Protecting digital privacy in a world where data is the most important asset, the Digital Personal Data Protection Act, 2023 has emerged as a major development in strengthening digital privacy protection. DPDP Act, 2023 regulates the use of personal data but at the same time promotes innovation and governance.
Digital Personal Data Protection Act, 2023
The DPDP Act, 2023 ensures that personal data of individuals and companies is protected and that organizations handling this data are held accountable. Here are its key features of the Act -
The Concept of Personal Data
Section 2 (t) says that personal data in the DPDP Act is any information either directly or indirectly relating to or identifying an individual.
Under this Act, personal data can be processed within India and also extends to processing by organizations outside India where such processing relates to personal data which is of Indian citizens.
For example: If a UK-based social media company collects data from Indian users for targeted advertising, it is required to comply with India’s DPDP Act, 2023.
Also, Learn the Basics about What is Data Privacy
Consent as an Essential Element
Section 6 states that personal data can only be processed if the person gives clear, voluntary, and informed consent. The consent must be for a specific purpose and can be withdrawn at any time.
For example: If a food delivery application attempts to access location data, it needs to describe the reason for that data collection and that users are allowed to not grant the permission, if it so wishes.
The Data Fiduciary Obligations which are contained
Organizations, referred to as data fiduciaries, must adhere to several obligations outlined in Sections 8 and 9:
Get just enough data to get a particular job done.
Keep data only for as long as necessary for that stated purpose.
Implement measures that can keep data breaches or misuse at bay.
For example: If you are a fintech company collecting KYC information, you should be encrypting the data as it comes in, when you are processing it. Once verified, the details must then be safely deleted.
The Data Protection Board of India
Section 27 of DPDP Act, 2023 establishes the Data Protection Board of India to:
Oversee compliance.
Discuss concerns related to data breach.
Impose penalties on entities that defile the DPDP Act, 2023.
For example: The DPBI can fine a retail company if it makes customer information publicly available.
Critical Analysis of the DPDP Act, 2023
Despite the strong framework of the DPDP Act, 2023 it has its own shortcomings. Following are some strength and weakness of DPDP Act, 2023-
Strengths of DPDP, Act, 2023
User-Centric Approach: User consent must be collected in this Act to a great extent and users' rights to protect the trust in the digital environment are very strong.
Accountability Mechanism: The Act provides for accountability and for enforcement by virtue of its provisions in regards to data fiduciaries being required to meet certain obligations as well as the creation of the DPBI.
Global Alignment: The DPDP Act is consistent with the international standard such as GDPR has made it easy for the free flow of data across borders and cooperation between countries.
Shortcomings of DPDP Act, 2023
Exemptions for Government Agencies (Section 17(2)(a)): The Act also has a provision that permits the government to exclude some agencies from the provisions of the Act thus creating a predisposition to abuse.
Ambiguity in Cross-Border Data Transfers (Section 17): The Act affirms the permissibility of data transfers to the notified countries and so it lacks clear standards on the selection of the notified countries.
Limited Coverage for Non-Personal Data: The concentration on personal data makes other forms of non-personal data out of scope of the Act, thus, making it not well placed to address other data management issues.
Implications of the DPDP Act, 2023
The DPDP Act has profound effects on the business, individuals and the regulatory authorities.
For Businesses
The Act requires organizations to evaluate several aspects of their data collection and processing activities. They need to:
Carry out data protection impact assessments.
Employ people in the organization to oversee the compliance process known as Data Protection Officers (DPOs).
Mitigate risks by investing in cybersecurity so as to avoid the occurrence of hacking or other related issues.
For Individuals
The DPDP Act, 2023 enables people to seize and control their own data. It promotes privacy consciousness and offers its users means of ensuring that they are protected from infringement of their right.
Also, Get to Know Role of Quantum Computing in Data Privacy
Summary
The Digital Personal Data Protection Act, 2023 regulates personal data protection in India. It defines what people are allowed to do with the data, and what the organizations are supposed to do concerning the data. However, the achievement of these objectives depends on proper implementation and other issues such as government exemptions and cross border data transfer.
Related Posts:
Data Privacy Act in India: FAQs
Q1. In what way does the DPDP Act guarantee consent for data collection?
The Act provides for the clear, unambiguous and voluntary consent to the processing of personal data which can be withdrawn at any time with effect from the data subject.
Q2. What are the consequences of failing to adhere to the provision of the DPDP Act?
The DPDP Act also contains provisions which allow the authorities to impose fine on the entities if they breach any provision of the Act
Q3. Whether the provisions of the DPDP Act has any extra territorial jurisdiction or not?
Yes, if they are an organization outside India and they are processing personal data of those who are inhabitants of India or in relation to offering goods and services to them.
Q4. What duty does the Data Protection Board of India (DPBI) perform?
The DPBI enforces the DPDP Act, handles complaints and sanctions entities breaching the DPDP Act.
