
In a significant move towards a more secure digital era, Indian President Droupadi Murmu recently sanctioned the Digital Personal Data Protection Bill (DPDPB). The bill, which gained unanimous approval from both legislative branches in the preceding week, presents a balanced framework that respects individuals' rights to protect their personal data while also acknowledging the necessity of data processing for lawful purposes.
The necessity for such a law has been evident for some time, particularly since India's Supreme Court established privacy as an inviolable right back in 2017. Despite the monumental task of crafting a law that aptly addresses the nuanced arena of data privacy, it is indeed noteworthy that the first draft surfaced only a year later in July 2018. The path to this law's birth, marked by extensive deliberations and revisions, eventually culminated in a draft version of the bill being presented by the Ministry of Electronics and Information Technology (MeitY) in November 2022.
So what does this freshly minted law entail? Simply put, it applies to data about identifiable individuals collected through any medium, online or offline. Its major stipulation, however, is that data processors may handle an individual's data only if they obtain explicit permission and only if the processing is essential to the defined purpose.
For businesses, obtaining the user's consent can't be considered in isolation. It ought to be accompanied by a clear notice outlining why the user's personal information needs to be processed. In some instances consent isn't necessary, such as when users willingly share their data, for example by electing to receive emailed invoices.
Understandably, the law adds caution in sensitive areas such as children's data. For children (up to 18 years old) or individuals with disabilities, companies must obtain verifiable consent from a parent or guardian. In line with this, the law outright prohibits reprehensible acts like tracking, behavioral monitoring, or targeted advertising directed at children. In some cases this consent requirement may be waived, but that would be contingent upon a comprehensive examination by the government, ensuring that the data treatment is "verifiably safe."
The law imposes other duties too: ensuring data accuracy, fortifying data security, and securely disposing of data once it has outlived its use are listed among a data processing entity's obligations. Users, on the other hand, gain the right to obtain information, seek rectification, request removal, and file complaints.
To oversee this comprehensive mandate, the law establishes a Data Protection Board (DPB) which has the power to scrutinize complaints, look into data breaches, and enforce penalties based on the breach's nature, duration, and recurrence. Organizations found guilty of misuse, lack of adequate protection, or failure to notify the DPB about a breach can be subject to hefty fines up to ₹250 crore ($30.1 million).
Despite its noble intent, the DPDPB has encountered criticism. The act exempts government agencies from its provisions for reasons related to law enforcement, opening up potential avenues for misuse. These provisions raise concerns about escalated mass surveillance and invasions of privacy. Further, the potential for information access to be restricted in the 'public interest' could also be misused to silence dissent. In its current guise, there is fear that the DPDPB overlooks substantial data protection concerns, leading to apprehension that it may merely become a tool supporting certain state and private actors in their data processing activities rather than safeguarding individual data.
Darksteel Technologies is an Orlando-based business that can handle all aspects of your IT security. We provide compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.