Digital rights and privacy in India reached a new milestone with the Digital Data Protection Act 2023 (DPDP). Personal data has become precious in our digital age. From online shopping to social media, our data is gathered, processed, and shared without our consent. Governments worldwide have started passing data protection laws to protect digital identities. Digital Personal Data Protection Act 2023 is one key endeavor.
I. Understanding the Digital Personal Data Protection Act 2023 (DPDP)
- Data Fiduciary:
- A Data Fiduciary is an entity that determines the purpose and means of processing personal data. This can be an organization, government agency, or any other entity that collects and processes personal data.
- Data Principal:
- A Data Principal refers to the individual to whom the personal data belongs. In other words, it’s the person whose data is being collected and processed.
- Data Processor:
- A Data Processor is a third-party entity that processes personal data on behalf of the Data Fiduciary. They act under the instructions of the Data Fiduciary and might include service providers, cloud platforms, or other entities involved in data processing.
- Consent Manager:
- The Consent Manager is responsible for managing and recording user consent for data processing activities. They ensure that Data Principals provide informed and explicit consent for their data to be processed.
- Data Protection Officer (DPO):
- A Data Protection Officer is an individual appointed by the Data Fiduciary to ensure compliance with data protection laws. The DPO monitors data processing activities, provides guidance, and acts as a point of contact for Data Principals and regulatory authorities.
- Children’s Data:
- Children’s Data refers to the personal data of individuals under a certain age (usually minors). Special provisions are often in place to protect the privacy and rights of children’s data.
- Significant Data Fiduciary:
- A Significant Data Fiduciary is a Data Fiduciary that meets certain criteria specified in the DPDP Act. These criteria might include factors like the volume of data processed, the sensitivity of the data, and the potential risk to Data Principals’ rights.
- Data Protection Impact Assessment (DPIA):
- A DPIA is an assessment conducted by a Data Fiduciary to evaluate the impact of a particular data processing activity on individuals’ privacy and rights. It helps identify and mitigate potential risks.
- Personal Data Breach:
- A Personal Data Breach refers to a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
Key Definitions for DPDP Act
The terminology used in India’s data privacy legislation may not always conform to other international rules, even if many of its concepts and requirements are the same as those in the GDPR. India’s bill refers to specific individuals as “data principals” rather than the more common “data subject” wording used in Europe and the United States.
Similar to the GDPR, it refers to businesses as “data fiduciaries” and “significant data fiduciaries” (SDF) rather than “data processors” and “data controllers” respectively. The fact that DPDP does not discriminate between different levels of personal data is another significant departure from the majority of the legislation being released globally.
Applicability of DPDP
The processing of digital personal data is covered by the new law’s application threshold if it is associated to activities related to “offering of goods or services to data principals within India,” including processing of digital personal data extraterritorially outside of India. Since it does not distinguish between public and private enterprises, each will be equally covered.
It is also significant to note that neither term explicitly mentions residents or citizens, leading some to believe that the legislation also applies to foreigners who are present in India. This would resemble the extraterritorial application of the GDPR.
India’s data privacy legislation does not impose any restrictions on data flows to other nations, in contrast to the GDPR. Contrast this with the overwhelming majority of current data privacy laws, which often state that only nations with sufficient data protection procedures in place can accept data transfers.
DPDP only includes digital data and data that has been converted to digital form (personal information that was originally written down but later typed up and preserved in some way online). The law does not specify a minimum amount of processed data or the number of persons for whom it must be processed, thus if a firm processes personal data about customers in India or in connection with the sale of goods there and is not specifically excluded, it must abide by the DPDP.
The following data rights are provided under India’s data privacy law:
- The right to get information about personal data processed
- The right to have data corrected and erased
- The right to withdraw consent at any time.
- The right to redress of grievances
- The right to appoint someone to exercise rights in the event of death or incapacity.
There is no right to data portability, no right to object to processing on grounds other than permission, and no right to be subject to exclusively automated decision-making.
Protections against targeted advertising and automated decision-making are only extended to children, who are defined as anybody under the age of 18 in this context (as opposed to the GDPR’s 16-year-old definition). Parental approval is required before processing a known child’s data, the same as it is under other privacy regulations.
India established the Data Protection Board of India (DPB) to implement the Digital Personal Data Protection Act. While the DPB will not have the legislative ability to change the rule, it will be able to sanction both data fiduciaries and data principals.
While data privacy experts in India do not anticipate the DPB issuing sanctions in the near future until the Board takes shape, the lack of a precise enforcement date complicates matters. The fines range is likewise extremely broad. Fines for violations with the DPDP now range from $120 USD to almost $30 million USD.
Analysis of the Key Issues
- If the government is not required to process data for reasons like national security, it may gather, process, and keep more data than it needs to. This could go against the basic right to privacy.
- The Bill doesn’t say anything about how risks of harm from handling personal data should be dealt with.
- The Bill does not give the data owner the right to transfer data and the right to be ignored.
- Personal information can be sent outside of India, but only to countries that the central government has approved. This mechanism might not give a good enough look at the data protection rules in places where personal data can be sent.
II. Real-World Examples: Why the Act Is Essential
- Cambridge Analytica Scandal (2018): While this was a global incident, it had implications in India. It was revealed that the personal data of millions of Facebook users, including Indians, had been improperly harvested and used for political purposes without their consent. This sparked debates about data privacy and protection in India.
- Dominos India Data Breach (2020): In March 2020, the data of around 18 crore (180 million) orders placed on the Dominos India website was reportedly breached. This breach included sensitive customer information such as names, phone numbers, and delivery addresses.
- LIC Data Breach (2020): The Life Insurance Corporation of India (LIC) faced a data breach in June 2020, which compromised the personal data of millions of its customers. This breach exposed policyholder information, including their names, dates of birth, and policy details.
- Zee5 Data Breach (2019): In February 2019, the Indian streaming service Zee5 suffered a data breach where the personal information of over 150,000 users was exposed. The breach included names, email addresses, and device information.
III. Comparison with GDPR
The Information Technology Act 2000 was enacted to facilitate e-commerce and provide legal recognition to electronic documents. However, it lacks specific provisions for comprehensive data protection. Let’s compare some key aspects of both acts:
Scope and Applicability:
GDPR: The GDPR applies to the processing of personal data of individuals within the EU, regardless of the location of the data controller or processor.
DPDP Bill: The DPDP Bill applies to the processing of personal data of individuals within India, as well as the processing of personal data by data fiduciaries located outside India, if they are targeting individuals in India.
GDPR: The GDPR defines terms such as data subject, data controller, and data processor.
DPDP Bill: The DPDP Bill introduces its own definitions, including data principal (similar to data subject), data fiduciary (similar to data controller), and data processor.
GDPR: The GDPR emphasizes the importance of obtaining freely given, specific, informed, and unambiguous consent from data subjects for processing their personal data.
DPDP Bill: The DPDP Bill also requires data fiduciaries to obtain consent from data principals for processing their personal data, but it provides additional provisions for certain exemptions and conditions for valid consent.
Rights of Individuals:
GDPR: The GDPR grants individuals various rights, including the right to access their personal data, the right to rectify inaccurate data, the right to erasure (right to be forgotten), and the right to data portability.
DPDP Bill: The DPDP Bill also grants similar rights to individuals, including the right to confirmation and access, the right to correction, the right to erasure, and the right to data portability.
GDPR: The GDPR does not have specific requirements for data localization.
DPDP Bill: The DPDP Bill introduces provisions for data localization, requiring certain categories of personal data to be stored and processed only in India.
Penalties and Enforcement:
GDPR: The GDPR imposes significant fines for non-compliance, with penalties of up to 4% of the global annual turnover or €20 million, whichever is higher.
DPDP Bill: The DPDP act includes provisions to penalize private and government entities up to ₹250 crore per instance for data breaches.
IV. Ending Remarks
The Digital Personal Data Protection Act of India establishes a framework for the management of electronic personal data and defines the rights and obligations of individuals and organizations involved in overseeing such data. The main provisions of the law consist of prerequisites for acquiring consent for data processing, the privileges of individuals to reach and manage their personal information, responsibilities for data trustees to handle data responsibly, and the creation of a regulatory entity for supervision and implementation.
The legislation aims to find a middle ground between safeguarding personal privacy and facilitating legal data handling for diverse objectives. The instances we’ve examined illustrate that the requirement for strong data-safeguarding measures is increasingly crucial. In the end, the Digital Individual Information Security Bill 2023 is a move in the correct path to find a middle ground between advancement and confidentiality in the digital age.