The Digital Personal Data Protection Bill, 2023 (“DPDP Bill”) was the fourth Indian iteration of a comprehensive law on Data Protection. The Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDP Act”) is clearly part of a larger direction that the Indian Government is taking towards modernising the regulations and laws in India, with the much-anticipated Digital India Act, which will act as the replacement of the Information Technology Act, also set to come in the near future. It is thus evident that the passing of the DPDP Act is not the end of the long-sought dream of effective online legal regulation but merely its beginning.
NEED FOR DATA PROTECTION IN INDIA
The metaphorical awakening of the need for data protection in India began with the landmark case of K.S Puttaswamy vs. Union of India [WRIT PETITION (CIVIL) NO. 494 OF 2012] in the Supreme Court, which declared the ‘Right to Privacy’ a fundamental right under Article 21 of the Constitution of India, 1949 and under it acknowledged ‘informational privacy’. After this, India set up a committee of experts on data protection under the chairmanship of retired justice B.N Srikrishna to formulate an act to protect the personal data of the citizens, and thus various drafts of the Personal Data Protection Bill started rolling out in the following years, which has led us to its fourth attempt in 2023.
KEY CHANGES FROM THE DPDP BILL
The DPDP Act has arrived with certain changes from the bill of 2022. After analyzing provisions from both side by side, the following key changes can be observed:
Certain new definitions have been added to keep in line with the new provisions and parameters which have been supplanted in the new Act.
The Act introduces the concept of “digital office”, which is in reference to the Data Protection Board and the Appellate Tribunal, which would act in the manner of a digital office to provide a complete online mechanism.
The definition of “Data Principal” has been expanded to now include the lawful guardian of a disabled person.
The term “Processing” in relation to personal data, has been tweaked to include “wholly or partly automated operation performed on digital personal data” whereas the previous bill did not include this specification.
The term “specified purpose” has been added, which means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal. The Data Fiduciary can thus only use the data disclosed by the Data Principal for those purposes which are stated in the notice; this will be called the ‘specified purpose’.
B. Scope Of The Act
The law will apply to “processing” of personal data in the digital form and in non-digital form which is then digitized.
The difference between the DPDP Bill and the DPDP Act is that “profiling” of data by any offshore entity will now not attract obligations under the Act. Previously, extraterritorial applicability would have extended to foreign data processors even in cases of profiling, which would have been counterintuitive given the obligation on large scale data studies for research purposes.
Non application:
In the case of non-applicability, the DPDP Act has added that the law will not apply to the data of the Data Principal which is made public by himself or by a person under the obligation of any law. The DPDP Act has removed the provision of non-applicability on the following kinds of data:
C. Notice to be given to Data Principal by the Data Fiduciaries
A new addition to the DPDP Act is that “the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.”
Interestingly enough, there seems to be no provision expressly stating that the Data Fiduciaries have to inform the Data Principals about the third parties with whom their data will be shared, the duration for which their data will be stored and whether their data will be transferred to other countries. Rather, there is a subsequent Right given to the Data Principals under Section 11 (b) of the DPDP Act where they can request the identities of all the Data Fiduciaries and Processors with whom the personal data has already been shared.
D. Provision for consent and rebranding of “Deemed consent”
Unlike the DPDP Bill, the DPDP Act retains the concept of “deemed consent” albeit under the new heading of “Certain legitimate uses” under Section 7 of the DPDP Act, where it is stated that data can be utilized without explicit consent, given that it is willingly provided and aligns with the “legitimate uses” outlined in the provision.
E. Right to information of Data Principals
As mentioned above, the DPDP Act provides that if requested by the Data Principal, the Data Fiduciary has to disclose the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared. But it also states that these provisions will not apply to sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary unless and until the same is prescribed under law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences.
F. Processing of personal data outside India done according to a Block List
According to the DPDP Act, the Central Government has the power to restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified by them. Thus, any entity engaged in the processing of personal data will have the authorization to transfer data to any foreign country for processing, provided that such transfers are not subject to restrictions/a block list imposed by the Central Government.
G. Exemptions for private actors
The DPDP Bill provided the Union Government with the power to exempt certain Data Fiduciaries or class of Data Fiduciaries from selected provisions. The DPDP Act retains this provision and specifically includes start-ups as data fiduciaries that may be exempted by the Union Government.
H. Data Protection Board
In the DPDP Bill, only the chairperson of the board was to be appointed by the Union Government. The DPDP Act has tweaked the selection of the members of the board and now all members of the board will be appointed by the Union Government. It is essential that the board is independent from the influence and interference of the government.
I. Appeals system: Revamped
Individuals who are aggrieved by the law will need to initially seek resolution through the grievance redressal mechanism provided by the Data Fiduciary itself. After utilizing this avenue, if they continue to be aggrieved, they will then have the opportunity to escalate the matter to the Data Protection Board. Any further appeals from decisions made by the Data Protection Board will be directed to the Telecom Disputes Settlement and Appellate Tribunal. The rationale behind this alteration and the specific selection of the Telecom Disputes Settlement and Appellate Tribunal remain unclear.
The DPDP Act still has a way to go to effectively protect the data of the citizens. The latest iteration of the Data protection law has still not been able to address all the issues that were raised against the DPDP Bill. The main criticism continues to be that the discretionary power and the immunity provided to the government and its agencies are too wide and effectively make them immune to the provisions of the DPDP Act.
Moreover, Data Fiduciaries must be given stricter guidelines for the notice to be sent to the Data Principal; hence they must be given more responsibilities. The DPDP Act is a welcome legislation only due to the old adage, “Something is better than nothing”. If the privacy and interests of the general public are truly to be protected, then the DPDP Act leaves much to be desired for protection of the general public from unwarranted government scrutiny.
– Team AMLEGALS, assisted by Ms. Kermina Patel (Intern)