Youth Ki Awaaz

India’s Digital Personal Data Protection Bill 2023 In 10 Key Points


There is a significant shift towards digitalization in India, with people relying more on technology and the Internet for their everyday activities. India is the second-largest internet market, with 780 million internet users.

This has increased the need for data protection and cybersecurity measures to safeguard individuals and businesses from cyberattacks and data breaches.

As a citizen, you have a fundamental right to privacy under Article 21 of the Constitution. The Information Technology Act of 2000 provides punishment if anyone violates your privacy. Additionally, the Copyright Act of 1957 covers copyright protection for databases.

Although your rights are protected through the above laws, there are no particular laws for data protection at the moment. The Ministry of Electronics and Information Technology has developed a draft Bill to address this issue.

The Digital Personal Data Protection Bill (DPDP), 2023, was recently introduced and has been approved by the President. The provisions seek to regulate personal digital data and provide resolution for data breaches. Below, I have explained the highlights of the Bill.

Here are the key points of the Digital Personal Data Protection Bill of 2023:

1. Application Of The Bill

The provisions of the Bill extend outside India. The DPDP Bill will apply to digital personal data processed outside India only if such processing is associated with activities related to offering goods or services to data principals (data subjects) within India.

In simpler terms, if an organization or entity located outside India collects and processes the personal data of individuals in India as part of providing goods or services to them, the DPDP Bill will be applicable to regulate and protect that data.

For instance, if a foreign e-commerce company offers its products or services to Indian customers and collects their personal data for transactions or marketing purposes, the company will be subject to the DPDP Bill’s requirements regarding data protection, regardless of its physical location.

This provision helps in ensuring that the data privacy of Indian users is upheld even in cross-border data processing scenarios.

2. Focus On Digital Data Only

The Digital Personal Data Protection Bill only applies to personal data that exists in two specific forms:

Digital Personal Data: Any personal information collected and stored in digital formats, such as data collected through online platforms, websites, mobile apps, or electronic systems.

Non-Digital Data Digitized Later: The DPDP Bill also covers non-digital personal data later converted into digital form. For example, if physical records, documents, or information are scanned or converted into electronic files, they will fall under the purview of the DPDP Bill once they become digitized.

3. Consent Requirements for Data Usage

Websites and apps will be required to seek explicit permission from users before using their data, ensuring increased transparency and user control. Users should be fully aware of what data is being collected, how it will be used, and the purpose for which it will be processed.

For example, you open a bank account using YZ’s mobile app or website. To complete the Know-Your-Customer requirements under the law for opening a bank account, you opt for processing your personal data by YZ in a live, video-based customer identification process.

YZ shall precede the request for personal data with a notice to you describing the personal data and the purpose of its processing.

4. Language

The notice that informs the data principal about the personal data and the proposed purpose of processing can be accessed in English or in any other language specified in the Eighth Schedule of the Constitution of India (which includes Urdu, Tamil, Telugu, Sanskrit, Punjabi, Marathi, Hindi, Kannada, Bengali, Gujarati, Kashmiri, etc.).

5. Grievance Resolution

The proposed legislation aims to establish the Data Protection Board of India as a means to address concerns regarding personal data privacy. If companies using personal data fail to resolve complaints made by individuals, the Board will step in to handle the issue.

Those dissatisfied with the Board’s ruling can appeal to the telecom tribunal TDSAT and then to the apex court. Large online platforms will be required to appoint a Data Protection Officer to facilitate grievance and redressal procedures for their users. Additionally, these platforms must hire independent data auditors to assess their compliance with the DPDP Bill 2023.

6. Implication On Companies

Small and medium-sized companies may face challenges initially in complying with the new regulations, but data management support will be available to help them navigate the requirements effectively.

According to experts, most companies will be able to maintain their usual operations with only minor interruptions, but they will be held accountable for data security and privacy obligations.

Startups collecting data for research or tech development will receive additional protection. Tech-focused firms can shield trade secrets better, as accessing employee data for this purpose will be considered employee consent.

The penalty may extend to 250 crore rupees upon breach of the provisions.

7. Central Government and Authorities Exempted

The Bill clearly states that the Central Government, the Board, its chairperson, and any Member, officer, or employee cannot be sued, prosecuted, or face legal action for any actions taken in good faith under the provisions of this Act or the rules made under it.

This provision provides unrestricted powers to the government and lacks effective regulation of private firms handling data. It provides broad grounds for blocking information and services.

8. All Your Data Will Be Treated Equally

The absence of a distinction between sensitive and personal data in the Data Protection Bill can have significant implications for Indian citizens. All personal data will be treated equally under the Bill without differentiating between sensitive and non-sensitive data.

This means your personal information, like your email address adivtaxzw@gmail.com, and sensitive data, like your political opinions or religious views, will be treated similarly.

9. Threat To Your Privacy

In certain situations, personal data is exempt from the regulations laid out in this Act, for example, if the state processes data through designated entities for national security purposes. This provision is a significant threat to your privacy rather than a safeguard for it.

This section allows the government to invade people’s privacy and increase surveillance capabilities.

Several members of Parliament have raised concerns about the Bill’s violation of the right to privacy, unchecked government powers, and increased surveillance potential, leaving the privacy of 1.4 billion Indians at risk.

10. Present Status of the Bill

The DPDP Bill has been passed by both the Lok Sabha and the Rajya Sabha. It was then presented to the President of India for her approval, and was granted assent by President Droupadi Murmu on August 11.

Conclusion

The Digital Personal Data Protection Bill 2023 is perceived as safeguarding personal digital data in India. Some provisions hold companies accountable for misusing your data; however, the violation of privacy is deeply concerning.

As the Bill progresses through the legislative process, it will be crucial to address its privacy concerns. Experts are worried about people and their privacy.

“India’s new Bill is not the People’s Privacy Bill that it should be. Digital India urgently needs a robust, rights-respecting data protection law — not one that enables government-led invasions of privacy and the expanding of surveillance. Further, it obscures the right to information which is crucial for accountability from public officials. It’s a win-win, but only for the government and big tech,” said Raman Jit Singh Chima, Asia Pacific Policy Director At Access Now.
