into existence, the history behind its enactment, and the laws that previously governed the right to privacy and data protection. The researchers then discuss the various data protection Bills and, lastly, analyse the Act.

Keywords: Digital Personal Data Protection Act, Right to Privacy, Data protection, Bills. 



Technological advancement has raised serious concerns about privacy in the country, and securing one’s privacy has become a high priority for every individual. According to Black’s Law Dictionary, privacy is defined as “the right that determines the non-intervention of secret surveillance and the protection of an individual’s information.”[1] In other words, privacy is the desire or will of an individual to be free from other persons’ intrusion. Privacy concerns have gained significant attention for multiple reasons and because of several incidents over the past few years. High-profile data breaches in various sectors, including tech companies, financial institutions, and healthcare organizations, have highlighted the vulnerability of personal information and led to increased concern about data security and privacy. Incidents involving the unauthorized use of personal data by social media platforms for targeted advertising or political manipulation have brought privacy issues to the forefront. Progress in technology, including artificial intelligence, facial recognition, and biometric data collection, has raised concerns about the potential misuse of personal information and its implications for privacy. Increased public awareness of the value of personal data and the need for privacy protection has driven discussions and demands for better privacy safeguards.[2]

The Indian Constitution does not contain any express provision on the right to privacy, but by virtue of the Hon’ble Supreme Court’s decision in Justice K.S. Puttaswamy (Retd.) v. Union of India, the right to privacy has been declared an inherent component of the right to life and personal liberty enshrined under Article 21 of the Constitution. The Court emphasized that privacy is essential to the existence of the individual, allowing individuals to exercise control over their personal information and choices without interference from the State or other entities, except in specific circumstances defined by law. Citizens and non-citizens alike enjoy the right to privacy, and no one can be deprived of personal liberty except by the procedure established by law. This judgment significantly strengthened the position of privacy rights in India, acknowledging their importance in the context of evolving technology, data collection, and government action. It also laid the groundwork for subsequent discussions and legislative efforts concerning data protection and privacy law in the country.[3] Apart from this judgment, the Information Technology Act, 2000 (as amended in 2008) covers various aspects of digital communication, electronic governance, and cybersecurity. While the IT Act does not explicitly focus on data privacy, certain of its provisions touch upon aspects of data protection and privacy.
The Act contains several provisions that protect privacy in data-related matters. A certifying authority must conform to security procedures that guarantee the secrecy and privacy of electronic records. Unauthorised intrusion into a person’s computer or computer system attracts liability, and the person concerned is entitled to compensation for unlawful access to his private and personal data. A body corporate that possesses, deals with or handles any sensitive personal data or information in a computer resource that it owns, controls or operates, and is negligent in implementing and maintaining reasonable security practices and procedures, thereby causing wrongful loss or wrongful gain to any person, is liable to pay damages by way of compensation to the person affected. The Act also protects sensitive personal information residing in a computer resource: if an attacker hacks into a computer system and copies or transfers sensitive personal information, which may be of a very private nature or of business importance to its proprietor, to a rival, the act diminishes the value of the data held within the computer resource and therefore infringes privacy. Even a government officer can be penalised if, in his official capacity, he discloses any electronic record or information that he has obtained about a person. Any person, including an intermediary, who, while providing services under a lawful contract, has secured access to any material containing personal information about another person, and who, with the intent of causing or knowing that he is likely to cause wrongful loss or wrongful gain, discloses that material without the consent of the person concerned or in breach of a lawful contract, shall be punished with probation for a period of up to three (3) years, or a fine of up to five (5) lakh rupees, or both.[4]

However, India lacked a comprehensive data protection law for a very long period. To address this gap, the Government of India set up a five-member committee headed by former Supreme Court judge Justice (Retd.) B.N. Srikrishna to review data protection norms in India and make recommendations. The Committee released a white paper on data protection in 2017 and, in July 2018, submitted its final report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians” along with a draft law, the Personal Data Protection Bill, 2018.[5]

The Personal Data Protection Bill, 2018 was introduced to provide a framework for the protection of personal data. The Bill laid down regulations on how data could be collected, processed, and used, which included obtaining consent from individuals before gathering their data. It provided for data security measures, such as requiring organizations to implement adequate safeguards to protect personal information from unauthorized access, breaches, or misuse. It gave individuals rights over their data, such as the right to access, correct, delete, or limit the processing of their information. It also laid down guidelines on transferring data across borders, ensuring that such transfers complied with specific standards or agreements, and, lastly, established accountability for organizations handling data and imposed penalties for non-compliance. This Bill went through various revisions and discussions.[6] The final version, the Personal Data Protection Bill (PDPB), 2019, was subsequently introduced in the Indian Parliament. This updated version incorporated changes based on public feedback and further deliberation. It laid down guidelines for the processing of personal data, including explicit consent requirements, lawful grounds for processing, and the obligation of data fiduciaries to ensure data accuracy and accountability. The Bill proposed the concept of data localization, under which certain categories of sensitive personal data would have to be stored and processed only within the borders of India. It granted individuals various rights concerning their personal data, such as the right to access and correct their data, the right to be forgotten, and the right to data portability. The establishment of a Data Protection Authority of India (DPA) was proposed to oversee and enforce compliance with data protection laws and regulations.
The Bill also addressed cross-border data transfer mechanisms, outlining the conditions for the transfer of personal data outside India.[7] But in August 2022 the Bill was withdrawn because its provisions were considered inadequate to meet global standards on data privacy. The Ministry of Electronics and Information Technology then released a Draft Digital Personal Data Protection Bill, 2022 for public feedback. The Ministry received almost 20,000 submissions on the 2022 Bill and undertook several dozen consultations. This paved the way for the development and enactment of a specifically Indian law that, on the surface, appears capable of striking the elusive balance between facilitating corporate operations and safeguarding national interests and citizens’ rights.[8]

The proposed Bill required that, before accessing personal data, the data fiduciary obtain consent from the data principal through a detailed notice outlining what data would be used and for what purpose. This consent could be either express or implied, with express consent needing to be clear, lawful, and accessible to the data principal. Importantly, the data principal retained the right to withdraw consent at any time through a consent manager, whereupon the data fiduciary had to cease processing the data within a reasonable timeframe. If the data principal voluntarily provided personal data to the data fiduciary, this was to be treated as “deemed consent.” Pertinently, deemed consent could only arise in the limited cases illustrated in the draft Bill. The Bill imposed significant responsibilities on data fiduciaries to ensure that personal data is processed, stored, or erased in a safe and proper manner. These obligations included: security measures, deletion of data, appointment of a data protection officer, personal data of children, and significant data fiduciaries. The Bill also seemed to place more emphasis on the rights of the data principal this time. These rights included: the right to information, the right to correction or erasure, and the right to grievance redressal. The Bill also provided for setting up a Data Protection Board (DPB), which would oversee compliance by data fiduciaries (including data processors) and data principals with the provisions of the proposed Act. Some of the provisions pertaining to the Board are stated below:

The Board would operate an online filing and file management system, along with electronic hearings. It would derive its powers from the Code of Civil Procedure, 1908. It would act on a complaint received from an affected person (no suo motu powers) and would, after giving the persons concerned an opportunity to be heard, dispose of the complaint “at the earliest” (no timeframe was stipulated in the draft Bill). In case of non-compliance, the Board would first ascertain whether the non-compliance was significant before imposing a penalty and/or directions on the losing party. Before adjudicating on the merits, the Board would determine the maintainability of the complaint; if it found the complaint frivolous, it could issue a warning to the complainant or impose costs. Appeals from the Board’s decisions would lie to the High Courts and had to be filed within sixty days of the Board’s order. The Board also had the power to direct the parties to attempt to resolve the dispute through Alternative Dispute Resolution (ADR) by a body or group designated by the Board.[9]

The draft Bill also proposed hefty penalties, extending to a maximum of ₹250 crore. The draft Bill was, however, silent on the rules governing transfer of data outside India; instead, it provided that the government would notify a list of countries to which a data fiduciary could transfer personal data, subject to such terms and conditions as might be specified. The draft Bill had certain drawbacks. It did not specify when its obligations on data fiduciaries would take effect. It set no deadline for the data fiduciary to delete personal information once the intended purpose had been fulfilled, and no timeframe for the Board to decide a complaint. The expansive interpretation of the words “public interest” in relation to “deemed consent” raised several serious concerns: the definition appeared to grant data fiduciaries a broad range of powers, since it encompassed, among other things, the operation of search engines and “any fair and reasonable purpose,” which in turn included “any public interest” in processing personal data. The Bill should ideally have established the Board’s composition, which it did not specify. It is to be noted that the Board could act only in response to a complaint; it was not empowered to take up cases involving breaches of personal data on its own. The Board should have had the authority to rule on cases involving mass breaches (or significant non-compliance) and to impose appropriate fines on the losing parties. The Bill focused on the severity of the non-compliance: if the non-compliance was not significant, the Board could close the enquiry, and it would take remedial measures only where the non-compliance was significant. The problem here lies in the terminology, since “significant” is highly subjective and may lead to faulty interpretation.
Perhaps the severity or significance of non-compliance could be streamlined, or at least the Board should reserve the power to pass necessary orders or directions (with reduced costs) in cases of non-significant non-compliance. Lastly, the draft Bill did not address sensitive personal data (which earlier included passwords, financial data, biometrics, caste, sexual orientation, etc.) or the manner of processing such information (under explicit consent).

Therefore, in August 2023, the Digital Personal Data Protection Bill, 2023 was introduced in Parliament. It was a concise and simply written thirty-three (33) page document, accompanied by several useful illustrations, and marked a departure from the dense and prescriptive approaches to personal data protection legislation taken until then. The DPDP Bill, 2023 also differs in several ways from its 2022 predecessor, which the authors discuss under the next heading; this Bill subsequently became India’s first personal data protection law.


OVERVIEW OF DIGITAL PERSONAL DATA PROTECTION BILL OF 2023 

The Digital Personal Data Protection Bill, 2023 applies to the processing of digital personal data within India where such data is collected online, or collected offline and then digitised. The Bill also applies to such processing outside India if it is for offering goods or services in India. Personal data, i.e. information that relates to an identified or identifiable individual, may be processed only for a lawful purpose upon the consent of the individual. Consent is not required for specified legitimate uses, such as voluntary sharing of data by the individual or processing by the State for permits, licences, benefits, and services. An individual whose data is being processed has the right to: obtain information about the processing, seek correction and erasure of personal data, nominate another person to exercise these rights in the event of death or incapacity, and seek grievance redressal. Data principals also have certain duties: they must not register a false or frivolous complaint, furnish false particulars, or impersonate another person in specified cases. Violation of these duties is punishable with a penalty of up to Rs 10,000 (ten thousand).[10] Data fiduciaries are obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met. The Bill grants certain rights to individuals, including the right to obtain information, seek correction, and seek grievance redressal. It allows the transfer of personal data outside Indian territory, except to countries restricted by the central government through notification. The central government may exempt government agencies from the provisions of the Bill on specified grounds such as security of the State, public order, and prevention of offences.
According to the Bill, the central government will establish the Data Protection Board of India to adjudicate on non-compliance with the provisions of the Bill. The key functions of the Board include: monitoring compliance and imposing penalties, directing data fiduciaries to take necessary measures in the event of a data breach, and hearing grievances made by affected persons. Board members will be appointed for two years and will be eligible for re-appointment. The central government will prescribe details such as the number of Board members and their selection process. Appeals against decisions of the Board will lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). The schedule to the Bill specifies penalties for various offences, such as up to Rs 200 crore (two hundred crore) for non-fulfilment of obligations relating to children, and Rs 250 crore (two hundred and fifty crore) for failure to take security measures to prevent data breaches. These penalties will be imposed by the Board after conducting an inquiry. The Bill received Presidential assent, followed by official gazette notification, and became the law of the land on 11 August 2023, which is discussed under the next heading.[11]


ANALYSIS OF DIGITAL PERSONAL DATA PROTECTION ACT OF 2023

Every individual living in a society has personal information about himself, such as name, address, profession, age, income, marital status, educational qualifications, likes and dislikes, and information about his family. The individual naturally wants to protect this personal information and expects that his or her personal data will not be made public without his or her consent. Yet at various points State agencies or business entities require the personal data of individuals, whether to understand the needs and interests of individuals and society in pursuit of socio-economic growth or to provide them with services.

Under this Act, a few new concepts have been introduced, which were discussed earlier: data principal (section 2(j)), data fiduciary (section 2(i)) and data processor (section 2(k)). A data principal is the person whose personal data is at stake; this includes children and persons with disabilities. A data fiduciary means any kind of business entity that has custody of the digital personal data of other individuals for a specific purpose. A data processor is a person acting on behalf of the data fiduciary who plays an important role in processing digital personal data.

The Act essentially strengthens India’s digital economy and its ecosystem by trying to balance ease of doing business with protection of people’s privacy.[12] The Act applies to personal data only if it is in digital form, or if it is non-digital personal data that is later digitised, within or outside India, relating to an individual residing in India. No clause of the Act, however, applies where the data principal himself divulges his personal information on a digital platform, for example when you comment on a post on Facebook, Twitter, or another such social networking site and reveal your identity and profile.

Let us delve into the Act:

According to the Act, personal data refers to data about an individual who is identifiable by or in relation to such data. The Act applies only to data collected in digital form, or collected in non-digital form and subsequently digitised. It does not apply to personal data that has been made publicly available: for instance, if an individual maintains a public social media profile to which access is not restricted, the Act will not apply to the processing of any personal data made available on that profile. The Act also does not apply to the processing of personal data for any domestic use.

What are the grounds of processing? Data fiduciaries can process data on the basis of consent obtained from data principals, which must be free, specific, informed, unconditional and unambiguous. Such consent is to be given through a clear affirmative action and is limited to the personal data necessary for the specified purpose. To obtain consent for processing, the data fiduciary must present the data principal with a notice that specifies: what personal data is to be collected, the purpose for which it is to be processed, how the data principal can make a complaint to the Board, and how the data principal can exercise rights under the Act. There is a reporting requirement even for minor contraventions of the provisions of the Act.[13]

Notice and consent should be in clear and simple language, and consent can be revoked. Data fiduciaries are obliged to erase personal data when a data principal withdraws consent. The Act does not restrict data fiduciaries from transferring personal data to other countries; however, there are certain exemptions, which were discussed earlier.

Personal data breaches and reporting obligations: a personal data breach is defined to include any unauthorised processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity or availability of such data. If a personal data breach occurs, data fiduciaries must promptly inform each affected data principal and the Board of the breach.[14] The specific format and method of reporting are yet to be prescribed under the Act.

Upon receiving intimation of a breach from a data fiduciary, the Board may direct the data fiduciary to undertake urgent remedial or mitigation measures to minimise the impact of the breach. Additionally, the Board may investigate a personal data breach and levy penalties on the basis of either an intimation received from the data fiduciary or a complaint lodged by the data principal.[15] As to penalties, amounts of up to INR 250 (two hundred and fifty) crore have been prescribed for various significant contraventions. While failure to maintain adequate security safeguards attracts the highest penalty, non-compliance with other obligations relating to children and to personal data breach reporting may result in penalties of up to INR 200 (two hundred) crore. Significant Data Fiduciaries (SDFs) may also be fined up to INR 150 (one hundred and fifty) crore for not meeting the additional obligations imposed on them. A general residuary penalty of up to INR 50 (fifty) crore has also been prescribed for breach of any other provision of the Act or any rule issued under it.[16]


CONCLUSION

The Government of India has created a simple and easy-to-understand Act, framed on the understanding that individuals have a right to protect their data while personal data also needs to be processed for specified lawful purposes. Numerous liabilities have been placed on data fiduciaries. The Act ushers in a new phase of technology law in India. All members of this new ecosystem, be they data fiduciaries, processors, or data principals, have a long but insight-filled road ahead of them as they acclimatise to its requirements, shortcomings and benefits.


The authors of this article are Ms. Diwanshi Rohtagi and Dr. Asish Kumar, Assistant Professors (Law) at Amity University, Jharkhand, Ranchi.


[1] Shivnath Tripathi, “Right to Privacy as a Fundamental Right: Extent and Limitations” SSRN 1 (2017).

[2] Shiv Shankar Singh, “Privacy and Data Protection in India: A Critical Assessment” 53 Journal of the Indian Law Institute 663 (2011).

[3] Vrinda Bhandari, Amba Kak, et al., “An Analysis of Puttaswamy: The Supreme Court's Privacy Verdict” SSOAR 1 (2017).

[4] The Information Technology Act, 2000 (Act 21 of 2000).

[5] Key Highlights from Srikrishna Committee Report on Data Protection, available at: https://www.thequint.com/news/india/key-highlights-from-srikrishna-committee-report-on-data-protection#read-more (Visited on December 24, 2023).

[6] Deva Prasad M and Suchithra Menon C, “The Personal Data Protection Bill, 2018: India’s Regulatory Journey Towards a Comprehensive Data Protection Law” 28 International Journal of Law and Information Technology 1-19 (2020).

[7] The Personal Data Protection Bill, 2019.

[8] Draft Digital Personal Data Protection Bill, 2022.

[9] The Digital Personal Data Protection Bill, 2022.

[10] Digital Personal Data Protection Bill, 2023.

[11] Digital Personal Data Protection Bill, 2023.

[12] Explained: The Digital India Act 2023, available at: https://vidhilegalpolicy.in/blog/explained-the-digital-india-act-2023/ (Visited on December 25, 2023).

[13] The Digital Personal Data Protection Act, 2023 - A Scenario of Arising Liabilities, available at: https://www.barandbench.com/law-firms/view-point/the-digital-personal-data-protection-act-2023-a-scenario-of-arising-liabilities-2 (Visited on December 25, 2023).

[14] Digital Personal Data Protection Act, 2023 (Act 22 of 2023).

[15] Understanding India’s New Data Protection Law, available at: https://carnegieindia.org/2023/10/03/understanding-india-s-new-data-protection-law-pub-90624 (Visited on December 26, 2023).

[16] Vaibhav Bhardwaj, Shreya Suri, et al., “The Digital Personal Data Protection Act, 2023: Key Implications for Employers” Induslaw 2023 (2023).


This article contains the views of the authors, and the publisher in no way associates itself with the views or ideologies of the authors. All moral rights vest with the author(s).

