Author: S M NAWAZ AHMAD, College: University Institute of Legal Studies, Chandigarh University, Punjab
INTRODUCTION
India ranked second globally for data breach occurrences in 2018, according to data security company Gemalto. India, which has a population of over 690 million internet users, has seen a notable rise in data breaches in both the public and commercial sectors. To tackle this, the Ministry of Electronics & Information Technology came up with the Digital Personal Data Protection Bill, 2023. The bill was introduced on 3rd August 2023. On 7th August 2023 it was passed in the Lok Sabha, and it was approved in the Rajya Sabha on 9th August 2023. On 11th August 2023, the bill received the assent of the President. The Central Government withdrew the earlier Personal Data Protection Bills of 2019 & 2022 due to many modifications that included significant concerns about data localization, transparency, compliance requirements, etc.
The aforementioned bill was created following the Supreme Court’s 2017 judgment in the case of Justice K.S. Puttaswamy v. Union of India, in which the “Right to Privacy” was upheld as a component of the fundamental right under the “Right to Life” guaranteed by Article 21 of the Indian Constitution. In doing so, it overturned earlier rulings by the Supreme Court in the cases of M.P. Sharma and Kharak Singh, wherein the latter concluded that the Indian Constitution did not recognize the right to privacy. The court underscored the necessity for enacting fresh legislation on data privacy, broadened the coverage of privacy in personal domains, and deliberated on privacy as an inherent principle.
NEED FOR THE ACT
With India undergoing a rapid digital transition and growing technology use, there are significant gaps in the protection of personal data that the Digital Personal Data Protection Bill of 2023 attempts to fill. In light of the growing number of data breaches and privacy violations, the law seeks to establish strong procedures for handling, storing, and sharing personal information. It aims to improve accountability among data processors and regulators by setting strict regulations and standards, guaranteeing that people have greater control over their personal data. The measure also aims to bring India’s data protection framework into line with international standards, which would promote confidence among businesses, consumers, and foreign partners. All things considered, its passage is essential to supporting innovation, strengthening data security, and safeguarding people’s privacy rights in the digital age.
India had 5.3 million compromised accounts in 2023, placing it fifth on the list of nations with the greatest breaches. There were 299.8 million compromised accounts worldwide, with the United States leading the way with 32% of all compromised accounts between January and December. With 12.3 million accounts compromised, India was previously placed seventh on the list in 2022. After ranking third with 31 million compromised online accounts in 2022, behind China and Russia, the United States surged to the top spot in 2023 with about 100 million compromised accounts, a threefold annual gain.
OBJECTIVE AND SCOPE
The Act aims to establish a comprehensive framework for the protection and processing of personal data, emphasizing the rights of individuals to safeguard their personal information while acknowledging the lawful necessity of processing such data, along with related and incidental matters. As the Act itself states: “An Act to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their data and the need to process such personal data for lawful purposes and matters connected therewith or incidental thereto.”
The DPDP Act covers all data in India, including data that was initially offline and thereafter digitized. Furthermore, the Act also covers the processing of digital personal data outside of India, especially where it involves providing products or services to people within India.
ADVANTAGES
- Concept of Consent: According to section 6 of this act, data can only be processed for legitimate purposes with the individual’s consent, which must be obtained after providing prior notification. This notification should include details about the personal data to be collected and the purpose of its processing. Individuals always have the right to withdraw their consent. Consent is not required for specific legitimate uses, including situations where data is voluntarily provided, government services are provided, there is a medical emergency, or in employment contexts. For individuals under eighteen years old, consent will be given by a parent or legal guardian. “Consent from the Data Principal must be provided voluntarily and free from any sort of force, fraud, or undue influence. It should be specific, informed, unconditional, and clear, requiring a definite affirmative action”.
- Concept of Data Principal: Section 2(j) of this act defines the data principal as the individual to whom the data pertains. For children and persons with disabilities, the term refers to their lawful guardian. The legislation enables individuals to access information about the processing of their personal data, seek amendments or deletions of such data, designate a representative for handling their affairs in the event of death or incapacity, and raise complaints regarding the management of their data. Data principals have specific responsibilities they must adhere to. These include refraining from registering false or frivolous complaints and from providing inaccurate information or impersonating others in designated circumstances. Breaching these responsibilities can lead to penalties of up to Rs. 10,000/-.
- Liabilities of Data Fiduciary: Section 2(i) of this act defines the Data Fiduciary as any individual or entity that, independently or with others, decides the purpose and method of processing personal data. Data fiduciaries are required to take reasonable steps to guarantee the accuracy and completeness of data, put in place suitable security measures to stop data breaches, and inform the affected parties and the Data Protection Board of India if a breach occurs. In addition, they must erase personal data, a practice known as storage limitation, once the reason for collecting it has been satisfied and continuing to retain it is no longer needed by law. The regulations about storage limitations and the data principal’s right to erasure, however, do not apply to government organizations.
- Constitution of Data Protection Board and its tenure: Section 18 of this act provides that the central government may by notification appoint a data protection board. The board will monitor compliance, enforce sanctions, guide data fiduciaries on what to do in the event of a data breach, and handle complaints from impacted parties. Board members will be appointed to two-year terms with the option to be reappointed. The selection procedure and member count will be set by the government. Decisions taken by the Board may be appealed to TDSAT.
PUNISHMENT
- According to section 8(5) of this act, a breach of the obligation to implement appropriate security measures to stop breaches of personal data may result in a fine of up to Rs 250 crores.
- According to section 8(6) of this act, a failure to inform the Board or the affected Data Principal of a breach involving personal data may result in penalties of up to Rs 200 crores.
- According to section 9 of this act, a violation of the extra duties about minors may result in penalties of Rs 200 crores.
EXEMPTIONS
Under Section 17 of the Digital Personal Data Protection Act, 2023, certain exemptions apply to the processing of personal data. These exemptions include:
- National Security and Sovereignty: Data processing necessary for safeguarding national security, defense, or the sovereignty and integrity of India.
- Public Order: Data processing required for maintaining public order or preventing incitement to any cognizable offense relating to public order.
- Friendly Relations with Foreign States: Data processing required for maintaining friendly relations with foreign states.
- Prevention, Detection, Investigation, and Prosecution of Offenses: Data processing for the purpose of preventing, detecting, investigating, and prosecuting offenses or executing a legal judgment.
- Judicial Functions: Data processing necessary for the performance of any judicial function.
- Personal or Domestic Purposes: Data processing carried out by an individual for any personal or domestic purpose.
- Research, Archival, or Statistical Purposes: Data processing for research, archival, or statistical purposes, provided it is carried out with prescribed safeguards.

These exemptions aim to balance individual data protection rights with the needs of national security, public order, and other critical functions.
CONCLUSION
The Digital Personal Data Protection Act 2023 is a significant step in protecting individuals’ data rights within India’s digital economy. It addresses increasing data generation and cross-border trade but requires stronger consent mechanisms, data portability, the right to be forgotten, and safeguards for cross-border data transfers. The Act mandates a shift in how Indian businesses handle privacy, legitimizing the Central Government’s role in data control and monitoring. The effectiveness of the Data Protection Board of India will be crucial for ensuring transparency and accountability. Although less detailed than the GDPR, the Act’s success depends on its implementation and court interpretations. Future rules and industry consultations will be vital in shaping a robust data protection framework. The Act’s impact will hinge on balancing innovation with individual privacy.