Earlier this year, a CNBC TV-18 news report caught the public eye when it quoted Tenable, a US-based cybersecurity company, as finding that India suffered the second-highest number of data-exposure breaches in 2022, with around 450 million records exposed.
The research report also found that a large number of these breaches were caused by previously known vulnerabilities and flaws, some dating back to 2017. The organisations concerned had failed to apply the relevant security patches for these flaws, which left them at increased risk of breach.
Around the same time in the first quarter of 2023, India also saw a sharp increase in cyber attacks, with over 500 million attacks blocked out of a billion globally, as per a news piece by The Economic Times which covered the State of Application Security Report by Indusface, a Security SaaS Company funded by Tata Capital Growth Fund.
These incidents exposed the personal data of millions of Indians to various risks, such as identity theft, fraud, cyberattacks, phishing, spamming, and other malicious activities. But more than that, they also violated our fundamental rights, such as freedom of expression, association, and movement, through surveillance, profiling, targeting, or censorship based on our data. Are we aware of how these attacks infringe on our dignity and autonomy as human beings through the commodification and manipulation of our data for commercial or political interests?
This article is an attempt to examine the recently enacted Digital Personal Data Protection Act (DPDA), 2023 (“The Act” or “DPDA, 2023”), and to discuss how it serves as the guardian of our privacy.
The idea of enacting legislation like the Digital Personal Data Protection Act (DPDA), 2023, was inspired by the need to protect the privacy and rights of individuals over their digital personal data in India. Before the passing of the Act, the common man was susceptible to various risks related to their digital personal data, such as:
Lack of transparency and control over how their data was collected and used by various entities, such as social media platforms, e-commerce sites, online service providers, etc.
Exposure to identity theft, fraud, cyberattacks, phishing, spamming, and other malicious activities that could compromise their personal information and financial security.
Violation of their fundamental rights, such as freedom of expression, association, and movement due to surveillance, profiling, targeting, or censorship based on their data.
Discrimination or exclusion from accessing essential services or opportunities based on their data attributes, such as gender, caste, religion, health status, etc.
Infringement of their dignity and autonomy as human beings due to the commodification and manipulation of their data for commercial or political interests.
The Supreme Court of India declared privacy as a fundamental right on August 24, 2017, in the case of Justice KS Puttaswamy (Retd) vs. Union of India. The Court held that privacy is an essential component of the right to life and personal liberty under Article 21 of the Constitution of India. The Court's decision was a landmark moment in the history of privacy in India. It gave individuals the right to control their personal information and to challenge the collection, use, and disclosure of their data by the government and private entities.
The apex court's decision was also based on a number of factors, including laying down the triple test for judging the permissible limits for invasion of privacy while testing the validity of any legislation. The decision was passed in view of the increasing collection and use of personal data by governments and private entities, the growing threats to privacy posed by new technologies, and the fundamental importance of privacy to human dignity. The Court held that privacy is essential for the development of the individual personality, for the ability to form relationships with others, and for the ability to participate in society. The decision also paved the way for the passing of the Digital Personal Data Protection Act (DPDA), 2023.
The Act was also influenced by global developments in data protection laws, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The Act was drafted by a committee of experts headed by Justice BN Srikrishna, who submitted their report and draft bill in July 2018. The bill was then introduced in the Parliament in December 2019 and underwent several revisions and consultations before being passed on 11 August 2023. The Act aims to provide a legal framework for the protection of digital personal data in India and to enhance the trust and confidence of individuals in the digital economy and society.
The DPDA, 2023 aims to address these risks by providing a legal framework for the protection of digital personal data in India. It is expected that the Act will enhance the trust and confidence of individuals in the digital economy and society.
The DPDA, 2023 is a landmark legislation that aims to protect the privacy and rights of individuals over their digital personal data. The Act protects digital personal data, that is, data by which a person may be identified. Three key areas addressed by DPDA, 2023, are:
The rights of Data Principals, i.e., the persons to whom the data relates.
The obligations of Data Fiduciaries, i.e., the persons, companies and government entities who process data by way of collection, storage or any other operation on personal data.
Financial penalties for breach of rights, duties and obligations.
While the Act regulates how organizations can collect, process, store, transfer, and use such data for lawful purposes, it also empowers individuals with various rights over their data, such as:
The right to be informed about the purpose, manner, and extent of data processing.
The right to access, correct, update, and erase their data.
The right to restrict or withdraw consent for data processing at any time.
The right to data portability, that is, to receive their data in a structured, commonly used, and machine-readable format and to transfer it to another Data Fiduciary.
The right to object to data processing that is likely to cause harm or discrimination.
The right to seek compensation for any harm caused by data breach or misuse.
The Act also establishes a Data Protection Authority (DPA) to oversee and enforce the compliance of the data fiduciaries with the provisions of the Act. The DPA has the power to issue codes of practice, conduct audits and investigations, impose penalties and compensation, and take any other action as may be necessary.
The Act makes a Data Fiduciary responsible for having security safeguards in place to prevent personal data breaches. They are required to intimate personal data breaches to the affected Data Principal and to the Data Protection Board. To fix end-to-end responsibility, the Data Fiduciary is required to erase personal data when it is no longer needed for the specified purpose or upon withdrawal of consent by the Data Principal. They are also required to have in place a grievance redressal system and an officer to respond to queries from Data Principals.
Additionally, Data Fiduciaries are required to fulfill certain additional obligations if they are Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessments to ensure a higher degree of data protection.
With respect to the personal data of children, DPDA, 2023, casts heavier responsibilities on the Data Fiduciaries. It allows a Data Fiduciary to process the personal data of children only with parental consent and does not permit any processing detrimental to the well-being of children or if it involves their tracking, behavioral monitoring, or targeted advertising.
The DPDA, 2023, empowers Data Principals with a suite of rights, from information and access to data portability and the right to seek compensation for breaches. It instils accountability in Data Fiduciaries, demanding stringent security measures, redressal systems, and heightened responsibilities for Significant Data Fiduciaries. The two Cs of Consent and Compliance are at the heart of this Act, enabling individuals to manage their data and setting high standards for organizations' privacy practices.
Under the Act, the Data Principal may give, manage, review, or withdraw their consent to the Data Fiduciary directly or through a Consent Manager. In the case of children, consent shall be obtained from the parent or the lawful guardian. No separate consent, however, is required for "legitimate uses" recognised under the Act, which include data provided voluntarily by the Data Principal, personal data processed for any function under any law or judgment issued under law, responding to a medical emergency involving a threat to the life of the Data Principal or another individual, maintaining public order and ensuring safety, and lastly, purposes related to employment.
Further, in terms of compliance by the Data Fiduciaries, they are required to design and implement privacy policies and procedures, including privacy notices to inform the Data Principals about the types of personal data collected and the purpose of the collection.
With the enactment of the DPDA, 2023, Data Fiduciaries are required to take steps towards implementing technical and organisational measures and reasonable security safeguards to prevent data breaches. They will also be required to strictly enforce procedures for handling the rights, requests and grievances of Data Principals. For “Significant Data Fiduciaries”, there are additional compliance requirements: undertaking a Data Protection Impact Assessment, appointing a Data Protection Officer (DPO) and publishing the DPO's business contact information. They are also required to perform periodic audits.
In conclusion, the DPDA, 2023, emerges as a formidable guardian of our digital privacy in an era where data breaches and cyber threats loom large. This legislation stands as a beacon of hope, addressing the vulnerabilities that ordinary citizens face in the digital realm. It reflects the commitment to safeguarding personal data, ensuring transparency, and empowering individuals with the right to control their information.
As we navigate the ever-evolving digital landscape, the DPDA, 2023, serves as a robust shield, transforming common individuals from being vulnerable to virtually invincible, ensuring that their digital lives are protected, their rights are respected, and their dignity is preserved. It's not just a legal framework; it's a promise of a safer and more secure digital future for all of us.
About the author: Arjit Benjamin is an Associate Partner at Prosoll Law.