
Continuous Evaluation: 1

Digital Personal Data Protection Act

Report Writing

Academic Year : 2024-25

SUBMITTED BY: PRATEEK KOTHARI

SUBMITTED TO: PROF. RAJARAM GARUD


BALLB, 5TH YEAR (10TH SEMESTER)
DIVISION- A
URN NO: 2019-B-11062000
SUBJECT: INTERPRETATION OF STATUTES
Historical Background:
India’s quest for a data protection regime can be traced back to when the idea was first
mooted in the Indian Parliament in 2008, when an amendment to the Information Technology
Act, 2000 (“IT Act”) was proposed. The introduction of the new Section 43A under the
Information Technology (Amendment) Act, 2008 (“Amendment”) inter alia put an
obligation on companies to protect all sensitive personal data and information that they
possessed, dealt with or handled in a computer resource by implementing and maintaining
reasonable security practices and procedures. The Amendment also imposed a penalty for
non-compliance. The Amendment was followed by the introduction of the Information
Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information) Rules 2011, which inter alia specify minimum standards of data protection for
sensitive personal data, including requiring companies to have a privacy policy, to obtain
consent when collecting or transferring sensitive personal data or information, and to inform
individuals regarding who the recipients of such collected data are.
Over the years, various sectoral regulations and rules have also introduced remedies and
preventive mechanisms for data protection. However, this fragmented set of regulations, together
with rapid changes in technology, exposed the gaps in the prevailing laws.

Case law:

K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, AIR 2017 SC 4161


The foundation for a single, comprehensive data protection statute in India was laid in 2017 by
the much-celebrated Supreme Court judgment in K.S. Puttaswamy v. Union of India
(“Puttaswamy Judgement”), which recognised privacy as intrinsic to the right to life and personal
liberty guaranteed by Article 21 of the Constitution of India, thereby making the right to privacy a
fundamental right. While chiefly dealing with the rights of a citizen as against the State, the
Puttaswamy Judgement also touches upon the protection to be accorded to individuals in the
private sphere. The Supreme Court linked the value of privacy to individual dignity and relied on
long-standing precedent to hold that the State bears a positive burden to maintain and preserve
that dignity. As a result, the Puttaswamy Judgement is not only the basis for prohibiting
privacy-violative State action, but also the basis for the State’s mandate to regulate private
contracts and private data sharing in the interest of individual privacy.

From Bill to Act:


This led to the setting up of the Justice B.N. Srikrishna Committee, which released the draft
Personal Data Protection Bill in 2018. After amending the bill in light of industry and
stakeholder feedback, the Ministry of Electronics and Information Technology (“MEITY”) tabled
the Personal Data Protection Bill, 2019 (“PDPB”) in the Lok Sabha in December 2019.
This version of the PDPB proposed an overhaul of India’s legislative framework for regulating
data sharing in private contracts. It inter alia prescribed compliance requirements for all forms
of personal data, broadened the rights given to individuals, introduced a central data protection
regulator, instituted data localisation requirements for certain forms of sensitive data, and
imposed hefty financial penalties for non-compliance.
However, owing to various challenges regarding its implementation, the PDPB was referred in
2019 to a Joint Committee of Parliament (“JPC”) for review. The JPC then spent around two
years, amidst the global pandemic, examining and deliberating the nuances of the PDPB.
In the interim period, a committee of experts set up under MEITY issued a report on the Non-
Personal Data Governance Framework (“NPD Report”) in July 2020. The intent of the NPD
Report was to create a framework to unlock the economic, social and commercial value of
non-personal data for corporates, start-ups and the Government. The committee received over
1,500 responses from various stakeholders to the NPD Report and made changes based on the
feedback received. In January 2021, the same committee released a revised NPD Report
which limited the scope and purpose of sharing non-personal data and expanded on how the
PDPB and the recommended Non-Personal Data Governance Framework would function in
tandem.
Thereafter, in November 2021, the JPC finally adopted its report and a revised draft of the bill.
In its new iteration the PDPB was renamed the Data Protection Bill, 2021 (“DPB”), and it
brought in several significant changes. A key change was the expansion of the scope of the law
to cover not only personal data but non-personal data as well. The DPB also introduced stringent
data breach reporting requirements, regulation of hardware manufacturers through a
certification mechanism for digital and IoT devices intended to mitigate data breaches, and the
additional requirement of consulting the Central Government before cross-border transfer of
sensitive personal data. The DPB also provided for phased implementation, under which the
Central Government could notify different dates for the commencement of different
provisions.
The expectation was that the DPB would be tabled in Parliament in the budget session of
February 2022. However, the new version of the legislation attracted strong criticism and
pushback from various stakeholders, including from within the JPC as well as from domestic
and international business houses, inter alia for being more focused on the protection of State
interests than on the protection of the data and privacy of individuals. The fate of the DPB
thus became uncertain, with media reports suggesting that the Indian Government was likely to
scrap it in favour of entirely new data protection legislation, and that the IT Act might also see
an overhaul to address the requirements of the country’s changing technological landscape. In
August 2022 the Government withdrew the bill from the Lok Sabha, and in November 2022
MEITY released a fresh draft Digital Personal Data Protection Bill for public consultation.
Amidst the uncertainty around the data protection regime in India, MEITY released in February
2022 a Draft India Data Accessibility and Usage Policy (“Data Usage Policy”) as an attempt to
leverage the economic value of public sector data. The key objective of the Data Usage Policy is
to recognise open data, i.e. any dataset which is free for anyone to use, reuse and redistribute,
as a valuable public resource and to overcome current challenges in data accessibility. The Data
Usage Policy applies to all data and information created, collected, generated or archived by
the Indian Government, either directly or through authorised agencies, across its various
ministries, departments, organisations, agencies and autonomous bodies.
The Data Usage Policy is a laudable first step towards unlocking the economic value of public
sector data and has the potential to let the business ecosystem reap large dividends from the
contemplated data sharing. At the time, however, the absence of comprehensive privacy and
data protection legislation in India, and the lack of supporting infrastructure, made it
operationally difficult to assign accountability and provide redress for privacy violations or
data breaches.
India’s rapidly evolving technology landscape reached a significant milestone with the
introduction and enactment of the Digital Personal Data Protection (DPDP) Bill, 2023, which
built on the draft bill released for consultation in November 2022. The Union Cabinet approved
the bill on July 5, 2023, and it was introduced during the Monsoon Session of Parliament, which
commenced on July 20, 2023. It passed swiftly through the legislative process, receiving
approval in the lower house (Lok Sabha) on August 7 and in the upper house (Rajya Sabha) on
August 9. The bill became the Digital Personal Data Protection Act, 2023 (“DPDP Act”) on
receiving the President’s assent on August 11, 2023, and was published in the Official Gazette
by the Government of India.
The DPDP Act governs the processing of digital personal data in India, whether the data was
originally collected in digital form or was collected in non-digital form and subsequently
digitised. It comes into force on such date or dates as the Central Government notifies, and
different provisions may be brought into effect on different dates. Under the DPDP Act, State
agencies may be exempted from its provisions at the Government’s discretion. The legislation
is designed to strengthen data protection and accountability for entities such as internet
companies, mobile apps and businesses that handle citizens’ data. The DPDP Act will also have
implications for India’s trade negotiations with other nations: it aligns with global data
protection standards, drawing on models such as the EU’s General Data Protection Regulation
(GDPR) and China’s Personal Information Protection Law (PIPL).

WHAT IS THE DIGITAL PERSONAL DATA PROTECTION ACT?


The DPDP Act is legislation that sets out the rights and duties of the citizen (Digital Nagrik)
on the one hand, and the obligation of the data fiduciary to use collected data lawfully on the
other. The Act, which seeks to govern and safeguard the use of personal data, lays down the
rights and duties of users and the obligations of businesses.

It is based on six principles of the data economy. The first concerns the collection and use of
the personal data of citizens of India: collection and use should be lawful, the data must be
protected from breach, and transparency should be maintained. The second principle requires
that data be collected for a lawful purpose and be stored safely only until that purpose is
served.

The third principle is data minimisation: only data relevant to the pre-defined purpose should
be collected from individuals, and serving that purpose should be the only aim.

The fourth principle concerns data protection and accountability, while the fifth concerns the
accuracy of data. The sixth principle lays down the rules on reporting a data breach: a breach
must be reported to the Data Protection Board in a fair, transparent and equitable manner.

WHAT DOES THE DPDP ACT PROVIDE?


It permits the transfer and storage of personal data in countries other than those notified by the
Central Government, while raising the penalties for violations.

It also requires consent before personal data is collected, and provides for stiff penalties of up
to ₹250 crore on persons and companies that fail to prevent a personal data breach, which
covers any unauthorised processing or accidental disclosure, sharing, alteration or destruction of
personal data.

WHO DOES IT APPLY TO?

It applies to data fiduciaries, i.e. all persons (individuals, companies, start-ups and government
entities) who, alone or in conjunction with others, determine the purpose and means of
processing personal data. Processing includes collection, recording, organisation, structuring,
storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure,
restriction, and erasure or destruction.

WHAT SECTORS WILL GET AFFECTED?

Considering the type and volume of personal data that is collected, processed, stored, retained
and disposed of in India, the Act will affect most organisational functions, including legal,
information security, IT, sales and marketing, human resources, and finance.

TO WHAT PROCESSING DOES THE ACT APPLY?

The Act applies to the processing of digital and digitised personal data within India, and also
to processing outside India where such processing is in connection with offering goods or
services to data principals within the territory of India.

The Act does not apply where an individual processes personal data for personal or domestic
purposes, or to personal data that has been made publicly available by the data principal
or by any other person under a legal obligation.
KEY FEATURES OF THE ACT

i. NOTICE: The Act requires notice to be given to data principals before obtaining their
consent. The notice must state what personal data is collected and for what purpose, how the
data principal can exercise their rights, and how they can make a complaint to the Data
Protection Board.
ii. CONSENT: The Act allows personal data to be processed only after obtaining the consent
of the data principal. The Act also recognises certain legitimate uses for which consent is not
required, such as voluntary disclosure by the data principal, a medical emergency, employment
purposes and threats to public health.
iii. CHILDREN’S DATA: The Act allows the personal data of children (persons below 18 years
of age) and of persons with disabilities who have a lawful guardian to be processed only after
obtaining verifiable consent from the parent or lawful guardian. The Act also prohibits the
tracking or behavioural monitoring of children and targeted advertising directed at children.
iv. OBLIGATIONS OF DATA FIDUCIARIES: Data fiduciaries are obligated to
1) ensure compliance with the Act irrespective of any agreement to the contrary or any
failure of the data principal to carry out their duties,
2) ensure the completeness, accuracy and consistency of personal data,
3) implement appropriate technical and organisational measures,
4) take reasonable security safeguards to prevent a personal data breach,
5) intimate the Data Protection Board and each affected data principal on the occurrence
of a personal data breach, and
6) erase personal data as soon as its purpose has been served, unless retention is required
for compliance with any law.

v. SIGNIFICANT DATA FIDUCIARIES: An organisation notified as a significant data fiduciary
is required to take additional measures, namely
a) appointing a data protection officer,
b) appointing an independent data auditor,
c) undertaking data protection impact assessments, and
d) undertaking periodic data audits.

vi. RIGHTS & DUTIES OF DATA PRINCIPALS: The Act gives data principals four rights, i.e.
1) the right to access information about their personal data,
2) the right to correction and erasure of personal data,
3) the right to grievance redressal, and
4) the right to nominate another person to exercise these rights in the event of death or
incapacity.
The Act also imposes certain duties on data principals, which require them not to impersonate
another person, not to suppress any material information, not to register false or frivolous
complaints, and to furnish only verifiably authentic information.

vii. CROSS-BORDER TRANSFER: Transfer of personal data outside India is permitted to all
countries except those notified by the Central Government from time to time.
viii. EXEMPTIONS: The Act provides certain exemptions under which specified provisions of
the Act will not apply. These include:
1) processing to enforce any legal right or claim,
2) processing for the performance of any judicial or quasi-judicial function by any Indian
court, tribunal or other body,
3) processing in the interest of the prevention, detection, investigation or prosecution of
any offence,
4) processing of the personal data of data principals outside the territory of India pursuant
to a contract entered into with a person outside India by a person based in India, and
5) processing necessary for a merger, amalgamation or similar arrangement approved by a
court or other competent authority.
The Central Government may also exempt certain activities from the Act altogether, i.e.
a) processing by government entities in the interest of the security of the State and the
maintenance of public order, and
b) processing for research, archiving or statistical purposes.

ix. DATA PROTECTION BOARD: The Board will be established to monitor compliance with
the Act and impose penalties. It will direct data fiduciaries to take remedial measures on the
occurrence of a personal data breach and will hear the grievances of data principals. Appeals
from the decisions of the Board lie to the Telecom Disputes Settlement and Appellate Tribunal
(TDSAT).
x. PENALTIES: The Act imposes penalties of
1) up to INR 10,000 on data principals for breach of their duties,
2) up to INR 200 crore for failing to notify the Board and affected data principals of a
personal data breach,
3) up to INR 200 crore for non-compliance with the additional provisions relating to
children,
4) up to INR 150 crore for non-compliance with the additional obligations of significant
data fiduciaries,
5) up to INR 250 crore for failing to take reasonable security safeguards to prevent a
personal data breach, and
6) up to INR 50 crore for any other breach of the Act or the rules made under it.

Conclusion and Remarks:


The DPDP Act marks a distinctive approach by India to safeguarding personal data, reflecting
the culmination of extensive consultation after its initial draft. It is a crucial step in protecting
personal data and addresses longstanding needs arising from the growth in internet users, data
generation and cross-border trade. While its provisions are less detailed than standards such as
the GDPR, it mandates a significant shift in how Indian businesses approach privacy and
personal data.

However, the DPDP Act is not immune from criticism. Some argue that it could hinder
innovation because of its perceived strictness, while others contend that it does not go far
enough to ensure individual privacy, chiefly because of the discretionary power granted to the
Central Government over the processing of personal data. The forthcoming rules, made through
delegated legislation, will play a vital role in shaping these aspects. A standardised process for
releasing rules, coupled with industry consultation of the kind seen in the amendments to the
Information Technology Rules for online gaming, would establish a robust data protection
framework benefiting the entire technology sector in India.

In conclusion, given that India is positioned as one of the largest data markets in the world, a
comprehensive data protection and governance regulation will certainly influence and greatly
contribute to the evolution of the global data governance landscape.

With the enactment of the Digital Personal Data Protection Act, 2023, India’s digital
landscape is moving towards a robust personal data protection regime. The Act’s adoption is
set to strengthen trust in user interactions and foster responsible innovation. As the Act is to be
brought into force in phases, the timely creation of a robust implementation programme for data
privacy and protection is of utmost importance for organisations within its purview. To that
end, they must review their current state of compliance with the Act (including privacy policies,
terms of service, consent forms, notices and other documentation) and review the legal
measures under which they collect, process and protect data, so as to comply not only with
the Act but also with the rules that the Central Government may publish from time to time.
