India’s Digital Personal Data Protection Act, 2023: A Step Towards Balancing Privacy and Legitimate Processing

BB Desk
BB Desk

Adv.  Zainab Binte Shabir

In a significant move towards protecting the privacy of individuals, the Indian government has introduced the Digital Personal Data Protection Act, 2023. The Act aims to strike a balance between the need to process personal data for legitimate purposes and the right of individuals to have their personal data protected.

*What is Personal Data?*

The Act defines personal data as any information that can identify an individual, either directly or indirectly. With over 760 million internet users in India, the need for data protection has become increasingly important.

*Scope of the Act*

The Act covers the processing of digital personal data in India, regardless of whether it is collected online or offline. It also applies to processing done outside of India if it is for the purpose of providing goods or services in India.

*Consent and Processing*

The Act requires consent for the processing of personal data, unless it is for legitimate purposes such as employment, government benefits, or medical emergencies. Children under the age of 18 require parental consent. The Act also provides individuals with the right to withdraw consent at any time.

*Rights of the Data Principal*

The Act gives individuals the right to seek information about processing, request rectification and erasure of personal data, appoint a substitute to exercise rights in case of death or incapacity, and seek redress for grievances.

*False Complaints*

The Act prohibits individuals from filing false complaints or providing false information, with a penalty of up to Rs 10,000 for violations.

*Data Fiduciary*

The Act requires the data fiduciary (the entity deciding on the purpose and method of processing) to take reasonable steps to ensure the accuracy and completeness of data, implement appropriate security measures, notify the Data Protection Board of India and affected parties in case of a breach, and delete personal data once the purpose is fulfilled.

*Data Transfer*

The Act permits the transfer of personal data outside India, except to countries notified by the central government.

*Exemptions*

The Act exempts processing carried out by government agencies for public order and security, as well as for statistical, archival, or research purposes, through notification by the central government.

*Data Protection Board*

The Data Protection Board of India will oversee compliance, enforce penalties, hear complaints, and instruct data fiduciaries to take appropriate measures in case of a data breach.

*Shortcomings*

While the Act is a positive step towards protecting digital personal data, it falls short in some areas. It does not provide the right to data portability or control the risks associated with processing personal data. Additionally, it permits the transfer of personal data outside India, which may not guarantee complete data protection.

*Conclusion*

The Digital Personal Data Protection Act, 2023, is a step towards balancing the need to process personal data for legitimate purposes with the right of individuals to have their personal data protected. However, there are shortcomings that need to be addressed. The State must carefully balance privacy concerns with legitimate State interests and be aware of the potential and threats to liberty presented by the digital world.

Note:-

Adv.  Zainab Binte Shabir D/O Shah Shabir Ahmed and Shookat Ara  

LLM (Corporate Banking and Insurance Law) 

Zainabshah9906@gmail.com