Q10. Describe the context and salient feature of Digital Personal Data Protection Act 2023. (10)

Introduction

The Digital Personal Data Protection Act 2023 addresses the need to protect personal data while promoting the digital economy. It establishes a legal framework to regulate data collection, processing, and protection, aiming to ensure privacy and accountability.

Context of the Digital Personal Data Protection Act 2023

• Supreme Court’s Right to Privacy Judgment (2017): The judgment in Puttaswamy v. Union of India recognized privacy as a fundamental right.

E.g.: Called for a legal framework for personal data protection.

• Increasing Digital Economy: Growing online services collect vast amounts of personal data, necessitating regulation.

E.g.: India’s digital economy to reach $1 trillion by 2025 (MeitY).

• Global Data Protection Standards: The need to align with international data protection laws, like the GDPR, became essential.

E.g.: Similarities with GDPR, such as data minimization.

• Rising Data Breaches: Frequent data breaches in India prompted the need for robust legal protections.

E.g.: 52 million cyberattacks in India in 2022 (CERT-In report).

• Drafts and Recommendations: The Justice B.N. Srikrishna Committee recommended a legal framework for data protection.

E.g.: Recommended accountability and transparency in data handling.

Salient Features of the Digital Personal Data Protection Act 2023

• Data Processing with Consent: Data can only be collected with clear, informed consent from individuals.

E.g.: Requires explicit consent before processing personal data.

• Right to Data Portability: Individuals have the right to request transfer of their data from one service provider to another.

E.g.: Enhances user control over personal data.

• Data Localization Relaxation: Allows cross-border transfer of data to trusted jurisdictions, unlike previous drafts.

E.g.: Facilitates global digital business operations.

• Significant Data Fiduciaries: Entities processing large volumes of data must appoint a Data Protection Officer.

E.g.: Ensures accountability for big tech firms.

• Penalties for Non-compliance: Non-compliance with the Act results in heavy penalties, up to ₹250 crore.

E.g.: Deters data breaches and misuse.

• Right to Correction and Erasure: Individuals can request the correction or deletion of their personal data if it is inaccurate or no longer necessary.

E.g.: Empowers citizens to control their digital footprint.

• Grievance Redressal Mechanism: Data principals can lodge complaints with Data Fiduciaries or approach the Data Protection Board for resolution.

E.g.: Ensures faster resolution of privacy violations.

• Obligations on Data Fiduciaries: Companies must ensure the security of personal data through technical and organizational measures.

E.g.: Mandates regular audits and safeguards against data breaches.

• Children’s Data Protection: Special provisions protect data of children under the age of 18, including stricter consent requirements.

E.g.: Requires parental consent for processing children’s data.

• Exemptions for Government Agencies: Certain government agencies are exempt from some provisions, especially for national security and law enforcement purposes.

E.g.: Allows agencies to bypass consent for strategic interests.

Conclusion

The Digital Personal Data Protection Act 2023 strengthens privacy protection while fostering innovation in India’s digital ecosystem. By establishing robust data governance mechanisms and empowering individuals, it lays the foundation for a secure digital future.