This article has been written by Nandan Rathi, a 5th year law student at Hidayatullah National Law University.
Abstract-
Personal data is the essential information belonging to an individual, entity, or business. Such data is at risk of being targeted or misused. In a technologically advanced era, there is a need for proper laws to govern personal data in the digital realm. The Government has taken the necessary steps to protect personal data. The Digital Personal Data Protection (DPDP) Act, enacted in August 2023, marks a significant step toward safeguarding personal data. This law introduces comprehensive guidelines, definitions, and penalties aimed at enhancing data privacy. For corporations, the DPDP Act establishes clear obligations for handling personal data, emphasizing compliance and accountability. This article explores the Act's key provisions and its impact on business practices in India, outlining both the opportunities and the challenges in its implementation.
Key Words- Personal Data, Privacy, Data Fiduciary, Technology, Digital Personal Data
INTRODUCTION-
With the evolution of technology, people's lives have become increasingly social. It is now a fact that people have greater access to technology, which has brought both benefits and adversities. People nowadays upload almost every aspect of their lives on social media. This has created a risk of being targeted and a threat to the privacy of individuals. There was a time when no laws, rules, or regulations governed privacy in India. Growing incidents of privacy violation underscored the urgent need for data protection laws.
Evolution of Laws on Privacy-
Right to Privacy Judgment-
Justice K.S. Puttaswamy vs Union of India, 2017[1] was a watershed moment in Indian law on the right to privacy. "The Supreme Court recognized the right to privacy as a Fundamental Right under Article 21 of the Constitution".
Next come the legislative efforts taken by the government to counter privacy threats, ranging from the formation of committees to the passing of various Acts.
Srikrishna Committee-
After the Puttaswamy judgment, the government constituted the "Justice B.N. Srikrishna Committee to draft a comprehensive data protection framework. The committee submitted its report and bill in 2018. The recommendations of this bill led to the formation of the 2019 Bill"[2].
The bill recommended strong data privacy rights for individuals and strict obligations on data fiduciaries.
The Data Protection Bill, 2019-
The government introduced the bill in response to concerns about privacy and the need to regulate personal data. Several legal and technological developments emphasized personal data protection and the need for a comprehensive legal framework.
Factors that contributed to the drafting of the bill-
Rapid Digital Usage-
India was experiencing rapid digital transformation. The usage of digital platforms, social media, e-commerce, and financial technologies created the need to define how digital data is protected.
Major Shortcomings of the Bill-
Once the bill was introduced in Parliament for discussion, it underwent considerable scrutiny. Many amendments were suggested to address its critical shortcomings-
- The bill granted the government excessive and broad discretionary powers, raising concerns about mass surveillance by the government.
- The bill imposed strict data localization requirements, with certain sensitive data to be stored in India only.
- The bill provided for the setting up of a Data Protection Authority. However, it was controlled by the government and thus lacked independence.
- The bill focused mainly on personal data, overlooking the protection of non-personal data.
- The bill identified social media platforms (like Facebook and Twitter) as intermediaries and placed restrictions on them.
- The bill gave no clear definition of "Critical Personal Data"; it did not properly define what constitutes critical data.
- The bill granted several rights to data principals (individuals whose data is processed) but failed to give users the means to exercise these rights effectively.
- Stringent rules burdened newly established startups and hampered innovation.
- The bill lacked provisions to compensate individuals whose data privacy rights were violated.
Global Data Protection Trends-
In 2018, the European Union adopted the General Data Protection Regulation [GDPR], setting a global standard for data privacy. India lacked adequate laws to govern cross-border data flows and compliance with international standards.
Ethical Concerns over Data Misuse and Breaches-
Across the world, major privacy scandals like the Facebook-Cambridge Analytica scandal[3] and increasing cybercrime activities underscored the need for laws protecting people.
PERSONAL DATA PROTECTION BILL, 2022
The 2019 bill met with severe criticism. It was the first attempt by the government to regulate the personal data and privacy of individuals. To overcome the shortcomings of the previous bill, the government introduced "The Personal Data Protection Bill, also called the Digital Personal Data Protection Bill 2022".
“This bill aimed at regulating the processing of personal data, protecting individual privacy, and setting up a framework for entities handling personal data”[4]. Here are the key features of the bill-
Definition of Personal Data-
"The Bill defines personal data as any information that identifies an individual directly or indirectly"[5]. It also differentiates between personal data and sensitive personal data. Sensitive personal data includes health, financial, and biometric information.
Data Fiduciary and Data Principal-
"The Data Principal is the person whose data is processed. A Data Fiduciary is an entity or individual responsible for determining the means and purpose of processing data"[6].
Let's understand these terms with an example. Instagram would be a Data Fiduciary, as it collects and processes personal data from millions of users, such as profile information, photos, and browsing activity. As a Data Fiduciary, Instagram is legally bound to handle this data responsibly, ensuring that users' information is secure, used fairly, and accessible to the users themselves if they want to manage or delete it.
Similarly, each user is a Data Principal, as they own their profile information and other data they share on the platform. Users (Data Principals) have the right to control their data, such as deciding who can see their posts, requesting data deletion, or downloading their data from the platform.
Consent-Based Processing-
Data fiduciaries are under an obligation to obtain clear, informed, and specific consent from the data principal. Certain guidelines are to be followed for withdrawing consent.
Purpose Limitation and Data Minimization-
Data fiduciaries may collect only such information as is necessary for the stated purpose, after obtaining consent. Only essential and relevant data must be collected.
Example- When a clothing retailer collects customer details for online orders, it asks only for necessary data, like the shipping address and payment information, and not for irrelevant details like marital status or education level. This minimizes data storage and reduces the risks related to excessive data collection, in line with privacy-by-design principles.
Data Localization-
Unlike the previous bill, this bill allowed cross-border data transfers, subject to certain restrictions. Certain sensitive data would have to be stored in India.
Rights of Data Principal-
- "Right to Access their personal information
- Right to Correction of their data
- Right to Data Portability"[7] (in specific cases)
Data Portability is the right of individuals to transfer their data from one service provider to another in a readable format, enhancing control and flexibility.
Example- If a user decides to switch from Spotify to Apple Music, they can request Spotify to provide their playlists, listening history, and other relevant data in a standard format. This makes it easy for the user to take their data and start afresh on Apple Music without losing any preferences or curated content.
The bill also placed certain obligations on data fiduciaries.
The bill introduced the category of Significant Data Fiduciaries: organizations whose data processing activities involve large volumes of data or sensitive data, which attract additional obligations.
The bill also mandated the setting up of a Data Protection Board to oversee the entire process.
Criticisms-
- Excessive government exemptions (Broad discretionary powers)
- Weak Data Localization Requirements
- No Independence of Data Protection Board
- Ambiguity in the definition of Sensitive Data
- Inadequate User Control and Consent Mechanism
- Absence of Data Anonymization Safeguards
- Less emphasis on Non-Personal Data
DIGITAL PERSONAL DATA PROTECTION ACT, 2023
Object and Applicability of Act-
- "The primary object of the Act is to establish a comprehensive framework for the protection and processing of personal data.
- The Act shall apply to the processing of personal data in India, both online and digitized offline data"[8].
- "The Act also lays the foundation of the Digital India Act and other industry-specific laws relating to data privacy.
- The Act is the first in India to use she/her pronouns while referring to individuals.
- The Act will also aid businesses in enhancing collaboration with other industries located internationally and protect their data"[9].
Key Definitions and Features-
Steps involved in the processing of data-
Processing means performing a “set of operations wholly or partially automated on digital personal Data. It includes collection, storage, indexing, sharing, use, disclosure, and erasure”[10].
Consent-
Section 6 deals with consent. Personal data will only be processed for specific purposes after obtaining permission from the data principal. Section 5 provides that a notice must be given before obtaining consent. Such consent must be "free, specific, informed, unconditional, and unambiguous with affirmative action". Further, the person who has given consent can withdraw it at any time.
Rights of Data Principal-
"Sections 12 to 14 give certain rights to the data principal-
- Obtain information about processing
- Seek correction and erasure of personal data
- Nominate another person to exercise rights in case of death
- Seek grievance redressal
Section 15 outlines certain duties of data principals, who are under an obligation NOT to
- Register a false or frivolous complaint
- Suppress any material information
- Furnish any false particulars or impersonate in specified cases"[11].
Data Fiduciary Responsibilities-
"As per section 8, the data fiduciary must
- Process only such data for which consent has been given, and for legitimate use only
- Ensure the accuracy and completeness of data
- Take necessary measures to protect the personal data in its possession
Section 16 of the Act allows extraterritorial processing and transfer of data, except to restricted countries.
Illustration-
Consider an employer (a corporation) and an employee. In this relationship, the corporation acts as the Data Fiduciary since it collects and manages the employee’s personal data, like salary information, contact details, and health benefits records. The employee is the Data Principal and, under the DPDP Act, has rights to ensure that their personal information is handled securely and used only for legitimate, disclosed purposes, such as processing payroll.
Role of the Data Protection Board of India-
Sections 27 and 28 lay down the roles and duties of the Board-
- Direct urgent remedial measures in case of a breach of personal data
- Inquire into such a breach
- Impose penalties as per the Act"[12]
Penalties-
If companies are found not to comply with the rules established by the Act, hefty penalties will be imposed-
- "INR 200 crore for non-compliance with obligations related to children
- INR 250 crore for failure to take security measures to prevent data breaches under section 8(5)
- INR 200 crore for failure to give notice of a personal data breach to the Board or the Data Principal as per section 8(6)"[13]
Section 33 provides for penalties to be imposed by the board after completing the inquiry.
Appeals-
If not satisfied with the decision, the company can appeal in “the Telecommunications Dispute Settlement and Appellate Tribunal (TDSAT) within 60 days” of the Board’s decision.
Comparison of DPDP Act with GDPR-
Consent-
GDPR- Consent must be specific, informed, and freely given, with clear opt-in mechanisms. Users have broad rights to withdraw consent.
DPDP- Similar emphasis on consent but allows for “deemed consent” in specific cases, where explicit consent isn’t always required. This is slightly more flexible compared to GDPR.
Data Localization-
GDPR- No strict data localization requirement. However, transfers outside the EU are restricted and permitted only to countries with adequate data protection.
DPDP- Mandates that sensitive data can be transferred to approved countries only, with specific rules around data sharing abroad. This reflects India’s focus on maintaining control over data.
Penalties-
GDPR- Severe penalties for non-compliance, up to €20 million or 4% of global turnover, whichever is higher.
DPDP- INR 250 crore (around €30 million) per violation, depending on severity. This puts DPDP penalties on par with international standards.
The DPDP Act aligns with GDPR on core principles like consent and penalties but introduces unique elements, such as data localization to balance privacy with national interests. It offers greater flexibility in certain contexts, making it suited to India’s regulatory landscape.
IMPACT OF THE DPDP ACT ON THE CORPORATE WORLD AND BUSINESSES
The DPDP Act will significantly impact the corporate world and businesses in India. The Act introduces stringent rules on "the collection, storage, and processing" of personal data. The rules are on par with global frameworks, and the Act brings a new set of challenges that companies will have to navigate.
Stricter Compliance Obligation-
Companies that handle personal data are required to adhere to strict consent requirements for data collection and ensure transparency, accountability, and responsibility in how they handle information.
Significant Data Fiduciary Obligations-
Large organizations will face more challenges. They will have to “appoint a Data Protection Officer, conduct a data protection impact assessment”, and ensure monitoring of data processing activities.
Challenges in Cross-Border Data Transfer-
The Act restricts data transfer to certain countries. This could affect companies whose business relies upon global data operations.
Data Breach Reporting-
Companies have to inform the Data Protection Board of any data breaches, which requires investment in breach detection and remediation.
Excessive Penalties and Fines-
The Act imposes strict fines on companies ranging from INR 200 to 250 crore. This can create financial difficulties for companies. Non-compliance with the DPDP Act poses significant financial risks, especially for small and mid-sized enterprises (SMEs). Non-compliance further leads to-
Reputational Damage: Data breaches due to non-compliance harm trust, potentially causing customer loss and affecting future business.
Operational Disruptions: Remediation costs, such as enhanced security measures post-breach or legal fees, add unplanned expenses, diverting resources from core operations.
Loss of Market Access: Non-compliance might prevent SMEs from collaborating with larger, compliant businesses, limiting growth opportunities.
Sector-Specific Challenges-
FINANCE: The financial industry handles highly sensitive personal and financial information, making data protection critical.
Challenges-
Data Localization: Banks rely on cross-border data for fraud detection, but localization requirements may restrict data flows.
Consent Complexity: Managing consent across multiple services (loans, credit scores) can complicate data processing.
Audits and Compliance Costs: Frequent audits and data security measures increase expenses, particularly for smaller financial institutions.
E-COMMERCE-
E-commerce platforms collect a wide array of personal data, including preferences, shopping habits, payment information, and delivery addresses.
Challenges-
Data Minimization: Limiting data collection may impact personalization and customer insights.
Data Portability: Allowing users to transfer data to other platforms poses technological challenges.
Third-Party Compliance: Ensuring marketplace sellers also adhere to data protection rules adds oversight burdens.
HEALTHCARE- The healthcare industry processes particularly sensitive data, including medical histories, diagnoses, and genetic information, requiring strict privacy controls.
Consent for Sensitive Data: Managing consent for health data, especially for secondary uses, is complex.
Data Security: Protecting sensitive medical records demands advanced security, as breaches carry high penalties.
Interoperability: Enabling data portability across fragmented health systems is technically challenging.
Probable Challenges in Implementing Rules-
Unclear and Vague Provisions-
Many provisions of the Act are open to broad interpretation. For example, the "public interest and national security" ground for data processing exemptions is vague. This creates confusion in compliance.
High Costs of Compliance-
Small companies and startups will face huge challenges in implementing requirements like data audits, security systems, and the hiring of Data Protection Officers (DPOs).
Complex Cross-border Data Flow-
Businesses must be informed about which countries they can share their data with. The absence of a clear list of the countries to which transfers are restricted could impact companies.
Lack of Data Protection Expertise-
Most Indian companies have yet to be made aware of the rules. Further, the Act requires expert supervision of compliance with its guidelines. A lack of trained personnel may make it difficult to implement the necessary changes.
Overlap with Provisions of Other Laws-
The provisions of the DPDP Act appear to overlap with those of the Information Technology Act. This has led to legal ambiguities and regulatory confusion for businesses.
Lack of resources-
Small and newly set up businesses lack the proper resources or understanding of how to implement these data protection practices.
How companies can overcome these problems-
Invest in Compliance Infrastructure-
Companies should invest in data protection technologies such as encryption, anonymization, and secure data storage to ensure compliance. While companies will have to spend a considerable amount of money, this investment will help them in the long run and let them avoid hefty penalties. Large companies with the resources can set up a dedicated data compliance team.
Training Awareness Programs-
Conducting regular training programs for employees in the organization will be fruitful. Educating employees about data protection principles, the importance of consent, and how to handle personal data will help reduce compliance risk. Appointing a DPO will further help ease the process.
Solutions for Handling of Cross-Border Data-
To handle cross-border data, companies are advised to use cloud storage and processing services that ensure their operations are secure and meet India's adequacy standards. Companies could also build data localization solutions if their operations rely heavily on sensitive data.
Conducting Audit for Data Protection-
Businesses will now have to conduct regular data audits to assess the types of data they collect and ensure that only necessary data is retained.
Collaboration with Industry Leaders and Seeking Legal Help-
Companies should willingly seek to collaborate with industry leaders like FICCI or NASSCOM. They can provide vital resources and guidelines for compliance with the DPDP Act.
Companies can also actively seek legal assistance whenever necessary for proper compliance with legal rules.
Incorporate Best Global Standards-
Companies should adopt best global practices like those established under the GDPR to ensure that they stay updated with data protection laws across multiple jurisdictions. This approach will be beneficial for companies having more cross-border data.
Measures that can make the DPDP Act more Accessible and Easier to Implement-
Clear Definitions and Guidelines-
The government should issue detailed guidelines and clarify ambiguous terms. Certain definitions, such as "critical personal data, national interest, and adequacy standard" for cross-border transfers, require modification.
Critical Personal Data is a category of personal data deemed highly sensitive by the government, usually related to national security, financial stability, or other essential interests. Such data may include national defence information or critical infrastructure details, and it may be subject to strict localization requirements.
The Adequacy Standard is a benchmark used to determine whether a foreign country’s data protection laws offer a level of privacy protection equivalent to that of the originating country.
Gradual Implementation of Rules-
This law would be better implemented in a phased manner. This would allow businesses, especially SMEs, enough time to make the necessary changes as per the regulatory requirements. Strict timelines will make things more complicated for companies.
Government Awareness Campaign-
A nationwide governmental initiative would enhance corporate awareness of the DPDP Act. This would also include developing resources, manuals, and workshops to help companies apply and comply with the new law.
SME Support Programs-
Offering tax benefits, financial support, or grants to SMEs will help companies to invest in data protection infrastructure.
Simplified Reporting and Compliance Tools-
Creating automated reporting systems and compliance tools could simplify the process of legal compliance. This would help businesses, especially startups, streamline their operations.
Coordinating with Existing Regulatory System-
Harmonizing the Act with other laws will reduce confusion and the prevailing regulatory overlaps for companies.
Conclusion-
The Digital Personal Data Protection Act, 2023 is a landmark law that transforms how businesses in India handle personal data. The law is not without challenges, as companies will have to comply strictly with the Act. Further, companies have to invest in infrastructure, data protection training, and legal counsel. To ensure smooth adoption, clearer guidelines, phased implementation, and government support will be crucial. With the right resources and clear guidelines, companies can overcome the challenges posed by the law.
Future developments in Indian data privacy law, especially the DPDP Act, are likely to focus on enhancing clarity, flexibility, and enforcement. Corporations may push for more precise guidelines on consent and data minimization to streamline compliance, possibly leading to clearer rules. The government may refine localization requirements based on industry feedback, balancing national security with global business needs.
As data privacy awareness grows, there may be demand for stronger enforcement frameworks. Based on feedback from companies engaged in international trade, the DPDP Act’s list of approved countries for data transfers may expand, facilitating smoother global data flows.
[1] K.S. Puttaswamy vs Union of India, AIR 2018 SC (SUPP) 1841.
[2] Gardhouse, K. (2023). India Privacy Bill and Understand the Impact of GDPR. [online] Private AI. Available at: https://www.private-ai.com/en/2023/08/21/indias-privacy-bill-gdpr/ [Accessed 16 Oct. 2024].
[3] Confessore, N. (2018). Cambridge Analytica and Facebook: The Scandal and the Fallout So Far. The New York Times. [online] 4 Apr. Available at: https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html.
[4] Athavale, V. (2020). The Study of Right to Privacy with Reference to Information Technology Act, 2000 – ProQuest. [online] Proquest.com. Available at: https://www.proquest.com/docview/2559685352 [Accessed 16 Oct. 2024].
[5] Supra note 3
[6] Drishti IAS. (2022). Digital Personal Data Protection Bill 2022. [online] Available at: https://www.drishtiias.com/daily-updates/daily-news-analysis/digital-personal-data-protection-bill-2022.
[7] Obhan, A. and Dua, A. (2022). Understanding The Digital Personal Data Protection Bill, 2022 – Data Protection – Privacy – India. [online] Mondaq.com. Available at: https://www.mondaq.com/india/data-protection/1254446/understanding-the-digital-personal-data-protection-bill-2022 [Accessed 16 Oct. 2024].
[8] Choudhary, A. and Gupta, V. (2024). Guardians of Privacy: Demystifying Gaps in the Digital Data Protection Act 2023 – NLIU-CLT. [online] Nliu.ac.in. Available at: https://clt.nliu.ac.in/?p=961 [Accessed 16 Oct. 2024].
[9] Kapadia, I.A. (2023). Digital Personal Data Protection Act, 2023 – A Brief Analysis. [online] Bar and Bench – Indian Legal news. Available at: https://www.barandbench.com/law-firms/view-point/digital-personal-data-protection-act-2023-a-brief-analysis.
[10] Ibid.
[11] Suresh, A. and Magesh, A. (2023). Rights And Duties Of Data Principals Under The Digital Personal Data Protection Act, 2023 – Data Protection – Privacy – India. [online] Mondaq.com. Available at: https://www.mondaq.com/india/data-protection/1528818/rights-and-duties-of-data-principals-under-the-digital-personal-data-protection-act-2023 [Accessed 16 Oct. 2024].
[12] Ibid.
[13] PRS Legislative Research (2023). The Digital Personal Data Protection Bill, 2023. [online] PRS Legislative Research. Available at: https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023.