INTRODUCTION OF THE DIGITAL PERSONAL DATA PROTECTION ACT 2023
In an era dominated by digital advancements and technological innovation, the importance of protecting personal data has become paramount. The year 2023 marks a significant milestone in the evolution of data protection laws, as governments and regulatory bodies around the world continue to adapt to the changing landscape of information management. The Digital Personal Data Protection Act 2023 is founded on safeguarding individual privacy in the digital era, building upon earlier frameworks to address evolving technological challenges. It enhances individual rights, giving users more control over their data and emphasizing access, rectification, and erasure. The law imposes stricter consent mechanisms, requiring explicit and informed consent with clear purposes and retention periods. It emphasizes data minimization and purpose limitation to curb excessive data collection and retention. Accountability measures, including comprehensive policies and Data Protection Officers, hold organizations responsible. The law also provides guidelines for secure cross-border data transfers, crucial in our interconnected global environment.
KEY FEATURES OF THE DIGITAL PERSONAL DATA PROTECTION ACT 2023
Introduction:
- The Indian Parliament passed the Digital Personal Data Protection (DPDP) Act, 2023, in early August.
- It’s the first comprehensive law on personal data protection in India after years of deliberation.
Legislative Evolution:
- The 2023 act is the second version, following the 2019 bill and a 2022 draft.
- The drafting process involved an expert committee, public feedback, and parliamentary committee reports.
Applicability:
- Applies to Indian residents and businesses collecting Indian residents’ data.
- Also applies to non-citizens in India using digital goods/services from providers outside India.
Data Processing Purposes:
- Allows data processing for lawful purposes with explicit consent or “legitimate uses.”
- Legitimate uses defined include voluntary data provision, government services, sovereignty, security, legal obligations, emergencies, and disasters.
User/Consumer Rights:
- Users have rights to access, correction, redress, and data nomination.
- Data fiduciaries must appoint a data protection officer and adhere to security measures.
Significant Data Fiduciaries (SDFs):
- Certain entities are designated as SDFs based on volume, sensitivity, and risks.
- SDFs have additional obligations, including appointing a data protection officer.
Data Localization:
- Reverses data localization requirements from the 2019 bill.
- Allows the government to restrict data flows to certain countries for national security reasons.
Exemptions:
- Exemptions for legal rights enforcement, court processing, non-Indian residents’ data, and specific purposes/entities.
- Government can exempt certain classes of data fiduciaries, including startups, from some provisions.
Regulatory Structure:
- Establishes the Data Protection Board of India (DPB) instead of an independent regulatory agency.
- DPB oversees data breach prevention, conducts inquiries, and issues penalties.
Penalties and Appeals:
- DPB can impose monetary penalties up to 250 crore rupees.
- Appeals go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
- Allows voluntary undertakings as a form of settlement.
Government Authority:
- Section 37 allows the government, based on a DPB reference, to block public access to information from data fiduciaries with repeated penalties.
Concerns:
- The Act reduces obligations for businesses but grants unguided discretionary powers to the central government.
- Wide exemptions and potential issues with broad government powers for exemptions.
- Novel provision allowing the government to block access based on DPB recommendations after repeated penalties.
CONCLUSION
As the Data Protection Law 2023 takes centre stage, individuals and organisations alike must proactively adapt to the new regulatory landscape. By prioritising transparency, accountability, and respect for individual privacy rights, businesses can navigate the complexities of data protection laws and build trust with their users. In this evolving digital era, compliance with these regulations not only safeguards personal data but also fosters a responsible and ethical approach to data management.
SOURCE – PRS