In an era where information is not just power but also currency, the value of safeguarding our personal data cannot be overstated. Our lives are increasingly intertwined with the digital realm, from online shopping and social media to remote work and telehealth appointments. While these digital conveniences offer tremendous benefits, they also expose us to unprecedented risks. Data breaches, identity theft, and invasive surveillance threaten the very essence of our privacy. It's a stark reality: as we embrace the digital age, we must also equip ourselves with the knowledge and tools to protect what matters most—our personal data.

Context
At present, India lacks a distinct law dedicated to safeguarding personal data. Instead, the usage of such data is governed by the Information Technology (IT) Act of 2000. In 2017, the government formed a Committee of Experts on Data Protection, led by Justice B. N. Srikrishna, to study the issue of data protection in the country. The Committee submitted its findings in July 2018, which led to the introduction of the Personal Data Protection Bill, 2019 in the Lok Sabha in December of that year.

The Bill was subsequently referred to a Joint Parliamentary Committee, which presented its report in December 2021.2 However, the Bill was withdrawn from Parliament in August 2022. A Draft Bill was later released for public consultation in November 2022, and in August 2023, the Digital Personal Data Protection Bill, 2023 was introduced in Parliament. The Bill was granted Presidential assent and officially became a law on August 11, 2023.

Issues Regarding Data Privacy in India

In recent years, Europe, particularly Western countries, has been increasingly focused on managing and safeguarding personal data, driven by their extensive data knowledge and proliferation. Governments in this region have established regulations aimed at protecting the personal data of their citizens, with the European Union's General Data Protection Regulation (GDPR) now being widely regarded as the gold standard in privacy legislation by many nations.

On the other hand, India's data and internet economy began to thrive in the late 2000s. During that period, data protection in India was primarily governed by the Information Technology Act of 2000, which primarily focused on imposing penalties for mishandling data due to negligence. However, in the years since, India's approach to data privacy regulations has predominantly been sector-specific, resulting in varying interpretations of privacy and data protection standards.

India's National Unique Digital Identity system, Aadhaar, based on voluntarily registered biometric data (fingerprint and iris scans), now includes over 1 billion people, making it indispensable to aggregating and delivering government services. When mobile internet users reached close to 500 million in 2018, the increased use and storage of personal data by the government, tech and telecom giants exposed the inadequacy of the existing laws in preventing data vulnerability and privacy breaches. The first was the usage and protection of personal data and its vulnerability to data breaches by tech companies. India reported 313,000 cybersecurity incidents in 2019, making it the third-largest destination for data breaches worldwide.

Those facing data breaches included both private companies such as Domino's Pizza and public enterprises such as the State Bank of India. On the one hand, ordinary citizens or users of social media sites and other internet users are worried about their data security and privacy. On the other hand, governments are concerned about national security and protecting the basic rights of citizens when tech giants hold reams of personal data. Corporates and tech giants worry about how excessive data regulations and government surveillance could lead to a loss of trust in their services if the personal data they hold is compromised.

In a recent address, Justice D.Y. Chandrachud underscored the inseparability of life and individual freedom from human dignity as fundamental rights. The Constitution of India upholds a delicate equilibrium of these rights among individuals, with the pursuit of freedom serving as its cornerstone. The Indian Constitution guarantees the indispensable right to security, encompassing individual freedom and the right to life. This protection is intricately linked to the various facets of freedom and respect enshrined by the fundamental rights in Part III of the Constitution under Article 21.

To maintain security and confidentiality, it is mandatory to maintain detailed records and policies, including physical security measures. Adherence to international standards in Information Technology, such as IS/ISO/IEC 27001, can also help implement effective security management systems and techniques.

In the case of the District Registrar and Collector of Hyderabad v. Canara Bank, the Supreme Court of India recognised and validated an individual's right to privacy regarding their bank-held documents. This underscores the importance of maintaining the confidentiality of such documents.

Key Highlights of the Act:
The Digital Personal Data Protection Act, 2023 (hereinafter referred to as 'DPDPA') lays down procedures to process personal data in a lawful manner and thereby empowers and protects the rights of Data Principals. Factors such as accountability, transparency, data minimisation, fairness, accuracy, and lawful processing of personal data have been reflected in the DPDPA.

The Digital Personal Data Protection Act, of 2023, will have jurisdiction over the processing of digital personal data in India, whether collected online or offline and subsequently digitised.

For the lawful processing of personal data, consent from the individual is a fundamental requirement, although certain legitimate uses will not necessitate explicit consent. These exceptions include voluntary data sharing by individuals and data processing by government entities for purposes such as permits, licenses, benefits, and services.

The bill includes several provisions that prioritise individual rights and ensure easy access to basic information in languages listed in the eighth schedule of the Indian Constitution. It also emphasises the significance of obtaining an individual's consent before processing their data. It requires Data Fiduciaries to inform data principals of the specific personal data they wish to collect, along with the purpose of collection and further processing.

Furthermore, data principals can retract their consent from a Data Fiduciary and have the right to request the correction or deletion of data collected by the data fiduciary. In addition to this, data principals can nominate an individual who will be authorised to exercise these rights in the event of their death or incapacity. Overall, the bill aims to safeguard individual privacy and promote transparency in data processing.

Data fiduciaries, Significant Data Fiduciaries, or entities responsible for handling personal data, will be legally obliged to maintain data accuracy, ensure data security, and delete data once its intended purpose has been fulfilled. The Bill also endows individuals with specific rights, including the right to access information about their data, request corrections or deletions, and seek resolution for grievances.

Under specific circumstances, the central government may exempt government agencies from complying with certain provisions of the Bill in the interest of national security, public order, and the prevention of criminal activities. To oversee and enforce compliance with the Bill's provisions, the central government will establish the Data Protection Board of India, which will have the authority to adjudicate cases of non-compliance.

Key Issues of the Act
Exemptions in the Bill that allow the State to process data in the name of national security might result in excessive data collection, processing, and retention, potentially infringing upon the fundamental right to privacy. Furthermore, the Bill lacks provisions to effectively address the risks and potential harm associated with personal data processing. The Bill also falls short in granting data principals essential rights, such as the right to data portability and the right to be forgotten.

Regarding cross-border data transfer, the Bill permits the transfer of personal data outside India, with exceptions only for countries specified by the central government. However, this mechanism may not ensure rigorous evaluation of data protection standards in the recipient countries, raising concerns about data security and privacy.

Lastly, the appointment of Data Protection Board of India members for a two-year term with the possibility of re-appointment raises concerns about the board's independence and impartiality, potentially affecting its ability to function autonomously.

Conclusion
To sum up, India's Digital Personal Data Protection Act of 2023 marks a significant milestone in the country's data protection journey. It not only establishes a comprehensive framework for safeguarding personal data but also incorporates inclusive language and modern principles to uphold the privacy rights of individuals in the digital landscape.

While we initially had reservations about India's ability to embrace digital transformation, we have emerged as global leaders in UPI transactions. We are now on the path towards securing a bright future for privacy in India, even though there may be some initial challenges. As more and more people in India realise the benefits of protecting their personal data, the pace of adoption will inevitably accelerate.