The Digital Personal Data Protection Act, 2023 (also known as DPDP Act or DPDPA-2023) is an act of the Parliament of India to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto. This is the first Act of the Parliament of India in which "she/her" pronouns were used, unlike the usual "he/him" pronouns.
The Ministry of Electronics and Information Technology set up a committee to study issues related to data protection. The committee was chaired by retired Supreme Court judge Justice B. N. Srikrishna. The committee submitted the draft version of the Personal Data Protection Bill in July 2018. The report was later modified several times by the Government of India and, after receiving the approval of the central cabinet, the draft legislation was tabled in the Parliament of India on 11 December 2019.
The Bill aims to:
provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.
It contained extensive provisions on the collection of consent, assessment of datasets, data flows and transfers of personal data, including to third countries, and other aspects around anonymized and non-personal data.
The revised 2019 Bill was criticized by Justice B. N. Srikrishna, the drafter of the original Bill, as having the ability to turn India into an "Orwellian State". In an interview with Economic Times, Srikrishna said that, "The government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications." This view is shared by a think tank in their comment number 3.
Fresh criticism on the international level comes from an advisor to a group proposing an alternative text. A moderately critical summary is available from an India scholar working with an American co-author.
The role of social media intermediaries is being regulated more tightly on several fronts. The Wikimedia Foundation is hoping that the PDP bill will prove the lesser evil compared with the Draft Information Technology [Intermediary Guidelines (Amendment) Rules] 2018.
Forbes India reports that "there are concerns that the Bill gives the government blanket powers to access citizens' data."
Jaiveer Shergill, a prominent Supreme Court lawyer, has shared the pitfalls and gaps of the current version of the draft bill. There are serious loopholes in the bill: it is unable to identify the scope of governmental bodies in distinguishing who has access to the personal data of citizens, and it is missing state bodies to monitor the personal data.
After being tabled, the bill was referred to the JPC, which was chaired by Meenakshi Lekhi. Later, after receiving criticism from stakeholders, the opposition and experts, the bill was withdrawn from the Parliament of India on 3 August 2022.
The Bill provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
The Digital Personal Data Protection Bill, 2023 is the draft version of the Digital Personal Data Protection Act, 2023. The government initially released the Digital Personal Data Protection Bill, 2022 on 18 November 2022 for public consultation until 2 January 2023, and then approved the revised version of that earlier draft, making it the Digital Personal Data Protection Bill, 2023.
The Act protects digital personal data (that is, the data by which a person may be identified) by providing for the following
The Data Protection Board of India, an adjudicating body, will be established as per the provisions in this Act.
The Minister of Electronics and Information Technology Ashwini Vaishnaw and MoS Rajeev Chandrasekhar stated in the press that the Central government is setting up the Data Protection Board of India, which will be an adjudicating body. It is a body that adjudicates the dispute between those whose personal data has been given to a platform and the platform which has in turn breached the obligations under the law.
The Act has made exemptions from the regulations related to the Act, they are:
The Digital Personal Data Protection Act, 2023 has relaxed data localisation requirements when compared to the earlier attempted legislation, the PDP Bill, 2019, and permits cross-border data flow to certain countries and territories as may be notified by the central government. Unlike the earlier bills, the present legislation does not prescribe local storage or localization requirements. However, there is a restriction: cross-border data flow is allowed only to the countries that are notified by the central government under this Act. The basis on which countries are notified and other data-processing details are yet to be announced by the Data Protection Board of India.
The Act is applicable only to data collected digitally and to offline data once it is digitized. Its lack of applicability to offline personal data was criticized, as there is no framework for how such data is handled.
The statement of objects and purpose of the DPDPA-2023 states that it is to "provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto".
As it replaces information security with the right of an individual to control their own data privacy, the Act confuses the idea of informational privacy and leaves much to be desired. Since the need for such legislation was first stated in the Right to Privacy verdict, it appears that the DPDPA-2023 as it was enacted in this state differs from the original idea of what the law could have been.
The exemptions for the Government were criticized by the opposition and experts, who stated that the right to privacy is a fundamental right as per the Supreme Court's verdict and that these exemptions do not ensure the satisfaction of the right to privacy.
However, MoS Rajeev Chandrasekhar has countered that these exemptions are for incidents where a disaster or terrorist activity occurs and the government should be able to access such personal data to rescue people in disastrous situations and/or identify people behind a terrorist activity. The MoS has further confirmed that the government is also under the obligation of protecting the personal data it has; the only exemption is that it can access that data in events concerning "national security".
The Digital Personal Data Protection Act, 2023 requires data fiduciaries to obtain verifiable consent from a legal guardian before processing the personal data of a child (below 18 years). This would necessitate verifying the age of all users signing up for digital services to determine if they are minors and obtain parental consent. However, this verification process may compromise anonymity in the digital space, as it requires providing proof of age. These restrictions contravene India's obligations under the Convention on the Rights of the Child.