Introduction:
In an age where digital technology pervades nearly every aspect of our lives, the protection of personal data has become a paramount concern. Recognising the need for robust legislation to safeguard individual privacy rights, governments around the world have been enacting comprehensive data protection laws. One such milestone is India's Digital Personal Data Protection Act, 2023, a significant step forward in regulating the collection, storage and use of personal data in the digital sphere.
Understanding the Digital Personal Data Protection Act, 2023:
The Digital Personal Data Protection Act, 2023 (the DPDP Act), enacted in India in August 2023, establishes a framework for the processing of digital personal data, that is, personal data collected in digital form or collected in non-digital form and subsequently digitised. It replaces the limited protection previously offered by section 43A of the Information Technology Act, 2000 and the rules made under it with a dedicated statute, and it also reaches processing carried out outside India where that processing is connected with offering goods or services to individuals in India. Its provisions come into force on dates notified by the Central Government, so the obligations described below take effect in stages rather than all at once.
Key Provisions of the Act:
Definition of Personal Data: The Act defines personal data broadly as any data about an individual who is identifiable by or in relation to such data. Unlike the GDPR, it does not enumerate categories of data or create a separate class of "sensitive" personal data; all digital personal data is treated alike. The Act does not apply to personal data processed by an individual for personal or domestic purposes, nor to personal data that the Data Principal has made publicly available or that is made publicly available under a legal obligation.
The Act also defines the three roles involved in processing:
(i) the Data Principal, the individual to whom the personal data relates (for a child, this includes the parent or lawful guardian; for a person with disability, the lawful guardian acting on her behalf);
(ii) the Data Fiduciary, any person who alone or with others determines the purpose and means of processing; and
(iii) the Data Processor, any person who processes personal data on behalf of a Data Fiduciary.
Consent Requirements: The Act's default lawful basis for processing is consent. Under section 6, consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and it authorises processing only for the purpose specified. The only other ground is the list of "certain legitimate uses" in section 7, for example data the Data Principal has voluntarily provided for a specified purpose, or processing required by law. A Data Fiduciary must therefore either obtain consent before processing personal data, clearly communicating the purpose for which it will be used, or be able to point to one of those legitimate uses.
Every request for consent made to a Data Principal under the Act must be accompanied or preceded by a notice from the Data Fiduciary informing her of (i) the personal data to be processed and the purpose of the processing; (ii) the manner in which she may withdraw consent, exercise her rights and raise grievances under the Act; and (iii) the manner in which she may make a complaint to the Data Protection Board of India established under the Act.
This notice must also be given, as soon as reasonably practicable, where the Data Principal gave consent before the Act commenced. In that case the Data Fiduciary may continue processing until and unless the Data Principal withdraws her consent.
Data Minimisation and Purpose Limitation: Consent extends only to the personal data that is necessary for the specified purpose, so a Data Fiduciary may not rely on a broad consent to collect data unrelated to that purpose, and personal data may not be retained once the purpose is no longer being served.
The Act's own illustration of this rule: X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since the phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.
Any consent sought by the Data Fiduciary and given by the Data Principal which infringes the provisions of the Act, the rules made under it or any other law in force is invalid to the extent of that infringement; the remainder of the consent stands.
For example – X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives Y her consent for (i) the processing of her personal data by Y for the purpose of issuing the policy, and (ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of the consent, relating to the waiver of her right to file a complaint, is invalid, while part (i) remains effective.
Withdrawal of Consent: The Act recognises the right of a Data Principal to withdraw consent at any time. The ease of withdrawing consent must be comparable to the ease with which it was given, so a Data Fiduciary cannot make withdrawal a more onerous process than sign-up. The Act also provides that the consequences of withdrawal are to be borne by the Data Principal: if a service cannot be delivered without the withdrawn processing, the Data Fiduciary may stop providing it.
For example – X, an individual, is the user of an online shopping app or website operated by Y, an e-commerce service provider. X consents to the processing of her personal data by Y for the purpose of fulfilling her supply order and places an order for supply of a good while making payment for the same. If X withdraws her consent, Y may stop enabling X to use the app or website for placing orders, but may not stop the processing for supply of the goods already ordered and paid for by X.
The Act clarifies that withdrawal of consent does not retrospectively invalidate processing that took place before the withdrawal. Any processing carried out on the basis of the Data Principal's consent prior to withdrawal remains lawful; what the Data Fiduciary must do is cease further processing, within a reasonable time, and cause its Data Processors to do the same.
Data Security Measures: The Act requires a Data Fiduciary to implement reasonable security safeguards to prevent a personal data breach, which the Act defines as any unauthorised processing or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises its confidentiality, integrity or availability. The Act itself does not prescribe specific controls such as encryption or access control; those are left to the rules made under it. In the event of a breach, the Data Fiduciary must notify both the Data Protection Board and each affected Data Principal. The appointment of a Data Protection Officer, along with data protection impact assessments and periodic audits, is an obligation only of "Significant Data Fiduciaries" notified by the Central Government, not of every organisation handling personal data.
Further, a Data Fiduciary may engage a Data Processor to process personal data on its behalf only under a valid contract, and it remains responsible for compliance with the Act in respect of any processing carried out by that processor. The contract is the mechanism through which the Fiduciary imposes the security safeguards and erasure obligations it must itself meet; the Act does not recognise the GDPR-style mechanisms of binding corporate rules or recognised frameworks as substitutes.
Deletion of Personal Data: The Act sets out the obligations of a Data Fiduciary regarding the erasure of personal data. Unless retention is necessary for compliance with a law in force, the Data Fiduciary must erase personal data when the Data Principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier. The Data Fiduciary must also cause any Data Processor it has engaged to erase the personal data provided to it for processing.
The Act's own illustration: X, an individual, registers on an online marketplace operated by Y, an e-commerce service provider, and gives her consent to Y for the processing of her personal data for selling her used car. The online marketplace helps conclude the sale. Once the sale is concluded the specified purpose has been served, and Y shall no longer retain her personal data.
Conclusion:
The Digital Personal Data Protection Act, 2023 represents a significant milestone in the effort to safeguard personal data in an increasingly digitised world. By establishing clear rights for Data Principals and clear obligations for Data Fiduciaries and their Data Processors, the Act seeks to balance innovation against the protection of individual privacy. Much of its detail, including the specific security safeguards expected, the form of notices and the procedure for breach notification, is left to the rules made under it and to the dates on which its provisions are brought into force, so organisations processing personal data of individuals in India should track those rules as closely as the Act itself.