In early August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act, 2023. The new law is the first cross-sectoral law on personal data protection in India and has been enacted after more than half a decade of deliberations. The key question this paper discusses is whether this seemingly interminable period of deliberations resulted in a “good” law—whether the law protects personal data adequately, and in addition, whether it properly balances, as the preamble to the law states, “the right of individuals to protect their personal data” on one hand and “the need to process such personal data for lawful purposes” on the other.
To answer this question, the paper first details the key features of the law and compares it to earlier versions, especially the previous official bill introduced by the government in Parliament in 2019. The second part of the paper then examines the DPDP Act from two perspectives. First, it highlights certain potentially problematic features of this law to understand its consequences for consumers and businesses as well as the Indian state. Second, it places the act in context of the developments and deliberations that have taken place over the last five years or so. The third part speculates on the key factors that will influence the development of data protection regulation in India in the next few years.
The 2023 act is the second version of the bill introduced in Parliament, and the fourth overall. An initial version was prepared by a committee of experts and circulated for public feedback in 2018. This was followed by the government’s version of the bill that was introduced in Parliament in 2019—the Personal Data Protection Bill, 2019. This version was studied by a parliamentary committee that published its report in December 2021. The government, however, withdrew this bill, and in November 2022, published a fresh draft for public consultations—the draft Digital Personal Data Protection Bill, 2022. This draft was quite different from the previous versions. The 2023 law is based, in significant part, on this draft. However, it has some new provisions that are consequential for the questions this paper seeks to answer.
These four drafts were preceded by a landmark 2017 judgment by India’s Supreme Court in Justice K.S. Puttaswamy and Anr. v. Union of India and Ors. The judgment declared that the right to privacy is part of the fundamental right to life in India and that the right to informational privacy is part of this right. The judgment, however, did not describe the specific contours of the right to informational privacy, and it also did not lay down specific mechanisms through which this right was to be protected.
Following this, the first government version of the law, the Personal Data Protection Bill, 2019, was introduced in Parliament in December 2019. This version was expansive in scope and proposed cross-sectoral, economy-wide data protection regulation to be overseen by an all-powerful data protection regulator—the Data Protection Authority (DPA). The 2019 bill provided for a preventive framework. It imposed a number of obligations on entities collecting personal data—to provide notice and take consent from individuals, to store accurate data in a secure manner, and to use it only for purposes listed in the notice. Businesses were also required to delete data once the purpose was satisfied and to provide consumers rights to access, erase, and port their data. Businesses were required to maintain security safeguards and transparency requirements, implement “privacy by design” requirements, and create grievance redress systems. Finally, this bill introduced an entity known as “consent managers,” who were intermediaries for collecting and providing consent to businesses on behalf of individuals.
The bill grouped personal data into different categories and required elevated levels of protection for “sensitive” and “critical” personal data. Certain businesses were also to be categorized as “significant data fiduciaries,” and additional obligations were proposed for them—registration in India, data audits, and data impact assessments. In addition, the bill imposed localization restrictions on the cross-border flows of certain categories of data. The DPA was empowered to impose penalties on businesses for violating these requirements. The bill also proposed to criminalize activities related to the deanonymization of individuals from anonymized datasets.
The 2019 bill exempted certain entities and businesses from notice and consent requirements under certain circumstances—for lawful state functions, medical and health services during emergencies or epidemics, breakdown of public order, employment-related data processing, the prevention and detection of unlawful activity, whistleblowing, and credit recovery, among others.
The 2019 bill also had a provision to empower the government to regulate nonpersonal data. It allowed the government to require private entities to hand over specific nonpersonal data that the government asked for as per conditions it prescribed. In short, the 2019 bill proposed a comprehensive, cross-sectoral framework based on preventive requirements for businesses (defined as “data fiduciaries”) and rights for individuals or consumers (“data principals”).
This regulatory structure was based mostly on the 2018 draft bill proposed by the Srikrishna Committee—the committee, chaired by Justice B.N. Srikrishna, a retired Supreme Court judge, was set up by the Ministry of Electronics & Information Technology in July 2017 to help frame data protection norms. The recommendations of this committee, in turn, were based on major regulatory developments that were popular while the work of the committee was proceeding. Primary among these was the European Union’s (EU’s) General Data Protection Regulation (GDPR). While the general preventive framework of the 2019 bill was welcome, its expansive scope was problematic. It created a number of significant compliance requirements that would have affected both big and small firms in the economy. It also proposed the creation of a DPA that had significant regulation-making and supervisory powers. These regulations would have further detailed the already significant compliance requirements in the bill. The novelty of the law and the lack of prior experience in implementing a data protection law of this nature would have created serious risks of overregulation or under-regulation.
The DPDP Act is based on the draft proposed by the government in November 2022, which adopted a radically different approach to data protection regulation. The next section details the key provisions of the act.
The Information Technology Act, 2000: Foundational Data Privacy Provisions
India’s first major legislation addressing data privacy (particularly in regard to cybercrimes, electronic commerce and data security) was the Information Technology Act, 2000. This legislation laid the foundation for the more robust data protection laws that followed in the country.
Section 43A – Protection of Sensitive Personal Data
Section 43A of the IT Act is one of its major provisions. It mandates that companies and organizations handling sensitive personal data implement reasonable security practices to prevent data breaches, and it makes organizations liable when they fail to secure such data and thereby breach their users’ privacy. This applies to all data fiduciaries engaged in the processing of sensitive personal data or information (SPDI).
- For example: In 2017, a Fortis Healthcare unit suffered a data breach caused by a failure to properly protect patient information, as required under Section 43A of the IT Act. The court found Fortis liable for not taking proper security measures, which resulted in the large-scale exposure of sensitive health information.
Section 72A – Disclosure of Personal Information as an Offence and Punishment
Section 72A of the IT Act, 2000 deals with the unauthorized disclosure of personal data or information. If any person or corporate entity discloses such information without the individual’s consent, that person may be imprisoned for up to 3 years, fined up to ₹5 lakh, or both.
The consent requirement protects the privacy of individuals and ensures that sensitive information is not disclosed without their authorization.
- For example: Under this section, an employee of a tech company may face penalties if they disclose a user’s data to a third party without authorization.
The Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDP) presents even stronger personal data protection mechanisms than the GDPR. By aligning India with global standards for safeguarding personal data, such as the GDPR (General Data Protection Regulation), the DPDP Act represents a major step forward in securing personal data.
Section 7: Consent Based Data Processing
Section 7 of the DPDP Act is a fundamental provision because it requires data fiduciaries to obtain the explicit consent of the individuals whose personal data they intend to process before processing that data. Consent has to be given freely, in an informed manner, specifically and unambiguously.
Individuals must also have a simple way to withdraw their consent at any time.
- For example: When registering for an online service, the individual must be presented with a privacy notice that clearly sets out how their data will be used; only then are they asked for their consent, before any processing takes place.
Section 12: Rights of Data Principals
Individuals, referred to as data principals, are given several rights over their personal data under Section 12 of the DPDP Act, 2023, including the right to access, correct and erase their personal data.
Individuals must be given control over their data, including the right to request deletion if they no longer want their data to be processed.
- For example: Under Section 12, a consumer can request that an e-commerce platform delete their account and personal data. Unless the data must be retained for legal reasons, the platform must comply.
Section 18: Data Localization
Specific types of sensitive personal data are required to be stored and processed within India under Section 18 of the DPDP Act, 2023. The goal is to prevent the data of Indians residing in India from being governed by the laws of another country.
- For example: companies such as Facebook and Google, which are active in India, will have to keep some categories of personal data in local data centres to comply with this provision.
This is intended to prevent foreign governments from accessing Indian citizens’ data without proper legal oversight.
Section 24: Penalties for Non-compliance
The DPDP Act, 2023 introduces severe penalties for any breach of its provisions. Violations relating to personal data protection can attract fines of up to ₹500 crore under Section 24. Fines are imposed on data fiduciaries that protect data inadequately, fail to obtain appropriate consent, or use data for purposes other than those initially agreed upon.
Data Privacy Compliance and Enforcement in India
The data protection framework will be enforced by the Data Protection Authority of India (DPAI), which is envisaged in the DPDP Act. It will also investigate data breaches, mediate between data subjects and data fiduciaries on behalf of data subjects, and enforce compliance with the rules.
Penalties for Non-Compliance
Penalties for violations of the DPDP Act’s provisions can be quite severe. For instance, organizations that fail to notify individuals of a data breach or misuse of personal data could be fined up to ₹500 crore. The penalty depends on the kind of infraction committed. Besides financial penalties, organizations may also be required to implement corrective actions such as strengthening data security measures or carrying out mandatory audits.
Summary
India’s journey with data privacy and protection has come a long way since the foundations laid in the Information Technology Act, 2000, culminating in 2023 with the comprehensive framework of the Digital Personal Data Protection Bill. Together, these laws target the prohibition of data processing without informed consent, personal data localization, rights over personal data and severe penalties in the event of non-compliance.
In aggregate, these legal instruments attempt to provide the necessary protection of data privacy, raise awareness and establish standards of accountability, including for the use of personal information on the internet and social media. Together with data localization requirements and enforcement mechanisms, they offer a potent and well-rounded avenue for the day-to-day protection of individual privacy.
Data Privacy Laws in India: FAQs
Q1. What is the Digital Personal Data Protection Act?
The Digital Personal Data Protection Act, 2023 aims to protect the personal data of individuals by preventing the processing of sensitive personal data, including health information, Aadhaar numbers and religious and other sensitive matters, without explicit consent or parental consent, whichever applies. It provides for consent-based data processing, data localization, and the rights of individuals over their personal data.
Q2. How does Section 43A of the IT Act secure data privacy?
Section 43A requires organizations to put in place reasonable security practices to protect sensitive personal data. If they fail to do so and a breach occurs, they are liable for the resulting invasion of privacy.
Q3. What are the penalties for violating Indian data privacy laws?
Failure to comply can attract a penalty of up to ₹500 crore, depending on the violation. In addition, organizations may be required to take corrective action.
Q4. Does the IT Act deal with unauthorized disclosure of personal data?
Section 72A of the IT Act provides for criminal action and penalties for the unauthorized disclosure of personal data.
Q5. In the DPDP Act, what is data localization?
Certain types of sensitive personal data must be stored and processed within India under data localization requirements, so that the data remains protected by Indian law.