The Digital Personal Data Protection Act of 2023 is legislation that will determine the regulation of the collection, storage, and processing of personal data in India. It outlines the framework for the protection of the rights of individuals to their privacy, balanced on the opposite end by the needs of businesses in the digital economy. It lays down obligations in the form of data fiduciaries, a breach of which is penalized with appropriate consequences, as well as sets up a Data Protection Board. The Act conforms to the judgment of the Supreme Court of 2017 on the right to privacy being a fundamental right and seems to reflect the concerns that are growing in this increasingly data-driven world.
- The DPDP Act regulates the processing of digital personal data and outlines various provisions to protect individuals’ privacy in the digital age.
- The Bill applies to the processing of digital personal data within India where such data is collected online, or collected offline and is digitized. It also applies to such processing outside India if it is for offering goods or services in India.
Why is a New Act Necessary?
The IT Act of 2000 has been amended numerous times, including the IT Act Amendment of 2008 and the IT Rules 2011, as a measure to establish and maintain an emergent and digital nature it regulates, showing emphasis on policies of data handling. Basically, an IT Act is designed to protect e-commerce transactions and provide offenses under cybercrime initially and has no provisions to deal with today’s complexities of cybersecurity and data privacy issues. Unless the existing digital laws are comprehensively overhauled, it will be challenging for the IT Act to deal with the growing complexity and frequency of cyber threats. The proposed Digital India Act intends to strengthen the Indian economy through innovation and startups and citizen safety, trust, and responsibility.
Possible Provisions of the Digital India Act 2023
- Freedom of Speech. The social media platforms may have to do so to set moderation policies that better resonate with constitutional protections for freedom of speech. A recently amended provision to the IT Rules, 2021 requires that the various platforms must respect users’ free speech rights. In addition to this, three Grievance Appellate Committees have been put in place to redress complaints of undesirable content. These are likely to be incorporated into the Digital India Act.
- Cyber Safety: The Act will address the issue of AI, deepfakes, cybercrime, competitive practice by internet platforms, and data protection. This legislative piece will be formed out of the draft Digital Personal Data Protection Bill 2022, National Data Governance Policy, amendments in the Indian Penal Code along with other rules under the Digital India Act.
- New Adjudicatory Mechanism: A new framework would be introduced in handling all the crimes and civil offenses committed through the internet.
- Safe Harbour: The ‘safe harbour’ concept has been reviewed. Presently, social network sites are exempt from liability for user-generated content, but the amendments have curtailed it to a greater extent.
Digital Personal Data Protection Bill
It applies to digital personal data processed in India or outside and targets persons whose data is collected for offering goods or services or for profiling them within India. Data fiduciaries have a duty to process personal data alone in pursuit of legitimate purposes with consent, which may be either express or implied in specified circumstances. Data fiduciaries shall ensure accuracy, security, and deletion of data in a reasonable timeframe after the expiry of its purpose. This bill also clearly spells out rights to access, correct, or delete data by individuals and lists certain exceptions for government agencies based on reasons such as national security. A Data Protection Board of India will be established to monitor compliance.
Data Protection Laws Worldwide
- European Union Model: The General Data Protection Regulation (GDPR) is the model under which privacy becomes a human right for personal dignity and ownership of data.
- US Model: Contrary to the practice in the EU, the US does not have a comprehensive framework on privacy. It makes use of the sectoral approach to regulate privacy. Government operations with respect to an individual’s personal data are well covered by broad legislation, for example, the Privacy Act and the Electronic Communications Privacy Act.
- China Model: Newly enacted legislations such as Personal Information Protection Law (PIPL) and Data Security Law (DSL) in China have endowed new rights to the citizens and stringent controls over data usage and cross border transfers and business classified data of varying importance levels.
| Digital Personal Data Protection Act 2023 UPSC Notes |
| 1. Digital Personal Data Protection Act 2023 regulates the manner of obtaining, storing, and processing personal data in India; thus, it seeks to ensure protection of individual privacy while balancing business needs. 2. It offers a framework for data fiduciaries and outlines penalties for violations, as well as establishing the Data Protection Board to supervise compliance. 3. DPDP Act is in line with the judgment of the Supreme Court in 2017, when it recognized a right to privacy as a Constitutional right. 4. It applies to personal data processed in digital form within India and offline data that is digitized; it also covers processing outside India where it relates to the provision of goods or services within India. 5. The Act can be considered to have made provisions for social media companies to follow the freedom of speech protections while setting up Grievance Appellate Committees to redress complains regarding contents. 6. It addresses AI, deep fakes, cybercrime, and competitive practices by internet platforms, incorporating elements from the draft Digital Personal Data Protection Bill and other policies. 7. The current safe harbour exemption, which has exempted internet-based social networking sites from the liability towards any content generated by the end-users, will be reviewed and may be curtailed. 8. It will be very much susceptible to the international models—GDPR of the European Union, where privacy is conceived as a right; sectoral approach in the US; and China with strict data control laws like PIPL and DSL. |
