The Centre has passed the Digital Personal Data Protection Act, 2023 in Parliament. Critics have fixated on the speed with which it was passed and have claimed this to be the end of data privacy. Here’s a copy of the Act.
It has been 6 years since the Ministry of Electronics and Information Technology (MeitY) formed a 10-member expert committee under the chairmanship of Justice BN Srikrishna to submit a detailed report on data privacy and draft a bill on the protection of personal data. After years of evolution, that bill was finally passed by Parliament on the 9th of August and received the President’s assent on the 12th of August.
In 2018, MeitY released the Srikrishna committee report and proposed a draft bill, which was revised, introduced in the Lok Sabha and referred to a Joint Parliamentary Committee. The Joint Parliamentary Committee made certain changes to the draft and sent the PDP Bill, 2021 to Parliament, which the government then withdrew from the Lok Sabha. In 2022 the government released the Digital Personal Data Protection Bill, 2022 for public consultation and, based on the responses it received, drafted the Digital Personal Data Protection Bill, 2023, which has now officially become an Act after being published in the official ‘Gazette of India’.
But enough of the history of the Act; the biggest question in your mind will be ‘What is in the Act?’. So, to satisfy your curiosity, we will now look into and analyse what is included in the Act and what its provisions could mean.
Highlights & Analysis of the Digital Personal Data Protection Act
Firstly, this Digital Personal Data Protection Act specifically deals with personal data that is collected from people in digital form, or collected in non-digital form and subsequently digitised. The Act also has extra-territorial jurisdiction, which means that companies or firms processing such data outside India will come under its ambit. A very clear loophole also appears here: the provisions of the Act apply only to data collected digitally, or collected non-digitally and digitised later. If you collect data non-digitally, process it as is and never digitise it, the Act will not apply to that data.
Secondly, the Digital Personal Data Protection Act sets out the circumstances under which digital data collected voluntarily from the data principal can be processed. Under the Act, a few instances where the data can be used are: the provision or issuance of subsidies, benefits, etc. by the State, fulfilling legal obligations, compliance with a judgment or decree, responding to a medical emergency, certain employment purposes and so on. However, as previously stated, the basis for this is that the data has to be collected from the data principal in the prescribed format only, and there are additional conditions under which the data can be processed for legitimate uses. This has made not just the processing but even the collection of data more complex and technical than before, and represents an effort to make the law ‘people-friendly’ rather than industry-friendly. The law also states that the data principal shall have the right to correction, completion, updating and even erasure of data for which they had previously given consent, through the procedure given under the law for the time being in force.
Thirdly, this Digital Personal Data Protection Act makes the data fiduciary responsible for compliance with the law and prescribes penalties for breaches of the provisions relating to either the collection or the processing of data. If a data fiduciary hands over data to a third party for processing, it must strictly be done under a valid contract. Data fiduciaries are also required to implement appropriate technical and organisational measures, ensure an effective mechanism for grievance redressal, report personal data breaches to the Data Protection Board of India and to the impacted individuals, etc.
Fourthly, this Digital Personal Data Protection Act includes provisions for the collection of data from children/minors and from any person with a disability or of unsound mind who has a legal guardian. Under the Act, if a data fiduciary wants to collect and process any data belonging to such persons, it will strictly need the consent of the parents or legal guardians. The Act also casts a duty on the data fiduciary not to undertake behavioural tracking or targeted advertising that may be detrimental to the health (physical and mental) and well-being of the child. The law further states that the age threshold for children may be lowered only for those processing activities which the central government deems verifiably safe. This is, in all circumstances, a very good move: children have always been a more vulnerable group who could be exploited through their personal data, and it is a well-known fact that they are among the groups most exposed to data leaks and cybercrime.
Fifthly, under this Digital Personal Data Protection Act, the central government will constitute a Data Protection Board of India, whose main job will be to determine non-compliance by data fiduciaries and impose penalties on them. The Board will be an independent body, but the powers given to it are massive, and its orders have the same force as decrees of a civil court. Any aggrieved person can file an appeal against an order within 60 days before the Telecom Disputes Settlement and Appellate Tribunal. This is a fair feature that helps ensure that injustice of any kind is not done to either the data fiduciary or the data principal.
Sixthly, this Digital Personal Data Protection Act has also cleverly tackled the long-standing issue of personal data from India being sent abroad to other countries by companies or firms. The biggest example of this is the Indian government banning certain Chinese apps, amongst which was the very popular multiplayer game PUBG, for sharing the personal data of Indian users with China. The Act now gives the government the power to restrict data fiduciaries from transferring or sharing the personal data collected for processing to any country or territory outside India that the government may notify as it sees fit. However, it is also evident from the law that this power cannot override any other law which offers a higher degree of protection or a stricter restriction on the transfer of personal data.
Seventhly, this Digital Personal Data Protection Act also provides for certain exemptions in relation to the collection and processing of data: the central government may, by notification within 5 years, exempt certain start-ups or other specified categories of data fiduciaries from certain obligations. The law has also given the government a free hand when it comes to data processing. Even though it sets standards and restrictions on the collection and processing of personal data by private organisations, there are no real restrictions on the government, since major governmental entities will be exempted from the provisions of the Act. In addition, if we look at the provisions from a critical point of view, the central and state governments, along with the Data Protection Board and its members, who are exempt from the provisions of this Act, can pose a threat to the right to privacy and the personal data of millions of Indians.
Eighthly, to deter breaches of any provision of, or non-compliance with, the Digital Personal Data Protection Act, the government has decided to impose high penalties of up to Rupees 250 crores for failure to take reasonable security precautions to prevent a personal data breach. Although the amount has been reduced to 250 crores in the current Act from the original 500 crores in the circulated draft bill, at the request of industry leaders, it is still a huge amount for companies to pay as a fine, and in itself serves as the biggest deterrent against violating any provisions.
Last but not least, the Digital Personal Data Protection Act provides that, upon a written reference by the Board and in the interest of the general public, the central government can block a data fiduciary’s platform. Further, the central government may require the Board and any data fiduciary or intermediary to furnish such information as it may call for. This again creates a sense of accountability for data fiduciaries, who now have someone to answer to. It also acts as another form of deterrent: if data fiduciaries do not function properly and in accordance with the law, the Board and the government, they will suffer losses, and not just monetary ones.
The Digital Personal Data Protection Act is now being called a crucial step in the evolution of personal data protection. Despite concerns and criticism regarding the speed with which it was passed in Parliament, the refusal to send the bill to a Joint Parliamentary Committee before passing it, and the almost complete exemption given to government entities from its provisions, the Indian digital industry is welcoming the Act, with many founders saying that it is simple and easier to implement and that by embracing data protection they can forge stronger user relationships and propel responsible innovation. It is also believed that the Act will set the stage for a new era of data privacy and accountability in the country’s digital landscape.