Introduction
With the introduction of the Digital Personal Data Protection Act on August 3rd, 2023, India redefined its legislative framework on data privacy. The Act laid down comprehensive provisions safeguarding individual privacy concerning the transmission of personal data, following the spirit of K.S. Puttaswamy case ruling. However, the legislature needs to work upon certain critical areas which may rise question of accountability and transparency, regarding the functioning of the enactment.
Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 was passed with the aim to create an equilibrium and amid the right to privacy ensured under Article 21 of the Constitution of India and access to such data concerning national integrity and security. The Act underlines the commitment of Data Fiduciaries, requiring them to administer the digital personal data in such a manner that access to personal data for legal resolves and matter connected or supplementary to it, should not violate rights recognised under article 21.
Right to Privacy before the Digital Personal Data Protection Act, 2023
In the pre-independence period, there was no such provision ensuring the right to privacy, especially concerning digital data protection perceptibly, because:
- The society was neither so complex, nor technology was much advanced and developed, that the need of recognition of such right and concerned protective measures were felt;
- Also, as per the need of time, society wrongs like limited data protection and confidentiality in contractual agreements were governed by the Indian Penal Code, 1860 and the Indian Contract Act, 1872.
In the post-independence period, even after the commencement of the Constitution of India, for a long period of time right to privacy was not provided any comprehensive outline to govern and regulate unrestricted access to personal data, especially access to digital data. Then government tried bring the issue under legal answerability through the framework of the Information Technology Act, 2000. However, the act has serious limitations, as being restricted to “sensitive personal data” only.
Further, the Indian judiciary, by virtue of Article 32 the Constitution of India to brought the right to privacy under the canopy rights conferred by Article 21 in the verdict of K.S. Puttaswamy v. Union of India, which strengthened the ambit of security of digital personal data of individuals.
This led to the realisation among legislators, political experts, and policy-makers to devise a uniform and comprehensive enactment dealing with access to digital personal data.
Crucial Aspects of the Digital Personal Data Protection Act, 2023
Conformity with the Global Data Protection Rights – the legislation conforms with the global standard for data protection and privacy, and the domestic legislation provide for the provisions of consent of data and data principal, data fiduciary which makes it in resonance with the GDPR, with necessary refinement to fit in the Indian setting.
The Commitment of Data Fiduciary – the data fiduciaries were obliged to ensure accuracy in data transfer alongwith the authorised access to data transfer, and account and supervision over data breach. Also, to supervise the transfer of user data outside the territorial jurisdiction of the country.
The Data Protection Board – the Act provide for the establishment of a body corporate under Section 18, i.e., the Data Protection Board, to regulate, control and supervise transfer of personal data and devise remedial measures for data breach via unauthorised access.
Prioritization to individual’s right – the provision of prior consent from individuals over use and access of users’ data, and appointment of Data Principal and Consent Manager to ensure protection of ones’ right to privacy and right to live with dignity as held in K.S. Puttaswamy v. Union of India, AIR 2017.
Further, the Act tried to established an ease of doing business regime by providing clear and regulated guidelines and rules over access to personal data in align with domestic and global regulation.
Major concerns with the Digital Personal Data Protection Act, 2023
Implication on the Right to Information Act – the Act is severely critized by critique for undermining accountability and answerability due to Section 44, as it provides for amendment to Section 8 of the Right to Information Act, 2005. The outcome was that it mentioned that it was no longer governments responsibility to be answerable to the questions raised by the citizens under the Right to Information Act as Section 44 of the Digital Personal Data Protection Act, 2023 act as a blanket of immunity over the strict regulations of answerability as stipulated under the Right to Information Act, 2005.
Challenges with Cross-border Data Transfer – in case of cross-border data transfer the Act provides for mechanisms of restricted data transfer to white list countries, while strictly provides for bar on transfer of data to all those countries and corporate houses situated under those countries marked as blacklisted one by virtue of the Act. Further, it raises concern over the mechanism and apparatuses’ efficacy and competency in discharging such responsibilities without biasness.
Dilemma of Data Fiduciaries – in balancing privacy rights in the light of exemptions granted to certain entities. The Act proved to be inadequate and inefficient in dealing with issues like data theft, pre-emptive surveillance, freedom of access to user data by corporate houses, and so on. Thus, the Act put emphasis on dispensation of individuals personal data rather than safeguarding individuals’ right to privacy.
Question over Discretionary powers to the Central Government – the Act granted unrestricted power to the Central Government in determining the pertinence of the provisions of the Act in terms of user data transfer. Despite the provision of data consent, the act provides no accountability and remain silent when it comes to access to data private entities – where and how the provided data will be utilised by them, who will be held accountable in case of data theft, misuse of data or cyberbullying.
Conclusion
In a nutshell, the DPDP Act is a landmark legislation, which tries to navigate the balance between national security and individuals’ privacy. However, the Act needs to be revised concerning the aforementioned issues and maintaining the check and balance in government power while exercising its rights and duties.
