Published On: 10th August, 2024
AUTHORED BY: T. ROSHINI
Chennai Dr.Ambedkar Government Law College, Pudupakkam.
ABSTRACT
In an era defined by an unprecedented proliferation of digital data and the relentless evolution of technology, safeguarding personal data has become a paramount concern for individuals, organisations, and governments worldwide. The effect of social media on individuals’ right to privacy has been the subject of some debate as well as the importance of data protection has skyrocketed in the past couple of decades, reaching new heights that were previously unimaginable due to the digitalization around the globe including in India. With a population of 1.5 billion in the global arena, Protecting this right is crucial in the modern day owing to the fact that the prevalence of digital media. This paper aims to have a strong focus on upholding the ‘Right to Privacy’ through the lens of Digital Personal Data Protection Act, 2023. The necessity for robust data protection and privacy legislation leads to the introduction of the long-awaited Digital Personal Data Protection Act, 2023 which is India’s first cross-sectoral law on personal data protection. There are now copious Data Protection Laws as 137 out of 194 countries had put in place legislation to secure the protection of data and privacy notably The EU’S General Data Protection Regulation (GDPR), The USA’s California Consumer Privacy Act (CCPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil’s General Data Protection Law (LGPD) and so on at worldwide along with the India’s Information Technology Act, 2000 and The Right to Information Act,2005. This essay makes predictions on the major variables that will shape India’s data protection laws in the coming years. The heart of the paper is to Safeguard Privacy in the Digital Age and Balancing Privacy Rights as Insights from India’s DPDP Act with the Data Privacy.
KEYWORDS: Right to Privacy, Digital Personal Data Protection, Data Protection Laws, Right to Forgotten.
INTRODUCTION
Everywhere we go online in today’s digital world, a vast quantity of personal data is being gathered. Every action we take, including social media conversations and internet viewing, leaves a trace. Companies use this valuable information for many reasons, like showing us targeted ads, developing new products,and even deciding how risky it is to lend us money[1]. India is the second-largest online market globally with over 560 million Internet users, with an estimate of over 650 million by 2023. This usage stood at 50 % as of 2020, which indicates that about half of India’s population does not have access to the Internet in 2020[2]. The introduction of the Digital Personal Data Protection Act, 2023 (DPDP Act) in India marks a pivotal moment in data protection and privacy. This landmark legislation seeks to establish a new paradigm, one that strikes a delicate balance between the benefits of technological innovation and the imperative of safeguarding individual privacy rights. The ‘right to privacy’ is a fundamental human right that is recognized in the Universal Declaration of Human Rights 1948 (UDHR), the International Covenant on Civil and Political Rights, 1976 (ICCPR), the United Nations Convention on Migrant Workers and the United Nations Convention on the Protection of the Child, 2003 as well as in many other international and regional treaties. Numerous international human rights treaties, agreements, and human rights courts expressly recognise the right to privacy[3]. Even Though it was recognized by many conventions, according to Business Today, India ranked third in data breaches, with 86.63 million users breached as of November 2021[4]. Despite these data leakages, government and private enterprise adoption of various digital services is not slowing down; it has increased by many folds, which is solely based on the Internet’s ability to provide ease of accessibility and convenience to its users[5]. In light of this, the Indian parliament passed the Digital Personal Data Protection Act of 2023 (also known as the “DPDP Act” in this study) in order to protect its residents’ right to privacy.
With the recent enactment of the DPDP Act in India on the 11th August 2023, both digital government initiatives and private businesses in the form of e-commerce or online vendors ought to be regulated. Therefore, the article tries to evaluate how the legislation redefines the contours of data protection and privacy concerns in India.
EVOLUTION OF DATA PROTECTION REGIME IN INDIA
India’s approach to data protection and privacy has been evolving as priorities of India and the world have been. India is known as the world’s largest democracy, but its data policies need some more democratic elements to it[6]. The Evolution of Data Protection in India can be seen under the category of the Right to Privacy because it plays a pivotal role in the Data Protections Laws. The Development of Right to Privacy may be seen as Prior to the year 1950, there were no legally recognized guarantees relating to privacy in India. After the Constitution came into force, there was no specific protection of any basic principle respecting the right to one’s privacy. The Fundamental Rights are guaranteed under Part III of the Constitution from Articles 14-30 of the Indian Constitution. The Constitutional courts’ judicial activism was a major factor in the right to privacy’s inclusion. The Supreme Court, via an expansive reading of the word “personal liberty,” arrived at concluding that the right to privacy is inextricably linked to the right to life and personal liberty, which are both guaranteed by Article 21[7].
Since the adoption of the Indian Constitution, the country’s judicial system views issues relating to personal privacy either from the perspective of basic rights or from the jurisprudence of common law. The debate in relation to it dates back to the decision of the Supreme Court in the cases of M.P. Sharma and Kharak Singh[8], where the SupremeCourt initially ruled against recognizing such a right within the Constitution. In the case of M.P. Sharma, the Court argued that if the framers of the Constitution had not included it, there was no justification for interpreting the Constitution to include the right to privacy. Similarly, in the Kharak Singh case, the Court relied on the privacy doctrine established in the U.S. case of Wolf v. Colorado and rejected the notion that the right to privacy was a fundamental right. In the case Indrakunwar v. The State Of Chhattisgarh[9], Supreme Court Of India Recognizes the inherent right to confidentiality and privacy, particularly in matters concerning personal life. States that privacy is fundamental to human dignity and is crucial for the realisation of human rights. In Association For Democratic Reforms v. Union Of India[10]The Hon’ble Supreme Court discussed the importance of right to privacy and held that Right of privacy is an essential component for effective fulfilment of all fundamental rights or can be held to be a part or a component of Article 21 and Article 19(1)(a) of the Constitution.
However, in 2017, the Supreme Court in a landmark judgement in K.S. Puttaswamy v. Union of India[11], overturned both the M.P. Sharma and Kharak Singh[12] decisions. The central issue in the case was whether the Constitution guaranteed the right to privacy. The Attorney General of India contended that privacy was not encompassed within the fundamental rights guaranteed to Indian citizens. It was held that the right to privacy is a fundamental right. Justice D.Y. Chandrachud, in his opinion, emphasised the necessity of creating a robust framework for data protection to safeguard the interests of both the State and its citizens. Justice S.A. Bobde, affirmed that the right to privacy is an integral aspect of personal liberty and is guaranteed under Article 21 of the Constitution[13].
THE INTERPLAY OF THE RIGHT TO PRIVACY AND DATA PROTECTION
The normative truth that there exists a link between the right to privacy and the data protection legislation which is indisputable under any circumstances. In spite of the fact that these two abstract ideas are likely to be conceptually inextricable from one another, there is a real connection that exists between the right to privacy and the right to data protection. The assertion that data protection laws have advanced significantly is specifically based on the recognition of the right to privacy as a fundamental right. However, for the purposes of the Data Protection law, there has to be a clear and precise definition of the right to privacy[14]. The right to privacy is an abstract notion, and there is a great deal of uncertainty among the legislators of the various countries, when it comes to providing a precise definition of the right to privacy.One of the most widely accepted interpretations of the right to privacy in the context of the protection of personal information is as follows: “Privacy is the claim of individuals,groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others”[15]. That is the “Right to self -determination”. It’s an idea that carries a lot of weight in any democratic system and, consequently, a lot of influence over the populace.
Though there is a right to self-determination, the data once shared must be protected from sharing with others thereby respecting the privacy of individuals.
Therefore, it’s critical to understand what data protection is. The term “data protection” refers to the procedures, protections, and legally enforceable laws that have been put into place to secure the personal information you provide and to guarantee that you retain control over it. In summary, it should be up to the individual to determine whether or not to disclose particular information and to determine who should view it, when, and why. Among other things, it should be possible to modify certain sections of the data. According to the opinions of jurists, the phrase “data protection” is a catch-all terminology that is used to describe anything that is linked with the processing of personal data. This is because the word “data protection” is used to denote everything associated with the processing of personal data[16]. Legislation in India currently aims to give informational sovereignty and self-determination primary importance. The right of an individual to choose the conditions under which their personal information may be disclosed in the first place is known as informational self-determination. The right to privacy is another name for this one. With this in mind, the term “data protection laws” can be defined as “a collection of regulations that safeguard the distribution, acquisition, utilisation, erasure, storage, and disposal of all this data.”[17].
THE ROAD TO INDIA’S DPDPA: KEY FACTORS AND INFLUENCES
It wasn’t an abrupt development that the Digital Personal Data Protection Act (DPDPA) was passed.
It stemmed from several key drivers that shaped India’s legal and digital landscape:
- RIGHT TO PRIVACY as a Fundamental Right: The Supreme Court’s landmark Puttaswamy judgement in 2017 established privacy as a fundamental right. This decision underlined the need for strong data protection laws to safeguard individual privacy in the digital age[18].
- INDIA’S DIGITAL BOOM: The rapid rise of digital technologies in India, fueled by initiatives like Digital India, made a legal framework crucial. This approach would foster trust in online settings and guard against the misuse of personal data.[19].
- GLOBAL DATA PROTECTION LANDSCAPE: The European Union’s GDPR set a high bar for data privacy globally. India’s legislation aimed to align with these standards while considering its unique needs and regulatory capabilities[20].
- FOSTERING A THRIVING DIGITAL ECONOMY: With India’s digital economy flourishing, clear data protection laws were seen as essential. These laws would attract foreign investment, promote innovation, and ensure India remains competitive internationally[21].
- STAKEHOLDER CONSENSUS: The 2019 and 2022 draft bills incorporated extensive feedback from industry, civil society, and legal experts. This reflects a broad agreement on the importance of comprehensive data protection legislation in India.[22]
Prior to the passage of the Personal Data Protection Bill 2019, India lacked comprehensive data protection laws. Nevertheless, the Digital Personal Data Protection Bill of 2022 has just superseded this 2019 bill. Furthermore, this bill was enacted into the Digital Personal Data Protection Act 2023 (referred to as ‘DPDP Act’) on August 11th 2023. The Indian Penal Code, 1860; the Protection of Children from Sexual Offences Act, 2012; and the Credit Information Companies (Regulation) Act, 2006 are the only sectoral acts that partially addressed citizens’ rights to privacy prior to the DPDP Act.[23]. Additionally, data protection was covered by sections 43A and 72A of the Information Technology Act, 2000, as well as the Information Technology Rules, 2011. The Information Technology Rules, 2011 require that a corporate body get consent before disclosing any information, which sets them apart from other sectoral Acts and provides some protection for sensitive and personal data[24]. The Supreme Court of India declared “Privacy rights” to be a basic right on August 24, 2017, in the case of Justice K.S. Puttaswamy and Anr. V. Union of India (“Right to Privacy”). This declaration marked the beginning of the development of privacy laws in India. Following that, it was deemed that tighter laws were required, therefore in August 2017, the government formed a committee that Justice Srikrishna, a retired Supreme Court judge, oversaw. After taking into account the suggestions from industry stakeholders, the committee produced the draft bill in 2018, and a year later, the Personal Data Protection Bill (Bill No. 373 of 2019) was presented in the Lok Sabha, the lower house of the Indian parliament17. It was introduced by the Minister of Electronics and Information Technology (MEITY), Shri Ravi Shankar Prasad, on 11th December 2019. The Bill seeks to protect its citizens’ personal data or information and set up a Data Protection Authority (DPA) for the same[25].
On 11th December 2019, the 2019 Bill was referred to a Joint Parliamentary Committee (“JPC”) for further deliberation. On 16th December 2021, after almost two (2) years of deliberation on the 2019 Bill, the JPC tabled its report on the Personal Data Protection Bill 2019. The Personal Data Protection Bill of 2019 underwent several amendments, as outlined in a committee report chaired by Justice B.N. Srikrishna. These modifications ultimately resulted in the proposal of the Digital Personal Data Protection Bill of 2022[26]. On 3rd August 2022, the Centre withdrew the PersonalData Protection Bill 2019 and superseded it with the DPDP Bill which consists of six (6) chapters, thirty (30) sections and one (1) schedule that were more comprehensive to safeguard the personal data of the users in digital contexts. After receiving approval from Lok Sabha and Rajya Sabha, the DPDP Bill 2022 was formally enacted by the president’s of India on 11th August 2023, and thus came into existence the Digital Personal Data Protection Act, 2023. This enactment marked a significant achievement for the protection of personal data, both in digital or non-digital format[27]. Compared to the 2018 draft law and the 2019 bill that was tabled in Parliament, the DPDP Act represents a significant change in the direction of data protection legislation. The November 2022 draft bill was where this change was most noticeable, and it is now a part of the 2023 law. This change is apparent along three primary axes.
- Reductions in obligations and rights as well as compliance
- A sharper focus on data privacy
- The abandonment of a “regulatory” law
THE NEW DIGITAL INDIA UNDER DPDP ACT
The Digital India initiative aims to transform India into a digitally empowered society and knowledge economy by leveraging technology and digital platforms for inclusive growth. The DPDP Act plays a crucial role in safeguarding the privacy and data of individuals in the digital ecosystem. It establishes the framework for how personal data is collected, processed, stored, and shared by organisations. The Act also ensures that individuals have control over their personal data and provides them with measures to protect their privacy online. Overall, the combination of the Digital India initiative and the DPDP Act contributes to creating a secure and transparent digital environment that benefits both individuals and businesses. These are some of the key features of the DPDP Act, 2023, designed to strengthen data protection and privacy rights in the digital age.
- Data Protection Principles – The Act is built on principles that govern the processing of personal data, such as consent, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.
- Data Subject Rights – The Act grants individuals certain rights over their personal data, including the right to access their data, correct inaccuracies, delete data, restrict processing, data portability, and object to processing.
- Data Protection Officer (DPO) – Organisations are required to appoint a Data Protection Officer to oversee compliance with data protection regulations and act as a point of contact for data subjects and regulatory authorities.
- Data Breach Notification – The Act mandates organisations to report data breaches to the relevant authorities and affected individuals within a specified timeframe to ensure timely action to mitigate harm.
- Cross-Border Data Transfers – The Act sets out rules for transferring personal data outside the country, ensuring that adequate safeguards are in place to protect the data during international transfers.
- Accountability and Governance – Organizations are accountable for their data processing activities and must implement appropriate technical and organisational measures to ensure data protection compliance.
- Penalties and Enforcement – The Act outlines penalties for non-compliance with data protection regulations, including fines, sanctions, and other enforcement actions to deter violations and protect data subjects.
KEY ISSUES AND ANALYSIS
Exemptions to the State may have adverse implications for privacy Personal data processing by the State has been given several exemptions under the Bill. Article 12 of the Constitution states that the State is made up of the following: (i) the federal government; (ii) the state governments; (iii) local bodies; and (iv) the government-established agencies and businesses. These exemptions can have some problems.
- THE BILL MAY ENABLE UNCHECKED DATA PROCESSING BY THE STATE, WHICH MAY VIOLATE THE RIGHT TO PRIVACY
According to a ruling by the Supreme Court in 2017, any interference with one’s right to privacy must be justified by its necessity. If the State is given exemptions, it may gather, use, and keep more data than is required. This could be inappropriate and violate someone’s right to privacy.
The Bill gives the federal government the authority to waive any or all of the requirements pertaining to processing carried out by government agencies in order to achieve objectives including maintaining public order and state security. In some circumstances, like as processing for the purpose of preventing, looking into, and prosecuting offences, none of the rights under the principles or obligations under data fiduciaries—apart from data security—will apply. The Bill does not mandate that government organisations destroy personal information once the processing goal has been satisfied. For the purpose of monitoring, a government agency may collect data about a citizen under the previously described exclusions in order to create a 360-degree profile.
It might use information kept on file by several government departments for this. The question of whether these exemptions will pass the proportionality test is raised by this.
- WHETHER OVERRIDING CONSENT FOR PURPOSES SUCH AS BENEFIT, SUBSIDY, LICENCE, AND CERTIFICATES IS APPROPRIATE
The Bill overrides consent of an individual where the State processes personal data for provision of benefit, service, licence, permit, or certificate. It expressly permits the use of information processed for one of these uses for another. It also permits the use of personal information that is currently on file with the State for any of these objectives. As a result, it does away with the fundamental tenet of privacy protection: purpose limitation. Purpose limitation dictates that information should only be gathered and utilised for the intended objectives. Whether or not such exemptions are warranted is the question. Profiling of persons may become possible as a result of the combination of data collected for different purposes. Individuals would, however, have the autonomy and control over the gathering and sharing of their personal data if consent were necessary.
- THE BILL DOES NOT REGULATE HARM ARISING FROM PROCESSING OF PERSONAL DATA
The risks of injury resulting from the processing of personal data are not regulated by the Bill. According to the Srikrishna Committee (2018), processing personal data may result in harm.
Harm may include material losses such as financial loss and loss of access to benefits or services. Identity theft, reputational damage, discrimination, and irrational monitoring and profiling are a few more such examples. It had suggested that damages fall under the purview of data privacy legislation.
Harm was defined under the Personal Data Protection Bill, 2019 as follows: (i) psychological distress; (ii) identity theft; (iii) monetary loss; (iv) damage to one’s reputation; (v) unfair treatment; and (vi) monitoring or surveillance that was not reasonably anticipated by the data principal[28]. The 2019 Bill mandated that data fiduciaries take precautions against, attenuate, and minimise potential harm[29]. Among these were conducting audits and impact studies to evaluate these risks.
It also granted the data principal the right to seek compensation from data fiduciary or data processor, where the data principal has suffered harm[30]. When reviewing the 2019 Bill, the Joint Parliamentary Committee suggested keeping the clauses pertaining to harm caused by processing personal data. The European Union’s General Data Protection Regulation (GDPR) governs risks of harm as well as offering compensation to the data principal in the event of harm[31].
4. RIGHT TO DATA PORTABILITY AND THE RIGHT TO BE FORGOTTEN NOT PROVIDED
The Bill does not provide for the right to data portability and the right to be forgotten. The 2018 Draft Bill[32] and the 2019 Bill introduced in Parliament provided for these rights[33]. After reviewing the 2019 Bill, the Joint Parliamentary Committee suggested keeping these rights. GDPR also recognises these rights[34].
- RIGHT TO DATA PORTABILITY: Data principals have the capacity to retrieve and transmit personal data in a commonly-used, machine-readable format from data fiduciary for their own purposes, thanks to the right to data portability. As a result, the data principle has more authority over their data. It could facilitate the transfer of data between data fiduciaries. The trade secrets of the data fiduciaries have been a source of concern. Trade secrets cannot be used as an excuse to restrict the right to data portability; instead, the Joint Parliamentary Committee noted that trade secrets can only be used as a justification for technological viability, as suggested by the Srikrishna Committee (2018).
- RIGHT TO BE FORGOTTEN: The right to be forgotten refers to the right of individuals to limit the disclosure of their personal data on the internet. The Srikrishna Committee (2018) observed that the right to be forgotten is an idea that attempts to instil the limitations of memory into an otherwise limitless digital sphere. However, the Committee also highlighted that this right may need to be balanced with competing rights and interests. The exercise of this right may infringe upon the freedom of expression and the right to knowledge for another person.Its applicability may be decided on factors such as the sensitivity of the personal data to be restricted, the relevance of the personal data to the public, and the role of the data principal in public life.
5. ADEQUACY OF PROTECTION IN CASE OF CROSS-BORDER TRANSFER OF DATA
According to the Bill, the national government may, by notification, limit the flow of personal data to specific nations. Whether this method will offer sufficient protection is the question. Protecting the privacy of Indian people is the goal of the regulations governing the transfer of personal data outside of India. Data held in a foreign nation may be more susceptible to breaches or unauthorised sharing with foreign governments and business entities if that country does not have strong data protection legislation. According to the 2019 Bill, a country’s permission to transmit certain types of data must guarantee a sufficient degree of protection[35]. The 2022 Draft Bill took a different approach, with the central government notifying countries where any personal data may be transferred[36]. A case-by-case assessment of the standards in each nation to which data may be sent is necessary for each of these methods.
- SHORTER APPOINTMENT TERM MAY IMPACT INDEPENDENCE OF THE BOARD
The Bill stipulates that the members of the Indian Data Protection Board will have independent authority. Members will be appointed for two years and will be eligible for re-appointment may affect independent functioning of the Board. The Board’s primary responsibilities include enforcing compliance, conducting investigations, and setting sanctions. The Supreme Court of 2019 noted that the Executive has more power and control over tribunals when they are short-term and have re-appointment provisions[37].
7. ADDITIONAL PROVISIONS FOR CHILDREN
- Taking verifiable parental consent may require verification of everyone’s age on digital platforms – The Bill requires all data fiduciaries to obtain verifiable consent from the legal guardian before processing the personal data of a child. Every data fiduciary will need to confirm the age of each person registering for its services in order to abide by this requirement. To get permission from the person’s legal guardian, it will be necessary to ascertain whether the individual is a child.This may help avoid instances of children giving false declarations. However, this may reduce anonymity in the digital sphere.
- Lack of clarity on what constitutes detrimental to the well-being of a child – The Bill provides that a data fiduciary will not undertake any processing which has a detrimental effect on the well-being of the child. The Bill has not defined detrimental effects. Furthermore, it hasn’t included any instructions for figuring out this kind of effect.
8. EXEMPTION FROM NOTICE FOR CONSENT MAY NOT BE APPROPRIATE
Under the Bill, the central government will have the authority to exempt specific data fiduciaries, or classes of data fiduciaries, such as startups, from certain duties. The quantity and type of personal data must be taken into consideration when doing this. Consent notice is one of the duties that might be waived. For these entities, obtaining free and informed permission will still be necessary. It can be claimed that a data principal cannot give informed permission if there is no requirement to notify them of the type of data being gathered and its intended use[38].
9. DRAFTING ISSUE
Clause 27 (1) (e) refers to the sub-section (2) of Clause 36, however, Clause 36 does not have any sub-sections.
COMPARISON OF VARIOUS DRAFTS OF THE DATA PROTECTION LAW
Contents |
The Draft Personal Data Protection Bill, 2018 |
The Personal Data Protection Bill, 2019 |
Recommendations of the Joint Parliamentary Committee |
The Digital Personal Data Protection Bill, 2023 |
Scope and Applicability |
Processing of personal data: (i) within India, (ii) outside India if it is for business carried on, offering of goods and services, or profiling individuals, in India |
Expands the scope under the 2018 Bill to cover certain anonymised personal data |
Expands the scope under the 2018 Bill to include processing of non-personal data and anonymised personal data |
Does not cover offline personal data and non-automated processing
|
Reporting of data breaches |
Fiduciary to notify the Data Protection Authority about a breach which is likely to cause harm, the Authority will decide whether to notify the data principals or not |
Same as 2018 Bill
|
All violations have to be notified to the Authority within 72 hours, regardless of the possible impact.
|
Every breach involving personal data must be reported in the required format to both the Data Protection Board of India and the impacted data principal.
|
Right to Data Portability and Right to be Forgotten |
Data principal will have the right to data portability (to obtain data in interoperable format), and right to be forgotten (to restrict disclosure of personal data over internet) |
Provided for both rights
|
Provided for both rights
|
Not Provided |
Regulator |
Provides for establishing: (i) the Data Protection Authority of India to regulate the sector, and (ii) the Appellate Tribunal.
|
Same as 2018 Bill
|
Same as 2018 Bill
|
Provides for the Data Protection Board of India, whose primary function is to adjudicate non-compliance; and TDSAT has been designated as the Appellate Tribunal
|
Exemptions from provisions of the Bill for the security of the state, public order, prevention of offences etc. |
Processing must be authorised pursuant to a law, and in accordance with the procedure established by law, and must be necessary and proportionate |
The central government, by order, may exempt agencies where processing is necessary or expedient, subject to certain procedure, safeguards, and oversight |
Adds that order should specify a procedure, which is fair, just, and reasonable |
The central government may exempt by notification; does not require any procedure or safeguards to be specified |
Sources: The Draft Personal Data Protection Bill, 2018; The Personal Data Protection Bill, 2019 and the Digital Personal Data Protection Bill, 2023 as introduced in Lok Sabha; Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019; PRS.
TWO SENTIMENT ENTITIES – GDPR AND DPDP
In the realm of digital ontology, the Digital Personal Data Protection Act 2023 (DPDA) and the General Data Protection Regulation (GDPR) are two sentient entities that have evolved to safeguard the sacrosanct rights of individuals in the vast expanse of cyberspace. Like a protective force field, these regulations encircle the data trails left behind by human interactions, ensuring that the essence of personal identity remains unbreached and inviolable. The DPDA 2023, a novel paradigm in data governance, provides a robust framework for the protection of personal data, mirroring the GDPR’s emphasis on transparency, accountability, and individual autonomy. Like a symbiotic relationship, both regulations harmonise to create a harmonious ecosystem where data controllers and processors are held accountable for the handling of sensitive information. The DPDA 2023’s stringent provisions on data breaches, consent, and data subject rights echo the GDPR’s alarm bells, warning of catastrophic consequences for non-compliance. As the digital universe continues to expand, these regulations serve as beacons of hope, illuminating the path toward a future where individual privacy is not only protected but also cherished. In this era of hyper-connectivity, the DPDA 2023 and GDPR have become sentinel guardians of digital humanity, safeguarding the very essence of our being in an ever-evolving digital landscape.
The Digital Personal Data Protection Act 2023 is a groundbreaking legislation designed to safeguard the digital footprints of individuals in the ever-evolving landscape of technology. This innovative act aims to provide comprehensive protection to personal data in the digital realm, ensuring that individuals have control over their information and privacy. Through a harmonious blend of legal frameworks and technological advancements, the Act sets forth a new standard for data protection, promoting transparency, accountability, and user empowerment. By establishing clear guidelines for data collection, processing, and storage, it fosters trust between individuals and the entities handling their personal information. Embracing the ethos of data sovereignty, the Act empowers individuals to determine how their data is utilised, granting them the right to access, modify, or delete their information as needed. By prioritising data security measures and encryption protocols, it creates a fortified digital ecosystem where privacy breaches are minimised. In a world where data is currency, the Digital Personal Data Protection Act 2023 stands as a beacon of assurance, guiding individuals and organisations towards a future where personal information is treated with the utmost respect and care. It heralds a new era of digital citizenship, where privacy is not just a right but a cornerstone of a safe and inclusive digital society.
CONCLUSION
Data security and privacy are essential in today’s digital world to protect personal data. Individuals’ personal information is necessary for security purposes. An important step towards establishing comprehensive data protection legislation in India is the Digital Personal Data Protection Act, 2023.
It has been commended as a robust standalone data protection framework. When an individual shares their data with legitimate organisations they may under the pretext that the information is secure and will not be shared with any other third parties or agency without their consent. The DPDP Act is a step forward towards it. Since data privacy is still very important, India needs to catch up with the rest of the world in this area. However, the DPDP Act is hugely criticised for hastily passing the Digital Personal Data Protection Bill, 2023 in both houses of Parliament without any meaningful discussion. Some provisions are subject to Central Government determinations, raising worries about unchecked rule-making and potential gaps in regulation. Moreover, it seems paradoxical that the DPDP Act imposes duties on data principals where its aim was to protect their rights. It includes not to impersonate oneself while sharing the data with others, to comply with law and regulations from time to time, not to suppress any material information, not to file a frivolous complaint against data fiduciary and to furnish the information which is authentic. Hence, this paper speculatively analysed the Digital Personal Data Protection Act, 2023.
Reference(s):
[1] James Manyika et al., “Big data: The new frontier for innovation, competition, and productivity,” McKinsey GlobalInstitute (accessed on 20 June 2024).
[2] Keelery, S. Internet usage in India – statistics & facts. Statista. 2021. Retrieved from, https://www.statista.com/
(accessed on 20 June 2024).
[3]Kuner, Christopher, An International Legal Framework for Data Protection: Issues and Prospects, 25
Computer Law & Security Review 307-317 2009, https://ssrn.com/abstract=1443802 (accessed on 20 June 2024).
[4]Business Today.India ranks third in global data breaches in 2021. https://www.businesstoday.in/latest/ (accessed on 20 June 2024)
[5] Dhiraj R. Duraiswami, Privacy and Data Protection in India, 6 J.L. & CYBER WARFARE 166, 169-172.
[6]SSRG International Journal of Humanities and Social Science, https://www.internationaljournalssrg.org/IJHSS/2024/Volume11-Issue2/ (accessed on 21 June,2024)
[7]Kumar, Rahul, Jurisprudence of Right to Privacy in India, 2020, https://ssrn.com/abstract=3664257
or http://dx.doi.org/10.2139/ssrn.3664257
[8]MP Sharma v Satish Chandra, (1954) 1 SCR 1077
[9]Indrakunwar v. The State of Chhattisgarh, CRIMINAL APPEAL No.1730 OF 2012.
[10]Association for Democratic Reforms v. Union of India, WritPetition (C) No. 880 of 2017
[11]Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
[12]Kharak Singh v. State of U.P and others, 1964 SCR (1) 332
[13]PRADIP KASHYAP, DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A NEW LIGHT INTO THE DATA PROTECTION AND PRIVACY LAW IN INDIA, https://www.researchgate.net/publication/380360250 (accessed on 21 June, 2024)
[14]Systems Thinking, Big Data, and Data Protection Law, 18 Eur. J.L. Reform 478 (2016)
[15]Orla Lynskey, Deconstructing Data Protection: The Added-Value of a Right to Data Protection in the EU Legal Order, 63 INTL & COMP. L.Q. 569, 577-81 (2014)
[16]Paul Crocetti, Peterson, Senior, Kim Hefner, What is data protection and why is it important?, TECHTARGET NETWORKhttps://www.techtarget.com/searchdatabackup/definition/data-protection (accessed on 21 June 2024)
[17]Silvia Lucia Cristea & Viorel Banulescu, The Right to Personal Data Protection. The Right to Privacy. A Comparative Law Approach.
[18]Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
[19]Digital India Programme Overview Digital India; Visited 21 June 2024.
[20]Impact of GDPR on Global Data Protection Practices. International dimension of data protection – European Commission (europa.eu); Visited 21 June 2024.
[21]Economic Survey of India 2022-23.
[22]Public Consultation Reports on Data Protection Bills.
[23]Manjunathan, M. India: Privacy and Data Protection Laws in India (Part 3). 2022. https://www.mondaq.
(accessed on 21 June 2024).
[24]Chopra, R. & Mansharamani, M. India: Privacy in India: Data Protection Bill and OTT Regulations. 2021, https://www.mondaq.com/ (accessed on 21 June 2024).
[25]Trilegal India: The Data Protection Bill, 2021. https://www.mondaq.com/ (accessed on 21 June 2024).
[26]Alpha Partners. India: Update on Data Protection Law. 2022, https://www.mondaq.(accessed on 21 June2024)
[27]Digital Personal Data Protection Act, 2023. https://prsindia.org/acts/parliamen t (accessed on 21 June 2024)
[28]Clause 2 (20), Clause 2 (38), Clause 15, The Personal Data Protection Bill, 2019, as introduced in Lok Sabha.
[29]Clause 22, Clause 23, Clause 26, Clause 27, The Personal Data Protection Bill, 2019, as introduced in Lok Sabha.
[30]Clause 64, The Personal Data Protection Bill, 2019, as introduced in Lok Sabha.
[31]Recital 75, Article 82, General Data Protection Regulation of European Union
[32]Clause 19, The Personal Data Protection Bill, 2019, as introduced in Lok Sabha.
[33]Clause 26, The Personal Data Protection Bill, 2018, as released by the Ministry of Electronics and Information Technology.
[34]Article 20, General Data Protection Regulation, European Union.
[35]Clause 33 and 34, The Personal Data Protection Bill, 2019, as introduced in Lok Sabha.
[36]Clause 17, The Draft Digital Personal Data Protection Bill, 2022, Ministry of Electronics and Information Technology, November 18, 2022.
[37] Rojer Mathew versus South Indian Bank Ltd & Ors., 2019 (369) ELT3 (S.C.), Supreme Court of India, November 13, 2019.
[38]The Digital Personal Data Protection Bill,2023, https://prsindia.org/billtrack/ (accessed on 22 June,2024)