
Data Protection and Privacy in India: A Critical Analysis of the Digital Personal Data Protection Act 2023

Authored By: Adarsh Saji

Parul Institute of Law, Parul University

ABSTRACT

The growth of digital technologies has radically changed the manner in which personal data is gathered, processed, and used around the world. Personal data has become essential to governments, corporations and digital platforms in order to deliver services, create technologies and drive economic progress. In India, rapid digitalization has been driven by initiatives such as Digital India, Aadhaar-based services and the growth of online commerce platforms, which generate enormous amounts of personal information that are processed on a daily basis. Although this technological progress has many advantages, it also raises grave concerns about privacy, surveillance, data breaches and the misuse of personal information. The Supreme Court of India, in Justice K.S. Puttaswamy (Retd.) v. Union of India, recognized privacy as a fundamental right, establishing the constitutional basis for a comprehensive data protection framework. In response to these developments, the Indian Parliament enacted the Digital Personal Data Protection Act, 2023 (DPDP Act). The law aims to regulate the handling of digital personal data and to strike a balance between individual privacy and legitimate governmental and business interests. This paper is a critical analysis of the history of data protection legislation in India and an assessment of the main provisions of the Digital Personal Data Protection Act, 2023. It considers the rights of individuals, the obligations of organizations, the regulatory structures created by the Act, and the issues surrounding implementation. The paper also compares the Indian framework with other global frameworks such as the General Data Protection Regulation (GDPR) of the European Union.

The paper concludes that although the DPDP Act is a remarkable step for Indian privacy law, a number of issues with its structure and regulation still need to be resolved to ensure that personal information is properly protected in the digital era.

KEYWORDS

Informational Privacy, Data Protection, Data Governance, GDPR, Cyber Law, Digital Personal Data Protection Act 2023, Data Privacy, Data Protection Law, Data Protection Regulation, Privacy Law, Digital Rights.

INTRODUCTION

The digital revolution has brought drastic changes to modern societies, making communication easier and supporting good governance and technological advancement. The proliferation of smartphones, social media applications, cloud networks and electronic payment systems has led to a massive growth in the volume of personal data gathered and processed. Personal data encompasses a diverse range of information, including names, identification numbers, location information, financial information and digital identities. Such information has become a highly valued asset for both governments and corporations in the modern digital economy.

Nevertheless, the rapid development of digital technologies has also created new threats: privacy breaches, unauthorized surveillance, data breaches, and identity theft. People tend to post a great deal of information about themselves on the internet without knowing how their data will be used or stored. Organizations often gather data for targeted advertising, analytics, and commerce. Governments gather information for administrative, welfare, and security purposes. These developments have raised serious concerns about safeguarding personal privacy and constraining data processing practices.

The protection of privacy acquired constitutional significance in India with the milestone Supreme Court case of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017). The Court held that the right to privacy is a fundamental right safeguarded by Article 21 of the Constitution. This ruling established that individuals are entitled to control how their personal information is disseminated and used. The ruling also noted that the state needs to develop legal protections to secure informational privacy.

There was no detailed data protection law in India before the Digital Personal Data Protection Act, 2023 was enacted. Information privacy was mainly regulated by provisions of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These provisions were narrow in scope and could not adequately address the complexities of today's digital ecosystem. Recognizing the need for comprehensive regulation, the Government of India put forward several draft data protection bills over the years. The Digital Personal Data Protection Act, 2023 was eventually passed after a long period of discussion and legislative work. The Act is designed to regulate the handling of digital personal data while allowing individuals to retain control over their personal information.

EVOLUTION OF DATA PROTECTION LAW IN INDIA

Historically, India has taken a gradual route in formulating its data protection law, shaped by technological change and judicial intervention. One of the first pieces of legislation to deal with cyber-related problems in India was the Information Technology Act, 2000. Section 43A of the Act made corporate entities liable for negligence in exercising reasonable care when keeping sensitive personal data. Subsequently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, were issued to govern the manner in which companies collect and process sensitive personal data. These rules defined sensitive personal data to cover financial details, passwords, health records and biometric details. However, the rules applied only to corporate entities and did not create a full framework for privacy protection.

Privacy jurisprudence in India took a new turn with the verdict of the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India. In this historic case, a nine-judge bench of the Supreme Court unanimously decided that the right to privacy is a fundamental right rooted in the right to life and personal liberty under Article 21 of the Constitution. The Court stressed that privacy also covers informational privacy, which means that a person has a right to control his or her personal information.

After this decision, the Government of India formed the Justice B.N. Srikrishna Committee to review matters concerning data protection and recommend a legislative framework. India's modern data protection law is based on the committee's report, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians. The committee also proposed the Personal Data Protection Bill, which subsequently became the Digital Personal Data Protection Act, 2023.

KEY CONCEPTS UNDER THE DIGITAL PERSONAL DATA PROTECTION ACT

The Digital Personal Data Protection Act introduces a number of major concepts that form the basis of the Indian data protection regime.

Personal Data means information relating to a person who can be identified by that information. This covers direct identifiers, such as names and identification numbers, and indirect identifiers, such as location data and online identifiers.

The Act introduces a new term, Data Principal, defined as the person to whom the personal data relates. The Act grants the Data Principal a number of rights in order to retain control over personal information.

Another concept is that of a Data Fiduciary. A Data Fiduciary is any organization or person that determines the purpose and means of processing personal data. This includes businesses, government entities, and online websites that gather and store personal data.

A Data Processor is a party that processes personal data on behalf of a Data Fiduciary. Data Processors are normally organizations that offer technological or operational assistance to organizations that process personal data.

INFORMED AND VOLUNTARY PROCESSING OF PERSONAL DATA

The regulatory framework of the DPDP Act puts consent in the spotlight. The Act first stipulates that personal data must be processed with the free, informed, specific and unambiguous consent of the Data Principal. Individuals should be given clear information on the purpose of collecting data, what kinds of data are being handled and what their rights are under the law. Another concept established in the Act is deemed consent. Under this provision, personal data can be used without the individual's express consent in some cases, namely the performance of state functions, the fulfillment of legal requirements, medical emergencies, and employment-related matters. Although deemed consent is seen as efficient for governance and administration, critics believe that an excessively broad interpretation can undermine the protection of individual privacy.

RIGHTS OF DATA PRINCIPALS

The Digital Personal Data Protection Act provides a number of meaningful rights to citizens. These rights are expected to empower individuals and enhance transparency in the processing of personal data. One of the important rights is the right to access information about how personal data is being processed. Users can request details of the type of data gathered and the persons with whom the data has been shared. Another is the right to correction and erasure of personal data. Individuals may seek correction of inaccurate personal data, as well as deletion of data that is no longer needed for the purpose for which it was initially collected. The Act also grants individuals the right to grievance redressal. Data Principals may make a complaint to Data Fiduciaries if they think their rights have been infringed. If the complaint is not resolved satisfactorily, it may be taken to the Data Protection Board of India.

OBLIGATIONS OF DATA FIDUCIARIES

The DPDP Act places a number of requirements on organizations that handle personal data. Data Fiduciaries must take reasonable security measures to ensure that personal data is not compromised through breaches and unauthorized access. In case of a data breach, organizations must inform the Data Protection Board and the individuals concerned. Some organizations are identified as Significant Data Fiduciaries, depending on parameters including the quantity of personal data handled and the likely risk to the individual. These organizations must designate a Data Protection Officer and perform routine data protection impact assessments.

REGULATION AND ENFORCEMENT

The Digital Personal Data Protection Act establishes the Data Protection Board of India as the key authority for implementing the law. The Board is empowered to investigate data breaches, adjudicate complaints, and penalize violations with fines. Depending on the nature and magnitude of the violation, penalties under the Act can be quite extensive and even reach several hundred crore rupees. These strong penalties are meant to promote compliance and deter the abuse of personal information.

COMPARATIVE PERSPECTIVE

At the international level, the General Data Protection Regulation (GDPR) of the European Union is considered one of the most extensive systems of data protection. The GDPR ensures strong rights for individuals and sets stringent requirements for companies that handle personal data. The DPDP Act includes some principles similar to those of the GDPR, including consent-based processing of data and accountability, but is relatively weak in some aspects. However, the implementation of the DPDP Act is a significant move towards harmonizing the Indian data protection framework with international standards.

DIFFICULTIES AND FUTURE OUTLOOK

Although the Digital Personal Data Protection Act is important, there are a number of implementation challenges. One of the key issues is the extensive exemption provided to government agencies on grounds of national security and public order. Opponents believe that this form of exemption would jeopardize privacy. The other issue is the independence and efficacy of the Data Protection Board. It is important to have robust regulatory institutions that ensure compliance and safeguard individual rights. The future of data protection in India will depend on the successful implementation of the DPDP Act, constant improvement of the regulations, and awareness among businesses and citizens of their data privacy rights and responsibilities.

CONCLUSION

The Digital Personal Data Protection Act, 2023 is a landmark in Indian privacy legislation. By granting rights to individuals and imposing duties on companies, the Act tries to balance the protection of personal information against economic development and technological innovation. Nevertheless, the success of the law will ultimately be determined by how well it is implemented, the independence of the regulatory bodies, and the willingness of organizations to comply with robust data protection measures. As India's digital economy grows, a strong and clear data protection policy will be necessary to protect the privacy of individuals and ensure that people have confidence in digital systems.

REFERENCE(S):

Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.

Information Technology Act, No. 21 of 2000, § 43A (India).

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Justice B.N. Srikrishna Committee, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (2018).

Digital Personal Data Protection Act, No. 22 of 2023 (India).
