Digital Personal Data Protection Act 2023 (India)


Technology now has the highest amount of control over human beings than ever before in the history of mankind and in this era, one common thing that disturbs all of us is the privacy of our personal data. 

Every app or software has access to our personal data, and we don't even properly read the clauses before giving them that access. All these things make us stand at the edge of having a data breach anytime, but now you can have control over your data. 

The new Digital Personal Data Protection Act 2023 ("DPDPA") is going to help everyone to include the common man to be in the driving seat of their data. 

If we talk about the little background around the Act, it was a long impending move. With the advancement of technology and everything moving virtual, the demand for the protection of individual data became prominent. The Apps and websites were collecting user data and using it to their own advantage, majorly because our Jurisdiction was lacking any legislation pertaining to the protection of data. The data controller was being set cross-border by companies who were prominent, breaking the provisions of GDPR when it came to handling personal data within Indian Jurisdiction.  

The most recent example is Instagram, transferring our entire data to threads with just a click. The worst part is that we cannot even delete it without deleting our Instagram account. The platform has been created to collect data in some or the other way, and that was the reason Threads was never launched in the European Union (EU) countries where GDPR is applicable.

The Ministry of Electronics and information technology set up a committee in July 2017 to study issues related to the protection of digital personal data. The committee was chaired by Justice B.N.Srikrishna, a retired judge of the supreme court. The committee submitted the draft of the personal data protection Act in July 2018. The bill was approved by the cabinet on December 4 2019 as the personal data protection bill, 2019 and the bill was introduced in Lok Sabha on December 11, 2019. But the bill was withdrawn from Loksabha. In November 2022, a new bill was brought up by the Ministry of Electronics and information technology for public consultation. 

The digital data protection Bill, 2023 was passed by the Lok Sabha on 7th August, 2023 and was passed by Rajya Sabha on 9th August, 2023. The president of India gave assent to the bill on 11th August 2023 making it into an Act. 

But why is the Act getting so much coverage? 

The DPDA is bringing a great revolution in the field of information technology and data safety. A lot of prospects are discussed in the Act, and it also comes up with several solutions for you in case of any data breach. 

The prominent features of this Act are: 

Security from data breach: 

The bill is focusing on providing safety and security to all users from data breaches. The Act clearly dictates that every organization must save the data of their users by implementing different safety measures. Even if some leaks happen, then the user must be notified as soon as possible so that necessary actions can be taken. The authority of the Act is not only limited to the borders of India, but now it can encompass the processing of cross-border digital personal data.

Bringing transparency:

One of the most important features of this DPDPA is that it is bringing transparency about how your data will be used by the companies. Not only that but which data is collected and how it will be used, everything will have to be informed to you which gives you great control over your data. 

Giving importance to consent: 

The data fiduciaries are only able to access the data of the users with their consent and that is only for lawful purposes. The request for consent must be presented to the user in English or any of the other 22 languages mentioned in the Eighth schedule of the Indian Constitution. The request will also have to provide the contact details of an officer or representative for data protection. Another thing to mention is that the DPDPA introduces the parental consent of a lawful guardian at places where applicable. 

Privacy for kids:

The DPDPA also discusses the safety of data of children. In today's data, children are also users of the internet and technology, but the bill ensures that the companies don't get to exploit their innocence and misuse their data. Further parental consent is required for the processing of data of a young child. But certain data fiduciaries can be exempted from this by lowering the age limit for parental consent, and that authority belongs to the central government. 

Data Fiduciary:

The Data Fiduciary is introduced by this DPDPA which will ensure that all the rules mentioned in the DPDPA are followed by the required party. It will work as a digital guardian who will look over how your data is being used and make sure it's fair.

Financial penalties:

To make sure that the companies feel the heat of the DPDPA, it also mentions monetary penalties for those who will not obey the rules. A hefty amount of fine can be imposed on a company if they try to violate the law. The financial value of the penalties can go up to 2.5 billion rupees or 30 million dollars for trying to abuse the trust of the users. 

Criticism of the Act:

Although the bill has such great features to safeguard your personal data from leaks, the DPDPA has also received a lot of criticism from different people. It is also important to understand the drawbacks of the bill while doing a DPDPA analysis. The criticisms are mainly based on the scope of exemptions. 

The exemptions provide in the bill are :

For research and statistical purposes, enforcing legal rights, performing regulatory and judicial functions, locating defaulters and their financial assets etc. 

Another exemption is for startups, the government has given access to the startups other than government bodies. This step is to consider the challenges faced by the startups and help them in bringing more innovations. 

A digital rights group called The Internet Freedom Foundation has pointed out that the law doesn't provide any particular solution against “over-broad surveillance”. Also, the bill receives criticism for increased control of the government. 

Like any other bill, this bill also has its pros and cons. But providing security of our data from these multinational organizations was genuinely a need of the hour as the use of different unknown technologies is rapidly increasing, and we don't even know for what purpose they will use our data.