Digital Personal Data Protection Act 2023: Privacy & Security

Explore the Digital Personal Data Protection Act 2023, a comprehensive legislation ensuring privacy and security in the digital realm. Uncover key highlights, implications for businesses, and the balance between innovation and privacy. Stay informed about India’s significant step in safeguarding personal data and empowering individuals in the digital age.

The Digital Personal Data Protection Act 2023: Unlocking the power of Privacy and securing a bright digital future

Introduction:

In an increasingly interconnected world, where personal data is constantly being generated and shared, protecting individuals’ privacy has become a paramount concern. Recognizing the need for comprehensive legislation, the Indian government has introduced the Digital Personal Data Protection Act, 2023. This Act is like a superhero cape for personal data, ensuring it stays safe and secure in the digital realm.

Currently, India does not have a standalone law on data protection. Previously, various acts had distinct provisions for safeguarding individuals’ data. However, with the introduction of The DPDP Act, all these provisions have come together in one place and have become a unified framework. The use of personal data is regulated under the Information Technology (IT) Act, 2000. Based on the recommendations of the Committee of Experts on Data Protection, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019.  In November 2022, a Draft bill was released for public consultation. On 3^rd August 2023, the Digital Personal Data Protection Bill, 2023 was introduced in Parliament. On 7^th August 2023, Lok Sabha granted its approval and the same was passed by Rajya Sabha on 9^th August 2023. The assent of the president was received on the 11^th August 2023.

Applicability:

 The Act applies to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.  It will also apply to the processing of personal data outside India if it is for offering goods or services in India.

Privacy matters: Unveiling the need for the DPDP Act, 2023:

 The rapid advancement of technology has enabled businesses to collect vast amounts of personal data. However, this has also raised concerns about data breaches, unauthorized access, and misuse of information. The Act seeks to address these concerns by providing individuals with enhanced rights and imposing stricter obligations on data processors.

Key Highlights of the Act:

•  Consent and Control: The Act emphasizes the importance of informed consent, ensuring that individuals have the right to determine how their personal data is used and shared.
• Data Localization: Recognizing the significance of data sovereignty, the Act mandates the storage of critical personal data within the boundaries of India. This measure aims to protect sensitive information from unauthorised access and foreign surveillance.
• Strengthening Data Protection Authorities: The Act establishes a Data Protection Authority (DPA) responsible for enforcing data protection regulations, investigating data breaches, and imposing penalties for non-compliance. The DPA will play a crucial role in ensuring accountability and transparency in data processing activities. The penalties may range between Rs. 10,000 to Rs. 250 crores depending on the extent of violation and non-compliance.
• Balancing Innovation and Privacy: While the Act prioritizes privacy protection, it also acknowledges the importance of fostering innovation and economic growth. It provides a framework for companies to process personal data for legitimate purposes, promoting responsible data-driven practices while maintaining the privacy rights of individuals.
• Implications for businesses: Pursuant to the introduction of the Act, businesses will face significant implications regarding the handling and protection of personal data. They will need to ensure compliance with the new regulations, which may require implementing robust data protection measures, obtaining explicit consent for data collection and processing, and adopting secure storage and transfer practices. Companies should take proactive steps to adapt to the implications of the Act. They should conduct a thorough review of their data handling practices, ensuring compliance with the new regulations. This may involve implementing robust data protection measures, such as encryption and access controls, obtaining explicit consent for data collection and processing, and establishing procedures for data breach notification.

Conclusion:

With the Act, India takes a significant step towards safeguarding personal data and empowering individuals in the digital age. By safeguarding personal information, companies will not just ‘lock’ away data but ‘unlock’ a world of trust and security. With this Act, businesses are urged to embrace a new era of data protection, safeguarding personal information and respecting privacy rights. By prioritizing compliance and adopting robust data security measures, companies can strengthen customer trust and enhance their reputation.

The Article is written by Charu Roopchandani, Deputy Manager, CSR and BRSR Team – MMJC and Mr. Pradnesh Kamat, Partner – MMJC.