Data Protection: Safeguarding Privacy in the Digital Age

In today’s interconnected world, data has become one of the most valuable assets. From personal information to business intelligence, data plays an important role in our everyday existence and drives innovation across industries. However, the increasing reliance on data also raises significant concerns regarding its protection. Data breaches (any unauthorised handling of personal data or unintentional exposure, acquisition, distribution, utilisation, modification, deletion, or disruption of access to personal data that jeopardises the confidentiality, accuracy, or accessibility of such data), privacy violations, and cyberattacks have become common occurrences, underscoring the need for robust data protection measures. This blog explores the concept of data protection, its significance, and key takeaways from the recent enactment of the Digital Personal Data Protection Act, 2023.

What is Data

Data is a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.

Data Protection is essential for preserving individuals’ privacy rights. Without adequate protection, this data can be exploited for various purposes, including identity theft and invasive profiling. A data breach can have long-lasting negative consequences for an individual’s image and financial health.

At present India lacks an Independent & utilisation of personal data. It is regulated under the IT Act, 2000. In 2017, the central government established an Expert Committee on Data Protection, chaired by Justice B. N. Srikrishna, to examine matters related to data protection in the country. In July 2018, the committee submitted its report. Based on its recommendations, the Personal Data Protection Bill, 2019, was proposed in the Lok Sabha in December 2019. After undergoing scrutiny by a Joint Parliamentary Committee, which presented its report in December 2021, the Bill was retracted from Parliament in August 2022. A Draft Bill was released for public consultation in November 2022, followed by the introduction of the Digital Personal Data Protection Bill, 2023, in Parliament in August 2023.

The Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023, an Act of Parliament, received the approval of the President on 11th August 2023. It is a legislation aimed at regulating the processing of digital personal data, with due recognition of both individuals’ right to safeguard their personal information and the necessity to process such data for lawful purposes, along with related and incidental matters. The Act is yet to be notified by the Central Govt., and the Govt. is yet to prescribe the rules around this enactment.

The proposed legislation will encompass the handling of digital personal data within India, whether it is acquired online or offline and subsequently digitised. It will also extend its jurisdiction to data processing activities conducted outside India when they pertain to offering goods or services within the Indian territory. The Act specifies that personal data may be processed only for a lawful purpose upon consent of an individual.

Consent may not be required for specified legitimate uses, including:

(i) specified purpose for which data has been provided by an individual voluntarily,

(ii) provision of benefit or service by the government,

(iii) medical emergency, and

(iv) employment.

 

Rights of Data Principal:

The Act specifies that an individual whose data is being processed (also called the data principal) will have the entitlement to:

(i) Acquire information regarding data processing,

(ii) Request rectification and deletion of personal data,

(iii) Designate a representative to exercise rights in case of demise or incapacity, and

(iv) Seek resolution for grievances.

The central government exempts government agencies from the application of provisions of the act in pursuit of defined objectives such as safeguarding national security, maintaining public order, and preventing criminal activities.

 

Obligations of Data Fiduciaries:

The Act lays down obligations on data fiduciaries (the entity responsible for determining the purpose and methods of data processing and Data Processors), who should:

(i) Undertake diligent measures to maintain data accuracy and completeness,

(ii) Establish reasonable security measures to prevent data breaches,

(iii) Notify both the Data Protection Board of India and the individuals affected in the event of a breach, and

(iv) Erase personal data promptly once the intended purpose has been fulfilled and retention is no longer required for legal purposes (in accordance with storage limitations).

 

Exemptions:

In specific scenarios, certain rights of the data principal and the responsibilities of data fiduciaries (excluding data security) will not be applicable. They are:

(i) prevention and investigation of offences, and

(ii) the assertion of lawful rights or claims.

The central government holds the authority, through notification, to grant exemptions from the Act’s applicability. Such exemptions may encompass:

(i) Data processing by government entities to ensure the protection of national security and the preservation of public order, and

(ii) Data handling for research, archival, or statistical purposes.

 

Data Protection Board of India:

The Central Government proposes the establishment of a Board – The Data Protection Board of India to adjudicate on non-compliance with the provisions of the act.

Key responsibilities of the Board encompass:

(i) Overseeing adherence to regulations and levying penalties when necessary,

(ii) Instructing data fiduciaries to implement required actions in case of a data breach,

(iii) Hearing grievances made by affected persons.

Board members will be appointed for two years and will be eligible for re-appointment. The central government will prescribe details such as the number of members of the Board and the selection process. Appeals against the decisions of the Board will lie with TDSAT.

 

Penalties:

The Bill’s schedule outlines penalties for various violations, including potential fines of up to:

(i) Rs 200 crore for non-compliance with obligations related to children’s data, and

(ii) Rs 250 crore for failing to implement adequate security measures to prevent data breaches.

These penalties will be determined by the Board following a formal inquiry.

 

Conclusion:

The enactment of The Digital Personal Data Protection Act, 2023 represents a significant milestone in the ever-evolving landscape of data privacy and security. This legislation not only safeguards the rights and privacy of individuals but also sets clear guidelines for organisations and entities handling personal data. As we navigate the digital age, the act serves as a crucial framework that balances the need for data-driven innovation with the imperative of responsible data handling.
