Introduction
In 2017, the Supreme Court of India recognized the ‘right to privacy’ as a fundamental right falling within the scope of Article 21 of the Constitution of India. However, there were no provisions to protect this right. So, there was a need to constitute a Committee of Experts on Data Protection to examine the data protection issues prevalent in our country. Based on the suggestions of this Committee, the Personal Data Protection Bill of 2019 was drafted. In August 2023, the Digital Personal Data Protection Bill of 2023 was introduced in the Indian Parliament. Both houses of the Parliament have passed this bill. Recently, the bill has received the assent of the President. The act will come into force on the notification of the Central Government in the Official Gazette of India. This is the first legislation that deals with the processing of personal data. It applies the right to privacy principle to protect people’s personal data. It amends earlier legislation such as the Right to Information Act and the Information Technology Act. The act balances the rights of individuals and the need to process people’s personal data.
Features of the Act
- Applicability: It applies to all kinds of digital personal data that may have been collected online or offline. The term ‘personal data’ has been defined under this act as any data that can help identify an individual. This act applies to personal data processing, including collecting, storing, sharing, and using such data.
- Importance of Consent: An individual’s consent is emphasized in data processing. The individual is provided the right to withdraw his consent at any time. In the case of a person below 18, consent is provided by his guardian. However, consent need not be obtained for legitimate purposes such as:
a. Employment
b. To avail of any government service or benefit
c. Medical emergency
d. If provided voluntarily.
- Data Principal: A person whose information is being processed is the ‘Data Principal.’ A Data Principal possesses certain rights and duties. The person has the following rights:
- To know about the information processing system
- Correction of the personal data
- Erasure of the data
- Nomination of another person to exercise these rights in case of his death.
Such a person is obliged not to provide any false details for processing or file any false complaint in case of any grievance. The violation of these duties can attract penalties.
- Data Fiduciaries: The unit determining the means and the need for data processing is the ‘data fiduciary’. Such entities must:
- Process correct and accurate data.
- Keep the data provided secure.
- Inform the Data Protection Board (DPB) and the individual in case of a data privacy breach.
- Erase the data if it is no longer required.
- Data Protection Board: According to the act’s provisions, the Central government has to establish the Data Protection Board. The following are the main functions to be performed by the board:
- Dealing with the complaints of the people.
- Directing the data fiduciary units to take necessary measures in case of a breach of an individual’s personal data.
- Ensuring compliance with the provisions of the act.
- Imposing penalties in case of default.
The board members’ term is two years, but they can be re-appointed. Persons are also entitled to appeal if they are dissatisfied with the board’s decision.
- Data transfer: The act also provides for transferring personal data to other countries. However, the central government can restrict such transfers to some countries through notification.
- Exemptions: There are certain cases that can be exempted from the provisions of this act. These include:
- Cases where any offense is committed;
- Complying with legal rights and claims;
- For security purposes of the state;
- Research and statistical purposes undertaken by the government
- Penalties: The act also provides for penalties in case of violation of the provisions of the act. The penalties can be imposed by the Board after proper investigation only. The following are the penalty provisions:
- Non-fulfilment of obligations related to children
- Failure to prevent the breach of the personal data of the person
Issues Raised
Although this act is a positive step in creating a balance between the rights of an individual concerning his data and the need to process such data, there are several problems associated with it:
- Exemption of State from application of the act: The definition of ‘state’ is provided under Article 12 of the Constitution of India. According to it, the term includes the central government, the state government, local authorities, and other entities set up by the government. The exemption of such entities on national security grounds, public order, etc., may result in instances of breach of the fundamental right to privacy of the people.
- Overriding of Consent provision: The act provides that the state may override the consent of an individual where personal data is processed for any benefit or service provided by the government, medical emergency, license, certificate or employment, etc. This creates chances of breach of the personal data of an individual.
- No regulation of harm: The act does not provide for the regulation of any harm that may arise out of the processing of personal data. The harm may be mental, financial, reputation loss, etc.
- No right to the erasure of data: Once the purpose for which the information was obtained is fulfilled, the information must be erased from the records. However, the act provides no provision regarding the right to be forgotten.
- Short-term and re-appointment provisions: The term of the board staff is just two years, and they can be re-appointed as well. These provisions will prevent the board from being an independent entity.
- Protection in case of cross-border transfer of information: The act provides that the information can even be transferred to other countries. The Central Government may restrict transfer to some countries. But, no provisions for the safe transfer of data to other countries are enshrined in the act.
- Children-related provisions: The children are not authorized to provide consent under the act. So, their guardians have to provide the same. This may also result in the need to verify the parent’s age. Further, there is no clarity on what personal data may be detrimental to the children.
Analysis
The Digital Personal Data Protection Act 2023 is a step towards balancing the individual’s right to privacy and the need to process people’s personal data mainly for lawful purposes. The act provides provisions for the consent of the person whose personal data is taken to be processed. This makes the person aware of how and where his information will be used. In the case of a child below the age of 18 years, the consent of his legal guardian is taken for processing the child’s information or personal data. However, this provision is subject to certain exceptions. In the case of licenses, certificates, and employment aspects, the provision related to consent is not obligatory, which may result in the chance of a personal data breach. Also, the act contains no provision to deal with any kind of personal, mental, or reputation loss that may arise due to a breach of privacy. This act is drafted concisely, in plain language, with minimal cross-referencing and no provisos. So, the act can be understood easily without much difficulty.
The act provides for the data principal (whose information or data is taken) and data fiduciary units (that take the personal data and process such information). It also provides for the rights and obligations of these entities. The act also deals with the cross-country supply of the personal data of Indian citizens. The government can also restrict data transfer to certain countries by notification in the Official Gazette. The act contains special provisions for the protection of the personal data of children. The act is based on the following principles:
- Principle of consent
- Data minimization
- Data Accuracy
- Limiting data storage
- Protecting personal data
- Accountability.
It can be said that this act is a step that enables our country’s digital economy and provides for innovation. It provides for the protection of the personal data of the people without much disruption. This enhances the ease of living and doing business. This act allows people to know how the authorities will use their data. It also provides for the correction and erasure of the data. It empowers a person to nominate one person who can exercise his rights and duties under the act in case of his death. The act also aims to establish a Data Protection Board to deal with the people’s grievances. It also provides for penalties in case of non-compliance with the provisions of this act or if any false complaint is filed.
Conclusion
To conclude, it can be said that this act is a positive step in creating a balance between the right to privacy of an individual and the need to process his data. This act is a step forward in the direction of the verdict given by the apex court in 2017, considering the right to privacy as a fundamental right within the scope of Article 21 of the Indian Constitution. The act is drafted in a very plain and concise way. However, no legislation can ever be perfect. Even though this act has some loopholes, it can be said that this legislation will work in creating a balance between the rights of an individual towards his data and the need to address the data by the government or for some lawful purposes.