NEW DELHI: The Digital Personal Data Protection (DPDP) Act of 2023 is a major step forward in India's efforts to establish a strong data protection system. This law aims to protect the digital personal data of individuals, while also balancing the right to privacy with the need for lawful data processing.
The Legislative Journey of the DPDP Act, 2023
The DPDP Act of 2023 was developed from a draft version that was initially released for public consultation in November 2022. After undergoing a series of revisions and extensive consultations, the final bill was approved by the cabinet in July 2023, passed by both houses of the Indian Parliament in August 2023, and subsequently received presidential assent, thus becoming law.
Data Protection Act: Roles, Penalties, and New Authority
The Indian Data Protection Act specifies the responsibilities of data fiduciaries, which can be individuals, companies, or government entities involved in handling personal data. The Act also defines the rights and duties of data principals, who are the individuals to whom the data belongs. Additionally, the Act introduces financial penalties for any breach of these rights, duties, and obligations. A significant aspect of India's data protection framework under this Act is the establishment of the Data Protection Board of India. This body acts as an adjudicatory authority, responsible for resolving disputes related to data privacy.
Telecom Disputes Settlement and Appellate Tribunal (TDSAT)
The Data Protection Board is an independent regulatory authority that will handle privacy-related grievances and disputes. Its primary function is to assess compliance with the provisions of the Act and impose penalties in case of any non-compliance. Additionally, the Act allows for the creation of an appellate body that may be assigned to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). This appellate body will be responsible for hearing appeals against the decisions made by the Data Protection Board.
Financial Implications of Data Protection Non-Compliance
The Act introduces strict financial penalties for non-compliance, with fines of up to INR 2.5 billion (approximately USD 30 million) depending on the nature of the violation. These penalties cover a range of breaches, from failure to take reasonable security measures to unauthorized sharing of children's data.
Exemptions and Compliance (DPDP Act)
The Digital Personal Data Protection Act (DPDP Act) allows certain agencies to be exempted from its provisions in cases involving national security, public order, research or statistical purposes, and other similar scenarios. To comply with the Act, companies should evaluate their data privacy frameworks, update their data processing agreements, and establish methods for managing consent and handling data principal rights.
The Act is seen as a historic step in aligning India's data protection standards with global norms like the European Union's General Data Protection Regulation (GDPR). However, it has not been without criticism. Concerns have been raised about potential government overreach and the implications for privacy rights, with some critics arguing that it could grant the government excessive access to personal data.
The Digital Personal Data Protection Act, 2023, represents a significant overhaul of India's data protection policies, aiming to protect individual privacy while allowing for lawful data processing. As India continues to evolve as a digital economy, the DPDP Act is a crucial step towards ensuring that data privacy and protection are prioritized, providing a framework that balances individual rights with the needs of businesses and government agencies.