The Digital Personal Data Protection Act of 2023: Guarding Digital Privacy
Written by K.Sowndarya
Table of Contents
- Introduction:
- Objective of Data Protection Law:
- Entities:
- Consent Of Data Principal
- Data Protection Bill amending the RTI:
- Conclusion:
Introduction:
The Digital Personal Data Protection Bill, 2023 was adopted in Parliament six years after Justice Puttaswamy v. Union of India[1], a landmark case in which the Supreme Court ruled that the ‘right to privacy’ includes the ‘right to life’, which is the ‘right to informational privacy’. The judgment recognised both the negative and the positive content of the right to privacy: the State was not only restrained from committing an intrusion upon the right but was also obligated to take necessary measures to protect the privacy of an individual. The judgment held informational privacy to be a part of the right to privacy[2].
The restriction is negative in the sense that it limits the power of the State in terms of what it may want to rule, but it is also a positive obligation in that the State must bring out legislation, which is one of the primary methods by which rights can be protected. This protection of ‘informational privacy’ is the essential part of the DPDP Act, 2023. The DPDP Act aims to recognise the rights of individuals pertaining to the protection of their personal data in digital form, or in non-digital form which is subsequently digitised, and the usage of such personal data of individuals by any other person for lawful purposes[3].
Objective of Data Protection Law:
The primary objective of any data protection law is to prevent the misuse of personal data, including financial fraud. However, in order to achieve this objective, it is crucial that the government’s discretionary powers are limited, and the law ensures transparency, accountability, and protection of citizens’ privacy[4].
Entities:
“Data Principal” means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with a disability, includes her lawful guardian, acting on her behalf;
“Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing personal data;
“Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;
“Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;
“personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data;
Consent Of Data Principal
Consent means that a person is put on notice, told why the procedure is being done, and given the choice to examine it.
Section 6: The consent obtained from the Data Principal ought to be:
- Free
- Specific
- Informed
- Unconditional
- Unambiguous
The Data Principal’s consent ought to signify an agreement to the processing of their personal data for a specific purpose and the use of such personal data must be limited to the specified purpose.
The request for obtaining the consent of the Data Principal for processing their personal data must be presented to them in clear and plain language. The Data Principal should be able to access such requests in English or any other language contained in Schedule 8 of the Constitution of India.
Section 9: In order to process the personal data of a child, the Data Fiduciary ought to obtain the consent of the lawful guardian of the child. The Data Fiduciary should not process any personal data that is likely to have a detrimental effect on the well-being of the child, and should not undertake tracking or behavioural monitoring of children or targeted advertising directed at children[5].
No consent will be required under Section 7:
(g) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;
(i) for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.
Consent: Personal data may be processed only for a lawful purpose after obtaining the consent of the individual. A notice must be given before seeking consent. The notice should contain details about the personal data to be collected and the purpose of processing. Consent may be withdrawn at any point in time. Consent will not be required for ‘legitimate uses’ including: (i) specified purpose for which data has been provided by an individual voluntarily, (ii) provision of benefit or service by the government, (iii) medical emergency, and (iv) employment. For individuals below 18 years of age, consent will be provided by the parent or the legal guardian[6].
We have never seen the objectifying fact that this DPDP Act does not impose duties in terms of penal action for breaches of Data Principals, who are the ordinary people sought to be protected by this law.
Rights and duties of data principal: An individual, whose data is being processed (data principal), will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal. Data principals will have certain duties. They must not: (i) register a false or frivolous complaint, and (ii) furnish any false particulars or impersonate another person in specified cases. Violation of duties will be punishable with a penalty of up to Rs 10,000.
Data Protection Bill amending the RTI:
The Data Protection Bill of 2022 includes a provision that seeks to amend the Right to Information (RTI) Act in India.
The RTI Act has been essential in empowering Indian citizens by providing them access to information since its enactment in 2005.
Access to information is crucial for holding governments accountable in a democracy and is especially beneficial for the poor and marginalised sections of society. The disclosure of personal data has been deemed necessary for public scrutiny and transparency.
Additionally, democracies routinely disclose voters’ lists with personal data to prevent electoral fraud. Furthermore, the use of the RTI Act has shown that access to relevant and granular information is essential for citizens, especially those who rely on government schemes and welfare programs[7].
Conclusion:
The Digital Personal Data Protection Act, 2023 lays down procedures to process personal data in a lawful manner and thereby empowers and protects the rights of Data Principals. Factors such as accountability, transparency, data minimisation, fairness, accuracy, and lawful processing of personal data have been reflected in the DPDP Act. It addresses Data Principals as ‘she/her’, which is unseen in any Indian law to date and sets the tone in a new light[8].
[1] Justice K.S. Puttaswamy (Retd) v. Union of India and Ors., 24 August 2017.
[2] https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-ors-vs-union-of-india-ors.
[3] https://www.mondaq.com/india/data-protection/1358896/overview-of-the-digital-personal-data-protection-act-2023#:~:text=The%20DPDP%20Act%20aims%20to,other%20person%20for%20lawful%20purposes.
[4] https://www.studyiq.com/articles/the-dangers-in-the-digital-personal-data-protection-bill/#:~:text=In%20summary%2C%20the%20article%20is,companies%20in%20its%20drafting%20process.
[5] https://www.mondaq.com/india/data-protection/1358896/overview-of-the-digital-personal-data-protection-act-2023#:~:text=The%20DPDP%20Act%20aims%20to,other%20person%20for%20lawful%20purposes.
[6] https://prsindia.org/files/bills_acts/bills_parliament/2023/Summary_Digital_Personal_Data_Protection_Bill_2023.pdf.
[7] https://www.studyiq.com/articles/the-dangers-in-the-digital-personal-data-protection-bill/#:~:text=In%20summary%2C%20the%20article%20is,companies%20in%20its%20drafting%20process.
[8] https://kpmg.com/in/en/home/insights/2023/08/decoding-digital-personal-data-protection-act-2023.html.