MillenniumPost
Opinion

Futuristic regulation

The Digital Personal Data Protection Act, 2023, which is based on the principle of consented, lawful, and transparent use of personal data, holds a positive and futuristic vision


In August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act, 2023. The statute, which is yet to be implemented, is based on the fundamental principle of the “Right to Privacy”. The statute’s primary focus lies in regulating personal data in the digital world.

By prioritising privacy and security, the DPDP Act strives to create a framework that inter alia addresses the issues posed by data handling in the current digital age. The DPDP Act grants data principals, i.e., those whose data is stored, data privacy rights which data fiduciaries, i.e., entities storing data, must honour. Otherwise, data fiduciaries face penalties. It also aims to establish a higher level of accountability and responsibility for entities operating within India, including web-based companies and other entities involved in the collection, storage, and processing of data. The legislation seeks to ensure that entities operate transparently and are accountable when it comes to handling anyone’s personal data, thus protecting the privacy of citizens.

The Act stipulates: the obligations and duties of Data Fiduciaries, i.e., persons, companies, and government entities who process data; the rights of Data Principals, i.e., the person(s) to whom the data relates; and financial penal consequences for breach of provisions. Data fiduciaries have an obligation to maintain data security, apart from various other duties stipulated. Data principals will have the rights to access their personal data held by data fiduciaries, including the source of data, the purpose for which it is being processed, and the categories of data recipients. They will have the right to correct their personal data if it is inaccurate or incomplete. There will also be the right of erasure of personal data, i.e., to erase it if it is no longer necessary for the purpose for which it was collected or processed or if consent is withdrawn. Data principals will also have the right to restrict the processing of their personal data in certain circumstances. There will be the right to transfer data from one organisation, known as fiduciary, to another. There is also the right available to object to the processing of personal data. Further, there is also a right to withdraw consent, i.e., to withdraw consent to the processing of personal data.

The Act permits personal data collection for any lawful purpose, subject to obtaining consent from the individual or establishing legitimate reasons as prescribed in the law. It requires data collectors to provide clear notices detailing the specifics of data usage, etc. For data collected from children or minors, parental or guardian consent is mandated. Crucially, individuals retain the right to withdraw their consent. Activities catering to India’s sovereignty, security, and public order, and activities related to research or statistical purposes are exempted. The Act also grants the government the power to introduce additional exemptions.

There will be the constitution of a Board, known as the Data Protection Board of India (DPBI), which is deemed to function as an impartial adjudicatory body responsible for resolving privacy-related grievances and disputes between parties. The appointment of board members will be made by the Central Government, ensuring a fair and transparent selection process. The decisions of the Board are appealable to the Appellate Authority. There is a reference to the Telecom Regulatory Authority of India Act, 1997, in the provisions of Appeal under the DPDP Act, the authority of which is the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”).

The right to privacy has been recognised as a fundamental right in the well-known judgment of the Supreme Court in the case of Justice KS Puttaswamy vs. UOI. The principles revolve around the data economy. The Act has provisions to curb the misuse of individuals’ data by online platforms.

The new statute is based on the principle of consented, lawful, and transparent use of personal data. It includes: the principle of purpose limitation, i.e., the use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal; the clause of data minimisation, i.e., collection of only as much personal data as is necessary to serve the specified purpose; the stipulation of data accuracy, i.e., ensuring data is correct and updated; the aspect of storage limitation, i.e., storing data only until it is needed for the specified purpose; an emphasis on reasonable security safeguards; and the principle of accountability, as the Act imposes penalties for breaches. This law holds a positive and futuristic vision, aligning us with many other nations.

The writer is a practising Advocate in the Supreme Court and the High Court of Delhi. Views expressed are personal.
