+ Follow

Image by melovess.com from Pixabay

INTRODUCTION 

“A data breach is about both privacy and security. And security becomes very, very important because you can’t have privacy unless you have good security. And if someone tries to say otherwise, they are crazy people!”  – Dr. Larry Ponemon 

Mobile and Internet are something which is very well acquainted in our surroundings. If there is anyone unaware of the books but they can't be unfamiliar with mobiles and internet. Mobile and internet are something which has become an essential part of our basic amenities. The Internet is that basic element that is invisible in mobile but connects the person to the different corners of the world. The term Internet entails that the network in which millions of computers are interconnected with each other is called the Internet. As of now, in India, there are approximately 800 million users of the internet and it's been assumed that by 2025 this number will go up and the number of internet users will cross the mark of 900 million. 

Even though the internet is a magic lamp from which anything can be found concerning information on any possible subject. However, it has some major possible issues where one's personal information can be misused, and other than that cyber-attacks can take place, and major tragedies can happen. Thus, some efforts were taken by 'the state' to improve the situation and consequently, the Digital Data Protection Act, of 2023 came into being. It wasn't so easy it took almost 7 years for it to happen. In the Puttaswamy Case of 2017, the Supreme Court held that the Right to Privacy comes under Article 21 which is a fundamental right. The very next year in 2018, a Committee under the chairmanship of Justice B.N. Srikrishna was set up to ascertain the matter regarding data protection in the country and the committee submitted its report in 2018. As per the recommendations of the aforementioned committee, Personal Data Protection Bill, 2019 was introduced in Lok Sabha. The Bill was despatched to a Joint Parliamentary Committee which submitted its report in December 2021. In August 2022, the Bill was withdrawn from Parliament, and in November 2022 Bill was put before public view for suggestions. In August 2023, ultimately, the Digital Data Protection Bill was passed by both houses of the Parliament. 

WHY DID INDIA REQUIRE THE DIGITAL PERSONAL DATA PROTECTION ACT or DPDP ACT 2023? 

Data Protection is a significant thing that was being protected under the Information Technology (IT) Act, of 2000 before this new act. Now Digital Personal Data Protection Act will replace the other and will become the prime law of the land in terms of data protection for the country. The need for this act can be understood in such a manner that we know how much technology has been disseminated across the world to increase efficiency and effectiveness. Thus, information is also given via the internet, and while doing so it has been seen that due to the recklessness of the companies and the lust for money of some greedy people, they leak the data either to sell some other company or publicized it for the sake of releasing the personal information of the people. For instance, In July 2023 in Australia, the Australian Court imposed a 111 crore rupees fine on Meta(Facebook) for failing to safeguard the information of an individual. The same incident has also happened in other parts of the world. By keeping these kinds of incidents, the Government of India also put its keen attention to this sensitive subject and brought the Digital Personal Data Protection Act in August 2023. 

SALIENT FEATURES OF THE DPDP ACT 2023

There are various underlying features of this act which can be noticed and understood in the following ways: 

  1. This act will be applicable for the processing of digital data collection. It will act on the collection of digital data and collection of data which will be digitized later on. Moreover, if the company is located outside but providing the goods and services in the country in that position this act will be applicable too. 
  2. The personal data of an individual can processed only after asking for consent from that person and consent can be withdrawn by the person at any point in time. If the person is a minor then permission will be given by parents or legal guardians. 
  3. Two significant terms have been used in this act, the first one is Data Principal. This term implies the individual whose data has been processed and the same person will have some rights like he will be informed about the processing of his data, asking for modifying or erasing some data, can nominate to other people to use or manage his data in his absence, or death and can move for grievance redressal. 
  4. The data principal indeed has some rights but it doesn't mean that he doesn't have any duty or restriction over him. The data Principal cannot file any false report but if he does so then he will be penalized by imposing a penalty of 10,000. 
  5. The second most significant term in the act is Data Fiduciary. It is the company or the organization that is responsible for determining the purpose and means of processing. It has the responsibility to ensure the accuracy and completeness of data, build such a structure where the possibility of a data breach is not feasible, inform the Data Protection Board of India and affected persons if the data has been breached, and delete the personal information of the individual if the purpose has been met.
  6. The data can be transferred to other countries for storage or processing except in those countries which have been prohibited by the Indian government by issuing a notification. 
  7. There are certain exemptions where the rights of the data principle and duties of data fiduciaries do not come under this act except the data security. The Union government can exempt some activities by a notification which may comprised of processing by government entities in the interest of the security of the state and public order, and research, archiving, or statistical purposes.
  8. The Union government has been empowered to establish the Data Protection Board of India. The Key functions of the Board are as follows:
    - Monitoring compliance and imposing penalties,
    - Directing data fiduciaries to take necessary measures in the event of a data breach
    - Hearing grievances made by affected persons.
    Board members will be appointed for two years and will be eligible for re-appointment. If the parties are not satisfied with the decision of the aforementioned authoritative board then they can appeal to the Telecom Disputes Settlement and Appellate Tribunal or TDSAT. 
  9. As per the act of DPDP, if non-adherence is found then penalties can be imposed in the form of 200 crore INR can penalize for non-fulfillment of obligations for children, and 250 crore INR for not fulfilling the proper management to prevent a data breach. However, penalties will be imposed by the Data Protection Board after conducting an inquiry.

Therefore, these were the certain dominating characteristics of the act, whose influence can be seen on public life in the subsequent time. 

POSITIVE CONNOTATIONS OF THE ACT THAT DISSOLVE THE ISSUE 

This act is the silver lining amongst all the acts that exist nowadays and this act has various positive points, some of which a given below: 

  1. This act may act as a milestone amongst all the previous acts about data protection.
  2. This act has reduced the chance of recklessness of private enterprises in processing, collecting, and utilizing the data. This act will make them responsible and accountable to the people and the government. 
  3. Enormous amount of penalties is a remarkable step towards bringing the attention of the biggest companies in the world like Amazon, Google, and Meta. 
  4. A separate statutory body "Data Protection Board" will be there to resolve the matters relating to data protection. If the parties are not satisfied they can go to TDSAT as well. 
  5. This act may give impetus to the alien companies to set up their storage center of data in India and in this way local people can get employment. The chance to grow startups may flourish. 

DRAWBACKS OF THE DPDP ACT? 

There is no denying that this act has significant requirements for personal data protection however, at the same time there are some shortcomings as well and those are this way: 

  1. Concessions to the central and state government concerning the exemption itself from collection, processing, and retention of the public data having accomplished the set target, is a violation of the Right to Privacy which was declared by the Supreme Court in the Puttaswamy Case of 2017. 
  2. Government agencies have got edge over other Private Enterprises because governmental authorities are not required to delete the personal data of the people for the sake of maintaining law and order and also in the interest of the country. 
  3. Initially, the draft of the Bill of Data Protection in 2018 and 2019 had provisions for the protection of the right to data portability and the right to be forgotten. Parliamentary Committee and Srikrishna Committee supported that the rights of data principals should be stiff. This, however, act does not have the adhere to these. These rights are based on principles of autonomy, transparency, and accountability to give individuals control over their data. 
  4. There is one provision in the act that says about the transfer of personal data that can be done in other countries with the permission of the union government. When, however, the data of the other country is not safe how can we expect a private enterprise to retain its data safely without signing any agreement? 
  5. Provision for getting the information of the child is a little tricky because the minor age in India is 18 years. After all, it is time-consuming to get permission from parents or legal parents. 
  6. The election period of 2 years of member. Once selected member can be a member again. Thus it loses independence. 
  7. Section 43A of the IT Act, 2000 imposes an obligation on corporates to award damages to affected persons in case of negligent handling of their sensitive data. However, the Bill excludes the application of Section 43A.
  8. This act deprives the command of getting the personal information of functionaries concerning their wealth and property due to the aid of the RTI Act. For instance, now it is extremely hard to know about the property of public officials which was possible earlier due to the influence of the RTI ACT.

COMPARATIVE STUDY OF DPDP ACT WITH OTHER NATIONS 

Numerous countries in this world have made their own law concerning digital data protection. 

  • American Model of Data Protection: The American model of data protection is not as comprehensive as it is in India. In America, they focus on Individual liberty against the intrusion of governmental activities. In America, data is collected as long as the individual is informed about it in India the data principal is informed and data fiduciaries are responsible for them. 
  • European Model of Protection: The General Data Protection Resolution or GDPR is a comprehensive and high standard of data protection resolution for processing and collecting personal data. This resolution is comprised of Privacy Rights, Digital Services Act, and Digital Market Act
  • Chinese Model of Protection: Recently Chinese government has recently launched its data security and privacy policy which includes the Personal Information Protection Law(PIPL), and Data Security Law(DSL). These laws provide the right to the individual to persuade himself that his data is safe and the same act restricts cross-border data transfer. 
  • United Nations: According to the United Nations Conference on Trade and Development, 137 out of 194 countries have made laws, rules, regulations, and resolutions to secure the protection of data and privacy.

WAY FORWARD

As we know there is always scope for improvement in every field Similarly in this act there is some scope for rectification as well and those are suggested in the following manner: 

  1. Independent working of the Data Protection Board of India should prevail and ensure that as soon as it is possible to establish and start the proper functioning of the Board. 
  2. Minimal government interference should take place and the exemptions which have been provided to the government should be reduced so that more liberty can be delivered to the people. 
  3. Transparency and Accountability of Data Fiduciaries should be ensured, conduct a regular audit, and provide accessible mechanisms for citizens to file complaints. 
  4. The appointment of the Chairperson and members of the Data Protection Board of India and the Tribunal like TDSAT (Telecom Disputes Settlement and Appellate Tribunal) should be done with the suggestion of the judge of the Supreme Court, Prime Minister, Leader of Opposition their term should be for a fixed period for them.
  5. The decisions of the Board and the tribunal should also be brought under the jurisdiction of Lokpal as well. 
  6. The Digital Personal Data Protection Act is a technical act whose practical implications should taught by the government through general awareness campaigns with the aid of technology and collaboration with Educational institutions and NGOs. 
  7. Perpetual ascertainment of the act and adaptation according to the demand of the time and technology should be done. 
  8. The jurisdiction of the RTI Act should be not reduced to the name of national interest and more rights of the public enterprises. 

CONCLUSION 

“In the digital era, privacy must be a priority. Is it just me, or is secret blanket surveillance obscenely outrageous?” - Al Gore

Digital Data Protection Act is a milestone in the field of digital data protection as before this act there was not any other act which had influence as well as dedication like this. However, the IT Act 2000 prevails and deals with the issues but not like this act. This act has assured the people about the protection of their digital data and also issued a kind of warning to the companies who have the responsibility to secure and manage the data of the people. It essentially deals with multifarious interrelated aspects like cybersecurity, competition, artificial intelligence, and more. We are looking forward to the possible and positive impact of data protection and increased responsibility of the MNCs and governmental agencies too. 

.    .    .

REFERENCE:

  • pib.gov.in 
  • www.civilsdaily.com 
  • blog.forumias.com

Discus