President Murmu gives assent to Digital Personal Data Protection Act 2023; see details

President Droupadi Murmu has given assent to the Digital Personal Data Protection Act 2023. The Act, a landmark legislation designed to regulate the processing of personal data in the digital realm, is set to come into effect upon a date to be duly notified by the Central Government.

This legislation marks a watershed moment in data governance, as it not only introduces new regulations but also amends existing legislation including the Right to Information Act and the IT Act. The comprehensive framework seeks to strike a balance between individual rights to personal data protection and the legitimate need for data processing for lawful purposes and related matters.

At its core, the Act focuses on the responsible processing of digital personal data, ensuring that individuals' rights are respected while enabling legitimate data usage. Key provisions of the legislation include stringent obligations for Data Fiduciaries – entities encompassing individuals, companies, and government bodies involved in data processing. These obligations encompass various data operations, ranging from collection to storage while upholding the rights and responsibilities of Data Principals – the individuals to whom the data pertains.

The Act introduces a robust system of safeguards and penalties to hold Data Fiduciaries accountable for any breaches of data rights, duties, and obligations. 

According to a circular by the Ministry of Electronics & IT, the legislation is poised to:

Establish a seamless transition to data protection regulations, minimizing disruptions while necessitating vital changes in data processing practices.

Enhance the quality of life and the business environment, fostering a conducive atmosphere for both individuals and enterprises.

Propel India's digital economy and innovation ecosystem, empowering growth and technological advancement.

Also Read Hollywood vs AI: Why famous actors including Oppenheimer, Barbie cast are on strike

Seven Guiding Principles

Consent, Lawfulness, and Transparency: Personal data must be used with explicit consent, lawfully, and in a transparent manner.

Purpose Limitation: Data can only be used for the specific purpose for which consent was obtained.

Data Minimization: Collection of only necessary personal data to serve the designated purpose.

Data Accuracy: Ensuring data correctness and updates.

Storage Limitation: Storing data only for the required period.

Reasonable Security Safeguards: Implementing measures for data security.

Accountability: Holding entities responsible for data breaches through adjudication and penalties.

The Act empowers individuals with a set of fundamental rights:

Right to Access Information: Individuals can access information about their processed personal data.

Right to Correction and Erasure: Individuals have the right to correct or erase their data.

Right to Grievance Redressal: Mechanisms are in place for individuals to address grievances.

Right to Nominate a Representative: Individuals can nominate a representative to exercise their rights in case of incapacity or demise.

To enforce these rights, affected Data Principals can first approach Data Fiduciaries, and if unsatisfied, they have the option to escalate their concerns to the Data Protection Board.

The Act also lays out several obligations for Data Fiduciaries, including implementing security safeguards, promptly addressing breaches, erasing unnecessary data, and establishing grievance redressal mechanisms. For entities classified as Significant Data Fiduciaries, additional measures such as appointing data auditors and conducting Data Protection Impact Assessments are mandated to ensure a higher level of data protection.

Moreover, the Act takes a proactive stance in protecting children's personal data. It allows the processing of children's data only with parental consent and restricts harmful data practices like tracking, behavioural monitoring, and targeted advertising that could jeopardize their well-being.

In its mission to strike a balance between data protection and societal needs, the Act carves out exemptions for specific scenarios, including national security interests, research purposes, startups, legal enforcement, and more.

Also Read

Battle of the billionaires: Elon Musk vs Mark Zuckerberg cage match could make over $1 billion

Google appeals to Supreme Court to quash antitrust directives on Android in India