The Digital Personal Data Protection Act, 2023 is milestone legislation in India that deals with data privacy and security in the current age of digitalization. It is extensive legislation aimed at promoting reasonable data management practices.
Advotalks sits down for an in-depth conversation with Adv. Chaitanya Hariharan about these data protection provisions. She holds a Master of Laws in Technology, Media & Telecommunication Law from the prestigious Queen Mary University of London and currently practises in the fields of intellectual property law, technology law and commercial law.
Can you begin by explaining what data protection is and what the various laws regarding it are?
Data protection is the law which protects personal information collected, processed or stored by autonomous means. A person does multiple digital transactions on a daily basis in which they enter their personal data. For example, shopping on Amazon, an internet shopping site, where you have to enter all your personal information including name, phone number, address, bank details and CVV, which the site then possesses. Moreover, social media sites like Instagram and WhatsApp, which people use for photo sharing, thereby give the parent company Meta access to all these photos and information. Without data protection laws, this data can be used for purposes you did not consent to and can be misused by these companies. With evolving technology and the increased digital presence of people, the laws have also evolved. Now people have the right to know where their data is stored and for what purpose it is stored. Moreover, people can now rightfully ask the company to delete the data if it is not being stored for the consented purpose.
What are the legislations concerned with the procurement as well as the safe processing of personal data?
India as yet does not have an all-encompassing regulation that deals with personal data. We have the IT Act of 2000, which deals with fragments of personal information. We also have the IT Rules of 2011, which deal with social media intermediaries and all platforms regulating your data. Then we have certain sections of the IPC. We also have specific laws in the banking and financial services sector and the telecom sector that deal with data in those sectors. However, these laws are not adequate to deal with the evolving sphere of technology, and therefore the government has now passed the Digital Personal Data Protection Bill, which has received presidential assent.
Can you elaborate on the legal journey that has led to the Digital Personal Data Protection Act? What is the scope of the Information Technology Act?
The scope of the IT Act, 2000 was to deal with cybercrimes and facilitate e-commerce, e-governance and e-transactions. The Act gives recognition to digital signatures and electronic record keeping. When it came into place, the intention of lawmakers was not to protect personal data, but as the law evolved it also went on to protect certain facets of personal data. One important contribution of the Act has been the Cyber Appellate Tribunal, which resolves disputes arising in the digital space. However, the Act does not deal with all aspects of the collection and use of personal data, and therefore a need for new legislation was felt.
What are the key features and provisions of the Digital Personal Data Protection Act?
Nowadays there is a lot of cross-border data transfer, especially since the pandemic, which could not be properly regulated under the IT Act, 2000. In 2017, the Supreme Court laid down a landmark judgement in Justice K.S. Puttaswamy v. Union of India, where it recognized the Right to Privacy as a fundamental right under Article 21. Thereafter an effort was made to protect the personal data of citizens, which is how the Data Protection Bill came into being. But the bill had multiple lacunae because of how expansive it was in scope. It provided for establishing a digital protection authority with regulatory powers. But India at the time was not in a position to have that authority, because no one had prior experience legislating over and regulating that space. So after a lot of deliberation and discussion, the Digital Personal Data Protection Act, 2023 came into play.
As for the applicability and scope of the Act, it applies to the processing of digital personal data within India, whether it is collected online or in a digitized format from offline sources. The Act extends its jurisdiction to data outside India if it is collected for the purpose of providing goods or services in India.
The Act also provides certain rights to the data principal. The data principal is the person whose data is being collected, and the one collecting and processing the data is called the data fiduciary. The data principal has a right to information about how the data is being processed and the reason behind it, and a right to correction if there is some mistake or error. There are also certain obligations on the fiduciary, which are to ensure that the data is accurate, to maintain security, and to delete the data when its purpose is done. The Act also provides certain exemptions to government entities for data erasure and storage of information.
Another key feature of the Act is the transfer of data and its exemption. The Act permits the transfer of personal data outside India except to countries that are restricted by the Government. So this provision allows smooth cross-border transfer. The Act also establishes a Data Protection Board that will oversee compliance, impose penalties, address data breaches and handle grievances.
What were the real-world cases that led to this paradigm shift in the statute?
Before the lockdown, news around the world was covering Mark Zuckerberg doing the rounds of US courts. That was a data breach scandal. Cambridge Analytica was a data analysis firm, and they exploited Facebook users' data to such an extent that it was alleged they were able to rig the 2016 US Presidential Election and the Brexit vote. Due to this, Facebook lost 18% of its shares in one week and had to pay 725 million dollars as a fine to settle the suit, and Cambridge Analytica eventually declared bankruptcy. It brought to light many issues as to how personal data can be used to manipulate a democratic process.
In October 2023, there was allegedly a data breach at the Indian Council of Medical Research, where the personal data of 81 crore Indians was leaked and was allegedly for sale on the dark web.
What are the goals and objectives of the Global Data Protection Regulations (GDPR)?
GDPR is one of the strongest legislations protecting a person's personal data. Along with GDPR we have the UK Protection Act of 2018, which is an exact replica of GDPR but came into effect in 2018 post Brexit. The US also has the California Consumer Privacy Act. The personal information protection legislation is China's data protection act. These are significant examples of global data protection. All these laws share a couple of common principles. Firstly, transparency about what is happening with the data, which is paramount. All these Acts also have provisions for knowing the purpose of collecting data, and for purpose limitation, where if a person does not want to give it for a certain purpose, the company collecting the data has to ensure that it is not using your data for those purposes. And all these legislations have given individuals a right to manage their personal data.
What are the differences between GDPR and DPDP Act?
All data protection laws globally have given individuals control over their personal data, and they also mandate that the organization collecting their data must use it lawfully; that is what they have in common. The GDPR extends to the entire European Union and is applicable to a cluster of countries, whereas the DPDP Act is only applicable to India. Secondly, data localization is where GDPR shines. It essentially means that GDPR mandates that you must store the personal data you have collected from a European Union person in the EU itself, but the DPDP Act does not have this provision. Thirdly, when it comes to consent, GDPR requires the explicit consent of individuals before processing the data, whereas the DPDP Act allows processing of the data without a person's consent in certain cases like public interest or for investigative or preventive purposes. And in the case of a data breach, the GDPR says that organizations have to notify the relevant data protection authority within 72 hours. The DPDP Act also mandates the same thing, but the organization also has to notify the person whose data has been breached within 72 hours.
In general, GDPR is considered a more stringent statute only because of the consent requirement and data localisation. But I genuinely think that the DPDP Act is going to be adequate for India's data protection requirements.