The Digital Personal Data Protection Act (DPDPA) of 2023 marks a significant milestone in India’s legislative landscape, aiming to safeguard individuals’ digital personal data while balancing the necessity for lawful data processing. This article delves into the Act’s timeline, background, evolution from previous bills, comparison with international regulations, establishment of regulatory bodies, and its key rights, provisions, and exemptions.
Timeline of the Passing of the Act
- November 18, 2022: The Ministry of Electronics and Information Technology (MeitY) released the Digital Personal Data Protection Bill, 2022, for public consultation.
- December 17, 2022: The deadline for public comments was extended to January 2, 2023.
- July 5, 2023: The Union Cabinet approved the revised version, naming it the Digital Personal Data Protection Bill, 2023.
- August 3, 2023: The Bill was introduced in the Lok Sabha, the lower house of Parliament.
- August 7, 2023: The Lok Sabha passed the Bill.
- August 9, 2023: The Rajya Sabha, the upper house, passed the Bill.
- August 11, 2023: The President of India gave assent, enacting it as the Digital Personal Data Protection Act, 2023.
Background of the Act
India’s journey toward comprehensive data protection legislation has been evolving over the past decade. The Supreme Court’s recognition of the right to privacy as a fundamental right in 2017 underscored the need for robust data protection laws. Subsequently, the Personal Data Protection Bill, 2019, was introduced but faced criticism for various shortcomings, leading to its eventual withdrawal. The government then released a revised draft in 2022, culminating in the enactment of the DPDPA in 2023.
Personal Data Protection Bill, 2019
The Personal Data Protection Bill of 2019 was India’s initial attempt to establish a comprehensive framework for data protection. It sought to regulate the processing of personal data by the government and private entities, emphasizing user consent and data localization. However, the Bill faced criticism for its broad exemptions granted to the government, potential impacts on the ease of doing business, and concerns over surveillance. These criticisms led to extensive deliberations and the eventual withdrawal of the Bill in 2021, paving the way for a more refined approach.
Digital Personal Data Protection Bill, 2023
The Digital Personal Data Protection Bill of 2023 was introduced to address the shortcomings of its predecessor and align with global data protection standards. Key features of the Bill include:
- Data Principal Rights: Empowering individuals (Data Principals) with rights such as access to information, correction, erasure, and grievance redressal.
- Data Fiduciary Obligations: Mandating entities (Data Fiduciaries) to process data transparently, ensure data security, and obtain explicit consent from individuals.
- Cross-border Data Transfer: Allowing data transfers to countries notified by the government, ensuring adequate data protection measures are in place.
- Penalties: Imposing significant financial penalties for non-compliance, with fines up to ₹250 crore for certain breaches.
- Data Protection Board of India: Establishing an adjudicatory body to oversee compliance and address grievances.
Comparison with EU’s General Data Protection Regulation (GDPR)
The DPDPA draws inspiration from the European Union’s GDPR but incorporates provisions tailored to India’s unique socio-economic context. Key similarities and differences include:
- Consent: Both regulations emphasise informed consent; however, the DPDPA places additional emphasis on consent managers to assist individuals in managing their data.
- Data Localization: The GDPR does not mandate data localization, whereas the DPDPA lets the government restrict transfers to a notified list of countries, reflecting concerns over national security and data sovereignty.
- Regulatory Body: While the GDPR is overseen by independent supervisory authorities in each member state, the DPDPA establishes the Data Protection Board of India as a central adjudicatory body.
- Penalties: Both regulations impose hefty fines for non-compliance, though the specific amounts and criteria differ, with the DPDPA setting fines up to ₹250 crore.
Data Protection Board of India
The Data Protection Board of India (DPBI) is established under Section 18 of the DPDPA as an adjudicatory body responsible for enforcing the provisions of the Act. Its primary functions include:
- Grievance Redressal: Addressing complaints from individuals regarding data breaches or violations of their rights.
- Compliance Monitoring: Ensuring that data fiduciaries adhere to the provisions of the Act, including data processing obligations and data security measures.
- Adjudication: Investigating violations and imposing penalties for non-compliance with the Act. The Board has the authority to conduct inquiries, call for documents, and summon individuals to testify.
- Advisory Role: Offering guidance to the government and stakeholders on data protection practices, emerging technologies, and amendments to the Act.
The Data Protection Board is designed to operate as an independent body, ensuring that it can act impartially while balancing the interests of data principals and fiduciaries.
Rights, Provisions, and Exemptions
Rights of Individuals (Data Principals)
The Act empowers individuals with several key rights to maintain control over their personal data:
- Right to Access: Data principals can request access to their personal data held by data fiduciaries and understand how it is being processed.
- Right to Correction and Erasure: Individuals can request corrections to inaccurate data or deletion of their personal data if it is no longer required for the intended purpose.
- Right to Consent Withdrawal: The Act allows individuals to withdraw their consent at any time, ensuring continued control over their personal information.
- Right to Grievance Redressal: Individuals can file complaints with data fiduciaries and escalate unresolved issues to the Data Protection Board.
- Right to Portability: Though not explicitly stated in the Act, this principle is partially covered through access rights that allow individuals to request their data in a structured and machine-readable format.
Provisions for Data Fiduciaries
Data fiduciaries, including businesses and government entities that process personal data, must comply with several obligations:
- Transparency and Accountability: Fiduciaries must provide clear privacy notices explaining the purpose, scope, and method of data processing.
- Data Security: Fiduciaries are required to implement appropriate security safeguards to prevent data breaches.
- Purpose Limitation: Data must be processed only for specific, clear, and lawful purposes.
- Consent Management: Fiduciaries must obtain explicit and informed consent from individuals before processing their data, except in certain lawful exemptions.
- Reporting Data Breaches: Fiduciaries are mandated to report data breaches to the Data Protection Board and affected individuals promptly.
Exemptions
The Act includes exemptions to balance privacy rights with public and national interests:
- Government Exemptions: The government can process personal data without consent for purposes such as national security, public order, and law enforcement.
- Research and Statistical Purposes: Data can be processed without consent for research, statistical, or archival purposes if it is in the public interest.
- Emergencies: Processing without consent is permitted in emergencies involving the individual’s health, safety, or welfare.
- Small Data Fiduciaries: The Act offers relaxed compliance requirements for small businesses classified as “small data fiduciaries,” provided they meet certain criteria.
Conclusion
The Digital Personal Data Protection Act of 2023 signifies a pivotal step in India’s journey toward securing digital privacy in an era of rapid technological advancement. It strikes a balance between safeguarding individuals’ data and enabling lawful, innovative use by businesses and the government. By establishing rights, clear obligations, and a dedicated regulatory body, the Act aims to foster trust in India’s digital ecosystem.
While the Act draws inspiration from international frameworks like the GDPR, its tailored approach reflects India’s unique socio-economic landscape and priorities. Moving forward, the success of the Act will depend on effective implementation, awareness among stakeholders, and adaptability to address emerging challenges in data protection and privacy.