Introduction
The Digital Personal Data Protection Act, 2023 provides a framework for processing the digital personal data of individuals in a lawful manner, one that recognises both the right of individuals to protect their personal data and the need to process such data for lawful purposes, and for matters connected therewith or incidental thereto.
The law also seeks to change the way data fiduciaries process personal data without disrupting their operations. Besides facilitating the country's digital economy and its ecosystem, the Act aims to improve the ease of doing business and the ease of living.
Digital personal data means personal data in digital form, i.e., any data about an individual who is identifiable by or in relation to that data. Processing means any wholly or partly automated operation, or set of operations, performed on digital personal data, such as collecting, recording, storing, using, sharing and erasing the data.
Key Highlights of the Act
- The central government may exempt notified government agencies and instrumentalities from the provisions of the Act on specified grounds, including public order, the security of the State, and the prevention or investigation of offences.
- The Act permits the transfer of digital personal data to any country outside India, except to countries restricted by notification of the central government.
- The Act requires consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action. Where consent given infringes any provision of the Act, the rules made under it, or any other law, it is invalid to the extent of that infringement.
- The request for consent, and the notice accompanying it, must be available in English or in any language specified in the Eighth Schedule to the Constitution.
Salient Features
Some of the salient features of the Act are as follows:
- Applicability The law applies to the processing of digital personal data within India, whether the data is collected in digital form or collected offline and later digitised. It also applies to processing outside India if it is connected with offering goods or services to individuals within India.
- Consent Data fiduciaries may process personal data only for a lawful purpose and with the consent of the individual. Before seeking consent, the fiduciary must serve a notice stating the personal data to be collected and the purpose of processing it. Individuals may withdraw their consent at any time. For individuals below 18 years of age, verifiable consent must be given by a parent or lawful guardian, which is how the Act protects children's personal data.
However, consent is not required in certain legitimate uses: where the individual has voluntarily provided the data for a specified purpose; where the State requires the data to provide a subsidy, benefit, service, certificate, licence or permit; in a medical emergency; or for employment-related purposes.
- Data principal's rights and duties Data principals (the individuals to whom the personal data relates) have several rights, such as the right to obtain information about the processing of their data; to have their personal data corrected, completed, updated or erased; to nominate another individual to exercise these rights in the event of death or incapacity; and to have grievances about data processing redressed. Data principals also have duties: they must not provide false particulars, impersonate another person, suppress material information, or file a false or frivolous grievance.
- Responsibilities of data fiduciaries Data fiduciaries (individuals, companies or government agencies that determine the purpose and means of processing) must ensure the accuracy and completeness of data, protect it with reasonable security safeguards, erase it once the purpose has been served and it is no longer required, and, in the event of a personal data breach, notify the Data Protection Board of India and the affected individuals. However, where the data fiduciary is the State or an instrumentality of the State, the storage-limitation requirement and the right to erasure do not apply.
- Exemptions In some situations, some or all of the provisions of the Act do not apply. These situations include the following:
- When notified agencies of the State process data in the interest of the sovereignty and integrity of India, the security of the State, maintaining public order, etc.
- When data is processed for research, archiving or statistical purposes.
- When processing is necessary to enforce a legal right or claim, in connection with a merger or demerger, or for the prevention, investigation or prosecution of an offence, etc.
- When the central government exempts notified categories of data fiduciaries, including startups, from certain obligations such as the notice and retention requirements.
- When processing is necessary for regulatory or judicial functions, or to ascertain the financial information, assets and liabilities of a person who has defaulted on a loan.
- When personal data of individuals outside India is processed in India under a contract with a person outside India.
- Data Protection Board of India The Data Protection Board of India will be set up by the central government for
- monitoring compliance;
- imposing penalties;
- directing data fiduciaries to take remedial or mitigation measures in the event of a personal data breach; and
- addressing the grievances of affected individuals.
- Penalties The Act provides, among others, the following penalties, which the Data Protection Board of India may impose after an inquiry into a breach of rights, duties or obligations.
- A data principal who breaches a duty, such as by providing false particulars, may be fined up to Rs 10,000.
- A data fiduciary that fails to meet its obligations in respect of children may be fined up to Rs 200 crore.
- A data fiduciary that fails to take reasonable security safeguards to prevent a personal data breach may be fined up to Rs 250 crore.
Main Issues and Analysis
The major issues and points of analysis related to this Act are as follows:
- Because government agencies are exempt from the Act's requirements in several circumstances, such as national security, they may collect, process and retain data for longer than is required. This may infringe the fundamental right to privacy. In 2017, the Supreme Court (in the Puttaswamy judgment) held that any interference with the right to privacy must be backed by law, serve a legitimate aim and be proportionate to it. If, on national-security grounds, an agency collects data to build a complete profile for surveillance and combines it with data retained by other agencies, it is doubtful whether such exemptions would pass the proportionality test.
- The individual's consent is not required when the State processes personal data to provide benefits, licences, permits, services, etc., and the State may also reuse personal data it already holds for any of these purposes. The Act thus departs from 'purpose limitation', which it cites as one of its major principles, and the question arises whether such exemptions are justified.
The Act therefore enables the profiling of citizens, since data obtained for different purposes could be collated. Individuals would have better control over the collection and sharing of their personal data if consent were required.
- The Act does not regulate the harms that can arise from the processing of personal data, such as financial loss, loss of access to benefits or services, discrimination, loss of reputation, identity theft, and unrestrained surveillance and profiling. The Personal Data Protection Bill, 2019 listed these as harms and proposed that data fiduciaries take measures to mitigate them or compensate data principals who suffered harm from the processing. The Joint Parliamentary Committee (JPC) that examined the 2019 Bill had recommended retaining these provisions.
- The Act gives data principals neither a right to data portability nor a right to be forgotten, although the JPC recommended including both as essential parts of a data protection law. The right to data portability lets data principals obtain their data in a usable form and transfer it to another data fiduciary or use it themselves, giving them more control over their data. Such transfers between fiduciaries might reveal a fiduciary's trade secrets; the JPC nevertheless recommended that the right should not be denied on that ground.
The right to be forgotten lets data principals restrict or prevent the continued disclosure of their personal data on the Internet. Whether it applies depends on factors such as the relevance of the personal data to the public, the sensitivity of the data, and the role the data principal plays in public life.
- Under the Act, the personal data of individuals in India may be transferred to any country other than those restricted by the central government. The Act does not, however, require that the receiving country provide comparable data protection standards. The 2019 Bill allowed such transfers only where adequate protection was ensured.
- Members of the Data Protection Board of India will be appointed for a term of two years and are eligible for re-appointment. Since re-appointment depends on the Executive, this may compromise the Board's independence and give the Executive greater control and influence over it.
- Under the Act, a data fiduciary may not undertake any processing that is likely to have a detrimental effect on the well-being of a child. The Act does not, however, define what counts as a detrimental effect.
© Spectrum Books Pvt Ltd.