DPDPA: How does India’s digital data protection act protect service users?


Data may not be the new oil, but it’s surely the new currency, and that leaves India facing a digital threat of epic proportions. As the country’s data is increasingly shared, stored, and analysed, India has taken significant steps to safeguard its digital treasure trove through the Digital Personal Data Protection Act (DPDPA) of 2023, which was notified on 11 August 2023. This is different from the Information Technology Act, also known as the IT Act, which was introduced in India to deal with cybercrime and electronic commerce. The IT Act came into force on 17 October 2000.

Remember, the DPDPA and the IT Act are two different laws addressing different aspects of digital security and privacy. The DPDPA focuses on the protection of personal data, while the IT Act deals with cybercrime and electronic commerce. Both play crucial roles in India’s digital landscape. 

The Digital Data Protection Act in India is comprehensive legislation that addresses the challenges posed by the digital age, ensuring the security and lawful processing of personal data while protecting individual privacy. The law is in line with the EU’s General Data Protection Regulation (GDPR).

One key aspect of the DPDPA is its distinction between “personal data” and “sensitive personal data.” The act imposes stringent requirements for handling and processing sensitive personal data, emphasising the need for higher security standards.

Key Highlights of the DPDPA Act – 2023:

Data Localization: The act requires certain categories of data to be stored within India, enhancing data sovereignty and security.

Consent Mechanism: Clear and unambiguous consent from individuals is essential for data processing under this act, giving individuals control over their personal information.

Data Transfer: The act introduces conditions for cross-border data transfers, ensuring adequate safeguards are in place.

Data Processing Principles: Fair and transparent data processing principles are outlined, emphasising accuracy, integrity, and confidentiality.

Data Protection Officer (DPO): Organisations are mandated to appoint a DPO to oversee compliance with the act.

Data Breach Notification: Data controllers must report breaches to the regulatory authority and affected individuals, ensuring prompt resolution.

Hefty Fines for Non-compliance: Non-compliance with the DPDPA Act can result in significant financial penalties.

Why Does DPDPA Matter for Businesses?

Compliance with the Digital Data Protection Act or the DPDPA is crucial for businesses operating in India. Mishandling or tampering with personal data can damage a company’s reputation and credibility. By implementing robust data protection measures, businesses can position themselves as responsible custodians of customer data and attract customers who prioritise data safety.

DPDPA: Your Key to Data Security

The Digital Personal Data Protection Act 2023 sets new standards for data handling and emphasises data security in India. Compliance with the act requires a proactive approach in implementing measures to protect individuals’ privacy. Organisations must stay updated with any changes to the law and adapt their practices accordingly. By going beyond compliance, businesses can safeguard client data (customers’ data) and establish trust in the market for their products and services.

Why is DPDPA important?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is a landmark legislation in India that aims to protect the personal data and privacy of individuals in the digital world. It empowers individuals and the State to ensure data privacy and lays out a framework to prevent misuse of data.

Key Privacy Aspects of this Privacy Law:

Data: A representation of information, facts, concepts, opinions, or instructions suitable for communication, interpretation, or processing by humans or automated means.

Personal Data: Any data about an individual that can identify them.

Digital Personal Data: Personal data in digital form.

Data Principal: The individual to whom the personal data relates. This includes children and individuals with disabilities, along with their parents or lawful guardians.

Data Fiduciary: Any person who determines the purpose and means of processing personal data.

Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.

Processing: Operations performed on digital personal data, including collection, recording, storage, retrieval, sharing, disclosure, erasure, or destruction.

Applicability of the DPDP Act:

The DPDP Act (sometimes referred to as the Digital Data Protection Act) applies to the processing of digital personal data within India’s territory, whether collected in digital form or in non-digital form and subsequently digitised. It also applies to the processing of digital personal data outside India if it is related to offering goods or services to individuals within India.

Obligations of Data Fiduciary:

Consent: Data Fiduciaries must obtain free, specific, informed, unconditional, and unambiguous consent from Data Principals. Consent should be limited to relevant data and necessary for the specified purpose.

Legitimate Use: Data Fiduciaries may process personal data for certain legitimate purposes, such as compliance with the law, medical emergencies, or employment-related matters.

General Obligations: Data Fiduciaries are responsible for compliance with the DPDP Act, ensuring data accuracy and security safeguards, and reporting personal data breaches to the Data Protection Board of India.

Personal Data of Children: Verifiable consent from parents/legal guardians is required before processing any personal data of children. Tracking or behavioural monitoring of children or targeted advertisements directed at children are not allowed.

Rights and Duties of Data Principal: Data Principals have rights and privileges to maintain the privacy of their personal digital data. Duties include providing consent, withdrawing consent, and filing complaints or grievances.

The Digital Data Protection Act provides a comprehensive framework for protecting personal data and privacy in India’s digital landscape. It ensures that individuals have control over their data and promotes responsible data handling practices by organisations. 

Still Curious? Explore DPDPA Frequently Asked Questions (FAQs)

FAQs about India’s Digital Data Protection Act and its Impact on the Right to Information Act (RTI)

When was the Digital Data Protection Act introduced in India?

The Digital Data Protection Act was introduced in August 2023 after discussions on privacy and the right to information in a Government of India report. The report highlighted the need to address privacy issues in the context of the digital data era.

What are the main objectives of the DPDP Act?

The DPDP Act aims to provide a legislative framework for data privacy rights and define responsibilities for businesses. Its objective is to protect personal data and safeguard citizens’ privacy in the digital realm.

How does the DPDP Act relate to the Right to Information Act (RTI)?

The Digital Data Protection Act or the DPDP Act has implications for the RTI Act. It introduces a formulation that limits the scope of privacy in a way that hinders the right to information. This intersection between privacy and information access poses challenges for citizens and activists seeking transparency and accountability.

What is the impact of the DPDP Act on the RTI Act?

The DPDP Act makes it difficult for the RTI Act to be used effectively. It undermines the original purpose of the RTI, which was to combat corruption and ensure transparency. The right to privacy is used as an excuse to impede accountability, particularly in cases of corruption and misuse of power.

Can you provide an example of how the DPDP Act intersects with the RTI Act?

The intersection between the DPDP Act and the RTI Act is primarily negative. The DPDP Act restricts access to information related to individuals, limiting the effectiveness of the RTI in exposing governmental irregularities. It creates a challenging landscape where individual privacy and the right to information are at odds.

Has the government consulted stakeholders, including organisations like MKSS, in drafting the Act?

No, there has been limited consultation with stakeholders during the drafting of the Act. Only one online consultation was conducted, and key information activists, including members of organisations like MKSS, were not consulted. This lack of consultation raises concerns about transparency and inclusivity in the legislative process.