In August 2023, the Indian government notified the Digital Personal Data Protection (DPDP) Act of 2023, marking a significant milestone in the nation’s data protection journey. This was done after more than five years of deliberations, sparking critical discussions about the effectiveness of this new law in balancing individual data protection and the necessity to process data for lawful purposes, as stated in the law’s preamble.
The journey to the DPDP Act of 2023 began with an initial version prepared by a committee of experts in 2018, followed by the government’s 2019 Personal Data Protection Bill. The 2019 Bill was referred to a parliamentary committee that published its report in December 2021. The government, however, withdrew this bill, and in November 2022, published a fresh draft for public consultations—the draft Digital Personal Data Protection Bill, 2022. This draft was quite different from the previous versions. The 2023 law is based, in significant part, on this draft bill of 2022.
The extensive 2019 bill proposed comprehensive data protection regulations, including the establishment of an all-powerful Data Protection Authority (DPA) with preventive mechanisms. It placed substantial obligations on entities collecting personal data and introduced concepts like consent managers, data localization, and penalties for non-compliance. Notably, it also included provisions to regulate non-personal data, setting a broad regulatory framework that drew inspiration from the EU’s General Data Protection Regulation (GDPR). However, this approach raised concerns about its impact on businesses and the potential for overregulation.
The DPDP Act of 2023 takes a different route, largely based on the government’s 2022 draft. This approach significantly alters data protection regulation, emphasizing a narrower mandate and a focus on the prevention of data breaches. It replaces the proposed DPA with the Data Protection Board and revises the regulatory framework. The Act introduces a distinct set of provisions that seek to strike a balance between protecting personal data and facilitating its lawful use.
Under the DPDP Act of 2023, the scope of application is significantly broadened. This Act pertains to both Indian residents and businesses involved in the collection of personal data. Additionally, it extends its jurisdiction to non-citizens residing in India, specifically in cases where their data processing is linked to the use of digital services from outside India.
Data Collection and Purpose
The Act permits personal data collection for any lawful purpose, contingent on obtaining consent from the individual or establishing legitimate reasons as prescribed in the law. Consent, in particular, is to be freely given, specific, informed, unconditional, and unambiguous, and should be sought for a clearly defined purpose. The Act requires data collectors to provide clear notices detailing the specifics of data usage, the rights of the individual, and grievance redress mechanisms. Crucially, individuals retain the right to withdraw their consent if data processing relies on consent as its legal basis.
In contrast to the 2019 version, the 2023 Act revises data localization requirements. While the previous bill imposed strict rules, the new Act allows the government to control the flow of data to specific countries, primarily for reasons of national security. Existing sector-specific localization rules, such as those set by the Reserve Bank of India, continue to hold legal validity.
Rights of Individuals
The DPDP Act introduces several rights for individuals regarding their personal data. These rights encompass the ability to access a summary of their collected data, knowledge about data fiduciaries and data processors who have access to their data, and the details of shared data. Individuals can also request corrections or the deletion of their data. Furthermore, they have the right to seek redress for grievances and can nominate representatives to access their data.
Obligations of Data Fiduciaries
Entities collecting personal data, termed data fiduciaries, are tasked with specific responsibilities under the DPDP Act. These include maintaining data security, ensuring data accuracy, reporting data breaches to the Data Protection Board of India, erasing data upon consent withdrawal or the fulfillment of the specified purpose, appointing data protection officers, and establishing grievance redress mechanisms. For data collected from children or minors, parental or guardian consent is mandated, and stringent prohibitions are placed on tracking, behavioral monitoring, and targeted advertising directed at this demographic.
Exemptions from Obligations
The DPDP Act offers exemptions from certain rules and requirements. These exemptions encompass cases where consent and notice requirements do not apply, as well as cases in which data fiduciaries are not bound by specific obligations. These exceptions are pertinent in legal contexts, court proceedings, and cases involving non-Indian residents’ data. Furthermore, specific activities are entirely exempt from the purview of the Act, particularly those serving India’s sovereignty, security, and public order, and activities related to research or statistical purposes. The Act also grants the government the power to introduce additional exemptions, which has raised concerns due to the broad discretion it holds in this regard.
The DPDP Act significantly alters the regulatory framework for data protection. Instead of the independent regulatory agency proposed in the 2019 bill, the 2023 Act establishes the Data Protection Board. This board, in contrast to its predecessor, does not function as a regulatory entity and has a narrower mandate. Its primary focus revolves around the prevention of data breaches, the investigation of data-related issues, and the imposition of penalties for non-compliance with the law. Notably, the government appoints board members, and their terms and conditions of service are determined by government rules. The board is authorized to impose substantial monetary penalties, with appeals directed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Additionally, the Act introduces a novel provision, Section 37, allowing the government to block public access to information that facilitates data fiduciaries in offering goods or services in India, subject to specific conditions and after providing the data fiduciary an opportunity to be heard.
Under the Act, the central government possesses substantial authority to formulate rules for the law’s implementation, encompassing vital areas like consumer notifications, the operations of consent managers, reporting data breaches, obtaining parental consent for processing children’s data, and establishing procedures for the Data Protection Board (DPB). While these powers are considerable, they are notably less stringent than those initially proposed for the now-replaced Data Protection Authority (DPA) in the 2019 bill. This judicious approach fosters increased adaptability and ingenuity within India’s technological landscape compared to the previously envisioned rigorous regulatory framework.
Moreover, the development of regulations will be influenced by the DPB’s decisions when initiating investigations into regulated entities. These decisions, contributing to the establishment of principles in data privacy regulation, will serve as a guide for businesses in adhering to DPDP Act compliance. The composition and qualifications of DPB members conducting investigations become crucial for ensuring effective implementation. However, addressing the law’s deficiencies in this area necessitates the government’s adoption of best practices in appointments and selections.
The next important aspect is the DPB’s authority to issue directives under the law, which currently lacks specific guidance on procedural rules, presenting challenges in terms of imposing compliance costs. The trajectory of these regulatory pathways, along with the broader imperatives of sovereign control over data, will profoundly influence India’s technology markets and policies related to data. It is paramount for the central government to integrate best practices and address concerns about sovereignty and security in determining the impact of the DPDP Act on the continually evolving data protection regulatory landscape in India.
It is a topic of discussion whether the 2019 bill provided superior privacy protection compared to the new Act. However, since the current form of the law imposes a lower financial cost on businesses than the 2019 bill, it is seen as more pragmatic and practical. In some instances, though, its practicality might go too far, potentially risking privacy interests. The fact that the central government has broad power to decide important issues means that the government’s commitment to protecting privacy will play a big role in how the law actually works.
Posted on 25 December 2023