Introduction
Personal data is the information through which an individual can be identified, either directly or indirectly, as that information is connected to a person. Personal data is considered sensitive information that must be protected; otherwise, it can be used to harm an individual physically, mentally, or financially. With the advancement of technology, the threat of breaches of personal information has become a major concern. To protect the right to privacy of an individual, it is essential to have legislation to regulate and penalize violations of privacy. In 2016, the European Union adopted the General Data Protection Regulation, which came into effect in 2018. In 2023, India became the 137th country to enact personal data protection legislation. The Digital Personal Data Protection Act, 2023 (DPDP ACT), is a notable piece of legislation in India aimed at protecting digital personal data and penalizing its violation.[1]
Development Of DPDP in India
In 2017, the Supreme Court of India gave a landmark decision on the Right to Privacy in Justice K.S. Puttaswamy v. Union of India, holding privacy to be a fundamental right under Article 21 of the Constitution. Thereafter, the B.N. Srikrishna Committee was constituted to prepare a report on digital personal data protection. However, it was not the first committee to suggest a privacy law; in 2012, the A.P. Shah Committee was the first to recommend legislation for the protection of an individual’s privacy. The recommendations of the Srikrishna Committee were referred to a Joint Parliamentary Committee, where almost eighty amendments were suggested. Thereafter, in 2023, the Digital Personal Data Protection Act, 2023, was enacted.[2]
Kinds Of Data
The DPDP ACT covers digital data, personal data, non-personal data, and critical data.
- Information collected and stored in electronic form is digital data.
- Any information through which an individual can be identified, such as name, address, phone number, credit information, etc., is personal data.
- Non-personally identifiable information is non-personal data.
- Information that is vital for the operation, process, or reputation of an organization, individual, or government is critical data.
Applicability Of DPDP Act
The DPDP ACT applies to all kinds of data collected in electronic form and to any information that is collected offline but stored in digital form. The Act’s jurisdiction is not restricted to data collected in India; it also covers processing outside India if that processing is for offering goods and services in India.[3]
Data localization – Data localization means that the information or data collected will be stored in that place only. The DPDP ACT does not explicitly mandate data localization; however, it restricts the transfer of personal data collected in India to any restricted country under Section 16 of the Act.[4]
Data sovereignty – Data sovereignty means that the laws of the place where the information is collected will apply to such data. Any personal data collected in India will therefore be subject to Indian laws.
Data Fiduciary And Data Principal
There are two players in the DPDP ACT: the data fiduciary and the data principal. Data fiduciaries are those who collect the data; they can be individuals, companies, or governments. Data principals are those whose data is collected by data fiduciaries.
Data fiduciaries play an essential role in the collection and storage of digital personal data. Chapter 3 of the DPDP ACT deals with the obligations of data fiduciaries. The following are the duties or obligations of data fiduciaries:
- Data fiduciaries can collect data only for legitimate purposes and shall use it for lawful purposes only. Data fiduciaries shall use the collected data only for those purposes for which it was collected; they can use the data for other purposes if the data principal has consented to the same.
- Data fiduciaries can retain data for 3 years, and thereafter, it must be erased. Before erasing it, they must inform the data principal within 48 hours that they are erasing their information.
- It is the duty of data fiduciaries to protect the personal data of data principals, and in case of any data breach or hacking, the fiduciaries shall inform the data principals and the data protection board.
- The data fiduciary shall obtain the consent of a parent or guardian in the case of children or any person with a disability.[5]
SIGNIFICANT DATA FIDUCIARY – A significant data fiduciary is one who collects a high volume of data.
DATA PROTECTION IMPACT ASSESSMENT – Data protection impact assessment is a duty of data fiduciaries to provide a report on how the data collected will impact the privacy of data subjects.
Following are the rights of data principals:
- The data principals can at any time demand that the data fiduciaries erase their information, correct data, or alter or modify data.
- Data principals have the right to access their information and be informed in case their personal data is hacked.
- Data principals have the right to be informed about the transfer of their data, for what purpose it is used, etc.
- Data nomination – A data principal can nominate someone to control the principal’s data in the case of the data principal’s death or incapacity.[6]
Following are the obligations of data principals:
- The data principal shall not impersonate another person while providing information to the data fiduciary.
- It is the obligation of the data principal not to suppress any material information.
- The data principal shall not register false or frivolous grievances or complaints with a data fiduciary or the Board.[7]
Data Protection Board
The central government will establish a data protection board for monitoring, providing directions to data fiduciaries and principals to comply with rights and obligations, and may impose fines in case of default.[8]
Composition – The Board shall have a chairperson and such other members as the government deems fit, and at least one of them should be an expert in the field of law.[9]
Qualification – The members of the Board should have special knowledge or practical experience in the field of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, etc.[10]
Functions and powers of the Board – The primary aim of the Data Protection Board is to monitor the functions of data fiduciaries, give directions to data fiduciaries and principals to comply with their rights and duties, impose penalties in case of personal data breaches, and address complaints by data principals against data fiduciaries and the government.[11]
Appeal – Any person aggrieved by a decision of the Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).[12]
Penalties
The Board can impose the following penalties on the defaulter:
- The Board can impose a penalty of up to two hundred fifty crore rupees on a data fiduciary who breaches the obligation to safeguard against data breaches.
- The Board can impose a penalty of up to two hundred crore rupees if a data principal fails to comply with their duties and if a data fiduciary fails to comply with the obligations regarding children and persons with disabilities.
- A significant data fiduciary will be penalized up to one hundred fifty crore rupees if it fails to comply with its duty to carry out a data protection impact assessment.
Criticisms of the DPDP Act
The DPDP ACT is a vital step taken by the legislature in this era of technology. Protecting personal data from breaches and preventing its misuse is a major concern. However, despite being crucial legislation, it has several shortcomings. Critics argue that in this social media era, users publicly post their photos and personal details such as name, address, email, professional life, etc., but this Act does not provide any protection for such personal information published publicly by the users themselves. This Act prevents the data fiduciary from disclosing any personal data to third parties, which leads to a lack of transparency and accountability. Under the Right to Information Act, 2005, the citizens of India have the right to information, and the DPDP ACT is inconsistent with the RTI Act.
Critics also argue that the government has control over personal data, which increases the risk of state surveillance over the personal data of its citizens. There are exemptions allowing the government and its agencies to access personal data for the purposes of security, public order, prevention and investigation of offences, and enforcement of legal rights and claims. The Board established under this Act is also regulated by the government, which limits the independent functioning of the Board.
Incidents Of Data Breach In India
The breach of personal data is not a rare phenomenon in the current scenario; there have been various infamous data breaches that put physical and mental health as well as financial security at high risk. In October 2020, the Bigbasket data breach took place, in which over 20 million customers’ personal data was leaked. Similarly, the Unacademy, Domino’s India, and Air India data breaches posed security threats to their customers.
Conclusion
The Digital Personal Data Protection Act, 2023, is a significant step towards protecting individuals’ personal data in India. It outlines the rights and obligations of data principals and fiduciaries, establishes a Data Protection Board, and imposes penalties for non-compliance. However, critics argue that the Act has shortcomings, such as a lack of transparency, the potential for state surveillance, and inconsistencies with existing laws. Despite these limitations, the Act aims to safeguard personal data and promote responsible data handling practices. As technology continues to evolve, it is crucial to refine and update the Act to address emerging challenges and ensure effective protection of individuals’ rights.
[1] Mark Nicholls, What is ‘personal data’ and why is it so important to keep it safe?, Redscan (Oct. 10, 2023), https://www.redscan.com/news/personal-data-important-keep-safe/.
[2] Data protection laws in India, Data Protection Laws of the World (Jan. 6, 2025), https://www.dlapiperdataprotection.com/?t=law&c=IN.
[3] Anirudh Burman, Understanding India’s new data protection laws, Carnegie Endowment for International Peace (Oct. 3, 2023), https://carnegieendowment.org/research/2023/10/understanding-indias-new-data-protection-law?lang=en&utm_source=chatgpt.com.
[4] Ibid.
[5] Ibid.
[6] Ibid.
[7] Ibid.
[8] Digital Personal Data Protection Act, 2023, § 18.
[9] Digital Personal Data Protection Act, 2023, § 19(1).
[10] Ibid., § 19(3).
[11] Ibid., § 27.
[12] Ibid., § 29.
Author: Sweta Pathak is a B.A. LL.B (Hons) 5th year student at S.S. Khanna Girls’ Degree College, Prayagraj.