President Droupadi Murmu has granted approval to the Digital Personal Data Protection Act 2023. This significant legislation is aimed at regulating the handling of personal data in the digital sphere and will become effective once the Central Government notifies a date.
The Act is a pivotal moment in data governance, not only introducing fresh regulations but also amending existing laws such as the Right to Information Act and the IT Act. It endeavors to establish equilibrium between individual rights to personal data protection and the legitimate necessity for lawful data processing.
At its core, the Act emphasizes responsible processing of digital personal data, ensuring individuals’ rights are honored while permitting authorized data usage. Crucial elements of the law include stringent responsibilities for Data Fiduciaries – entities like individuals, businesses, and government bodies engaged in data processing. These responsibilities encompass a range of data actions from collection to storage, all while safeguarding the rights and duties of Data Principals – the individuals the data pertains to.
To uphold data rights, responsibilities, and obligations, the Act introduces a robust framework of safeguards and penalties, holding Data Fiduciaries accountable for any violations.
As outlined in a Ministry of Electronics & IT circular, the Act is positioned to:
1. Facilitate a smooth transition to data protection regulations, minimizing disruptions and mandating crucial shifts in data processing practices.
2. Improve quality of life and business environment, fostering favorable conditions for individuals and enterprises.
3. Catapult India’s digital economy and innovation ecosystem, empowering growth and technological progress.
The Act is based on seven guiding principles:
1. Consent, Lawfulness, and Transparency: Use personal data with explicit consent and transparency.
2. Purpose Limitation: Utilize data solely for its consented purpose.
3. Data Minimization: Collect only necessary personal data.
4. Data Accuracy: Ensure data is correct and kept up to date.
5. Storage Limitation: Retain data only for the necessary duration.
6. Reasonable Security Safeguards: Implement security measures.
7. Accountability: Hold entities responsible for breaches through penalties.
The Act confers fundamental rights on individuals, including:
1. Right to Access Information: Access information about the personal data being processed.
2. Right to Correction and Erasure: Correct or erase personal data.
3. Right to Grievance Redressal: Have grievances addressed through redressal mechanisms.
4. Right to Nominate a Representative: Designate a representative to exercise these rights.
To enforce these rights, affected Data Principals can approach Data Fiduciaries or escalate concerns to the Data Protection Board.
The Act establishes obligations for Data Fiduciaries, including security safeguards, addressing breaches, data erasure, and grievance mechanisms. Significant Data Fiduciaries have added mandates like data auditors and Impact Assessments for heightened protection.
The Act safeguards children’s data by permitting processing with parental consent and curbing practices jeopardizing their well-being.
In striving for balance, the Act provides exemptions for national security, research, startups, enforcement, etc.