The Digital Personal Data Protection Act (DPDPA), 2023


Index

  1. Introduction 
  2. Key Terms Defined Under The DPDP Act
  3. Innovative Aspects Of The DPDP Act
  4. Rights Under The DPDP Act
  5. Data Protection Impact Assessment (DPIA)
  6. Data Fiduciary
  7. Data Protection For Children
  8. Establishment Of The Data Protection Board Of India (DPBI)
  9. Composition And Term Of The Board
  10. Exemptions Under Section 17 Of The DPDP Act
  11. Latest Judgement
  12. Evaluating The Effectiveness Of The DPDP Act In India
  13. Critiquing The DPDP Act: Addressing Its Shortcomings
  14. Difference Between General Data Protection Regulation And DPDP
  15. Conclusion 

Introduction 

The Digital Personal Data Protection Act (DPDPA), 2023 is a landmark legislation in India that aims to protect digital personal data and give individuals enforceable rights over it. It applies to digital personal data processed within India, whether collected in digital form or collected offline and later digitised, and to processing outside India that is connected with offering goods or services to Data Principals within India. It does not apply to personal data processed by an individual for personal or domestic purposes, or to personal data that has been made publicly available by the Data Principal herself or by a person who is under a legal obligation to make it public.

Key Terms Defined Under The DPDP Act

To comprehend the DPDP Act effectively, it’s crucial to understand several key terms:

  1. Data Fiduciary: Any person or group that, independently or jointly with others, determines the purpose and method of processing personal data (Section 2(i)).
  2. Data Principal: The individual to whom the personal data pertains. For children, it includes their parents or lawful guardians, and for individuals with disabilities, it includes their lawful guardians acting on their behalf (Section 2(j)).
  3. Data Processor: Any person processing personal data on behalf of a data fiduciary (Section 2(k)).
  4. Data Protection Officer: An individual appointed by a Significant Data Fiduciary under Section 10(2)(a) (Section 2(l)).
  5. Consent Manager: A person registered with the Board who acts as a single point of contact enabling a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform (Section 2(g)).
  6. Significant Data Fiduciary: A data fiduciary or a class of data fiduciaries notified by the Central Government under Section 10 of the Act (Section 2(z)).

Innovative Aspects Of The DPDP Act

The DPDP Act stands out because it ties data protection to the fundamental right to privacy recognised by the Supreme Court. The following features distinguish it from earlier drafts:

  1. SARAL Approach: The Act is drafted as a Simple, Accessible, Rational and Actionable Law, using plain language, illustrations for clarity, minimal cross-referencing and no provisos.
  2. Empowerment of Individuals: It shifts control over personal data to the individual, who can supervise and protect how that data is used.
  3. Confidence in Data Security: By making Data Fiduciaries responsible for reasonable security safeguards and for notifying breaches, the Act aims to make processing accountable and to build trust in how data is handled.
  4. Emphasis on Consent: Consent is the primary basis for lawful processing, supplemented only by the closed list of legitimate uses in Section 7, which keeps the Data Principal in charge of whether processing happens at all.
  5. Data Principal Rights: Data Principals may have inaccurate or incomplete data corrected and may withdraw consent at any time, with withdrawal required to be as easy as giving consent (Section 6(4)). The consequences of withdrawal are borne by the Data Principal, but processing carried out before withdrawal remains lawful (Section 6(5)).
  6. Gender Neutrality: The Act refers to every individual, regardless of gender, as "she" and "her" rather than using "he" as the default.
  7. Accountability of Data Fiduciaries: Withdrawal of consent does not release a Data Fiduciary from its obligations; it must, within a reasonable time, cease processing and cause its Data Processors to cease processing (Section 6(6)), and must erase the data unless retention is required by law.

Rights Under The DPDP Act

Chapter III of the DPDP Act (Sections 11 to 14) grants Data Principals the following rights over their personal data. Two rights that commentators often list by analogy with the GDPR, portability and objection, are not expressly conferred and are noted below for clarity:

  1. Right to Information: Before or at the time of seeking consent, a Data Fiduciary must give the Data Principal notice (Section 5) of the personal data it will collect, the purpose of processing, how she may exercise her rights, and how she may complain to the Board, which ensures transparency from the outset.
  2. Right to Access (Section 11): A Data Principal who has given consent may obtain a summary of the personal data being processed and of the processing activities, the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared, and any other prescribed information, allowing her to verify what is held and whether it is accurate.
  3. Right to Correction (Section 12): A Data Principal may require correction, completion or updating of inaccurate, incomplete or outdated personal data.
  4. Right to Erasure, commonly called the right to be forgotten (Sections 12 and 8(7)): A Data Principal may require erasure of her personal data, and a Data Fiduciary must in any event erase it once consent is withdrawn or the specified purpose is no longer served, unless retention is required under law. This reflects the principles of purpose limitation and storage limitation.
  5. Copy of Personal Data: Unlike the GDPR, the Act confers no general right to receive one's data in a machine-readable form for transfer to another provider (data portability); what a Data Principal can obtain is the Section 11 summary described above.
  6. Objection to Processing: The Act likewise has no standalone right to object. The equivalent lever is withdrawal of consent under Section 6(4), which may be exercised at any time and must be as easy as giving consent; the Data Fiduciary must then cease processing within a reasonable time (Section 6(6)), although processing carried out before withdrawal remains lawful.
  7. Right of Grievance Redressal and Right to Nominate (Sections 13 and 14): A Data Principal may complain to the Data Fiduciary or Consent Manager, which must respond within the period prescribed by rules, and must exhaust that route before approaching the Data Protection Board. She may also nominate another person to exercise her rights in the event of death or incapacity. In practice: raise a grievance promptly, communicate clearly and concisely with the Data Fiduciary, keep records of every interaction, and have proof of identity ready.

Data Protection Impact Assessment (DPIA)

Under the DPDP Act, a Data Protection Impact Assessment is an express obligation only for Significant Data Fiduciaries, which must conduct one periodically (Section 10(2)(c)); other privacy laws, such as Article 35 of the GDPR, require one for any processing likely to pose a high risk to individuals. A DPIA examines the necessity and proportionality of a processing activity and its compliance with the law. By conducting one, an organisation can identify and address privacy risks before they turn into breaches.

This helps prevent or minimize harm to individuals, such as reputational damage, emotional distress, identity theft, financial loss, and physical harm. It also protects organisations from the consequences of data breaches, including financial costs, legal fees, regulatory fines, and reputational damage.

DPIAs involve several key steps:

  1. Data mapping: Visualizing and documenting how data is collected, stored, processed, shared, and disposed of within the organisation.
  2. Data discovery: Scanning and analysing data repositories to find and classify personal or sensitive data.
  3. Risk assessment: Evaluating the potential impacts of data processing activities on the rights and freedoms of individuals.
  4. Mitigation: Identifying and implementing appropriate safeguards and controls to reduce the risks to an acceptable level.
  5. Ongoing review: Monitoring and updating the DPIA as data processing activities change or new risks emerge.
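The data-discovery step above is the one part of a DPIA that is routinely automated. The following Python script is an added example, not code from the page or from any regulator, of a minimal discovery pass over a constructed record set: it classifies each field by the kind of identifier it holds (an inventory that feeds the data map) and flags records whose Data Principal is under eighteen, which under Section 9 of the Act require verifiable parental or guardian consent. The regular expressions, field names and sample people are assumptions for illustration; the Aadhaar check is format-only and does not verify the real number's check digit.

```python
import re
from datetime import date
from typing import Dict, List, Tuple

# Illustrative classification rules (an assumption for this example, not
# categories from the Act). Each pattern must match a whole field value.
# Aadhaar is matched by format only; a real number also carries a Verhoeff
# check digit, which this example does not verify.
PII_PATTERNS = {
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "indian_mobile": re.compile(r"(\+91[- ]?)?[6-9]\d{9}"),
    "pan": re.compile(r"[A-Z]{5}\d{4}[A-Z]"),
    "aadhaar_format": re.compile(r"\d{4} ?\d{4} ?\d{4}"),
}

# The Act treats an individual who has not completed 18 years as a child
# (Section 2(f)); Section 9 then requires verifiable parental consent.
CHILD_AGE = 18


def classify_value(value: str) -> List[str]:
    """Return the sorted labels of every pattern the whole value matches."""
    return sorted(label for label, rx in PII_PATTERNS.items() if rx.fullmatch(value))


def age_on(dob_iso: str, today_iso: str) -> int:
    """Completed years between an ISO date of birth and a reference date."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1  # birthday not yet reached in the reference year
    return years


def scan_records(records: List[Dict[str, str]], today_iso: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Data-discovery pass for a DPIA.

    Returns (inventory, child_ids): inventory maps each field name to the
    identifier kinds found in it across all records (raw material for the
    data map); child_ids lists records whose Data Principal is under
    CHILD_AGE on today_iso, i.e. records needing verifiable parental consent.
    """
    inventory: Dict[str, set] = {}
    child_ids: List[str] = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for label in classify_value(value):
                inventory.setdefault(field, set()).add(label)
        dob = rec.get("dob")
        if dob and age_on(dob, today_iso) < CHILD_AGE:
            child_ids.append(rec["id"])
    return {f: sorted(kinds) for f, kinds in inventory.items()}, child_ids


# Constructed sample repository: fictional people, numbers and dates.
SAMPLE_RECORDS = [
    {"id": "u1", "name": "Asha", "email": "asha@example.com",
     "phone": "+91 9876543210", "pan": "ABCDE1234F", "dob": "1990-05-14"},
    {"id": "u2", "name": "Ravi", "email": "ravi@example.org",
     "phone": "9123456789", "aadhaar": "2345 6789 0123", "dob": "2010-08-01"},
    # u3 turns 18 the day after the reference date, so is still a child.
    {"id": "u3", "name": "Meera", "email": "not-an-email",
     "phone": "12345", "dob": "2006-03-20"},
]
REFERENCE_DATE = "2024-03-19"  # fixed so the scan is reproducible

if __name__ == "__main__":
    inv, kids = scan_records(SAMPLE_RECORDS, REFERENCE_DATE)
    for field, kinds in sorted(inv.items()):
        print(f"{field}: {', '.join(kinds)}")
    print("records needing verifiable parental consent:", kids)
```

The age check is deliberately computed against an explicit reference date rather than the clock, so the assessment is reproducible and the boundary case (a Data Principal whose eighteenth birthday is tomorrow) is handled the same way every run. A production scan would read from the real repositories identified during data mapping and feed the inventory into the risk-assessment step.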

By conducting DPIAs, organisations can make informed decisions about their data processing activities, align their practices with legal obligations, and foster a culture of privacy awareness. This benefits the public by ensuring their personal information is handled responsibly and securely, and that their privacy rights are respected.

Data Fiduciary 

A Data Fiduciary is the party the Act holds responsible for compliance, whether processing is done by the fiduciary itself or by a Data Processor on its behalf. Its obligations under Chapter II can be summarised as follows:

  1. Engaging a Data Processor to process personal data on its behalf, for any activity related to offering goods or services to Data Principals, only under a valid contract (Section 8(2)).
  2. Ensuring the completeness, accuracy and consistency of personal data where it is likely to be used to make a decision affecting the Data Principal or is to be disclosed to another Data Fiduciary.
  3. Complying with the Act regardless of any agreement to the contrary and regardless of any failure by the Data Principal to carry out her own duties.
  4. Implementing appropriate technical and organisational measures to ensure effective compliance with the Act and its rules.
  5. Protecting personal data in its possession or under its control, including data processed on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach (Section 8(5)).
  6. Giving intimation of any personal data breach to the Board and to each affected Data Principal, in the form and manner prescribed by rules (Section 8(6)).
  7. Erasing personal data, and causing its Data Processors to erase it, when the Data Principal withdraws consent or as soon as the specified purpose is no longer served, unless retention is required under law (Section 8(7)).
  8. Publishing the business contact information of the Data Protection Officer, where one is appointed, or of a person able to answer Data Principals' questions about the processing of their personal data.
  9. Establishing an effective grievance redressal mechanism for Data Principals.

Under Section 10 of the DPDP Act, there are additional obligations imposed on Significant Data Fiduciaries, which are determined by the central government based on various factors. These factors include the volume and sensitivity of personal data processed, potential risks to the data principal, impact on the sovereignty and integrity of India, risks to electoral democracy, security of the state, and maintenance of public order.

The specific obligations for a Significant Data Fiduciary are as follows:

Appointment of a Data Protection Officer (DPO):

  1. The DPO should represent the Significant Data Fiduciary as per the provisions of the DPDP Act.
  2. They must be based in India.
  3. The DPO should be an individual accountable to the Board of directors or a similar governing body of the Significant Data Fiduciary.
  4. They serve as the primary point of contact for the grievance redressal mechanism outlined in the Act.

Appointment of an Independent Data Auditor:

  1. The Significant Data Fiduciary is required to appoint an independent data auditor tasked with conducting data audits.
  2. The auditor’s role includes evaluating the compliance of the Significant Data Fiduciary with the provisions of the DPDP Act.

Undertaking Necessary Measures:

  1. The Significant Data Fiduciary must conduct periodic data protection impact assessments.
  2. They are obligated to perform periodic audits to ensure ongoing compliance.
  3. Any other measures undertaken should align with the provisions outlined in the DPDP Act.

Data Protection For Children 

Where the Data Principal is a child (an individual who has not completed eighteen years) or a person with a disability who has a lawful guardian, the term "Data Principal" includes the parent or lawful guardian acting on her behalf (Section 2(j)). Because such individuals cannot themselves give valid consent, Section 9(1) requires a Data Fiduciary to obtain the verifiable consent of the parent or lawful guardian, in the manner prescribed by rules, before processing their personal data.

Furthermore, Section 9(2) prohibits a Data Fiduciary from any processing of a child's personal data that is likely to cause a detrimental effect on the child's well-being, and Section 9(3) bars tracking or behavioural monitoring of children and targeted advertising directed at them. The Central Government may by rules exempt specified classes of Data Fiduciaries or purposes from the consent and monitoring restrictions, subject to conditions (Section 9(4)). These provisions are intended to safeguard the rights and privacy of minors and vulnerable individuals.

Establishment Of The Data Protection Board Of India (DPBI)

Chapter 5 of the DPDP Act outlines the formation and functions of the Data Protection Board of India (DPBI). As per Section 18 of the Act, DPBI is established by the Central Government as a body corporate with perpetual succession. It possesses a common seal and the ability to enter into contracts, pursue legal actions, or be subjected to legal actions.

The DPBI functions as an independent body, striving to operate digitally and using technology-driven measures to protect the personal data of individuals in India. It has the authority to ascertain instances of non-compliance with the Act’s provisions and impose penalties accordingly.

Appeals against the Board's orders lie to the Appellate Tribunal, which the Act defines as the Telecom Disputes Settlement and Appellate Tribunal established under the TRAI Act, 1997 (Sections 2(a) and 29); a further appeal from the Tribunal lies to the Supreme Court. Section 39 bars civil courts from entertaining any suit or proceeding in respect of a matter that the Board is empowered to decide.

The establishment of the DPBI marks a significant step in India's efforts to create a robust data protection framework and safeguard the digital rights of its citizens.

Composition And Term Of The Board

The DPBI comprises a Chairperson and such number of other members as the Central Government may notify, all appointed by the Central Government (Section 19). The Chairperson and members must be persons of ability, integrity and standing with special knowledge or practical experience in fields such as data governance, administration or implementation of laws relating to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, and at least one member must be an expert in the field of law. The term of office is two years, with eligibility for re-appointment (Section 20).

Powers of the Chairperson: Under Section 26 of the DPDP Act, the Chairperson of DPBI holds specific powers. These powers include general oversight and direction concerning administrative matters within the Board. The Chairperson is authorised to delegate scrutiny of communications addressed to the Board and can also delegate certain functions to individual members or groups of members within the Board, including the allocation of proceedings among them.


Powers and Functions of the Data Protection Board: Section 27 of the DPDP Act delineates the authority and duties of the Data Protection Board as follows:

  1. Response to Personal Data Breaches: Upon receiving notification of a personal data breach under Section 8(6), the Board is mandated to promptly direct urgent remedial actions, conduct inquiries into the breach, and levy penalties as stipulated by the Act.
  2. Handling Complaints and References: The Board inquires into complaints made by Data Principals concerning personal data breaches or breaches of obligations by Data Fiduciaries, and into references made by the Central Government, a State Government or a court, and imposes penalties based on its findings.
  3.  Complaints Against Consent Managers: If a Data Principal lodges a complaint regarding breaches of obligations by a consent manager, the Board must conduct an inquiry and impose penalties accordingly.
  4.  Response to Consent Manager Breaches: In the event of a breach of any conditions by a Consent Manager, the Board is responsible for investigating the breach and imposing appropriate penalties.
  5.  Government References: Upon receiving a reference from the Central Government concerning breaches of Section 37(2) of the Act, the Board is obligated to investigate and impose penalties where necessary.

To ensure fairness and transparency in its proceedings, the Board is required to provide the concerned parties with an opportunity to present their case, maintain written records of its decisions, and issue directions as deemed necessary. These directions may be subject to modification, suspension, withdrawal, or cancellation based on representations made by the affected parties, with the Board having the authority to impose conditions as part of its directives.

Exemptions Under Section 17 Of The DPDP Act

Section 17(1) of the DPDP Act lists situations in which the obligations of Data Fiduciaries in Chapter II (other than Sections 8(1) and 8(5), which keep the fiduciary responsible for compliance and for reasonable security safeguards), the rights in Chapter III and the transfer restriction in Section 16 do not apply:

  1. Enforcement of Legal Rights: Processing necessary for enforcing any legal right or claim.
  2. Compliance with Judicial Orders: Processing by a court or tribunal, or by any other body entrusted by law with judicial, quasi-judicial, regulatory or supervisory functions, where the processing is necessary for those functions.
  3. Law Enforcement Purposes: Processing in the interest of prevention, detection, investigation or prosecution of any offence or contravention of Indian law.
  4. Cross-Border Data Processing: Processing, by a person in India, of personal data of Data Principals outside India under a contract with a person outside India.
  5. Corporate Transactions: Processing necessary for a scheme of merger, amalgamation, demerger, reconstruction or transfer of undertaking approved by a court, tribunal or other competent authority.
  6. Financial Information Assessment: Processing to ascertain the financial information, assets and liabilities of a person who has defaulted on a loan or advance from a financial institution, provided the processing complies with the disclosure provisions of any other law.

These exemptions are crucial in delineating scenarios where data protection obligations are superseded by legal or operational necessities, ensuring a balanced approach to data governance.

Under Section 17(2) of the DPDP Act, certain scenarios are outlined where the provisions of the Act do not apply:

  1. Data Processing by Instrumentality of the State: The Act’s provisions are exempted when personal data processing is conducted by a State instrumentality, as notified by the Central Government, in the interest of India’s sovereignty, integrity, friendly foreign relations, maintenance of public order, or prevention of incitement to cognizable offences related to these aspects. Additionally, processing by the Central Government of any personal data provided by such instrumentality falls under this exemption.
  2. Data Processing for Specific Purposes: The Act’s provisions do not apply when personal data processing is necessary for research, archiving, or statistical purposes, provided that the data is not utilised to make specific decisions impacting Data Principals.

Latest Judgement 

In a recent case titled X v. The Principal Secretary, Health and Family Welfare Department, Govt. of NCT of Delhi & Anr. (2022), the Supreme Court upheld the reproductive autonomy of an unmarried woman. The Court allowed a 25-year-old woman to undergo an abortion, emphasising that her right to bodily autonomy is protected under Article 21 of the Constitution. This decision underscores how the right to privacy, as enshrined in Article 21, enables individuals to exercise control over their bodies.

Another significant case, commonly known as the Hadiya marriage case (2018), highlighted the right of an individual to marry a person of their choice as an essential aspect of privacy. The Supreme Court emphasised that the state has no authority to interfere in such personal decisions, reinforcing the notion that privacy encompasses crucial aspects of one’s life choices.

In Anuradha Bhasin v. Union of India (2020), in which the Internet Freedom Foundation intervened, the Supreme Court addressed the prolonged internet shutdown in Jammu and Kashmir. The Court held that the freedom to use the internet as a medium for speech and for trade is protected under Article 19, that any suspension must satisfy the tests of necessity and proportionality, and that suspension orders must be published and periodically reviewed. Although decided under Article 19 rather than the right to privacy, the ruling is a landmark for the protection of individual rights in the digital age.

Evaluating The Effectiveness Of The DPDP Act In India

The DPDPA is India's first standalone data protection statute, the product of roughly six years of drafting and several withdrawn or revised bills. It sets out a detailed legal framework intended to uphold the right to privacy across the various stages of data processing.

One notable aspect of the DPDP Act is its expansive scope, extending even beyond India’s borders through extra-territorial application. This extension applies when data processing occurs outside India but pertains to goods or services within the country, enhancing its reach and effectiveness in the global digital landscape.

A fundamental component of the Act is its definition of personal data as any data about an individual who is identifiable by or in relation to that data. The Act also extends the definition of Data Principal so that, for a child or for a person with a disability who has a lawful guardian, it includes the parent or lawful guardian acting on her behalf, which brings those who exercise rights for vulnerable individuals within the framework.


The DPDP Act demonstrates a dedicated focus on safeguarding children’s privacy rights by introducing specific provisions for processing personal data related to children. It mandates obtaining consent from lawful guardians before processing such data and prohibits actions that could have a detrimental impact on children’s well-being, such as tracking, behavioural monitoring, or targeted advertising.

Recognizing the challenges faced by start-ups in complying with complex legislation, the DPDP Act incorporates exemptions tailored to these entities. This strategic approach aims to encourage innovation and creativity while ensuring adherence to privacy standards.

Furthermore, the DPDP Act lays out clear obligations for Data Fiduciaries, outlining responsibilities such as implementing the Act’s provisions, deploying adequate security measures to prevent breaches, and providing transparent notice and consent mechanisms. These provisions collectively contribute to fostering a privacy-conscious environment in India’s digital landscape.

The DPDP Act empowers Data Principals with a range of rights concerning their personal data: access to information, correction, completion and erasure, nomination, and grievance redressal. It makes consent the primary basis for collecting and processing personal data, with verifiable parental consent required for the data of a child. Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and may be withdrawn at any time. Before or at the time of seeking consent, the Data Fiduciary must give a notice describing the personal data and the purpose of processing, how the Data Principal may exercise her rights, and how she may complain to the Board.

Introducing the concept of consent managers, the DPDP Act designates these entities as intermediaries responsible for managing consent processes, including collection, modification, and revocation of consent. The Act further distinguishes between data fiduciaries and significant data fiduciaries based on various factors like data volume, sensitivity, and associated risks. Significant Data Fiduciaries have additional obligations such as appointing data protection officers, conducting data protection impact assessments, and undergoing periodic compliance audits.

The DPDP Act also establishes the Data Protection Board of India, setting out its composition, the qualifications, remuneration and disqualification of members, and the procedure for resignation. The Board is empowered to direct urgent remedial measures after a personal data breach, to conduct inquiries, to impose penalties, and to function as a digital office. It may also, where it considers a complaint suitable, direct the parties to attempt resolution by mediation (Section 32).

Critiquing The DPDP Act: Addressing Its Shortcomings

Despite its initial recognition of privacy and related rights, the DPDP Act reveals several shortcomings upon closer examination:

  1. Limited Scope: The Act covers only digital personal data and offline data that is later digitised. Personal data that stays offline falls outside it, so the protection it offers depends on the form in which data happens to be held.
  2. Absence of Data Categories: The Act lacks categorization of data into sensitive, critical, or other categories, which were initially proposed but later removed. This omission hampers the ability to provide stronger protection to more sensitive and private data.
  3. Significant Exemptions: The DPDP Act contains substantial exemptions, not only for start-ups to foster innovation but also for government entities and instrumentalities. These exemptions grant unchecked power to the government in collecting and processing data, raising concerns about privacy safeguards.
  4. Impact on Right to Information: Section 44(3) of the DPDP Act amends Section 8(1)(j) of the Right to Information Act so that "information which relates to personal information" is exempt from disclosure outright. Previously the exemption applied only to personal information unconnected with any public activity or interest, and could be overridden where the larger public interest justified disclosure. Critics argue that removing this balancing test undermines transparency and accountability.
  5. Despite having a separate provision for data transfer, the DPDP Act lacks robust measures to protect data from breaches during transfer. The Act mentions the Central Government’s power to restrict cross-border transfers, but this doesn’t ensure sufficient protection for individuals’ personal data.
  6. The Act faces criticism regarding the independence of the Data Protection Board. While it claims to be an independent body, concerns arise due to the term of appointment and the government’s role in its operations, raising doubts about the board’s true independence.
  7. The success of the DPDP Act hinges on public awareness about rights and responsibilities regarding personal data. Many individuals are unaware of the Act’s existence, their data’s significance, collection processes, and grievance redressal mechanisms. There’s a notable absence of provisions mandating the Government or the Data Protection Board to educate the public about their data rights.
  8. While the DPDP Act is a significant step towards protecting privacy rights, it also faces challenges. Its focus on digital data, lack of data categorization, and exemptions for government entities raise fairness concerns. Despite its promising features, addressing these concerns is crucial for ensuring a balanced and effective data protection framework.

Difference Between General Data Protection Regulation And DPDP

The General Data Protection Regulation (GDPR) is the European Union's data protection law, in force since 25 May 2018, and is widely treated as the benchmark for data privacy legislation.

The DPDP Act borrows much of its vocabulary and structure from the GDPR: a controller-like Data Fiduciary, a processor, a regulator, rights of access, correction and erasure, and mandatory breach notification. The two nevertheless differ on several points:

  1. Scope: The GDPR covers personal data in any form, including structured paper records; the DPDP Act covers only digital personal data and offline data that is later digitised.
  2. Lawful Bases: The GDPR provides six lawful bases for processing, including performance of a contract and legitimate interests; the DPDP Act relies on consent plus the closed list of "certain legitimate uses" in Section 7.
  3. Special Categories: The GDPR gives sensitive data (health, biometric and genetic data, political opinions and the like) heightened protection; the DPDP Act has no sensitive-data category at all.
  4. Rights: The GDPR includes data portability and a right to object; the DPDP Act does not, though it adds a right to nominate (Section 14) that the GDPR lacks.
  5. Cross-Border Transfers: The GDPR permits transfers only to countries with an adequacy decision or under safeguards such as standard contractual clauses; Section 16 of the DPDP Act allows transfers to any country except those the Central Government restricts by notification.
  6. Penalties: GDPR fines are capped at €20 million or 4 per cent of worldwide annual turnover, whichever is higher; the DPDP Act's Schedule sets fixed monetary caps, the highest being ₹250 crore for failing to take reasonable security safeguards.
  7. Regulator: EU supervisory authorities are independent bodies with rule-making, audit and enforcement powers; the Data Protection Board of India is an adjudicatory body whose members are appointed by the Central Government, with rule-making reserved to the Government.

Conclusion 

In conclusion, India's data privacy and protection laws align with global trends that recognise the importance of personal data in the digital age. The DPDP Act is a significant step toward safeguarding personal data, giving individuals more control over their information, and holding Data Fiduciaries accountable. The Act rests on principles of data minimisation, accuracy, accountability and purpose limitation, and confers enforceable rights on individuals.

The DPDP Act obliges those who handle personal data to meet defined duties and imposes penalties for non-compliance. It largely serves its intended purpose, but it also draws criticism: provisions for sensitive personal data were dropped from the final text, the consent and processing provisions leave room for ambiguity, and the exemptions for government bodies are broad. Critics regard these as missed opportunities. How far the Act delivers on its promise will depend on the rules framed under it and on how the Board and the courts apply it in light of the Supreme Court's privacy rulings.
