DIGITAL PERSONAL DATA PROTECTION ACT, 2023

Data privacy is vital in the digital age, because enormous amounts of personal information are gathered, processed, and shared online. It protects individuals’ privacy by preventing the misuse of sensitive data such as financial information, medical records, and personal identifiers. Effective data protection fosters trust between users and digital services, which is critical for both businesses and governments working in a data-driven economy. It also helps minimize cybercrime, identity theft, and data breaches. As digital activities become more prevalent, strong data protection protects both security and user autonomy in navigating the digital terrain. To further the needs of the current digital aged world and to deal with the issues arising out of the digitization, India came up with ‘The Digital Personal Data Protection Act, 2023 (DPDP Act).’

The Digital Personal Data Protection Act, 2023 (DPDP Act) was passed by India in August 2023 with the goal of creating a legal framework for protecting personal data in the digital age. It arose as part of India’s larger drive to address data privacy and security issues, mirroring worldwide developments such as the European Union’s GDPR. The DPDP Act superseded previous proposals, including the Personal Data Protection Bill of 2019, which underwent numerous amendments.

The landmark case which highlighted the importance of data privacy is, Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors.^[1] This case serves as the foundation for Indian ‘Right to Privacy’ doctrine. In this case, the nine-judge bench unanimously reiterated the right to privacy as a fundamental right under the Indian Constitution. The Court determined that the right to privacy was inextricably linked to the freedoms protected by fundamental rights and was an inherent part of dignity, autonomy, and liberty. Before the act, India did not have any standalone act concerning the data protection. The data protection in India earlier was regulated by Information Technology Act, 2000^[2]. Later on, a committee^[3] of experts was constituted under the chairmanship of Justice B.N. Shrikrishna to delve upon the issue related to data protection. According to the reports of the committee and its recommendation ‘the personal data protection bill,2019’ was introduced in parliament. Then the bill was referred to joint parliamentary committee and before introducing the final bill in the parliament, it was released for public consultation.

Key provisions include data processing regulations, obligations for data fiduciaries (organizations that handle data), user consent requirements, and penalties for noncompliance. The Act established a Data Protection Board to enforce compliance and specifies the conditions for data transmission beyond India.

The Bill will apply to the processing of digital personal data in India, whether it is obtained online or offline and digitised.  It will also apply to such processing carried out outside India if the goods or services are to be offered in India. Personal data may only be processed for authorized purposes with an individual’s consent.  Consent may not be necessary for certain lawful uses, such as the individual’s voluntary sharing of data or the State’s processing of permits, licenses, benefits, and services. Data fiduciaries will be required to maintain data accuracy, keep data safe, and erase data after its purpose has been fulfilled.
Individuals are granted specific rights under the Bill, including the ability to acquire information, seek rectification and erasure, and have their grievances heard. The central government may exclude government agencies from the application of the Bill’s requirements for specific reasons, such as state security, public order, and prevention of offences. The national government will establish the Data Protection Board of India to adjudicate noncompliance with the Bill’s requirements.

Prima facie the bill seems to be beneficial for India but delving deeper in the said act, there seems to be many issues which needs to be addressed. One of the major issues of the act is that there could be misuse of the provision where state is empowered to process data without adhering to any obligation provided in the provision of the act for the interest of state security and maintenance of public order. This may lead to ungoverned use of data processing beyond the level its needed. In 2017^[4] judgement of Supreme Court, the court laid down proportionality test. This test entails, the nature and extent of state interference with the exercise of a right must be proportionate to the goal it seeks to achieve i.e. the infringement of the right to privacy must be proportionate to the need of such interference. Hence, the unchecked power given to the Central government under the act, raises the question, whether it passes the test of proportionality as laid down by Supreme Court.

Another issue is that, the Bill does not address the risks of harm emerging from the processing of personal data.  The Srikrishna Committee (2018) observed that personal data processing may cause harm. Material losses, such as financial loss, as well as loss of access to benefits or services, can be considered harm. It may also include identity theft, reputational harm, discrimination, and unfair surveillance and profiling. It advocated those harms be regulated by a data protection law.

The adjudicatory body-Data Protection Board of India- is proposed to be established under the Act. While it is declared to be an ‘independent body,’ the Central Government has the authority to prescribe the membership of the Board, the method of selection, removal, terms and conditions of appointment, and services. The chairperson, members, officers, and employees of the Board are considered public servants. Furthermore, it should be highlighted that the chairperson designated to administer the Board’s business will be appointed by the Central Government, and the Central Government will set the terms and conditions of employment. As a result, the scope of the Board’s independence in light of these requirements is uncertain.

The act needs certain reformations like the exemption provided to the State for data processing for the interest of state security and maintenance of public order should not be unchecked and unregulated, there should be provisions introduced which will bring proportionality test into the act which will make it more just and fair. The act should also address the harm as mentioned by Shrikrishna Committee and incorporate provisions accordingly. Establish a more independent Data Protection Board with less intervention of central government for the appointment of the member of board to ensure impartial enforcement of data protection laws.

In conclusion, the Digital Personal Data Protection Act (DPDP) 2023 is an important step toward protecting individual privacy in an increasingly digital environment. It establishes a much-needed legal framework to govern how personal data is processed, kept, and shared while assuring user consent and accountability. To fulfill its full potential, the Act requires additional safeguards, particularly in terms of government exclusions and regulatory independence. With expanding technology and rising cyber dangers, the DPDP Act establishes the groundwork for data privacy in India, but further refinement and implementation will be critical in tackling future issues and guaranteeing strong data protection.

Reference(s):

^[1] Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2017) 10 SCC 1

^[2]  The Information Technology Act, 2000.

^[3]  ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, July 2018. 

^[4] Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2017) 10 SCC 1