The DPDP Act 2023: Why We Needed a Data Privacy Law?

Introduction

India has needed a standalone comprehensive privacy framework for the longest time. The wait is over now with the enactment of the Digital Personal Data Protection Act. The Right to privacy and formulation of privacy framework in the Indian context have evolved over a longer period and underwent several changes in contrast to other Jurisdictions. Indian Courts had a considerable role in reading the Rights as part of Article 21 of the Constitution of India. Now the legislature has also finally complemented the courts with a law that intends to balance the need for privacy protection with the importance of data processing.

Also, read DPDP v. GDPR.

Right to Privacy in India

The Courts in India developed and led the regime for privacy rights. The concept of the right to privacy in India being a fundamental right was initially opposed by the Supreme Court. There is no basic right to privacy, the Supreme Court of India declared in the 1962 case of Kharak Singh v. State of Uttar Pradesh ((1964) 1 SCR 332). Later, in Justice K.S. Puttaswamy (Retd.) vs. Union of India & Ors. Judgement (2017) 10 SCC, the Supreme Court of India reversed the 1962 decision. 1. The Puttaswamy ruling recognised the Indian Constitution’s Article 21’s Fundamental Right to Privacy.

Need for a Data Privacy Law in India

A remarkable amount of data is available in India. India is expected to have 1 billion smartphone users by 2026. By 2025, Approximately 1 billion individuals in India will have access to the Internet. India continues to be the main growth market for social media goliaths, who get their value from the data they collect. It boasts several domestic unicorns in the e-commerce, fintech, and edu-tech sectors.

The necessity to safeguard citizens’ private information and make data usage clear is urgent, given the rise of digital platforms. India consistently experiences one of the highest rates of data breaches, and both private and public websites are affected. Since 2004, there have reportedly been 962.7 million data items leaked, principally names and phone numbers, affecting an estimated 18 of every 100 Indians. A recent data breach exposed over 28 crore Indian citizens’ online EPFO (Employees’ Provident Fund Organisation) registration information. 

According to IBM’s 2023 report on the Cost of a Data Breach, the average total cost of a breach is now around 4.45 Million USD. Further, this cost even increases by USD 470,000 in cases where law enforcement was not involved. This reflects the importance of the State’s regulatory intervention and laws to sustain and facilitate the data-driven economy.

Tracing the History of this Act

Over a decade has passed as numerous drafts and committees have been formed to develop a comprehensive data protection law in India. The procedure began in 2011 when the Ministry of Personnel, Public Grievances, and Pensions started working on earlier drafts of a Privacy Bill. These early drafts covered parts of both data privacy and surveillance reform, but they didn’t move past this point. The release of a comprehensive study on global and domestic privacy standards by the Expert Committee on Privacy, headed by Justice A.P. Shah and working under the former Planning Commission, on 12th October 2012, marked a significant turning point in 2012. 

On 16 December 2021, the Joint Committee on the Personal Data Protection Bill 2019 released its findings after over two years and numerous extensions. A new version of the law known as “The Data Protection Bill, 2021” (DBP, 2021) was also included in the report.

Another twist came in formulating India’s Data privacy law when the IT minister announced the withdrawal of the 2021 Data Privacy Bill. The release of the Draft Digital Personal Data Protection Bill, 2022 (DPDPB, 2022), for public comment in November 2022 followed this

The 2023 version of this Bill was made public on 27^th July 2023. Subsequent to that, it was introduced and approved in Both houses of the Indian Parliament by 9^th August. This Bill was enacted into law on 12th August after it received Presidential Assent and got notified in the Gazette.

DPDP Act, 2023: A Step in the Right Direction?

The following aspects of this Act reflect how it is a good starting point for India to enter the privacy regulation realm:

Obligations of Data Fiduciaries:

Data fiduciaries are required to comply with the following obligations: (i) make reasonable efforts to ensure the accuracy and completeness of the data; (ii) put in place reasonable security safeguards to prevent a data breach; (iii) notify the Data Protection Board of India and any affected individuals in the event of a breach; and (iv) erase personal data as soon as the purpose has been achieved and retention is no longer required for legal purposes.  The Right of the data principal to erasure and storage restrictions does not extend to government organisations.

Rights and obligations of Data Principals:

The “data principal,” or the person whose data is being processed, possesses the following rights: (i) the right to access information about the processing; (ii) the right to delete personal data; (iii) the right to designate a substitute for themselves to exercise rights in the event of death or incapacity; and (iv) the right to grievance redressal. The obligations of data principals include refraining from: (i) filing a fictitious or baseless complaint; (ii) providing any false information; or (iii) impersonating another individual in certain circumstances. Duty violations are penalised by fines of up to INR 10,000.

Centralised Regulatory Authority: Data Protection Board of India

The effective execution of the Indian privacy framework depends on the Data Protection Board (DPB). It carries out a number of significant tasks, including as keeping track of how well data fiduciaries, consent managers, and intermediaries abide by local laws and enforcing penalties when they don’t. The DPB prioritises using digital processes while conducting investigations and making decisions. It adheres to the ideas of natural justice. According to the Code of Civil Procedure, 1908, it has authority comparable to a Civil Court.

Penalties:

The Act empowers the DPB to impose penalties based on its Schedule. The Bill imposes punishments for certain Data Fiduciaries’ transgressions. Failure to implement adequate security safeguards may result in a penalty of up to Rs. 250 crores if it breaches personal data. Failure to notify the Board and the impacted Data Principals of a violation and failure to comply with additional obligations about Children may result in a punishment of up to 200 Crores. Significant Data Fiduciaries may also be fined up to Rs. 150 crores for breaching their obligations. If Data Principals break Section 15’s rules, they might be fined up to Rs 10,000. Penalties under Section 32 apply to any voluntary commitment the Board has agreed to.

Also read DPDP Bill, 2023: What Changed from its 2022 Version.

Conclusion

The DPDP Act is a huge milestone in the Indian Data Privacy regime. After years of attempts and multiple drafts, Indian Citizens finally have a law that will protect their personal data from threats in cyberspace. This Act will also aid and facilitate the new age data-driven economy of India. The Role of the central regulatory authority, i.e., the Data Protection Board of India, is going to be crucial for the effective implementation of this Act. Legislative remedies for personal data breaches are now available to Indian citizens, allowing them to exercise their right to privacy without having to resort to the courts.

Stay updated with the developments in the privacy realm of multiple jurisdictions by getting in touch with Tsaaro. Our Team of dedicated professionals will aid in simplifying your compliance and fully prove the strategy as well. Contact us at info@tsaaro.com.