The Digital Personal Data Protection Act,2023 of India
The Data privacy framework is finally in place with the Digital Personal Data Protection Act, 2023(“PDPDA,2023”) getting enacted with the assent of the President of India on 11th August, 2023.
The date of implementation of different provisions shall be notified, in a stage wise manner, from time to time.
There are over 80 crore Internet users in India. India is amongst the highest consumers and producers of data per capita amongst the countries. It has become clear over the last few years that while the Internet and technology are a force for good and connectivity, Internet is also a place where user harm and misuse can exist if rules and laws are not prescribed.
That is why laws and rule-making for the Internet has to be around the basic foundational principles and expectations of the citizens of openness, safety and trust and accountability.
Further, the Supreme Court in the Puttaswamy case in 2017, has declared the right to privacy as protected as part of the fundamental rights guaranteed by the Constitution of India. Therefore, it has become imperative that digitised personal data of the citizens of India be protected .
To sum up, while digitisation using personal data of Data Principals has transformed delivery of services to them enhancing ease of living, Data Principals are also increasingly at risk of harm from misuse of their personal data.
An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
The entire enactment has thrusted upon three aspects as under;
Personal data should be used by organizations in a manner that is lawful, fair to the individuals concerned, and transparent to individuals.Only those items of personal data that are required for attaining a specific purpose must be collected.
B.Accuracy of Personal Data
Reasonable effort should be made to ensure that the data of an individual is accurate and kept up to date.
The following would constitute the basis of data processing under the Bill:
(a) Processing may be done only in accordance with the provisions of the Bill and the rules made thereunder;
(b) It may be done only for lawful purposes; and
(c) It may be done on consent, or for certain legitimate uses specified in the Bill.
Reasonable safeguards are to be taken to ensure that there is no un-authorized collection or processing of personal data. This is intended to prevent personal data breaches.
The person who decides the purpose and means of processing personal data should be accountable for such processing.
There are seven principles on which this enactment has been formulated. For the ease of understanding, it is being covered under a separate write up.
Before requesting consent, the Data Fiduciary must give a written notice specifying the purpose for which data will be processed, with the option to access it in any of the Indian languages listed in the 8th Schedule to the Constitution.
Consent given shall be limited to personal data necessary for such purpose, and the giving of consent for personal data not necessary for the purpose may not be made a condition for processing. It shall be withdrawable at any time.
G.Data Control Board of India
The complaints related to contravention of the provisions of DPDPA,2023 has to be filed with the Data Control Board of India.
In terms of Section 38 of the PDPDA,2023, this enactment shall be considered to be a law in addition to and not in derogation of any other law for the time being in force.
In the event of any conflict between a provision of this Act and a provision of any other law for the time being in force, the provision of this Act shall prevail to the extent of such conflict.
To know more about the issues discussed above, You may please connect with email@example.com or firstname.lastname@example.org.