Data Privacy In The Age Of Digital Minefield: Balancing Convenience And Security In Light Of Digital Personal Data Protection Act, 2023
In an era where information is not just power but also currency, the value of
safeguarding our personal data cannot be overstated. Our lives are increasingly
intertwined with the digital realm, from online shopping and social media to
remote work and telehealth appointments. While these digital conveniences offer
tremendous benefits, they also expose us to unprecedented risks. Data breaches,
identity theft, and invasive surveillance threaten the very essence of our
privacy. It's a stark reality: as we embrace the digital age, we must also equip
ourselves with the knowledge and tools to protect what matters most—our personal
data.
Context
At present, India lacks a distinct law dedicated to safeguarding personal data.
Instead, the usage of such data is governed by the Information Technology (IT)
Act of 2000. In 2017, the government formed a Committee of Experts on Data
Protection, led by Justice B. N. Srikrishna, to study the issue of data
protection in the country. The Committee submitted its findings in July 2018,
which led to the introduction of the Personal Data Protection Bill, 2019 in the
Lok Sabha in December of that year.
The Bill was subsequently referred to a Joint Parliamentary Committee, which
presented its report in December 2021. However, the Bill was withdrawn from
Parliament in August 2022. A Draft Bill was later released for public
consultation in November 2022, and in August 2023, the Digital Personal Data
Protection Bill, 2023 was introduced in Parliament. The Bill was granted
Presidential assent and officially became a law on August 11, 2023.
Issues Regarding Data Privacy in India
In recent years, Europe, particularly Western countries, has been increasingly
focused on managing and safeguarding personal data, driven by their extensive
data knowledge and proliferation. Governments in this region have established
regulations aimed at protecting the personal data of their citizens, with the
European Union's General Data Protection Regulation (GDPR) now being widely
regarded as the gold standard in privacy legislation by many nations.
On the other hand, India's data and internet economy began to thrive in the late
2000s. During that period, data protection in India was governed mainly by
the Information Technology Act of 2000, which primarily focused on imposing
penalties for mishandling data due to negligence. However, in the years since,
India's approach to data privacy regulations has predominantly been
sector-specific, resulting in varying interpretations of privacy and data
protection standards.
India's National Unique Digital Identity system, Aadhaar, based on voluntarily
registered biometric data (fingerprint and iris scans), now includes over 1
billion people, making it indispensable to aggregating and delivering government
services. When mobile internet users reached close to 500 million in 2018, the
increased use and storage of personal data by the government, tech and telecom
giants exposed the inadequacy of the existing laws in preventing data
vulnerability and privacy breaches. The first concern was the usage and protection of
personal data by tech companies and its vulnerability to data breaches. India
reported 313,000 cybersecurity incidents in 2019, making it the third-largest
destination for data breaches worldwide.
Those facing data breaches included both private companies such as Domino's
Pizza and public enterprises such as the State Bank of India. On the one hand,
ordinary citizens or users of social media sites and other internet users are
worried about their data security and privacy. On the other hand, governments
are concerned about national security and protecting the basic rights of
citizens when tech giants hold reams of personal data. Corporates and tech
giants worry about how excessive data regulations and government surveillance
could lead to a loss of trust in their services if the personal data they hold
is compromised.
In a recent address, Justice D.Y. Chandrachud underscored the inseparability of
life and individual freedom from human dignity as fundamental rights. The
Constitution of India upholds a delicate equilibrium of these rights among
individuals, with the pursuit of freedom serving as its cornerstone. The Indian
Constitution guarantees the indispensable right to security, encompassing
individual freedom and the right to life. This protection is intricately linked
to the various facets of freedom and respect enshrined by the fundamental rights
in Part III of the Constitution under Article 21.
To maintain security and confidentiality, it is mandatory to maintain detailed
records and policies, including physical security measures. Adherence to
international standards in Information Technology, such as IS/ISO/IEC 27001, can
also help implement effective security management systems and techniques.
In the case of the District Registrar and Collector of Hyderabad v. Canara Bank,
the Supreme Court of India recognised and validated an individual's right to
privacy regarding their bank-held documents. This underscores the importance of
maintaining the confidentiality of such documents.
Key Highlights of the Act:
The Digital Personal Data Protection Act, 2023 (hereinafter referred to as 'DPDPA')
lays down procedures to process personal data in a lawful manner and thereby
empowers and protects the rights of Data Principals. Factors such as
accountability, transparency, data minimisation, fairness, accuracy, and lawful
processing of personal data have been reflected in the DPDPA.
The Digital Personal Data Protection Act, 2023 will have jurisdiction over
the processing of digital personal data in India, whether collected online or
offline and subsequently digitised.
For the lawful processing of personal data, consent from the individual is a
fundamental requirement, although certain legitimate uses will not necessitate
explicit consent. These exceptions include voluntary data sharing by individuals
and data processing by government entities for purposes such as permits,
licenses, benefits, and services.
The Bill includes several provisions that prioritise individual rights and
ensure easy access to basic information in languages listed in the Eighth
Schedule of the Indian Constitution. It also emphasises the significance of
obtaining an individual's consent before processing their data. It requires Data
Fiduciaries to inform data principals of the specific personal data they wish to
collect, along with the purpose of collection and further processing.
Furthermore, data principals can retract their consent from a Data Fiduciary and
have the right to request the correction or deletion of data collected by the
data fiduciary. In addition to this, data principals can nominate an individual
who will be authorised to exercise these rights in the event of their death or
incapacity. Overall, the Bill aims to safeguard individual privacy and promote
transparency in data processing.
Data Fiduciaries and Significant Data Fiduciaries, the entities responsible for
handling personal data, will be legally obliged to maintain data accuracy,
ensure data security, and delete data once its intended purpose has been
fulfilled. The Bill also endows individuals with specific rights, including the
right to access information about their data, request corrections or deletions,
and seek resolution for grievances.
Under specific circumstances, the central government may exempt government
agencies from complying with certain provisions of the Bill in the interest of
national security, public order, and the prevention of criminal activities. To
oversee and enforce compliance with the Bill's provisions, the central
government will establish the Data Protection Board of India, which will have
the authority to adjudicate cases of non-compliance.
Key Issues of the Act
Exemptions in the Bill that allow the State to process data in the name of
national security might result in excessive data collection, processing, and
retention, potentially infringing upon the fundamental right to privacy.
Furthermore, the Bill lacks provisions to effectively address the risks and
potential harm associated with personal data processing. The Bill also falls
short in granting data principals essential rights, such as the right to data
portability and the right to be forgotten.
Regarding cross-border data transfer, the Bill permits the transfer of personal
data outside India, with exceptions only for countries specified by the central
government. However, this mechanism may not ensure rigorous evaluation of data
protection standards in the recipient countries, raising concerns about data
security and privacy.
Lastly, the appointment of Data Protection Board of India members for a two-year
term with the possibility of re-appointment raises concerns about the board's
independence and impartiality, potentially affecting its ability to function
autonomously.
Conclusion
To sum up, India's Digital Personal Data Protection Act of 2023 marks a
significant milestone in the country's data protection journey. It not only
establishes a comprehensive framework for safeguarding personal data but also
incorporates inclusive language and modern principles to uphold the privacy
rights of individuals in the digital landscape.
While we initially had reservations about India's ability to embrace digital
transformation, we have emerged as global leaders in UPI transactions. We are
now on the path towards securing a bright future for privacy in India, even
though there may be some initial challenges. As more and more people in India
realise the benefits of protecting their personal data, the pace of adoption
will inevitably accelerate.