![](https://static.wixstatic.com/media/77b0c7_3359d95b8b544a918d4f72eb876a53f5~mv2.png/v1/fill/w_608,h_1080,al_c,q_90,enc_auto/77b0c7_3359d95b8b544a918d4f72eb876a53f5~mv2.png)
As the world increasingly becomes digitized and interconnected, most of our personal data is now accessible through the Internet. This data can be broadly categorized into two types, each carrying distinct risks if stolen or misused:
Personally Identifiable Information (PII): This includes details like names, birth dates, and addresses. If stolen, this information can lead to identity theft.
Sensitive Personally Identifiable Information (SPII): This encompasses sensitive details like bank credentials and credit card numbers. If misappropriated, the consequences can be more severe, particularly in terms of financial loss.
In developed regions such as the US and Europe, data privacy acts have been enacted to safeguard the data of ordinary citizens. These laws regulate the proper handling and processing of data by organizations both within and outside these jurisdictions. In contrast, the absence of such legislation in India means that there may be inadequate protections in place, increasing the risk of data breaches.
After multiple revisions, the Digital Personal Data Protection Act of 2023 (DPDP) was finally signed into law by President Droupadi Murmu. In this blog, we will delve into the details of the DPDP Act, compare it with data protection legislation from other countries, and analyze what this new legal framework means for the security of our data.
Insight into Digital Personal Data Protection Act of 2023 (DPDP)
As published in the Gazette of India, the Digital Personal Data Protection Act is defined as:
“An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.”
The Digital Personal Data Protection Act sets forth the principles and regulations for the collection and processing of personal data in India. These guidelines are applicable not only to data acquired within the country but also to the processing of data outside India, specifically when it involves offering goods or services to individuals who reside in India.
Key Features of the Act:
Protection of Data with Third Parties: Firms responsible for handling user data must ensure its protection, even when it is stored with a third-party processor.
Notification of Data Breaches: In the event of a data breach, companies are required to notify both the Data Protection Board (DPB) and the affected users.
Consent for Processing Sensitive Data: Consent from a guardian is required for the processing of children's data and data related to physically disabled individuals.
Appointment of a Data Protection Officer: Companies are mandated to appoint a Data Protection Officer and furnish users with relevant details.
Appeal Mechanism: Appeals against decisions made by the DPB will be heard by the Telecom Disputes Settlement and Appellate Tribunal.
Enforcement Authorities: The Act confers the power to summon individuals, inspect documents, and, in cases of more than two breaches of the Act's provisions, recommend that the government block access to an intermediary.
Penalty Provisions: Penalties for data breaches, failure to protect personal data, or neglecting to notify the DPB and users of a breach can be as high as Rs 250 crore.
A Comparison of the DPDP Act 2023 with Data Privacy Acts in Other Countries
India is still in the early stages of establishing comprehensive data privacy practices. In this section of the blog, we'll explore how the DPDP Act compares to the existing data privacy laws in the US and Europe, highlighting some key differences:
Scope of Application: The DPDP Act is limited to digital data, whereas data privacy regulations in Europe and the US apply to both digital and non-digital (paper) data. This difference in scope might present gaps in protection for certain types of information within India.
Access to Personal Data: Unlike the laws in the US and Europe, where individuals can request a copy of their personal data stored in any database, the DPDP Act allows organizations in India to deny such requests.
Exclusion of Health Records during Erasure: The DPDP Act does not encompass health records when erasing personal data. This exclusion aligns with some privacy regulations in the US but stands in contrast to the more comprehensive privacy laws in Europe, where health records are typically included.
Lack of Provisions on Targeted Advertising: Most people experience targeted advertising based on their internet browsing behavior. While data privacy acts in the US and Europe require consent for such practices, the DPDP Act does not explicitly mention or regulate targeted advertising consent.
What does the DPDP Act of 2023 mean for our data privacy?
How will ordinary citizens be affected?
The DPDP Act serves as a comprehensive framework outlining the way corporations can utilize users' personal data. It requires consent for such usage and grants the central government the authority to prohibit the sharing of personal data outside India by an Indian data holder. However, this restriction may be waived with the government's prior approval, provided that a specific set of additional rules is followed. This means our data is more secure, and in case of a data breach, we can raise it in court.
Also, the Act stipulates that, in the event of a breach in the protection of personal data, the government maintains the right to access and utilize the affected data, provided it does so in accordance with the law. This underscores the government's central role in ensuring data integrity and the lawful use of personal information.
Under the Right to Information Act (RTIA), citizens have a legal right to access information from the state. According to the RTIA, personal information can be shared in cases of public interest, and the responsibility to deny that information lies with the information giver. This conflicts with the DPDP Act of 2023, which introduces a strict non-disclosure rule for personal information. In layman's terms, the RTIA is much more flexible about sharing personal information than the DPDP Act, which is more restrictive.
How will organizations be affected?
This Act will have a major impact on Indian companies. Companies now need to focus more on data protection in order to avoid data breaches and penalties. The implementation of the Act is likely to increase the costs associated with data transactions. Furthermore, startups and other businesses may find themselves needing to hire specialists to manage data complaints and conduct regular checks on data protection, further adding to expenses.
Conclusion
In summary, the implementation of the DPDP Act marks a significant step forward in data protection, even though there is still progress to be made to ensure comprehensive security for both physical and digital data. We can take comfort in the knowledge that the data we provide to organizations will now enjoy enhanced protection. Furthermore, the Act ensures that in the event of a data breach, there are penalties in place. This new legislation serves as a commitment to greater accountability and safety, making it a promising development for consumers and businesses alike.
Very informative!