Data protection laws have become essential as personal data has emerged as a valuable asset, from the details we share online to what companies collect when we use their services. Cybersecurity solutions are crucial to safeguard this data and ensure individuals have more control over it. To address these concerns, India has introduced the Digital Personal Data Protection Act 2023 (DPDPA). This law sets new rules for how businesses handle personal information and outlines the rights of individuals regarding their data.
Whether you’re a consumer wanting to protect your privacy or a business aiming for compliance, understanding the DPDPA is essential for navigating the digital landscape.
Here’s a concise comparison of personal data and sensitive personal data:
| Aspect | Personal Data | Sensitive Personal Data |
| --- | --- | --- |
| Definition | Identifies an individual (e.g., name, email). | A subset of personal data needing extra protection (e.g., health, financial data). |
| Examples | Name, email address, phone number. | Health info, biometric data, sexual orientation. |
| Risk Level | Low to moderate risk if mishandled. | Higher risk, leading to significant harm if exposed. |
| Consent Requirements | Generally requires consent; more flexibility. | Requires explicit consent for collection and processing. |
| Regulatory Protections | Subject to general data protection laws. | Subject to stricter regulations and protections. |
| Handling and Storage | Standard data protection measures are sufficient. | Requires enhanced security measures. |
Data privacy laws in India have taken a significant step forward with the introduction of the DPDPA in 2023. This new law aims to protect the personal data of individuals and regulate how businesses and organizations handle it. The DPDPA was introduced to ensure that people’s data is processed lawfully, securely, and transparently. Under this act, individuals, known as Data Principals, have specific rights, such as the right to access their data, correct it, and request its deletion.
The Data Privacy Act in India, specifically the DPDPA in 2023, outlines responsibilities for businesses, referred to as Data Fiduciaries. These responsibilities include obtaining proper consent from users, protecting the data they collect, and reporting data breaches. The DPDP Act 2023 also governs how personal data can be shared across borders and imposes penalties on those who fail to comply with the rules. It’s a significant step toward safeguarding privacy in an increasingly data-driven world.
The DPDP Act applies to anyone who processes digital personal data outside of personal or domestic contexts under the following conditions:
The term “person” under the DPDP Act encompasses more than just individuals or businesses. It includes:
Chapter III of the DPDP Act outlines the rights of data principals as follows:
Data principals have the right to request a summary of their personal data that has been processed. This includes information about the activities of data fiduciaries and details of any data fiduciaries or data processors with whom their personal data has been shared.
Data principals can ask data fiduciaries to:
Data fiduciaries must respond to such requests within a reasonable timeframe.
Data principals can request the deletion of their personal data. However, data fiduciaries are not required to erase this data if it is necessary for fulfilling the purpose for which it was collected or for compliance with legal obligations.
Data principals have access to a grievance redressal mechanism to address any issues related to the obligations of data fiduciaries or enforcement of their rights. They must use this mechanism before approaching the Data Protection Board if their grievance remains unresolved.
In the event of their death, mental incapacity, or physical infirmity, data principals can nominate an individual to exercise their rights under the DPDP Act.
Data principals can revoke their consent at any time. However, they are responsible for any consequences that arise from this revocation. Upon revocation, data fiduciaries must cease processing the personal data of the data principal and ensure that data processors do the same.
The Justice Sri Krishna Committee, established in 2017, played a pivotal role in shaping India’s data protection framework. Here are the key contributions of the committee:
The committee was tasked with examining issues related to data protection and proposing a comprehensive legal framework.
The committee developed the Personal Data Protection Bill based on extensive consultations with stakeholders, including legal experts, industry representatives, and civil society.
The committee made several recommendations, including:
The committee acknowledged that data protection is essential for safeguarding the right to privacy, which the Supreme Court of India recognized as a fundamental right.
It emphasized principles like data minimization, purpose limitation, and accountability for data processors, shaping the foundation for subsequent laws, including the DPDPA in 2023.
The DPDPA brings significant changes for businesses operating in India. Here’s how it impacts them:
Businesses must implement robust data protection policies and procedures to comply with the DPDPA. This includes obtaining explicit consent from users, maintaining records of data processing activities, and implementing security measures to protect personal data.
Organizations are now accountable for how they handle personal data. This includes being transparent about data collection practices and ensuring that data is used only for the purposes specified at the time of collection.
While not mandatory for all businesses, those handling significant amounts of sensitive data are encouraged to appoint Data Protection Officers (DPOs) to oversee compliance and ensure that data protection measures are effectively implemented.
Non-compliance with the DPDPA can lead to hefty fines, which could impact a company’s bottom line. Businesses may need to allocate resources for legal consultations, compliance training, and system upgrades to avoid penalties.
The DPDPA mandates clear consent for data collection, which may lead businesses to rethink their data collection strategies. Companies will need to ensure that their practices are user-friendly and compliant with legal requirements.
By adopting transparent data protection practices, businesses can build trust with their customers. When individuals feel confident that their data is being handled responsibly, they are more likely to engage with a brand.
The demand for data protection services, such as compliance consulting, data audits, and security solutions, is expected to rise. Businesses may explore partnerships with specialized firms to ensure compliance with the DPDPA.
Organizations must invest in ongoing training and awareness programs for their employees to ensure everyone understands the importance of data protection and their roles in maintaining compliance.
The DPDPA has a profound impact on individuals by empowering them with greater control over their personal data. Here’s how it affects them:
Individuals, referred to as Data Principals, are granted specific rights concerning their personal data. These rights include the ability to access their data, request corrections, and demand the deletion of information that is no longer necessary.
The DPDPA requires businesses to obtain clear and explicit consent from individuals before collecting or processing their data. This means individuals have more control over what information they share and with whom.
Individuals can request their personal data to be transferred from one service provider to another, making it easier to switch services while retaining their information. This promotes competition and allows users to choose better services.
The act provides individuals with the right to request the deletion of their personal data when it is no longer needed or when they withdraw their consent. This empowers users to manage their digital footprint more effectively.
Businesses are required to inform individuals about how their data will be used, stored, and shared. This transparency allows individuals to make informed decisions about their data.
In the event of a data breach, individuals must be notified, allowing them to take necessary precautions to protect their personal information. This increases accountability among organizations regarding data security.
The DPDPA establishes a framework for individuals to lodge complaints against organizations that misuse their data or fail to comply with data protection regulations. This provides a legal recourse for individuals seeking to address violations.
As individuals become more aware of their rights under the DPDPA, they are likely to be more proactive in protecting their personal data and seeking accountability from businesses.
The Digital Personal Data Protection Act (DPDPA) 2023 in India and the General Data Protection Regulation (GDPR) in Europe are both designed to protect personal data, but they differ in certain key areas:
| Aspect | DPDPA 2023 | GDPR |
| --- | --- | --- |
| Scope | Applies to personal data of individuals in India, regardless of where processed, involving Indian citizens. | Covers personal data of individuals in the EU and applies globally if processing data of EU residents. |
| Consent Requirements | Emphasizes explicit consent for data collection and processing. | Focuses on consent but allows other legal bases like the performance of contracts and legitimate interests. |
| Rights of Individuals | Grants rights such as data access, correction, data portability, and deletion requests. | Offers broader rights, including objection to processing and restriction of processing, alongside access, correction, and deletion. |
| Data Protection Officers (DPOs) | DPOs are not mandated for all organizations but are expected for significant sensitive data handlers. | Requires appointment of DPOs for certain businesses, especially those processing large-scale data. |
| Penalties | Fines can reach up to ₹250 crore (approximately €28 million) based on violation severity. | Imposes fines up to €20 million or 4% of global annual turnover, whichever is higher. |
| Cross-Border Data Transfers | Allows transfers but requires adequate protection measures for data sent outside India. | Strictly regulates transfers, allowing them only to countries with adequate data protection or appropriate safeguards. |
While both laws focus on protecting personal data and ensuring transparency in data processing, GDPR offers more comprehensive rights for individuals and imposes stricter requirements on businesses, whereas DPDPA is tailored to India’s data privacy landscape and aims to balance privacy with business interests.
Here are some recent updates and amendments:
Enforcement Authority:
The Data Protection Board (DPB) has been established as the enforcement authority under the DPDPA, with the authority to impose penalties of up to INR 250 crore.
Appellate Authority:
The Telecom Disputes Settlement and Appellate Tribunal serves as the appellate authority for the DPDPA.
Parental Consent:
Data fiduciaries are required to obtain verifiable consent from parents or guardians before processing children’s data. However, certain entities, such as healthcare and educational institutions, may be exempt from this requirement.
Penalties for Data Breaches:
The DPDPA imposes significant penalties for data breaches. For instance, failing to notify the board or affected data principals about a personal data breach can result in a penalty of INR 200 crore.
India’s privacy law sets penalties for violations based on several factors, including the severity and duration of the breach, the type of personal data affected, the frequency of the violation, and the financial impact on the violator. Penalties can reach up to INR 250 crore (approximately $30 million).
Unlike many other data privacy laws worldwide, India’s privacy law does not specify a cure period for violations. However, violators are entitled to a hearing, reflecting the principle of natural justice.
| Nature of Violation/Breach | Penalty |
| --- | --- |
| Failure to implement security safeguards | Up to INR 250 crore (approximately $30.21 million) |
| Failure to notify a breach to the board | Up to INR 200 crore (approximately $24.17 million) |
| Non-compliance with special provisions regarding children | Up to INR 200 crore (approximately $24.17 million) |
| Non-compliance with obligations of the Security Designated Framework (SDF) | Up to INR 150 crore (approximately $18.13 million) |
| Non-compliance with obligations by data principals | Up to INR 10,000 (approximately $120) |
| Violation of any voluntary undertaking | Up to the applicable extent for that breach |
| Violation of any other provisions not specified above | Up to INR 50 crore (approximately $6 million) |
These penalties emphasize the importance of adhering to data protection regulations and safeguarding personal information.
Following these steps will help ensure compliance with the DPDP Act and safeguard personal data effectively.
This act is a pivotal advancement for data privacy in India, establishing a solid framework for personal data protection. It defines individual rights and business responsibilities, aiming to create a secure environment for personal information in a digital age. Organizations must prioritize compliance and invest in effective cybersecurity solutions to safeguard data. The DPDPA is not just a legal requirement; it represents a commitment to trust and accountability in data management, paving the way for a safer digital future for all stakeholders.