Have you ever looked at buying something on a website, and then been haunted by a myriad of similar products wherever you go on the web?!
Have you ever given your mobile number to a prominent job search portal and then received all kinds of unwanted offers from across the country?!
Have you ever logged into a European website and been bombarded with toggle switches for protecting your personal information and controlling your cookie data, and wondered why the same features were missing on Indian websites?
All of this is bound to change, fingers crossed!!🤞
On 11 August 2023, after being passed by both Houses of Parliament, the Digital Personal Data Protection Act, 2023 (the DPDPA) received Presidential assent. It will be the principal regulation in India for data protection and privacy, and its ripples will be felt across businesses and lives for years to come. Nevertheless, the law is not yet in force: neither an effective date nor a formal implementation plan has been set. Stakeholders anticipate that it will be brought into effect gradually over the next six to twelve months, once the Data Protection Board of India (the Data Protection Board), the independent body tasked with enforcing the DPDPA, has been constituted and the central government has notified the subordinate rules; only then can its interpretation, procedure and enforcement be worked out in practice. Organisations in India are already taking steps to align their operating principles with the Act and avoid future ramifications.
The DPDPA applies to the processing of digital personal data within India. It also has extraterritorial effect: it applies to processing outside India if that processing is connected with offering goods or services to individuals in India. Those individuals are called "data principals" (the equivalent of "data subjects" under the EU and UK General Data Protection Regulations, or GDPR). The DPDPA sets out obligations for data fiduciaries (comparable to "controllers" under the GDPR) and for data processors, and rights for data principals. The underlying principles are broadly similar to those of the GDPR. Penalties for non-compliance range from ₹500 million (about €5.7 million) up to ₹2.5 billion (about €28 million). Following a personal data breach, the Data Protection Board is also empowered to direct urgent remedial or mitigation measures.
The Indian Supreme Court's historic ruling in Justice K.S. Puttaswamy and Anr. v. Union of India and Ors. (2017) preceded all of the successive drafts of the law. The Court held that the right to privacy, including the right to informational privacy, is part of the fundamental right to life and personal liberty. The ruling did not, however, define the precise contours of the right to informational privacy or lay down specific safeguards for it.
Subsequently, in December 2019, the Personal Data Protection Bill, 2019, the first government version of the law, was introduced in Parliament. It was broad in scope, proposing a data protection law that applied across the whole economy and all sectors, supervised by a powerful Data Protection Authority (DPA). The 2019 bill established a preventive framework. It placed requirements on organisations that collect personal data, including notice and consent, secure storage of accurate data, and limiting use of the data to the purposes stated in the notice. Businesses also had to give individuals the ability to access, erase and port their data, and to destroy data once its stated purpose had been fulfilled. Companies had to meet "privacy by design" criteria, maintain security safeguards and transparency standards, and set up grievance redress mechanisms. Finally, the bill proposed a new category of entity, "consent managers", who would act as intermediaries gathering and granting consent to companies on behalf of individuals.
The bill classified personal data into categories and required higher levels of protection for "sensitive" and "critical" personal data. Some companies were to be designated "significant data fiduciaries" and subjected to additional obligations, such as registration in India, data audits and data protection impact assessments. The bill also imposed localisation restrictions on the cross-border transfer of certain categories of data. Businesses that breached these provisions could face penalties from the DPA. A further proposal was to criminalise the re-identification of individuals from anonymised datasets.
The 2019 bill exempted certain entities and activities from the notice and consent requirements under specified circumstances, including lawful functions of the State, medical and health services during emergencies or epidemics, breakdown of public order, employment-related processing, prevention and detection of unlawful activity, whistleblowing, and credit recovery.
The 2019 bill also contained a clause enabling the government to regulate non-personal data. It empowered the government to direct commercial organisations to provide specified non-personal data on request, under prescribed guidelines. In short, the 2019 bill offered a comprehensive, cross-sectoral framework built on rights for individuals (referred to as "data principals") and preventive obligations for enterprises (referred to as "data fiduciaries").
The main model for this regulatory framework was the draft bill produced in 2018 by the Srikrishna Committee, which the Ministry of Electronics & Information Technology had established in July 2017, under the chairmanship of retired Supreme Court judge Justice B.N. Srikrishna, to help define data protection standards. The committee's recommendations in turn drew on major regulatory developments that gained traction during its work, the most important being the General Data Protection Regulation (GDPR) of the European Union (EU). Although the overall preventive structure was welcomed, the 2019 bill's broad reach presented challenges. It created several onerous compliance requirements that would have affected businesses of all sizes across the economy, and it proposed a DPA with strong regulatory and oversight powers. Together these would have added to the bill's already stringent compliance burden. Given the novelty of the law and the absence of prior experience in implementing one, there were real risks of either over- or under-regulation.
Personal data is information relating to an identified or identifiable individual. Both government and business organisations process personal data in order to provide goods and services. Processing personal data reveals users' preferences, which is useful for recommendations, targeted advertising and customisation, and it can also benefit law enforcement. Unrestricted processing, however, can harm individuals' privacy, which is recognised as a fundamental right, and can lead to financial loss, reputational damage and profiling.
Until the DPDP Act, India had no stand-alone data protection law; the relevant provisions were found in the Information Technology (IT) Act, 2000. In 2017 the central government set up a Committee of Experts on Data Protection, chaired by Justice B. N. Srikrishna, to examine data protection issues in the country. The Committee submitted its report in July 2018. Based on its recommendations, the Personal Data Protection Bill, 2019 was introduced in the Lok Sabha in December 2019. The Bill was referred to a Joint Parliamentary Committee, which submitted its report in December 2021. The Bill was withdrawn from Parliament in August 2022. A fresh draft bill was released for public consultation in November 2022, and in August 2023 the Digital Personal Data Protection Bill, 2023 was introduced in and passed by Parliament.
Although the DPDP Act has been enacted, a great deal remains to be done in terms of deliberation and the drafting of rules and stipulations, in consultation with a wide range of stakeholders. In the meantime, we can draw parallels with the existing framework and with the data protection regulations in force elsewhere, which were themselves analysed during the preparation of this framework.
Data principals do not enjoy every right granted under other international data privacy laws, but they do have several. Among them are:
It should be noted that, unlike under the GDPR, the right to erasure does not amount to a full "right to be forgotten". Additionally, although the Act provides a schedule of penalties for various types and degrees of violation or negligence, data principals do not have a right to data portability, a right to opt out of automated decision-making, or a private right of action (including a claim for compensation) against a data fiduciary in the event of a breach.
Data principals also have several duties under the DPDP Act, particularly when exercising their rights, including:
A request to a data principal for consent to process personal data must be preceded or accompanied by a notice from the data fiduciary giving information about:
Valid consent must be “free, specific, informed, unconditional and unambiguous, with a clear affirmative action”. Consent signifies an agreement for processing of personal data for a specified purpose, and is limited to the personal data that is necessary to fulfil that purpose.
A data principal can withdraw consent at any time, and withdrawing it must be as easy as giving it. Once consent is withdrawn, the data fiduciary (and any data processor acting for it) must stop processing the personal data. If requested, and where legally permissible, that personal data must also be deleted.
What are companies’ responsibilities under the Indian privacy law?
Under the Act, data fiduciaries are accountable for several things: the data principals, the data itself, and any third-party data processors they engage, which they may do only under a contract. The data fiduciary remains ultimately liable for everything a contracted data processor does on its behalf, including in the event of a data breach at the processor. Data fiduciaries must also keep documentation of all processing-related activities, such as the purposes of processing, the categories of data principals, and data transfers.
Consent for marketing or advertising purposes:
The DPDP Act contains no specific provisions requiring or prohibiting the processing of adults' personal data for marketing or advertising purposes, including its use for targeted advertising or profiling. Targeted advertising directed at children, however, is prohibited.
Exemptions for the State may have adverse implications for privacy:
Personal data processing by the State is given several exemptions under the Act. As per Article 12 of the Constitution, the State includes: (i) the central government, (ii) state governments, (iii) local bodies, and (iv) authorities and companies set up by the government. Such exemptions raise certain concerns.
The Act empowers the central government to exempt government agencies from any or all of its requirements when they process data for purposes such as maintaining public order or state security. In specific situations, such as processing necessary for the prevention, detection and prosecution of offences, none of the duties of data fiduciaries or rights of data principals apply, except the data security obligations. The Act does not require government agencies to destroy personal data once the purpose of processing has been satisfied. Under these exemptions, a government agency could gather information about a citizen to build a 360-degree profile for surveillance on grounds of national security.
The Act does not regulate the risk of harm arising from the processing of personal data. The Srikrishna Committee (2018) had observed that harm is a possible consequence of processing. Harm may include material losses such as financial loss and loss of access to benefits or services, as well as identity theft, loss of reputation, discrimination, and unreasonable surveillance and profiling. The Committee had recommended that such harms be regulated under a data protection law.
The DPDP Act, the beginning of statutory personal data protection law in India, is the result of over five years of discussion and deliberation. The degree to which personal data privacy is actually safeguarded will depend on the institutional arrangements and regulatory developments of the next few years. The new law provides the necessary framework, but on its own it is not sufficient to deliver de facto data privacy.
Whether the earlier iterations of the bill would have improved privacy protection in any appreciable way is debatable. Nonetheless, the evolution of the text across its iterations reflects the government's shifting stance on privacy protection.
The present version of the law is advantageous for Indian enterprises, as it imposes far lighter compliance burdens than the earlier versions.
The law itself is largely reasonable and practical, which I am glad of. In certain situations, however, it is so to the possible detriment of privacy interests. Given that the central government has a large amount of discretionary control over substantive matters, much will depend on how well it upholds privacy rights.