In a pivotal stride towards safeguarding digital data and its intrinsic privacy, the Digital Personal Data Protection Act of 2023 has finally come to fruition. A monumental legislative endeavor, this Act seeks to create a comprehensive shield for digital data within India. Unlike previous cyber security protocols, it forgoes categorizing data into sensitivity tiers, establishing a more holistic approach.
The primary objective of this pioneering act is to wield control over the collection, processing, and storage of personal data concerning individuals, imbuing a heightened sense of data sovereignty.
Journey of the Act
- August 2017: Formation of a dedicated committee tasked with a meticulous analysis of personal data protection.
- July 2018: Culmination of the committee's efforts, resulting in the submission of a comprehensive report outlining the Data Protection Framework.
- December 2019: A momentous milestone, as the bill is introduced in the Lok Sabha and subsequently referred to the Joint Parliamentary Committee (JPC).
- December 2021: The JPC concludes its rigorous evaluation, submitting a comprehensive report that serves as a roadmap for the upcoming legislation.
- August 2022: An unexpected turn unfolds as the government withdraws the Personal Data Protection bill, leading to speculation and anticipation.
- November 2022: A renewed effort takes center stage as the government introduces the Draft Digital Personal Data bill, soliciting valuable insights and commentary from the public at large.
- August 2023: The culmination of unwavering dedication materializes, marking the establishment of India's inaugural Data Privacy Act, a historic milestone.
Scope and Applicability
True to its nomenclature, the Act's purview extends exclusively to Digital Personal Data. Given the contemporary digital landscape where data processing predominantly occurs in digital realms, this Act envelops a wide spectrum of personal data. The legislation distinguishes data within Indian borders from data situated outside, as follows:
1. Data Processing within Indian Territory
- Digital Collection: Pertains to any digital platform employed for data collection.
- Non-digital to Digital Conversion: Encompasses scenarios where data initially captured in non-digital formats is later digitized, bridging analog and digital realms.
2. Extraterritorial Application
The Act holds jurisdiction over data processing outside India if the collected personal data pertains to services or goods offered to individuals within India.
Exclusions
The Act explicitly exempts certain scenarios from its regulatory ambit:
- Personal/Domestic Usage: Data employed for personal or domestic purposes falls outside the Act's domain, acknowledging the nuances of private life.
- Publicly Accessible Data: Data made publicly available by either the data owner or entities obligated by law to disclose is beyond the Act's jurisdiction, upholding principles of transparency and legal compulsion.
In essence, the Digital Personal Data Protection Act of 2023 signifies a substantial leap towards safeguarding the privacy and sanctity of digital data, shaping a new era where individual sovereignty over personal information is paramount.
Parties involved
Data Principal
The individual to whom the personal data relates:
- In the case of a child, it includes the parents or lawful guardian.
- In the case of a person with disability, it includes her lawful guardian, acting on her behalf.
Person
The term "Person" includes an individual; an HUF; a company; a firm; an AOP / BOI, whether operated or not; the State; and every artificial juristic person not falling within any of the above.
Child
Any individual who has not completed the age of 18
Data Fiduciary
Any person who alone or in conjunction with other persons determines the purpose and means of processing the personal data.
Data Processor
Any person who processes the personal data on behalf of the data fiduciary.
Consent Manager
A person registered with the Data Protection Board of India, who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.
Key Terms
- Personal Data: Any data about an individual who is identifiable by or in relation to such data
- Personal Data Breach: Any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data.
- Digital Personal Data: Personal data in digital form.
Processing
A wholly or partly automated operation or set of operations performed on digital personal data, including operations such as:
- Collection
- Recording
- Organizing
- Structuring
- Storage
- Adaptation
- Retrieval
- Use
- Alignment or combination
- Indexing
- Sharing
- Disclosure by transmission
- Dissemination or otherwise making available
- Restriction
- Erasure or destruction