IMPACT OF DPDPA ON IoT IN INDIA

Introduction:

The term Internet of Things (IoT) was first mentioned by Peter T. Lewis at an annual event where he explained that the IoT is the integration of technology with people through the process of connecting various devices and sensors which would enable remote monitoring, manipulating and evaluating the evolving trends of such devices. Such devices have been popularly recognized as smart objects. These smart objects range from home appliances, and wearable devices to complex industrial equipment machinery. Under the technology of IoT smart cities are envisioned as well. The IoT is based on several technologies which enable the operation of these smart devices. let’s read about IoT IN INDIA.

The basic technologies are sensors that stay at the heart of the devices which enable the devices to interact with the real-time environment. The sensors help the devices to run on the mechanism of automation. Additional technologies that are necessary for the working of devices are connectivity tech for the transfer of data among devices, cloud computation for storage, processing and analysis of such data which need to be further processed into simplified information using big data analytics tools. Such data when sensitive and at a large scale would require privacy and security technologies like encryption of data. With such advancements in technology, the application of IoT technology is widespread in industries like healthcare, manufacturing, retail, agriculture, transportation, military, infrastructure and digitalization of products. 

Scope of Internet of Things in the Indian landscape  

India has stepped into the stage with other nations in regulating data-related activities. The Digital Personal Data Protection Act, 2023 was introduced to govern the processing of digital personal data or non-digital data to be processed digitally. At its core, the legislation aims to establish a higher level of accountability for the companies and entities collecting, analyzing, and storing data within India. The Act’s scope extends beyond the borders which encompasses digital data processing activities abroad as well. Through this act, India fortifies its data protection measures. Since the IoT technology is based on the collection, transfer and storage of data including personal data, all such processing of data within India comes under the ambit of the DPDP Act, 2023.   

It has been estimated that investments in IoT in India were close to 5 Billion U.S Dollars in 2019 which had tripled to 15 Billion USD by 2021 across technology and service industries. Several applications of IoT technology are immensely trending in the Indian innovation market. With the help of IoT technology, cities are turning smart integrating advanced technologies in the utilization of the IoT data, which feature intelligent street lighting, monitoring of pollution, smart parking facilities, systematic waste management systems, pedestrian-friendly zones and smart homes that come with improved technology and infrastructure. Smart Factories have enhanced productivity due to automation and instant analysis of data. The factory operations have been streamlined hence improving the quality of output, identifying human errors that tend to be overlooked and reducing production time.

The healthcare sector in India is largely data-driven powered by IoT technology. The healthcare sector is backed by IoT devices which provide assistance in remote monitoring of patients and hence reduce the risks of fatalities. The nascent booming stages of AI largely process data from IoT devices for carrying out preparation of data, real-time tracking of location and predictive analysis. In the retail store sectors, smart retailing is where the managers of the store can now understand the behaviour of the customer along with efficiently managing the stock of the products. Furthermore, the common public uses smart devices like smartphones and watches which offer real-time health, location and financial monitoring which may send alerts to necessary authorities at times of distress. 

Challenges:

Technical Challenges 

Though the IoT technology has brought convenience among societies and economies but poses some serious security challenges. This is mainly because one chain of IoT depends on the functioning of the single source device. For instance, if the source device gets breached, then the entire security of the chain of IoT devices is compromised, which may lead to the breach of a wide network. Some of the identified challenges posed by the IoT tech-induced devices in India are:

• Weak authorizing systems and authenticating models
• Concerns about Data security and privacy among various networks
• Lack of sufficient testing and updating of the IoT devices and applications 
• Weak default passwords
• A significant rise in botnets which are mainly aimed at cryptocurrency
• Ai-based autonomous systems and tools
• Unreliable methods of detection of threats and unknown communication lines
• Phishing attacks on a smaller and larger scale
• Lack of storage, transfer and processing of data leading to its vulnerabilities 
• Geofencing and containerizing of sensitive enterprise-related information. 

The most probable challenge of IoT devices are the personal home and wearable devices which process personal data of the owners making them the most vulnerable of the lot. 

Regulatory Challenges 

The provisions of the DPDP Act, 2023 shall have a significant impact on smart devices. The act is aimed to provide the people (data principals) greater control over their data and how it may be used. Smart devices store data of their owners which is further processed to yield desired results. The companies that manufacture such devices must beforehand acquire consent with necessary details as explained under Section 6 of the Act.

For example, if you purchase a smartwatch to track your health, before processing your (data principal) personal data like heart rate, pulse rate and steps walked, the company brand (data fiduciary) must acquire your consent through a notice. Further, the company irrespective of any agreements drawn with the data principals must erase the data processed by the IoT devices upon the withdrawal of the consent by the data principals.

The IoT technology has been immensely beneficial to kids. Smart watches specifically designed for children enable GPS tracking allowing parents to monitor their child’s location and further setting up geo-fencing alerts It allows convenient communication with their parents and guardians, fitness and step trackers and also educational activities and games. With such applications, these smart watches constantly retrieve and process the personal data of the children.

Devices like smart speakers are voice-activated through personalized voice-recognition features. Latest toys like Lego Boost enable children to build and program their toys. As per Section 9 of the Act it is provided that a Data Fiduciary shall not undertake processing of personal data which could cause detrimental effects on the well-being of children further preventing any tracking or behavioral monitoring of children without verifiable consent from parents or a lawful guardian.

Similarly, any IoT device for assisting people with disability must obtain verifiable consent from their lawful guardians to obtain consent to process their data. Under the new Act as and when the Data Fiduciaries would transfer sensitive personal data cross-borders acquired using the IoT technology to any of the non-white-listed (by the Government) may be restricted through Central Government notifications.

Data Fiduciaries’ products which centrally function on the IoT technology when fail to prevent or report a sensitive personal data breach or adhere to compliances would be imposed with heavy fines which may affect the financial structure of the company overall. 

Conclusion:

Managing the growth of IoT technology comes with certain complexities mainly focusing on ensuring secure and safe collection, storage and processing of data. The new DPDP Act, 2023 aims to regulate the processing of personal data by all the existing and upcoming IoT-driven devices. By the introduction and implementation of this Act, the IoT devices no matter how advanced would be bound by stringent regulations and repercussions for to failure adhere to the same.