Finally, India has a personal data protection law in place.
The Digital Personal Data Protection Act 2023 (DPDPA) received the assent of the President of India after the legislation was passed by both houses of Parliament, six days after its introduction in the Lok Sabha on 3 August this year.
Clearly, this is significant for a nation that has seen the need for separate personal data protection legislation for more than a decade, and which until now has been governed only by the provisions of the Information Technology (IT) Act 2000 and the rules framed under it.
Recap: India's DPDPA Timeline
DPDPA seeks “to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto,” as mentioned at the beginning of the legislation.
Now it remains for the central government to notify the law in the official gazette and different dates will be notified for different provisions of this Act and its commencement.
In August 2017, when a nine-judge bench of the Supreme Court of India ruled in Justice Puttaswamy vs Union of India that the right to privacy is a fundamental right, the push for a dedicated data protection law intensified, and in the same year the central government established a Committee of Experts on Data Protection chaired by Justice B N Srikrishna.
Much has happened since: the committee's recommendations in July 2018 led to the introduction of the Personal Data Protection Bill 2019 (PDPB) in the Lok Sabha in December 2019, its subsequent scrutiny by a Joint Parliamentary Committee, which submitted its report in December 2021, and finally its withdrawal by the government in August 2022, citing the need for further refinement.
Subsequently, in November 2022, the Draft Digital Personal Data Protection Bill was released for public consultation; it was reintroduced in Parliament on 3 August 2023 and passed.
DPDPA vs GDPR
The pertinent question is whether the legislation, which has finally arrived after so long, will serve the purpose for which it is intended. Also, if the exemptions given to the state are broader than actually required, that could become an issue for privacy protection later.
In this direction, many compare the provisions of the DPDPA to those of the European Union General Data Protection Regulation (GDPR), one of the strictest personal data protection legislations globally.
Both the GDPR and DPDPA emphasise the importance of obtaining informed consent from individuals before collecting or processing their personal data. They also require data fiduciaries (an entity responsible for managing and processing personal data) to be transparent about the purpose and scope of data collection.
The DPDPA also establishes obligations for data fiduciaries in terms of data accuracy, security, and purpose limitation. Data fiduciaries are required to ensure that the data they collect and process is accurate, secure, and deleted once its purpose has been fulfilled. This obligation reflects the importance of data integrity and the responsible handling of personal information.
However, the central government can, by notification, restrict the transfer of personal data by a data fiduciary to any country or territory outside India, which is a good step compared to the provisions of the PDPB Bill 2022, where transfer was permitted only to countries notified by the central government.
Another similarity lies in the accountability and enforcement mechanisms.
Both frameworks establish penalties and fines for non-compliance with data protection regulations. They also provide individuals with the right to take legal action against data controllers in case of privacy breaches. Even on the extraterritorial scope, both GDPR and DPDPA apply to businesses and organizations outside the EU and India respectively, if they process personal data of EU and Indian residents.
Even the provisions for exemptions under the GDPR and DPDPA are consistent. The GDPR grants exemptions and clearly states that the transmission of data for national security or defence reasons is exempt from the GDPR.
Likewise, public safety and the safeguarding against, prevention, investigation, detection, or prosecution of criminal offences are also protected, and personal data collected or exchanged for these reasons is exempt from the GDPR. In the DPDPA, exemptions are granted to the state in terms of data processing, especially in the context of national security.
Many critics question whether these exemptions could result in the misuse of personal data and whether they align with the fundamental right to privacy. However, the checks and balances and the circumstances under which such exemptions are possible are clearly defined.
Data Localisation and the Right to be Forgotten
The DPDPA provides significant authority to the central government regarding issuing notifications, prescribing rules, and setting out subordinate legislation. Additionally, the central government has been given the power to request information from the Data Protection Board (DPB) or from intermediaries under the IT Act, 2000, for the purposes of the law.
Furthermore, the central government could also issue a blocking order to either a government agency or an intermediary. This blocking order can be used in the public interest to prevent a data fiduciary from offering goods or services to data principals, and this power can be exercised upon receiving a reference from the DPB.
However, there is a difference in the approach to data localisation. The DPDPA proposes data localisation requirements, mandating that certain categories of sensitive personal data must be stored and processed only within India. The GDPR does not have explicit data localisation provisions.
Moreover, the GDPR includes specific provisions on the right to be forgotten, enabling individuals to request the erasure of their personal data under certain conditions. The DPDPA does not encompass an explicit right to be forgotten, although it incorporates data minimisation principles.
Additionally, the GDPR provides a more comprehensive framework for cross-border data transfers, incorporating mechanisms such as standard contractual clauses, adequacy decisions, and binding corporate rules. The DPDPA, on the other hand, empowers the government to formulate separate rules for cross-border data transfers.
For now, it remains to be seen how the implementation of the DPDPA is undertaken, so that a trusted ecosystem in which the personal data of individuals is protected can develop as soon as possible.
(Subimal Bhattacharjee is a commentator on cyber and security issues around Northeast India. He can be reached @subimal on Twitter. This is an opinion piece and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)