Digital Personal Data Protection Act 2023
The Digital Personal Data Protection Bill, 2023, was introduced in the Lok Sabha on August 3, 2023, by the Minister of Electronics & Information Technology. It was approved by the Lok Sabha on August 7, 2023, and received unanimous support from the Rajya Sabha on August 9, 2023. The bill then obtained Presidential assent on August 11, 2023.
Aim of the Digital Personal Data Protection Act 2023
The central aim of the Act is to establish a comprehensive system for safeguarding and handling personal data. It applies to the processing of personal data, both online and offline, within India’s borders and even extends to the processing of such data abroad if it pertains to goods or services offered within India. The Act lays the groundwork for related laws, such as the Digital India Act, and sets a framework for privacy and data protection laws to accommodate emerging technologies like Artificial Intelligence.
This new bill replaces the previous iterations of the Personal Data Protection Bills from 2019 and 2022, which faced challenges due to amendments and issues regarding data localization, transparency, and compliance complexity. The creation of the Digital Personal Data Protection Act, 2023, was prompted by a 2017 Supreme Court ruling that recognized the fundamental right to privacy and urged the government to establish a legal framework for personal data protection.
One notable aspect is that the Act is the first central law in India to use gender-neutral pronouns when referring to individuals.
Key definitions and features of the Act include
Data is any information that can be interpreted or processed by humans or machines. Personal data pertains to information about identifiable individuals.
Processing of Personal Data
This encompasses a range of automated operations on digital personal data, including collection, storage, sharing, use, and erasure. Such processing is allowed only for lawful purposes, with consent from the data subject, and for specified legitimate reasons.
The Act applies to digital personal data processed within India, in both digital and digitized non-digital forms. It also applies extraterritorially to data processed outside India that relates to offering goods or services within India. However, it doesn’t apply to data processed for personal or domestic purposes or data made publicly available under legal obligations.
Personal data processing requires explicit, informed, and unambiguous consent from data subjects. Some legitimate uses don’t require consent, such as data processing for specific purposes, security, and certain public interests.
Rights and Duties of Data Principal
Individuals whose data is being processed have rights, such as obtaining information about processing, correcting data, and withdrawing consent. They also have duties not to submit false information.
Data Fiduciary Obligations
Those handling data must process it only for specified purposes, ensure data accuracy, protect data, respond to data subject requests, report breaches, and erase data when no longer needed.
Transfer of Personal Data
The Act allows for extraterritorial processing and transfer of personal data, with restrictions.
Some provisions relating to the obligations of data fiduciaries and data principal rights are exempted in certain cases, such as for the prevention of offenses and legal enforcement.
Data Protection Board of India
The Act establishes a Data Protection Board with powers to address breaches, conduct inquiries, and impose penalties.
Appeals and Penalties
Appeals against Board decisions go to the Telecommunications Dispute Settlement and Appellate Tribunal. Penalties are imposed for various offenses under the Act.
The Act requires companies to develop procedures, comply with regulations, appoint data protection officers, and establish mechanisms for data handling. However, questions remain about how companies will be classified as data fiduciaries, especially in terms of criteria like net worth and size.
While the Act is aimed at protecting personal data, concerns exist about its practical implementation. The Act empowers the government with the authority to gather information and grants exemptions, potentially raising surveillance-related concerns. Also, certain amendments affect the balance between privacy and the Right to Information Act.
The Act addresses the need for data protection amid the rise of technology and cross-border data flows. While implementation details require clarification, the Act reflects India’s unique approach to data protection, which differs from the European Union’s GDPR. It signals a significant shift for Indian businesses regarding privacy and data protection practices and legitimizes government control over citizen data.
Frequently Asked Questions
What is India’s 2023 Data Protection Act?
India’s 2023 Data Protection Act, officially known as the Digital Personal Data Protection Act, is a comprehensive framework aimed at protecting and regulating the processing of personal data in the country. The Act sets guidelines for how personal data should be collected, used, shared, and protected by various entities, both within and outside India.
When was the Act introduced and passed?
The Act was introduced in the Lok Sabha on August 3, 2023. It was subsequently passed by the Lok Sabha on August 7, 2023, and then unanimously by the Rajya Sabha on August 9, 2023. The Act received Presidential assent on August 11, 2023.
What prompted the creation of this Act?
The Act was developed in response to concerns regarding data protection, privacy, and the need for a legal framework in line with the Supreme Court’s recognition of the right to privacy as a fundamental right in the Justice K.S. Puttaswamy vs. Union of India case in 2017.
What is the primary objective of the Act?
The main goal of the Act is to establish a comprehensive framework for the protection and processing of personal data. It aims to balance the rights of individuals to protect their personal data with the need for lawful data processing.
How does the Act define “Personal Data”?
Personal Data, as defined in the Act, refers to any data about an individual (Data Principal) that can identify or relate to that individual. This includes information such as facts, opinions, concepts, or instructions that can be processed by humans or automated means.