Protection revolution

In an era defined by digital transformation, data has rightly been called the new oil of the global economy. Richa Relhan, in-house counsel at Max Life Insurance Company, explores the safety fencing that India is attempting to establish around this valuable resource

India, with its burgeoning tech ecosystem, has taken a significant stride forward with the Digital Personal Data Protection Act, 2023 – a significant marker of its new status on the world stage.

The need to legitimise data protection has not only become crucial, but an urgent necessity. Digital interactions have become an integral part of everyday life, particularly for Gen Z and Gen Alpha. These generations are growing up in an environment where sharing information online is the norm. Unfortunately, this makes them vulnerable to manipulation and exploitation.

Data breaches, identity theft and unauthorised data sharing has become common, and the need for safeguarding data and asserting ownership over is paramount. With the country’s vast digital user base spanning e-commerce, fintech, insurance, healthcare and beyond, there is an evident need for a structured legal framework that balances innovation with individual privacy.

The new act signals India’s intent to create a robust data protection ecosystem that safeguards citizens’ rights while encouraging responsible data practices and protecting data from being misused for targeted marketing, scams and other nefarious purposes. The act aims to provide individuals with a sense of empowerment and control over their personal information. It provides them with the right to decide how their data is collected, used and shared, as well as the ability to access, correct and delete their information.

There are complexities in setting the delicate balance between data protection and fostering innovation, coupled with a need for international data flow. Successfully striking this balance while ensuring the act’s effective implementation will be a key challenge in coming years.

My data, my rights

India has witnessed an exponential surge in internet users, smartphone adoption and digital transactions. As individuals engage in online activities across sectors such as shopping, researching their educational courses, looking up medical advice and using social media, they inevitably leave behind a digital footprint – a trail of personal data that is valuable and, unfortunately, vulnerable.

With the advent of the act, individuals – who have the status of data principals under the act – have been bestowed with the right of digital property over their personal data and the rights associated with it, just as they own their physical property.

Key aspects of this act – such as explicit consent, data localisation and penalties for non-compliance – underscore the government’s intention to endorse individuals’ control over their data. As India embarks on this journey, fostering digital literacy becomes paramount. Secure online behaviour equips individuals to navigate the digital landscape safely and with confidence.

The act explicitly demonstrates that individuals are not passive subjects of data collection. They are active participants in their digital interactions. The act heralds an environment where individuals can exercise informed choices, demand accountability and foster a culture of data responsibility.

Genesis and evolution

The seed for the act germinated in 2017 with the Puttuswamy judgment, also known as the Aadhaar judgment. This is where the right to privacy was discussed widely for the first time. It gave impetus to developing much-required data privacy legislation for India.

In 2017, the Ministry of Electronics and Information Technology constituted a committee of experts, under the chairmanship of Justice BN Srikrishna, to deliberate on a data protection framework. The committee’s report laid a foundation for the Personal Data Protection Bill in 2018, which was further amended in 2019 and tabled before the parliament after public input.

The 2018 bill recommended principles for data protection and privacy, emphasising the need for a strong legal framework. However, the 2019 amendments expanded the horizon. The bill was referred to a joint parliamentary committee for further deliberation and the committee tabled its report with 81 amendments. The report contained a draft bill, titled the Data Protection Bill (2021) – the title was amended to drop the term “personal”.

Eventually, the data privacy bill was withdrawn owing to dissent from various factions of society, and sent for more deliberation. One of the main reasons that was cited was the negative impact the bill would have had on startups due to increased regulatory compliance.

Many tech companies were also against the bill’s data localisation provision, which required companies to store a copy of sensitive personal data within India. It also prevented companies from exporting critical personal data.

Data localisation gives countries more control over data, and security against data breaches and theft. It ensures more authority for countries, and also improves accountability and enforcement of state laws against technology giants. The joint parliamentary committee report had stressed the importance of data localisation in India.

However, technology giants were opposed to the idea over the increased expenditure that would be required for establishing and operating localised data collection centres. Also mentioned were possible increases in service costs and a decrease in the efficiency of services.

2022 release

The government recently released the Digital Personal Data Protection Bill (2022). The bill has reduced the number of clauses to 30. Unlike its predecessors, it omits personal data stored in physical format (Clause 4(30)). The bill doesn’t categorise personal data into sensitive and critical personal data. The 2019 version did have this classification and had more restrictions attached to it.

The 2022 bill empowers data principals to nominate another individual to exercise their rights in the event of death or incapacity (clause 15). The new bill has exemptions for data fiduciaries transferring personal data outside India (clause 17). It provides for higher penalties for non-compliance (clause 25 and schedule 1). The Data Protection Authority has been replaced with the Data Protection Board of India, the decisions of which are appealable to high courts (clause 22).

The bill also details “deemed consent” from data principals (clause 8).