Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act (DPDPA), 2023 is a landmark legislation passed by the Indian Parliament in August 2023 to regulate the collection, processing, and storage of digital personal data while balancing individuals' privacy rights with the needs of businesses and governments. Its provisions come into force on dates notified by the Central Government, with much of the operational detail left to rules made under the Act. In an era where personal data is shared freely and frequently, the law represents India's significant move to protect individuals' rights over their personal information. It mirrors global data protection standards such as the European Union's General Data Protection Regulation (GDPR) while tailoring its provisions to India's own circumstances.
This article provides a comprehensive overview of the DPDPA, 2023, focusing on its key features, the rights and responsibilities of stakeholders, the regulatory framework, and the potential challenges and recommendations for improvement.
Introduction to the Digital Personal Data Protection Act, 2023
The rapid digitisation of services—from e-commerce to social media and online banking—has brought convenience but also increased concerns about privacy. Every online transaction involves sharing personal data, often without users fully understanding how this data might be used, shared, or even exploited. As data became central to business operations, it also became more valuable, earning it the title of “the new oil.”
In India, where internet penetration is growing rapidly, safeguarding individuals’ personal data is critical. Recognising this, the Indian government introduced the Digital Personal Data Protection Act, 2023 to regulate the use of digital personal data and ensure that privacy rights are respected.
The DPDPA is designed to protect personal data in digital form, introduce a consent-based model for data usage, and establish penalties for data breaches. It aims to bring India on par with global data protection frameworks while considering the country’s socio-economic realities and digital aspirations.
The Evolution of Data Protection Laws in India
Before the DPDPA, 2023, India lacked a comprehensive data protection law. The journey toward a data privacy framework began with the Information Technology Act, 2000, whose Section 43A (inserted in 2008) and the Sensitive Personal Data or Information Rules of 2011 required bodies corporate to maintain reasonable security practices for sensitive personal information. As data privacy concerns grew, these measures were widely regarded as inadequate.
In 2017, the Supreme Court of India in the landmark case Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India, declared the right to privacy a fundamental right under Article 21 of the Constitution. This judgment created the foundation for developing a dedicated data protection regime. Following this, several drafts of the Personal Data Protection Bill were introduced, beginning with the PDP Bill 2018, followed by the Personal Data Protection Bill 2019 and the Digital Personal Data Protection Bill 2022. These earlier versions faced challenges and were withdrawn after extensive public consultation.
Finally, in August 2023, the Digital Personal Data Protection Act was passed, marking a significant milestone in India’s data protection journey.
Scope of the Digital Personal Data Protection Act (DPDPA), 2023
The DPDPA, 2023 applies to the processing of digital personal data within India. It also applies to processing outside India where it is in connection with offering goods or services to Data Principals within the territory of India; the test is the location of the individuals served, not their citizenship, so that Indian users' data is covered regardless of where it is processed.
Unlike its predecessor drafts, the DPDPA, 2023 covers only personal data that is collected in digital form or that is collected offline and subsequently digitised; data that remains in non-digitised form is outside its scope. This reflects the focus on protecting data in the online space, where the risks of misuse and breaches are more prevalent.
Key Principles Underlying the DPDPA, 2023
The Act is based on several foundational principles that guide its implementation:
Consent-Based Processing
The core principle of the DPDPA is that personal data is processed on the basis of the free, specific, informed, unconditional and unambiguous consent of the individual, referred to as the Data Principal, or for a narrow set of "legitimate uses" the Act itself lists (such as voluntary provision of data for a specified purpose, or processing by the State for benefits and services). Outside those listed uses, consent is the basis for processing, which gives individuals control over how their data is collected and used.
Purpose Limitation
Data collected for one purpose cannot be used for another unless explicit consent is obtained. This principle limits the misuse of personal data by ensuring it is processed only for the purposes for which it was collected.
Data Minimisation
Organisations, referred to as Data Fiduciaries, are required to collect only the data necessary to achieve the specified purpose. The Act prohibits the collection of excessive or irrelevant personal information.
Data Accuracy
The Act emphasises the need to ensure that the personal data collected is accurate and up-to-date. Data Fiduciaries are responsible for taking reasonable steps to maintain data accuracy.
Data Security
The DPDPA mandates organisations to implement reasonable security safeguards to protect personal data from breaches, unauthorised access, and misuse.
Accountability
The principle of accountability requires organisations to be responsible for complying with the Act’s provisions, including securing consent, maintaining data accuracy, and responding to breaches.
Rights of Data Principals (Individuals)
The DPDPA grants several rights to Data Principals, empowering individuals to have greater control over their personal data:
Right to Access Information
Individuals have the right to know what personal data is being collected, the purpose of the data collection, and how it is being used. This transparency enables individuals to make informed decisions about data sharing.
Right to Correction and Erasure
Data Principals can request corrections to inaccurate or misleading data. They also have the right to request the deletion of data that is no longer necessary for the original purpose.
Right to Data Portability
The DPDPA does not include a right to data portability, a right found in other jurisdictions such as the GDPR and in the earlier Personal Data Protection Bill, 2019. Individuals must therefore rely on the rights to access, correction and erasure, rather than on a statutory right to have their data moved between platforms.
Right to Withdraw Consent
The Act does not contain a general right to object to processing. Where consent is the basis of processing, however, the Data Principal may withdraw it at any time, with the ease of withdrawal required to be comparable to the ease with which consent was given. On withdrawal, the Data Fiduciary must cease processing within a reasonable time unless some other provision of the Act or another law permits the processing to continue.
Right to Grievance Redressal
Data Principals have the right to readily available means of grievance redressal from the Data Fiduciary, and, if that avenue is exhausted, the right to file a complaint with the Data Protection Board of India (DPBI) if they believe their data has been mishandled or their rights violated.
Right to Nominate
In case of death or incapacity, the Data Principal can nominate another individual to manage their data and exercise their rights.
Obligations of Data Fiduciaries (Organisations)
The DPDPA imposes several obligations on organisations, ensuring that they handle personal data responsibly and transparently:
i. Obtaining Valid Consent
Data Fiduciaries must obtain the Data Principal's consent before processing personal data, preceded or accompanied by a notice describing the personal data to be collected, the purpose of processing, and how the individual can exercise their rights and complain to the Board. This consent must be free, specific, informed, unconditional and unambiguous, and limited to the personal data necessary for the specified purpose.
ii. Data Breach Notifications
In the event of a personal data breach, Data Fiduciaries must notify both the Data Protection Board and each affected Data Principal in the form and manner prescribed by rules under the Act. The Act itself fixes no time limit; a fixed window for reporting to the Board (commonly discussed as 72 hours, as in the GDPR) depends on the rules rather than the statute. The requirement is intended to ensure timely action and transparency in mitigating the damage caused by breaches.
iii. Data Security and Safeguards
Organisations are required to implement appropriate technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration, or destruction.
iv. Additional Obligations for Significant Data Fiduciaries
The Central Government may notify a Data Fiduciary, or a class of them, as a Significant Data Fiduciary based on factors such as the volume and sensitivity of the data processed, the risk to the rights of Data Principals, and the potential impact on sovereignty, electoral democracy, state security and public order. These entities must appoint a Data Protection Officer based in India, appoint an independent data auditor, and carry out periodic data protection impact assessments and audits to ensure compliance with the Act.
Data Protection Board of India (DPBI)
The Data Protection Board of India (DPBI) is the central regulatory authority established by the DPDPA to oversee the implementation of the Act, handle grievances, and impose penalties for non-compliance. The DPBI is empowered to:
- Monitor compliance with the Act.
- Conduct inquiries into data breaches and violations.
- Impose penalties on organisations for non-compliance.
- Resolve disputes related to data protection.
The DPBI is constituted by the Central Government, which appoints its members for a term of two years with eligibility for re-appointment. Concerns have been raised that the short tenure and government-controlled appointments may affect the Board's independence and long-term effectiveness.
Penalties for Non-Compliance
The DPDPA introduces substantial monetary penalties for organisations that fail to comply with its provisions. In fixing a penalty, the Board considers the nature, gravity and duration of the breach, the type and nature of the personal data affected, whether the breach is repetitive, any gain or loss avoided as a result of it, the mitigating action taken, and whether the penalty is proportionate. The maximum amounts set out in the Schedule include (dollar figures approximate):
- Failure to take reasonable security safeguards to prevent a personal data breach: fines of up to ₹250 crore (about $30 million).
- Failure to notify the Board and affected Data Principals of a data breach: fines of up to ₹200 crore (about $24 million).
- Non-compliance with the obligations relating to children's data: fines of up to ₹200 crore.
- Failure to meet the additional obligations of a Significant Data Fiduciary: fines of up to ₹150 crore (about $18 million).
- Any other breach of the Act or its rules: fines of up to ₹50 crore.
These penalties serve as a deterrent to organisations, encouraging them to adopt robust data protection measures.
Conclusion
The Digital Personal Data Protection Act, 2023, marks a significant step forward for data protection in India. It balances the need to protect individuals’ privacy with the growing demand for data in the digital economy. The Act provides a comprehensive framework for the collection, processing, and storage of digital personal data, empowering individuals with rights and imposing responsibilities on organisations.
However, while the DPDPA is an important step in the right direction, it is not without its challenges. The ambiguities around cross-border data transfers, consent management, and the short tenure of the DPBI members need to be addressed to ensure the Act’s effectiveness.
As India continues to navigate its journey in the digital era, the DPDPA, 2023, will likely evolve, with amendments and refinements made in response to technological advancements and the changing digital landscape. This legislation sets the foundation for a robust data protection regime, ensuring that individuals’ rights are protected while supporting India’s vision of a Digital India.