Active internet users in India exceed 760 million, which makes the country the second-largest internet market globally. Before 2022, India had no detailed privacy law for organizations to follow. The Supreme Court of India recognized the right to privacy in a 2017 verdict, and in August 2023 the Digital Personal Data Protection (DPDP) Act was passed by the Indian Parliament.
The DPDP Bill was introduced in 2022, and by August 2023 it had been amended and passed by both houses of the Indian Parliament. However, its provisions have not yet been brought into force. The Indian DPDP Act resembles the European Union's General Data Protection Regulation (GDPR), although it differs in its exemptions and gaps.
This article provides a comprehensive view of the Digital Personal Data Protection Act, covering the responsibilities of consumers and organizations, the penalties it carries, and the changes its implementation brings.
What is India's Digital Personal Data Protection (DPDP) Act?
The Digital Personal Data Protection Act, 2023 is a milestone in India's move toward securing data with robust privacy regulation. The Act is intended to set the direction for the management of digitized personal data, creating both obstacles and opportunities for enterprises operating within its jurisdiction.
The digital sphere in India is expanding rapidly, and the Digital Personal Data Protection Act was introduced to ensure the privacy and security of each individual's data. The Act sets out the legislative and regulatory steps taken to secure people's data.
The Act lays down structured rules for collecting, processing, storing, and sharing personal data by entities within India. It is India's most sophisticated attempt at a detailed data privacy law, following the Personal Data Protection Bill (PDPB) 2022, which was part of a group of legislation comprising the National IT Governance Framework Policy and a new Digital India Act.
The PDPB 2022 focused on "providing for the processing of digital personal data in a manner that recognizes the right of individuals to protect their data and the need to process personal data for lawful purposes", according to the draft legislation.
A Brief History of India’s Privacy and Personal Data Protection Laws
Following the Right to Privacy verdict of the Supreme Court of India in 2017, the Indian government produced draft legislation intended to safeguard the privacy of Indians. The early versions of the Personal Data Protection Bill received substantial review and eventually failed, including the Data Protection Bill 2021, which bore some resemblance to the European Union's General Data Protection Regulation but was withdrawn in August 2022.
On November 18, 2022, the Ministry of Electronics and Information Technology proposed the Digital Personal Data Protection Bill 2022, intended to replace parts of existing law (Section 43A of the IT Act) and the SPDI Rules.
Key Terms & Provisions Of The Indian Personal Data Privacy Law
The Digital Personal Data Protection Act is a significant legislative step focused on protecting individual privacy rights. The DPDP Bill went through 81 amendments after its introduction, resulting in a comprehensive revision into its current form. The key terms and provisions of the DPDP Act, 2023 are the following:
Data fiduciary: A person or organization that, alone or together with others, determines the purpose and means of processing personal data. This role is termed a data controller under some other laws.
Significant data fiduciary: A class of data fiduciaries whose processing activities have wider societal and national implications, judged by factors such as the volume and importance of the data involved, its potential impact, and its effect on India's reputation globally.
Data processor: An individual or enterprise that processes digital personal data on behalf of a data fiduciary.
Data principal: Also known as a data subject, this is the individual whose information is being processed, or the guardian acting on that individual's behalf. For instance, if the data is that of a child, the information will be managed by their parents, who are considered the data principals.
Consent manager: A person registered with the Data Protection Board who acts as a single point of contact, enabling the data principal to give, manage, review, and withdraw consent through a transparent and easily accessible platform.
Responsibilities of Data Principals and Organizations
The DPDP Act imposes obligations on organizations processing personal data, including:
Consent must be obtained from the individual before any of their personal data is processed, unless an exemption applies.
Personal data may not be used for any purpose other than a legitimate one, and the individual's consent must be obtained before the data is used.
Appropriate care must be taken of personal data acquired from individuals to protect it from unauthorized access, alteration, misuse, or damage.
Individuals' requests for changes to their data must be addressed promptly, within a set time limit.
Organizations are responsible for reporting any data breaches to the Data Protection Board (DPB) within 72 hours of becoming aware of them.
Additional Responsibilities for Organizations
In addition to the above obligations, organizations that process data can take the following steps to better prepare for compliance:
Data processing activities must be monitored continuously to ensure that any changes comply with the DPDP Act.
Organizations are required to build a dynamic data protection policy.
The data protection policy should state the organization's commitment to protecting personal data and outline its data processing practices.
Organizations that process personal data on a large scale need to appoint a data protection officer (DPO), who will be in charge of reviewing the organization's compliance with the DPDP Act.
An independent auditor should be appointed to conduct regular audits and ensure that compliance is maintained.
Penalties for Noncompliance
The DPDP Act defines a personal data breach as "any unauthorized processing of personal data or disclosure of data by error, acquisition, sharing, change, damage or loss of access to personal data that exposes the confidentiality, integrity, and accessibility of personal data."
Violating the DPDP Act's regulations could result in fines of up to INR 250 crore (approximately $30 million), so minimizing the risk of a data breach is essential. The penalty is, however, less stringent than in the 2022 draft legislation, which proposed a fine of up to nearly INR 500 crore (approximately $61 million).
The Act specifies penalties for different types of infringements or violations.
Raising The Benchmark Of India’s Data Protection Rules
The DPDP Act resembles the EU's GDPR, establishing India's stance on data security globally.
Data requests: Both the DPDP Act and the GDPR specify fines for violating the rights that give a person (the data principal) the ability to request access to their data, request corrections, and request removal of data that is no longer needed.
Personal data protection: Safeguarding personal data is mandatory under both the DPDP Act and the GDPR, although the two differ in how they define the protection of various types of data.
Breach notification: In the event of a data breach affecting personal data, both parties, the individual and the organization, should be notified on a priority basis.
Tracing the Evolution of the Debate on the Legislation
The DPDP Act takes a markedly different approach to data protection from the 2018 and 2019 draft bills introduced in Parliament. The shift first appeared in the November 2022 draft bill and has been refined in the 2023 law.
The Data Protection Board is responsible for administering and enforcing the DPDP Act, but the Central Government holds the major authority. The Act sets out the circumstances in which data principals may register complaints about the processing of personal data and about breaches, how such complaints are to be handled, who is authorized to handle them, and the penalties to be imposed for violations.
Conclusion
The DPDP Act is the product of more than five years of debate and deliberation. It establishes a firm stand on personal data protection regulation. These regulatory developments, and the new Acts enacted to protect data, will shape the structure of personal data privacy and the level of protection delivered in the coming years.
The government's efforts to ensure data privacy protection in the country are commendable, considering the pace it must keep with data breaches that are rising at a higher rate. The government is adjusting its approach to data privacy as new forms of data breach are identified. However, the current version of the law imposes lower fines than the initial version, and this is taken as a positive sign.
A notable share of discretionary power rests with the central government, meaning that much depends on how closely the government stays focused on and bound to data privacy.
About The Author
Amit Chahal, co-founder and Head of Data Science at Sign3, brings over a decade of experience in machine learning and financial fraud solutions, transforming how businesses safeguard against risks.