The DPDP (Digital Personal Data Protection) Act that was passed by Parliament during the just-passed monsoon session of the Indian Parliament is now in force with the President giving assent to it.
With the passing of this law, individuals will be empowered with more control over their data while companies will be allowed to transfer users' data to other countries or territories through notification to be processed, except nations and regions prohibited by the Centre.
Furthermore, it authorizes the government to request information from companies and request directions that content be blocked if it finds it offensive. There have been some criticisms of the new law over the broad exemptions granted by the state agencies, as well as some provisions of it that are diluted from the landmark Right to Information (RTI) law, even though it seeks to establish a robust framework for the protection of personal data in the digital era.
In December, the government withdrew a bill, which was proposed to both restrict the flow of cross-border data between countries and result in more stringent privacy conditions, after tech companies like Facebook and Google were alarmed by the proposed measures.
Some Key Takeaways From the Landmark Law That was Recently Enacted
A Data Fiduciary's obligations have to do with obtaining free, informed, and unconditional consent from individuals before any of their data is collected, processed, or used by them. Data fiduciaries are entities that collect, process, and store personal data about persons. Whenever a data set is no longer needed for its original purpose or consent has been withdrawn, the data must be deleted.
The Data Protection Board of India and affected parties must be alerted when a data breach has taken place so that steps can be taken to prevent the violation from occurring, and entities must consider reasonable security measures to prevent it from happening.
If a Data Fiduciary is responsible for the protection of personal data, then they have to publish information about who can be contacted for information about data protection, as well as who can answer questions related to data processing. A grievance redressal mechanism needs to be established by the Data Fiduciary to address complaints effectively.
It is the responsibility of individuals to be aware of the rights and responsibilities on their part about accessing their data and knowing who has access to it. Upon request, they can have their personal information erased, corrected, or updated and understand with whom it has been shared, along with the purposes for which it has been collected.
A person may request that their data be deleted, corrected, or updated by requesting the website. There is a mechanism set up by data fiduciaries through which data users can go when they have a grievance against the data. In addition to the rights, there are also duties attached to them.
Organizations cannot provide personal information by impersonating another individual, registering a false complaint, or suppressing important data of individuals. Penalties as high as Rs 10,000 can be imposed if there is a breach of duties on the part of the employee.
Generally, if the State has an exemption to the processing of data for national security reasons, then the State may collect, process, and retain data for a period longer than is necessary. A violation of this right to privacy may be construed as a violation of fundamental rights.
There are differences between the treatment of government and private entities that perform the same commercial functions, such as providing banking or telecommunication services when it comes to consent and storage limitations outlined in the Bill. The rights of the private sector providers to equality are likely to be violated in this case.
The central government will determine the composition of the Data Protection Board of India, and how and under which conditions the members will be appointed. There is therefore a question regarding the independence of the Board's functioning in light of this. This bill does not explicitly grant the data principal the right to data portability or the right to be forgotten under the GDPR.
In respect of the Bill, it provides to all data fiduciaries that before processing the personal data of a child, the legal guardian must provide verifiable consent in writing. Every person seeking or registering for the services of a data fiduciary will have to verify his or her age to comply with the provisions of this section.
Anonymity in the digital space may be negatively impacted by this phenomenon. The Act provides for the constitution of an independent Data Protection Board of India, which will have the responsibility of ensuring compliance, investigating breaches and imposing sanctions in cases of data breaches, and directing remedial or mitigation measures as necessary.
Different penalties are laid down in the provisions for different offenses - failure to take reasonable security safeguards to prevent data breaches is punishable with up to Rs 250 crore, whereas failing to fulfill the duty of informing the Board and individuals about a data breach can result in a penalty up to Rs 200 crore. A penalty of up to Rs 200 crore may be imposed if the additional obligations relating to the child have not been met.
The Internet Freedom Foundation (IFF) criticizes that the new law appears to place a higher priority on data processing rather than privacy protection, which contradicts the original intention in which the law was meant to safeguard the rights of individuals. Additionally, the broad exemptions which are granted to state-owned entities are something to be concerned about. In addition, the law doesn't contain any meaningful safeguards against "overbroad surveillance" which is prohibited by the law.
It has been argued that the legislation could allow the government and its agencies to access information gathered by companies and individual individuals without their consent, despite opposition MPs and digital experts arguing otherwise. As the Editors Guild of India states, this legislation interferes with press freedom, creates a framework for the surveillance of citizens, including journalists and their sources, and dilutes the Right to Information laws of the country.
