In a world where data is often referred to as the new oil, the Digital Personal Data Protection Act (DPDPA), 2023, passed by the Indian Parliament, represents a significant step towards protecting the private data of Indian citizens. This Act, receiving presidential acceptance on August 12, 2023, establishes guidelines for data processing, consent management, and charges strict penalties for non-compliance.
The Digital Personal Data Protection Act 2023, a landmark legislation passed by the Indian Parliament, embodies a commendable and forward-thinking approach to safeguarding personal data in the digital age. It reflects a deep understanding of the importance of data privacy in an increasingly interconnected world. This Act, which has garnered presidential acceptance, is a testament to India's commitment to protecting the rights and freedoms of its citizens in the digital realm. By establishing comprehensive guidelines for data processing, ensuring informed consent, and imposing stringent penalties for non-compliance, the DPDPA sets a new standard for data protection. It is a significant achievement that underscores India's role as a leader in digital innovation and governance, serving as a model for other nations to follow in the quest to balance technological advancement with the fundamental right to privacy.
Key Characteristics of the DPDPA, 2023:
- The Act defines the 'Data Principal' as the individual to whom personal data relates, where ‘individual’ also refers to – (i) children, including the parents and lawful guardians of the child; (ii) persons with disabilities, including their lawful guardian acting on their behalf.
- It aims to ensure that the consent of the Data Principal is explicitly obtained and that this consent is properly informed.
- The purpose of processing data is clearly defined, restricting Data Fiduciaries from processing data for purposes other than those specified. In the DPDPA, a ‘Data Fiduciary’ is defined as any person who – either alone or in conjunction with other persons – determines the purpose and means of processing personal data.
- The Act mandates the establishment of the Data Protection Authority to administer its implementation, with a consent manager registered with the Board to act as the singular point of contact for the Data Principal.
Obstacles and Criticisms:
- There are concerns that the law may be used as a tool to undermine informational independence and privacy.
- The distinction between personal data and sensitive personal data has been blurred, raising questions about appropriate protection for sensitive data.
- Critics argue that the law provides broad exemptions for administrative data processing, potentially normalizing unwarranted data collection.
- The Act has been critiqued for potentially hampering press freedom with concerns about the lack of exemptions for journalists and the impact on the Right to Information Act.
- The composition and independence of the Data Protection Board have been questioned, as its members are appointed by the Union government.
Implications for Society and Technology:
- The Act's implementation could affect investments in India's technology sector, challenging companies that process data extensively.
- It does not stop the government from mandating linking Aadhaar to create comprehensive profile databases, nor does it restrict the sharing of data with other monitoring institutions.
- There are concerns about the unrestricted use of facial recognition and biometric technologies, and the collection of health data during health emergencies.
Authors’ Suggestions:
- Revise Definitions: Clarify and refine definitions within the Act, particularly the distinction between ‘personal data’ and ‘sensitive personal data’, to provide clear and unambiguous protection for all categories of data.
- Secure Press Freedom: Incorporate provisions to safeguard press freedom and journalistic activities, including exemptions and protections for journalists to perform their vital role in a democratic society.
- Independent Board Appointments: Consider reforms to ensure the independence of the Data Protection Board, potentially involving independent bodies in the appointment process.
- Iterative Amendments: Establish a framework for iterative amendments, allowing the Act to evolve in response to technological advancements and emerging challenges.
Conclusion:
The Digital Personal Data Protection Act, 2023, has undergone an arduous journey of debate and adaptations. While it marks the beginning of the fight for data privacy in India, especially in the context of India's digital advancements, it is not without its concerns. The Act's ambiguity regarding data transfer between fiduciaries and impact on press freedom and information access highlight the need for thorough consideration and potential revisions. As the Act is supposed to be implemented in phases, it is important to observe how it progresses and addresses the challenges and concerns raised by stakeholders.
References:
Authors:
Palakshi Nerkar, Jeet Sawardekar