India introduces Digital Personal Data Protection Act, 2023
06 September 2023
On August 11, 2023, India’s Digital Personal Data Protection Act, 2023 (DPDP Act) has been notified and published in the Official Gazette. It regulates the processing of digital personal data in the country, where data is collected online and offline and then digitized. It applies to digital personal data processing within and outside the country, where it involves goods and services offered in India.
“In my view, the DPDP Act is simple and futuristic,” said Rachna Bakhru, a partner at RNA, Technology and IP Attorneys in Gurgaon. “It considers the speed with which technology changes and covers future changes without having to amend the law every time. Compared with the European General Data Protection Regulation, considered a gold standard in the privacy circuits, the act may not be as detailed. However, the compliance requirements for data collection and processing are robust, as are the penalties for non-compliance.”
Data privacy legislation and artificial intelligence
According to Bakhru, the DPDP Act will function as a foundation for good governance of the government’s several initiatives, such as Digital India and the growth of artificial intelligence, given that AI systems often scrape large amounts of personal data in every industry.
“The act will foster confidence in foreign companies doing business with India regarding the safety of the data transferred, for which currently contracts are the only option,” explained Bakhru. “In a country like India, where culturally, sensitivity to privacy and personal information practically does not exist, the DPDP Act would hopefully help affirm the gravity of the issue. Further, it may help combat the prevailing practice of selling data at a nominal cost for marketing and exploitation.”
However, Rohan Swarup and Tanya Arora, associate partner and associate respectively at Singh & Singh in Delhi, agreed with Bakhru that it has some inadequacies.
“While the DPDP Act is definitely a step in the right direction, it is not nearly sufficient to address the multifaceted personal data protection requirements of a nation as diverse as India. It raises significant concerns that need to be carefully addressed to ensure a balanced approach that protects both individual privacy rights and national security imperatives,” said Arora.
Firstly, it has no provision for protection of non-digitized personal data.
“Section 3 of the DPDP Act deals with the act’s application, which states that the provisions apply to the processing of digital personal data that is collected in digital form or in non-digital form and digitized subsequently. Therefore, quite clearly, the act does not at all deal with protection of personal data that exists in non-digital form,” said Swarup. “In a hugely diverse country of over 1.4 billion people, it is important to recognize that digitization of records is a massive and ongoing undertaking which only seriously began in 2015 under the National Digital India initiative.”
The DPDP Act also raises concerns regarding unchecked data handling by government bodies. This may lead to infringement of data privacy rights.
Section 17 presents another loophole. It provides for nearly blanket exemptions from the requirements of consent, notice and data protection by data fiduciaries in specific situations. This includes situations where the processing of personal data is necessary for enforcing any legal right or claim.
“Effectively, this empowers the state or its instrumentalities to process personal data on mere suspicion of the commission of an offence. What is more concerning than the granting of such wide powers, is the lack of clarity on what basis the government concerned will deem some personal data to be ‘necessary’ to be processed,” explained Arora.
In addition, the DPDP Act does not provide a requirement for government agencies to delete the data once the objective for data gathering is fulfilled, she said. This could pave the way for data misuse for surveillance purposes.
Bakhru added: “The government has yet to draft rules for enforcing the provisions under the act, set up the Data Protection Board of India to monitor compliance and imposition of penalties, and direct data fiduciaries to take necessary measures in the event of a data breach and hear grievances from affected persons. If the government does not quickly act to work on the remaining tasks, the DPDP Act may remain on paper with no teeth.”
There are just some of the concerns regarding the DPDP Act and the Indian government’s responsibilities in connection with the legislation.
“It will be crucial for policy-makers to engage in a comprehensive dialogue to address these concerns and create a robust data protection framework that safeguards the rights of individuals while promoting responsible data processing and innovation,” noted Swarup.
Despite these, Bakhru lauds the use of “she” and “her” in the legislative act to refer to an individual rather than “he” and “his.” According to her, this is a first in India’s history and is a “nice gesture” of recognizing equal rights for women in Indian society.
- Espie Angelica A. de Leon