Protecting Digital Personal Data

In 2017, the Government of India constituted a Committee, chaired by Justice B. N. Srikrishna, to examine the concerns relating to data protection in India. The Committee submitted its report in 2018, and its recommendations were taken into consideration while drafting the Personal Data Protection Bill, 2019. The Personal Data Protection Bill, 2019, was introduced in the Lok Sabha in December 2019 and was referred to a Joint Parliamentary Committee, which submitted its report in 2021.

The Bill was withdrawn from Parliament in 2022, as the Committee recommended extensive changes to the Bill. In August 2023, the Digital Personal Data Protection Bill, 2023 was introduced in the Lok Sabha. It was passed by the Lok Sabha on 7th August, 2023 and by the Rajya Sabha on 9th August, 2023, and it received the presidential nod on 11th August, 2023. The main objective of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the Act) is to process digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.

   

What is personal data?

As per the Digital Personal Data Protection Act, 2023, personal data means any data about an individual who is identifiable by or in relation to such data. India is one of the highest per capita consumers as well as producers of data among countries, and there are more than 760 million active internet users in India. In the coming years, this figure is expected to pass 1.2 billion. Personal data of individuals is used by many platforms and intermediaries, which must always pass the muster of law.

To which data will the Act apply?

The Act will apply to the processing of digital personal data within India where such data is collected online, or collected offline and digitized. It will also apply to the processing of personal data outside India, if it is for offering goods or services in India.

When does consent need to be obtained under the Act?

Personal data may be processed only for a lawful purpose after obtaining the consent of the individual. A notice must be given before seeking consent, and it should contain details about the personal data to be collected and the purpose of processing. Consent may be withdrawn at any point in time. Consent will not be required for legitimate uses, including a specified purpose for which data has been provided by an individual voluntarily; provision of a benefit or service by the government; medical emergency; and employment. As per the Act, for individuals below 18 years of age, consent will be provided by the parent or the legal guardian.

What are the rights of the person whose data is being processed?

An individual whose data is being processed will have the right to obtain information about processing; to seek correction and erasure of personal data; to nominate another person to exercise rights in the event of death or incapacity; and to grievance redressal.

What if the individual to whom the personal data relates registers a false complaint?

The data principal (the individual to whom the personal data relates), under the Act, must not register a false or frivolous complaint, furnish any false particulars, or impersonate another person in specified cases. Any violation of such duties will be punishable with a penalty of up to Rs 10,000.

What is the role of the entity determining the purpose and means of processing data?

The entity determining the purpose and means of processing (data fiduciary), under the Act, must make reasonable efforts to ensure the accuracy and completeness of data, build reasonable security safeguards to prevent a data breach, inform the Data Protection Board of India and affected persons in the event of a breach, and erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes.

Can the data be transferred outside India?

The Act also allows transfer of personal data outside India, except to countries restricted by the central government through notification. Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases, which include prevention and investigation of offences, and enforcement of legal rights or claims.

When can the central government exempt activities under the Act?

The central government may, by notification, exempt certain activities from the application of the Act, which include processing by government entities in the interest of the security of the state and public order, and research, archiving, or statistical purposes.

What is the Data Protection Board of India?

The Data Protection Board of India will be monitoring compliance and imposing penalties, directing data fiduciaries to take necessary measures in the event of a data breach, and hearing grievances made by affected persons.

However, the Act does not regulate the risks arising from processing of personal data and does not grant the right to data portability. The right to data portability allows data principals to obtain and transfer their data from the data fiduciary for their own use, in a structured and machine-readable format, which gives the data principal greater control over his / her data. The right to be forgotten, for the individual to whom the personal data relates, also does not find a mention in the Act. The Srikrishna Committee had observed that the right to be forgotten is an idea that attempts to instill the limitations of memory into an otherwise limitless digital sphere. The Act also allows transfer of personal data outside India, except to countries notified by the central government; this may not ensure complete data protection in the countries where transfer of personal data is allowed.

Therefore, the Digital Personal Data Protection Act, 2023, is a welcome step for processing of digital personal data, by recognizing both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes. However, there are some inadequacies which need to be plugged. A careful balancing of privacy concerns and legitimate State interests, coupled with other values, needs to be undertaken by the State, and the State has to be sensitive to the opportunities and dangers posed to liberty in a digital world, at all times.

  Muneeb Rashid Malik is an Advocate practicing before the Hon’ble Supreme Court of India and tweets @muneebmalikrash.

 

(The contents of this article are intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.)
