NET PACKING INDIA’S DIGITAL PERSONAL DATA PROTECTION ACT

legal-ax


India’s pursuit of a data protection framework can be traced back to the initial proposal in the Indian Parliament in 2008, when an amendment to the Information Technology Act, 2000 was suggested. The amendment introduced a new section 43A under the Information Technology (Amendment) Act, 2008, which mandated companies to safeguard all sensitive personal data and information they possessed, handled or dealt with by computer by implementing reasonable security practices and procedures.

Noncompliance with these obligations would result in penalties. Subsequently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were introduced, which set minimum standards for the protection of sensitive personal data or information and required that individuals be informed about the recipients of such data.

Over time, sector-specific regulations and rules have also introduced appropriate remedies and preventive measures for data protection.

The groundwork for comprehensive data protection legislation in India was laid in 2017 through the landmark Supreme Court judgment in K. S. Puttaswamy vs. Union of India. This judgment recognized the right to privacy as an inherent part of the right to life and liberty guaranteed by Article 21 of the Constitution of India. It also addressed the protections that should be afforded to individuals in the private sphere.

The Supreme Court emphasized the importance of privacy and its value to individual dignity.

The Supreme Court judgment not only established a prohibition against privacy-violating state actions but also gave the state the responsibility to regulate private contracts and data sharing in order to protect individual privacy.

This led to the establishment of the Srikrishna Committee, which drafted the Personal Data Protection Bill in 2018. After that, the Ministry of Electronics and Information Technology presented the Personal Data Protection Bill, 2019 in the Rajya Sabha in December 2019.

Owing to various challenges with respect to its implementation, the PDPB was sent for review to the Joint Committee of the Parliament (JPC) in 2019. The JPC spent around 2 years, amid the global pandemic, examining and deliberating on the nuances of the PDPB.

In November 2021 the JPC finally submitted its revised report and draft of the Bill. The Bill was renamed from PDPB to DPB (Data Protection Bill), 2021, and it brought various significant changes: it now covered not only personal data but non-personal data as well. However, this legislation attracted strong criticism from various stakeholders.

Justice Puttaswamy Judgement and data protection law:

Prior to the Justice Puttaswamy Judgement, India’s data protection laws were limited to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, a set of rules framed under the provisions of the IT Act, 2000. These rules provide a set of data protection rules with obligations for corporates who collect personal information to provide a privacy policy, obtain consent before collecting personal data and put in place the prescribed security standards and procedures. After that, a committee was constituted in 2017 and presented the Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology, which was further amended to form the Personal Data Protection Bill, 2019. The PDPB 2019 was presented in Parliament, where it was referred to the Joint Parliamentary Committee for further inputs. The JPC in 2021 published its report along with a new Draft Data Protection Bill, 2021 which contained amendments to the PDPB, 2019 digitalized in India. This Act applies to the processing of digital personal data beyond India’s borders, particularly when it encompasses the provision of goods or services to individuals within the Indian territory.

Personal Data breach (key provision of the DPDP Act, 2023) – This means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

Individual consent to use data and data principal rights:

Under the new law, personal data will be included and processed only with explicit consent from the individual, unless specific circumstances pertaining to national security, law and order require otherwise.

Under data principal rights, individuals also have the right to information, right to correction, right to erasure, right to grievance redressal and right to nominate any other person to exercise these rights in the event of the individual’s death or incapacity.

Regarding consent to the use of personal data, the user has the right to revoke their consent at any time. The other basis includes cases where individuals voluntarily provide personal data to a data fiduciary and do not necessarily imply that they do not want their data to be processed. All these rules are provided under section 6 of the DPDP Act, 2023.

Under Section 6, every consent shall be accompanied by a notice by the Data Fiduciary to the Data Principal informing her of –

(a) Personal data and purpose for which same is proposed to be processed

(b) The manner in which she may exercise her rights

(c) The manner in which the data principal may make a complaint to the Board.

Every significant data fiduciary is required to appoint a Data Protection Officer (DPO) responsible for addressing the inquiries and concerns of data principals, the individuals whose data is collected and processed.

Establishment of Data Protection Board:

It will function as an impartial adjudicatory body responsible for resolving privacy-related grievances and disputes between relevant parties. As an independent regulator, it will possess the authority to ascertain instances of noncompliance with the Act’s provisions and impose penalties accordingly.

Offence and Penalties –

Data fiduciaries can face penalties of up to INR 2.5 billion for failing to comply with the provisions. These include:

• Penalties of up to 10000 ₹ for breach of duty towards data
• Penalty of up to 2.5 billion ₹ for failing to take reasonable security safeguards to prevent breach of personal data.
• Fines of up to 2 billion ₹ for failure to notify the Data Protection Board and affected data principals in case of a personal data breach.
• Penalty of 500 million ₹ for breach of any other provision of the DPDP Act, 2023 and rules made thereunder.

Privacy notice – Under the DPDP Act, data fiduciaries must provide a privacy notice along with the request for consent. The notice and request should include details regarding –

(a) The categories of personal data collected
(b) The specific purposes for which personal data is collected
(c) The process of exercising consumer rights
(d) The procedure to revoke consent
(e) The procedure to file complaints with the Data Protection Board.

Consent – Data fiduciaries cannot process personal data without the consent of data principals unless it is for a legitimate use or is exempted by the Act. Data principals can withdraw their consent at any time, and the process of revocation of consent should be made easy and convenient.

Report of breaches – Data fiduciaries must report all data breaches to the Data Protection Board as well as to the affected person. The intimation must be made within a reasonable time.

Rights of data principals under the DPDP Act:

Chapter III deals with the rights of data principals –

(a) Right to access – A data principal can obtain the summary of their personal data processed, activities of the data fiduciaries or any other information regarding the processing of such data. They can also request the details of all data fiduciaries and data processors with whom their personal data is shared.

(b) Right to correction – A data principal can request the data fiduciaries to do the following with their personal data collected by them:
• Correct any inaccuracies
• Update their personal data
• Complete their personal data

(c) Right to erasure – A data principal has the right to get their personal data deleted. However, a business / data fiduciary is not obliged to erase such personal data if it is necessary for fulfilling the specific purpose for which it was collected or for legal compliance.

(d) Right to grievance redressal – Data principals are entitled to an accessible grievance redressal mechanism to resolve any issues regarding an act or omission of data fiduciaries’ obligations or the enforcement of the data principal’s rights.

Right to revoke consent – A data principal can revoke consent at any time. However, the data principal should bear any consequences arising from such revocation.

Personal Data breach under the DPDP Act – It is any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data. All breaches need to be reported, whether or not damage was caused.

Potential challenges in implementing and enforcing the DPDP Act, 2023 effectively –

The Act specifies consequences for non-compliance; however, its enforcement mechanisms face real-world obstacles. Data fiduciaries may be subject to fines of up to Rs. 250 crores for not adhering to the regulations. To investigate and penalize entities for data breaches or violations, a deep understanding of emerging cyber threats and data protection practices is essential. Enhancing the enforcement framework entails enhancing the capacities of regulatory bodies, promoting partnerships with cyber security specialists and adopting preventive measures to avert data breaches.

Finding the equilibrium between privacy and innovation is a key issue in the Act. It is important to have strict regulations to protect personal data, but being overly restrictive could impede technological progress and the creation of data-driven solutions. To ensure the Act keeps pace with technological advancements, policymakers must communicate regularly with industry stakeholders, innovators and privacy advocates. It is essential to implement mechanisms for regular reviews and updates to address the ever-changing digital landscape while upholding the core principles of data protection.

Scope of Digital Personal Data and its distinction from non-digital data:

Personal data – Data about an individual that can identify them. This includes identifiers like name, phone number, email address, postal address and Aadhaar number. It also includes profiling data or usage data, e.g., a user’s preferences. The Act covers ‘digital data’ and not offline records unless they are digitized. It does not cover non-personal data.

Non-digital data – Data which is in physical form, such as a hard copy of a document. This can also be converted into digital data by various processes. This Act also applies to any data that is made or caused to be made publicly available.

Balancing the right to privacy with legitimate interests of businesses and the government

The balancing test is a crucial tool for evaluating the proportionality between a company’s legitimate interests and the rights of individuals whose personal data is involved. It takes into account the potential impacts and risks to their rights and freedoms. It plays a vital role in ensuring compliance with the principles of responsibility and accountability, promoting transparency in the handling of personal data. Legitimate interests are one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.

Legitimate interests is the most flexible basis and could in principle apply to any type of processing for any reasonable purpose. Because it could apply in a wide range of circumstances, it puts the onus on you to balance your legitimate interests and the necessity of processing the personal data against the interests, rights and freedoms of the individual, taking into account the particular circumstances.

Conclusion: 2023 marks a significant milestone in India’s privacy laws with the introduction of the DPDPA. This comes after the Puttaswamy v. UOI judgement, which paved the way for this development. These legal and regulatory advancements are relatively recent, and the Government, industry and stakeholders are actively working towards understanding and adapting to these changes. It is worth noting that Indian courts have been urging the Government to expedite the enactment of the new data law. There are also ongoing litigations regarding the WhatsApp privacy policy and Government surveillance, and it will be intriguing to observe how the implementation of the new law will influence the courts’ decisions.

Regarding the future of privacy in India, with industry regulators taking on a more proactive role and the DPDPA set to be enforced soon, 2024 is set to be a momentous year. The regulations under the DPDPA will be transformative in shaping the landscape of personal data protection laws and finding a balance between business interests and individuals’ privacy. 2024 might also witness a heightened regulatory focus on previously unexplored areas like privacy in AI-based applications, children’s data privacy, consumer privacy rights, and more.