Introduction

In an era defined by digital innovation and the seamless exchange of information, the need to protect individuals’ privacy and personal data has become paramount. Recognizing this, governments around the world are enacting comprehensive legislation to address these concerns. Indian lawmakers on 09.08.2023 passed a data protection law that will dictate how tech companies process users’ data amid criticism that it will likely lead to increased surveillance by the government. The law obtained the assent of the president on 11.08.2023. The Data Protection Bill of 2023 stands as a significant milestone in this endeavor, aiming to establish a robust framework for safeguarding data and ensuring digital rights for all citizens.

The Digital Personal Data Protection Act, 2023 gives the government powers to exempt state agencies from the law and gives users the right to correct or erase their personal data. The purpose of the Indian data privacy law is to restrict cross-territory data transfer (data theft by Chinese companies having been among the Government's topmost concerns over the past few years), penalize data breaches, and set out a framework for establishing a data protection body to ensure compliance.

The law even restricts companies from collecting random data unless it aligns with their business purpose. The law provides multiple rights to citizens, who, as Data Principals, are the owners of the data. It is the responsibility of whoever collects the data to ensure that the processed data is accurate and has been secured. The law states that no data can be shared unless a contract has been signed with the data fiduciaries or data processors.

Interestingly, civil courts have no jurisdiction in any case of data breach, and no injunction order can be passed by a civil court. Only the Data Privacy Board (which the Central Government will notify) will monitor compliance and can impose penalties.

DATA PROTECTION AROUND THE WORLD:

According to the United Nations trade agency UNCTAD, around 70% of countries worldwide have some type of data protection legislation. The EU’s General Data Protection Regulation (GDPR), which took effect in 2018, is billed as the “toughest privacy and security law in the world,” and is widely regarded as the global standard. Several countries, like China and Vietnam, have lately tightened regulations controlling the transfer of personal data abroad, while Australia introduced legislation in 2018 granting police access to encrypted data.

The new law applies to digital personal data within the territory of India where the personal data is collected in digital form, or in non-digital form and digitized subsequently. It also applies to the processing of digital personal data outside the territory of India if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India. The law is not applicable when personal data is processed by an individual for any personal or domestic purpose, or when the personal data is made or caused to be made publicly available.

DATA FIDUCIARY:

Data Fiduciaries are any persons, companies, and government entities who, alone or in conjunction with other persons, determine the purpose and means of processing of personal data.

The Data Fiduciary is responsible for complying with the provisions of the Act and for implementing appropriate technical and organizational measures to ensure effective adherence to them. The Data Fiduciary is also liable to protect the data in its possession; in case of any kind of breach, the Data Fiduciary shall notify the Board.

The Data Fiduciary must cease to retain personal data and shall have in place a procedure and effective mechanism to redress the grievances of Data Principals.

NOTICE AND CONSENT:

The Data Fiduciary must notify the Data Principal through an itemized notice while obtaining the data. The consent given by the Data Principal shall be free, specific, informed, unconditional, and unambiguous with clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. The contract between both should be confidential.

OBLIGATIONS IN RELATION TO CHILDREN:

To obtain the data of a child, the Data Fiduciary will have to take the consent of the child's parents. The Data Fiduciary shall not undertake processing of such data that is likely to cause harm to a child, and shall not practice tracking or behavioral monitoring of the child, or targeted advertising at children.

RIGHTS AND DUTIES OF THE DATA PRINCIPAL:

  1. Right to information about Personal Data: The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given, for processing of personal data
  2. Right to correct and erase Personal Data: The Data Principal shall have the right to correction, completion, updating, and erasure of her personal data for the processing of which she has previously given consent, in accordance with any requirement or procedure under any law for the time being in force.

A Data Fiduciary shall, upon receiving a request for correction, completion, or updating from a Data Principal: (a) correct the inaccurate or misleading personal data; (b) complete the incomplete personal data; and (c) update the personal data.

  • Right to grievance redressal: A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder.
  • Right to Nominate: The Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder.
  • Duties of the Data Principal: The Data Principal performs the following duties:
    • Duty to Comply with all the Provisions of the Act
    • Duty not to impersonate other people
    • Duty not to suppress any material information.
    • Duty not to register false or frivolous grievances or complaints with a Data Fiduciary or the Board.

DATA PROTECTION BOARD OF INDIA:

The Central Government, by way of notification, establishes a board for the purposes of this Act, to be called the Data Protection Board of India. The Board consists of the Chairperson and such number of other Members as the Central Government may notify.

The Chairperson and other Members shall hold office for a term of two years and shall be eligible for re-appointment.

POWER AND FUNCTIONS OF THE BOARD:

The Data Protection Board of India can conduct an inquiry in the following circumstances:

  1. On a complaint made by a Data Principal in respect of a personal data breach, or
  2. On a breach in observance by a Data Fiduciary of its obligations in relation to her personal data, or
  3. On a breach in the exercise of her rights under the provisions of the Digital Personal Data Protection Act 2023, or
  4. On a reference made to it by the Central Government or a State Government, or in compliance with the directions of any court.

The Data Protection Board can also impose penalties on the Data Fiduciary, as prescribed by the Act, if the Board finds it guilty.

APPELLATE TRIBUNAL

  • COMPOSITION: The Appellate Tribunal consists of a chairperson and other members appointed by the Central Government.
  • ROLE: The Appellate Tribunal is responsible for hearing appeals against orders made by the Data Protection Board or Adjudicating Officer.
  • POWERS: The Appellate Tribunal has the power to hear appeals, pass orders and initiate suo motu proceedings.

PENALTIES

If the Board determines, on the conclusion of an inquiry, that a breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty as is specified in the Schedule.

All sums realized by way of penalties imposed by the Board under this Act shall be credited to the Consolidated Fund of India.

Noncompliance and failure to take reasonable precautions to prevent data breaches can result in penalties for entities. Entities that violate the criteria can face fines of up to Rs 250 crore and a minimum of Rs 50 crore, and individuals, if found guilty, can face imprisonment of up to three years.

COUNTER ARGUMENTS:

However, it has drawn criticism from opposition lawmakers and rights groups over the scope of exemptions, including the weakening of the landmark Right to Information law, passed in 2005, that allows citizens to seek data from public officers, such as salaries of state employees. It is noted that the law specifically provides that the government cannot be sued for any breach under this law.

The Internet Freedom Foundation, a digital rights group, has also said that the law does not contain any meaningful safeguards against “over-broad surveillance”, while the Editors Guild of India has said it affects press freedom and dilutes the Right to Information law.

Deputy Minister for Information Technology Rajeev Chandrasekhar has said that the law will protect the rights of all citizens, allow the innovation economy to expand, and permit the government legitimate access in the case of national security and emergencies like pandemics and earthquakes.

STEPS INDIVIDUALS CAN TAKE TO PROTECT THEIR DATA

  • Check Privacy Settings: Review privacy settings on social media and other online platforms to ensure that data is not shared without permission.
  • Be Cautious When Sharing Data: Avoid sharing sensitive information such as banking details, passwords, and other personal information unless absolutely necessary.
  • Use Encryption Software: Encrypt emails, messages, and other communications to prevent interception and unauthorized access.

CONCLUSION AND CALL TO ACTION

  • Wrap-up: The Digital Personal Data Protection Act 2023 is a step towards securing personal data and provides a framework for businesses to comply with the law.
  • Importance of Compliance: Compliance with the act is critical for businesses to avoid penalties, maintain customer trust, and demonstrate their commitment to data protection.
  • Our Role: Let’s work together to ensure data privacy and compliance with the Digital Personal Data Protection Act 2023 in India.

Written By: Deepanshu Kaushal

Edited By: Ductus Legal
