Why Digital Personal Data Protection Act (DPDP Act) is the Need of the Hour | All Your Questions Answered

In this internet-based world where our lives rely more on the virtual world rather than the real world, it is important to take proper security measures and ensure precautions for personal data security. With the rapid growth in internet dependency, the need for robust legislation to ensure privacy and data security is also increasing. 

In the past few years, India has emerged as one of the biggest consumers of the internet, increasing the risk of online fraud and malfunctions. Therefore, taking into account all these concerns, the Supreme Court of India recognized the right to privacy in the 2017 verdict. In August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP Act). 

In this article, we are going to provide all the information about and related to the Digital Personal Data Protection (DPCP Act).

What is the Digital Personal Data Protection Act (DPDP Act)?

The Digital Personal Data Protection Act (DPDP Act) passed by the Indian parliament in August 2023 is legislation that provides a balance between the privacy of data with the necessity of processing such data for lawful purposes. This bill highlights the obligation of Data Fiduciaries, those processing data, and outlines the rights and duties of Data Principals, individuals to whom the data pertains.

It also introduces strict penalties in case of data breaches. The DPDP act follows India’s Personal Data Protection Bill (PDPB) 2022, one of the initial steps by the Indian legislature towards strengthening its attempts to create a comprehensive data privacy law. 

As part of the National IT Governance Framework Policy and a new Digital India Act, this act was the result of the attention needed by the agencies towards data security.

The PDPB Act 2022 was primarily objectified “to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes and for matters connected therewith or incidental thereto.”

Looking back at the History of India’s Privacy and Protection Laws

Presenting you a brief history of India’s Privacy and Protection Laws:

1. Early Foundations

• Pre-Independence: There were no such rights that existed in the pre-independence era. However, some colonial-era laws listed them:
  • Indian Penal Code (1860): This section covered defamation, trespass, and limited data protection;
  • Indian Contract Act (1872): Introduced the concept of confidentiality in contractual marriages/relationships;
  • Constitutional Recognition: In 1950, the Indian constitution added the fundamental rights later encompassed the right to privacy:
  • Article 21 (Right to Life and Personal Liberty): The Supreme Court of India added the right to privacy in several landmark cases;

2. The Road to Data Protection Legislation

• Information Technology Act (2000): With limited scope, this bill introduced basic “sensitive personal data” protection and penalties for breach;
• Draft Bills and Public Feedback: Several interactions of Data Protection laws were introduced in 2011, 2018 and 2019, facing public criticisms and reviews;
• The Digital Personal Data Protection Act (DPDP Act): Passed by the Indian legislature in 2022, this law established a comprehensive data protection framework in India;

Key Features of the Digital Personal Data Protection Act (DPDP Act)

The Digital Personal Data Protection Act (DPDP Act) aims at empowering the user or individual in a manner to regulate their data handling practices in India. These regulations are applied to all the authorities, either private or public, processing the personal data of individuals in the country.

With the DPDP Act, individuals have the right to access, rectify, erase or restrict their data from further use. On the other hand, all the organizations looking to gather data from individuals need to have consent by providing the exact reason for collecting the data. 

In some scenarios, there are some exceptions, like localizing the data is allowed for specific purposes with government approval. With the DPDP Act, the Data Protection Board was established to overlook and employ penalties for non-compliance, ranging from financial punishments to imprisonment in specific cases. 

Some key rights introduced by this DPDP Act were:

• Right to access;
• Right to rectification;
• Right to erasure (right to be forgotten);
• Right to restrict processing;
• Right to data portability;

Key obligations announced by the data fiduciaries:

• Consent;
• Notice;
• Security;
• Data minimization;
• Data localization;

Why is the Digital Personal Data Protection Act (DPDP Act) needed?

The rapid digitisation of data has converted our data from personal data to online behaviour. While this data helps in understanding user requirements and leads to innovations, it also increases concerns about data privacy and security. The Data Personal Data Protection Act (DPDP Act) addresses all these vital concerns:

1. Empowering Individuals:

• Control over personal data: Individuals gained the rights like erasure, correction, access and transfer of their data;
• Transparency: Transparency should be followed to showcase the reason for collecting data, the use of data, and how the data will be used, ensuring that the individual has a full understanding of the usage of their data;

2. Balancing Innovation and Privacy: 

• Responsible data practices: Urging businesses to collect only the necessary data and ensuring all the safety and privacy measures during the process;
• Protects individual privacy: Regulating the data collection and processing prevents individuals from misusing their data;

3. Addressing Data Breaches and Misuse:

• Enhanced data security: Organisations are required to robust their security measures and ensure the safety and privacy of the data they are collecting;
• Accountability for data handling: This Act holds the organisation accountable for all the data they are collecting, deterring potential misuse and encouraging ethical data practices;

4. Building Trust in the Digital Economy:

• Increased consumer confidence: Increases the trust of users as they feel more control over their data, encouraging participation in the digital atmosphere;
• Transparency and accountability: Safe and secure standards create a cleaner environment, providing a transparent and accountable digital ecosystem;

What personal data is covered by the Digital Personal Data Protection Act (DPDP Act)?

The Digital Personal Data Protection Act (DPDP Act) defines personal data, which includes any data or information that directly or indirectly identifies a user. This includes but may not be limited to:

• Direct identifiers: Name, address, phone number, email address, unique identification number (aadhaar card), etc.;
• Indirect identifiers: Location, financial information, health data, genetic data, religious or political beliefs, browsing history, etc.;

It is important to understand that the DPDP Act does not specify any exclusive list or category of data to be considered personal. Instead, it focuses on the identification of the individual based on the data, either alone or combined with other information.

When will the DPDP Act be implemented?

As per the latest data, no official data or schedule has been announced for the implementation of the Digital Personal Data Protection Act (DPDP Act). The Act was enacted in August 2023; after this, the central government has the authority to determine the commencement date through an official Gazette in India. 

The notification can specify the dates and schedule for enforcing the various provisions of the Act. As of today (29 February 2024), no official date for the implementation of the DPDP Act has been announced by the central government.

READ MORE: Difference Between Cloud Security and Cyber Security

Summary of Digital Personal Data Protection Act (DPDP Act)

The Digital Personal Data Protection Act (DPDP Act) empowers individuals to regulate and control the use of their data. A concise summary of the DPDP Act is given below:

• Individual Rights:
  • Control over data: Access, correct, erase and transfer of data;
  • Informed consent: Essential to inform the user about the use of their data;
• Data Fiduciary Obligations:
  • Security: Implementation of a robust security system that secures the data collected from the users;
  • Minimise data collection: Only the essential and mandatory data should be collected from the user;
  • Be transparent: Individual must be informed about the manner their data is to be used;

Penalties under the DPDP Act

The Digital Personal Data Protection Act (DPDP Act) offers penalties of up to INR 250 crores on crimes like failure to prevent data breaches. This Act removed the INR 500 crore capital on the penalties for a single instance. 

Unlike the previous drafts, the affected data principals cannot seek compensation for breaches by data fiduciaries. Still, the board can levy penalties up to INR 10,000 for data principals not fulfilling their duties.

Conclusion

The DPDP Act is a strong and distinctive approach by the Indian legislature towards safeguarding personal data. This Act represents a crucial step towards the longstanding need for data policies in the context of increasing internet users and cross-border trade.

In simple terms, the DPDP Act can be stated as India’s stance towards data protection, implemented based on post-draft consultations. Although its instructions are not detailed like GDPR, it mandates a significant shift in how Indian businesses approach privacy and personal data. 

Like every other thing, the DPDP Act is also not prone to trolls and criticism. Some say it can affect digital growth due to strict laws and control, while some say that it won’t take long to ensure individual privacy. 

The forthcoming rules through the delegation will play a vital role in shaping these aspects. A standardised process of implementation followed by the release of rules, coupled with the industrialists, can robust and shape the data protection framework benefiting the entire technology sector in India.

FAQ’s