India is one of the most diverse countries in the world. Its population is
equivalent to 17.76% of the total world population, which makes it number one
on the list of countries by population. As of the 2020 survey, around 31.7% of
the people in India use smartphones, a share that has grown further recently.
With a growing population and rising expectations, digital technology is
likewise expanding its reach.
The digital world is equipped to absorb every variety of new idea and
innovation. Not only individuals but also large organizations rely heavily on
the digital world for their work and for easy administration. Among the many
elements and benefits of the digital world, one very essential one is the
"sharing of data".
The Digital World:
In the interconnected world, data sharing on the internet is a fundamental
aspect of digital communication, commerce, and modernization. But what exactly
is the sharing of data? It is the sharing and exchange of data between
individuals, organizations, and different entities and the Government over the
Internet. This exercise enables various activities stretching from social
interactions to public services.
Social media platforms, messaging apps, and email services allow individuals to
share their data, including their messages, pictures, and videos, which fosters
their social connectedness with the world. The business perspective is very
different from that of individuals. Business organizations and professionals
use the digital world mainly through collaborative tools such as cloud-based
services, facilitating remote work, project management, and professional
networking. While digital data sharing offers abundant advantages, it also
comes with numerous significant disadvantages and challenges, particularly in
India.
Cookies:
While browsing any site, the first page usually asks for permission to set
cookies. What are they? Are they of any significant importance to us, or are
they only for the site's benefit?
Cookies are tiny data files stored on our device by the websites we visit,
enabling those sites to remember our preferences. They help websites remember
user preferences, such as login credentials and language settings, which
enhances convenience by eliminating the need to repeatedly enter credentials.
These small pieces of data are integral to the functioning of modern websites.
Individuals benefit from cookies because they remember preferences such as
language and login credentials, which makes repeated visits to the same site
smoother. Cookies can also track browsing history to recommend previously
viewed products, articles, and other content. This enhances the user experience
by making it easier to find previously accessed information. Based on the
information gathered through cookies, sites may offer personalized content
based on the user's past behaviour on the site, such as recommending similar
articles or products.
Similarly, business organizations use cookies to collect data as to how a user
interacts with their website. It includes all the information ranging from pages
visited to the number of times they were visited.
Apart from these two kinds, third parties also play a role in the management
of cookies. They track users' behaviour across multiple websites, allowing
businesses to deliver their ads, which increases the relevance and efficacy of
advertising campaigns. There are key differences in the merits of cookies when
viewed from an individual's perspective and when viewed from a business
perspective.
The following are the major differences:
- Individuals use cookies primarily for convenience and personalization on a per-site basis, whereas a business organization uses them for broader purposes, including overall user engagement across multiple touchpoints.
- Individuals get a more streamlined and personalized browsing experience. They do not leverage this data beyond their direct personal usage, whereas business organizations collect and analyse cookie data to inform business decisions and improve customer services.
- Individuals manage their cookies through browser settings and extensions, focusing on controlling their privacy and personal data, whereas business organizations rely on cookie management solutions and compliance frameworks to ensure legal compliance while still obtaining business insights.
Like a coin, every aspect has another side. While cookies offer numerous
benefits in terms of user experience and website functionality, they also
introduce inherent risks and vulnerabilities that can be exploited by attackers.
Some of them are:
- They can store sensitive information, including user preferences, browsing history, and demographic data. This raises privacy concerns, particularly when cookies are used for tracking user behaviour across multiple websites without explicit consent.
- Third-party cookies, often employed by advertisers and analytics providers, track user activity across different websites to create detailed profiles for targeted advertising. This extensive tracking infringes on user privacy and raises ethical concerns regarding data collection and surveillance.
- With the proliferation of cookies across the web, managing cookie settings and permissions becomes increasingly complex for users. Despite browser settings to control cookie behaviour, users often find it challenging to configure these settings effectively.
There are two types of cookies: one is temporary, while the other lasts for a
longer time.
Session Cookies:
Session cookies are cookies that last for a session. A session starts when you
launch a website or web app and ends when you leave the website or close your
browser window. Session cookies contain information that is stored in a
temporary memory location which is deleted after the session ends. Unlike other
cookies, session cookies are never stored on your device. Therefore, they are
also known as transient cookies, non-persistent cookies, or temporary cookies.
The session cookie is a server-specific cookie that cannot be passed to any
machine other than the one that generated the cookie. This cookie stores
information such as the user's input and tracks the movements of the user within
the website. There is no other information stored in the session cookie.
A common example of a session cookie in action is the shopping cart feature
found on most e-commerce websites. The session cookie stores the items that the
user has added to their cart, so that as they browse through the site, the
items in the cart follow them. Without a session cookie, when a user went to
the checkout page, items would disappear from the shopping cart because the new
page would not recognize prior activity on the website.
Persistent Cookies:
Persistent cookies or permanent cookies are stored on users' hard drives until
they expire or until the user deletes the cookie. These cookies remain on a
user's device even after they close a web browser. Persistent cookies are used
to collect identifying information about the user, such as Web surfing behaviour
or user preferences for a specific Web site. Persistent cookies have an expiry
date and will be destroyed when the expiry date is reached. Persistent cookies
are also used to track user behaviour when they move around a site, and this
data is used for optimizing and improving the website experience.
An example of a persistent cookie is the "Remember me" checkbox: when a user
checks it, a persistent cookie is created and stored on the user's device.
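As an added example (not code from the original article), the following JavaScript builds a session cookie and a persistent "Remember me" cookie as Set-Cookie headers, then classifies any Set-Cookie header as session or persistent and reports which of the hardening attributes (Secure, HttpOnly, SameSite) that limit the tracking and exposure risks listed above are missing. The cookie names and values are constructed for illustration.

```javascript
// Added example, not from the original article. Cookie names/values are constructed.
// A session cookie carries no Expires/Max-Age and is discarded when the browser
// closes; a persistent cookie carries one of them and survives on disk until expiry.

// Build a Set-Cookie header value. Omitting opts.maxAgeSeconds yields a session cookie.
// Secure, HttpOnly and SameSite=Lax are on by default: the value then travels only
// over HTTPS, is hidden from page scripts, and is not sent on cross-site requests.
function buildSetCookie(name, value, opts = {}) {
  if (!/^[\w!#$%&'*+.^`|~-]+$/.test(name)) throw new Error("invalid cookie name");
  const now = opts.now === undefined ? Date.now() : opts.now; // injectable for tests
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAgeSeconds !== undefined) {
    const secs = Math.floor(opts.maxAgeSeconds);
    parts.push(`Max-Age=${secs}`);
    parts.push(`Expires=${new Date(now + secs * 1000).toUTCString()}`);
  }
  parts.push(`Path=${opts.path || "/"}`);
  if (opts.secure !== false) parts.push("Secure");
  if (opts.httpOnly !== false) parts.push("HttpOnly");
  parts.push(`SameSite=${opts.sameSite || "Lax"}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header into { name, value, attrs } with lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), attrs };
}

// Classify a header as "session" or "persistent" and list missing protections.
// A cookie with SameSite=None is the shape a cross-site tracking cookie takes.
function classifyCookie(header) {
  const { attrs } = parseSetCookie(header);
  const persistent = "max-age" in attrs || "expires" in attrs;
  const gaps = [];
  if (!attrs.secure) gaps.push("missing Secure");
  if (!attrs.httponly) gaps.push("missing HttpOnly");
  const ss = attrs.samesite ? String(attrs.samesite).toLowerCase() : "";
  if (!ss || ss === "none") gaps.push("SameSite allows cross-site sending");
  return { kind: persistent ? "persistent" : "session", gaps };
}

// Constructed values: a session id and a 30-day "Remember me" token. A real
// token would be a random value looked up server-side, never the credentials.
const SESSION_COOKIE = buildSetCookie("sid", "constructed-session-id");
const REMEMBER_ME_COOKIE = buildSetCookie("remember_me", "constructed-token", {
  maxAgeSeconds: 30 * 24 * 3600,
});
```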
To address the risks and vulnerabilities of cookies and the other digital means
of accessing data available to individuals and business organizations, the
legislature passed the "Digital Personal Data Protection Act, 2023". It
provides for the processing of digital personal data in a manner that recognizes
both the right of individuals to protect their data and the need to process such
personal data for lawful purposes and matters connected therewith or incidental
thereto.
The importance and need for this Act were recognized by the Indian Supreme Court
in its latest judgment, "Justice K.S. Puttaswamy & Anr. v. Union of India &
Ors.", also known as the privacy verdict. It is a landmark judgment by the
Supreme Court of India, which holds that the right to privacy is protected as a
fundamental right under Articles 14, 19, and 21 of the Constitution of India.
The Digital Personal Data Protection Act, 2023:
The Digital Personal Data Protection (DPDP) Act, 2023, passed by Parliament,
received the assent of the President on 11th August, 2023. The main aim of this
Act is to protect the digital data of a person. The Act comprises 44 sections
and a schedule. It deals not only with data collected digitally but also with
data that is collected non-digitally and digitized subsequently. Another very
important element of this Act is that, unlike many legislations, it uses the
term "she" for the very first time to refer to all individuals regardless of
their gender. This usage acknowledges the role of women in Parliament's
law-making.
According to Section 2(s), the term "person" covers – an individual, a Hindu
undivided family, a company, a firm, an association of persons or a body of
individuals, whether incorporated or not, the State; and an artificial juristic
person. (Justice, 2023)
According to this Act, there are several grounds for processing data by the
Data Fiduciary (the person who collects the data), which include the consent of
the Data Principal (the person to whom the data belongs) and processing for a
lawful purpose that is not expressly forbidden by law. This places the
responsibility on the Data Fiduciary to serve a notice to the Data Principal
requesting her consent to the processing of her data and stating the purpose of
that processing.
It also provides for the redressal of grievances and the right to revoke, at any
time, the free consent she gave for processing the data. The Data Principal is
responsible for the consequences of withdrawing consent, and the withdrawal
does not affect the legality of processing done before it. Upon withdrawal of
consent, the Data Fiduciary must stop processing the Data Principal's data
within a reasonable time unless continued processing is legally required or
authorized.
Where consent is the basis for the processing of data, the burden is on the
Data Fiduciary to prove that the notice was served to the Data Principal before
such processing.
Legitimate Use Of The Data/ Rights Of The Data Fiduciary:
The Act specifies the legitimate uses of the data by the Data Fiduciary in
cases where the Data Principal herself has provided consent for such processing.
- It includes consent previously given by the Data Principal to the State and its instrumentalities, which process data provided digitally or digitized subsequently for any subsidy, licence, permit, benefit, etc.
- It also includes that any person in India who is legally required to disclose information to the government or its agencies must do so, as long as the process follows the existing laws regarding such disclosures.
- The State may access personal data in the interest of the sovereignty, integrity, or security of the country.
- It may also be used for employment purposes or to protect the employer from loss or liability, such as preventing corporate espionage, maintaining the confidentiality of trade secrets, intellectual property, classified information, or providing any service or benefit to an employee.
General Obligations Of The Data Fiduciary:
There are certain general obligations that a Data Fiduciary must comply with to
operate effectively. These include:
- Complying with the provisions of this Act and its rules for any data processing it undertakes or that is done on its behalf by a Data Processor, regardless of any agreement or the Data Principal's actions.
- Using a Data Processor to handle personal data for providing goods or services only under a valid contract with the Data Principal.
- If the data affects the Data Principal or is disclosed to another Data Fiduciary, the Data Fiduciary must ensure the data's completeness, accuracy, and consistency.
- The Data Fiduciary must implement appropriate technical and organizational measures to comply with the Act.
- The Data Fiduciary must protect personal data from breaches, including data processed by a Data Processor.
- In case of a personal data breach, the Data Fiduciary must notify the Board and affected Data Principals in the prescribed manner.
- The Data Fiduciary must erase personal data when the Data Principal withdraws consent or when the specified purpose is no longer being served unless retention is required by law. The specified purpose for data holding is deemed no longer obliged if the Data Principal does not approach the Data Fiduciary to perform the specified purpose or exercise any of her rights related to the data processing.
- The Data Fiduciary must also ensure that its Data Processor erases any personal data provided for processing.
- The Data Fiduciary must publish the business contact information of a Data Protection Officer or a designated person who can respond to queries about the processing of personal data.
- The Data Fiduciary must create an effective mechanism to address and resolve grievances raised by Data Principals.
- The Data Principal is considered not to have approached the Data Fiduciary for the specified purpose if she has not initiated contact for such performance over a period, whether through personal visits, electronic communication, or physical correspondence.
- Upon receiving a request from the Data Principal, the Data Fiduciary must correct inaccurate or misleading personal data, complete incomplete personal data, or update the personal data as necessary.
Apart from these primary obligations of the Data Fiduciary, there are additional
obligations for a Significant Data Fiduciary, a designation based on factors
that include the volume and nature of the personal data processed, the
potential harm to individuals' rights, the effects on national integrity,
threats to electoral processes, concerns regarding national security, and the
potential impact on societal stability.
Rights & Duties Of The Data Principal:
Not only the Data Fiduciary but also the Data Principal is entitled to certain
rights under this Act, to maintain balance and effectiveness in the digital
world.
Rights:
The Data Principal has the right to request from a Data Fiduciary:
- A summary of the personal data being processed and the activities undertaken by the Data Fiduciary about that data.
- Information about the other Data Fiduciaries and Data Processors with whom the personal data has been shared, along with a description of the shared data, subject to the exception provided in the Act.
- Any other details related to the personal data and its processing, as prescribed, subject to the exception provided in the Act.
- Right to correct, complete, update, and erase her data for which she has given consent, subject to legal requirements.
- The Data Principal has the right to easily access grievance redressal mechanisms provided by a Data Fiduciary or Consent Manager. This covers any actions or failures related to the Data Principal's data or her rights under the Act and its rules.
- The Data Principal has the right to designate another individual, as prescribed, who will exercise the Data Principal's rights under the Act and its rules in case of the Data Principal's death or incapacity.
Duties:
The Data Principal must:
- Adhere to all current laws when exercising rights under this Act.
- Provide personal data honestly and not impersonate others for any specific purpose.
- Provide accurate information and not withhold essential details for official documents issued by the State or its agencies.
- Refrain from submitting false or frivolous complaints to a Data Fiduciary or the Board.
- Only submit verifiably authentic information when exercising rights for correction or erasure under this Act or its rules.
Dispute Resolution:
Under the DPDP Act, Section 31 provides for Alternative Dispute Resolution
(ADR) as a step to resolve disputes. It states: "If the Board thinks that any
complaint may be resolved by mediation, it may direct the parties concerned to
attempt resolution of the dispute through such mediation by such mediator as
the parties may mutually agree upon, or as provided for under any law for the
time being in force in India." (Justice, 2023) This provision describes a
procedure for resolving disputes through mediation, as determined by the Board,
within the framework of Indian law.
When the Board believes that a complaint can be resolved via mediation, it
instructs the disputing parties to attempt mediation. The parties involved are
then encouraged to mutually agree upon a mediator. If they cannot reach an
agreement, the mediator will be chosen according to the provisions of the
applicable laws in force in India. This approach aims to facilitate an amicable
resolution without the need for prolonged litigation.
Penalties & Liabilities For The Breach Of Data Privacy:
In an era where data is considered the new oil, safeguarding personal
information has become paramount. The proliferation of digital platforms and the
vast amounts of data they handle have necessitated stringent measures to protect
privacy. Consequently, the breach of data privacy is not merely an ethical
concern but a legal one, carrying significant penalties and liabilities.
These repercussions are designed to hold organizations accountable and ensure
they implement robust security measures to protect individuals' sensitive
information. Understanding the scope and implications of these penalties is
crucial for businesses and individuals alike, as the legal landscape continues
to evolve in response to emerging threats and technological advancements.
Apart from Schedule I concerning "Section 31: Alternative Dispute Resolution"
of the DPDP Act (Justice, 2023), the Information Technology Act, 2000, also
known as the IT Act, also lays down the punishment for such data breach
activities. Under this Act, the following sections deal with penalty and
punishment:
Section 43A, IT Act, deals with the "Compensation for failure to protect
data". It mentions, "Where a body corporate, possessing, dealing or handling any
sensitive personal data or information in a computer resource which it owns,
controls or operates, is negligent in implementing and maintaining reasonable
security practices and procedures and thereby causes wrongful loss or wrongful
gain to any person, such body corporate shall be liable to pay damages by way of
compensation to the person so affected." (IT ACT, n.d.)
This means, if a company or any similar entity (referred to as a "body
corporate") that owns, controls, or operates a computer resource containing
sensitive personal data fails to implement and maintain proper security
measures, and this negligence results in someone experiencing wrongful loss or
gain, the entity must compensate the affected person for the damages. In
essence, the law holds companies accountable for protecting sensitive personal
information. If they are negligent and this leads to harm, they must pay for the
resulting damages.
Section 66E, IT Act, deals with the "Punishment for violation of
privacy". It mentions, "Whoever, intentionally or knowingly captures, publishes
or transmits the image of a private area of any person without his or her
consent, under circumstances violating the privacy of that person, shall be
punished with imprisonment which may extend to three years or with fine not
exceeding two lakh rupees, or with both." (IT ACT, n.d.) This means that the
law penalizes the unauthorized, intentional, or knowing capture, publication,
or transmission of images of a person's private areas.
It emphasizes that such actions must be done without the person's consent and
under circumstances that violate their privacy. The law aims to protect
individuals from invasive and non-consensual photography or recording, which can
be highly intrusive and damaging. If someone is found guilty of this offense,
they can be punished with imprisonment for up to three years, a fine of up to
two lakh rupees, or both. This provision underscores the importance of
respecting personal privacy and provides a legal remedy against violations.
Section 72, IT Act, deals with the "Penalty for breach of confidentiality
and privacy". It mentions, "Save as otherwise provided in this Act or any other
law for the time being in force, any person who, in pursuance of any of the
powers conferred under this Act, rules or regulations made thereunder, has
secured access to any electronic record, book, register, correspondence,
information, document or other material without the consent of the person
concerned discloses such electronic record, book, register, correspondence,
information, document or other material to any other person shall be punished
with imprisonment for a term which may extend to two years, or with fine which
may extend to one lakh rupees, or with both." (IT ACT, n.d.)
This means any person who, without consent, discloses electronic records, books,
registers, correspondence, information, documents, or other materials accessed
under the powers granted by this Act or related regulations will face penalties
of up to two years in prison, a fine of up to one lakh rupees, or both.
Section 72A, IT Act, deals with the "Punishment for disclosure of
information in breach of lawful contract". It mentions, "Save as otherwise
provided in this Act or any other law for the time being in force, any person
including an intermediary who, while providing services under the terms of
lawful contract, has secured access to any material containing personal
information about another person, with the intent to cause or knowing that he is
likely to cause wrongful loss or wrongful gain discloses, without the consent of
the person concerned, or in breach of a lawful contract, such material to any
other person, shall be punished with imprisonment for a term which may extend to
three years, or with fine which may extend to five lakh rupees, or with both."
(IT ACT, n.d.)
This means any person or intermediary who, while providing services under a
lawful contract, accesses personal information about someone else and discloses
it without consent or in breach of the contract, intending to or knowing it
could cause wrongful loss or gain, shall be punished with up to three years in
prison, a fine up to five lakh rupees, or both.
Conclusion:
In an era of rapid digital transformation, India's diverse and populous
landscape is witnessing an unprecedented surge in digital technology adoption,
reshaping social interactions and business operations. The Digital Personal Data
Protection Act, of 2023, addresses the privacy concerns and risks that come with
increased data sharing on the internet. This Act establishes stringent
guidelines for the processing and protection of personal data, balancing
individual privacy rights with the necessity of data usage for lawful purposes.
It mandates that data fiduciaries serve notices and obtain consent from data
principals before processing their data, ensuring transparency and
accountability. The Act also empowers individuals with the right to access,
correct, and erase their data, providing robust mechanisms for grievance
redressal.
Moreover, the Act introduces alternative dispute resolution through mediation,
aiming to facilitate amicable resolutions without prolonged litigation. This is
crucial for maintaining trust in the digital ecosystem and ensuring that
disputes are resolved efficiently. By addressing both individual and business
perspectives on data usage and protection, the Act seeks to foster a secure
digital environment. These measures not only safeguard individual privacy but
also support technological advancements, ensuring that India can continue to
thrive in the digital age while protecting the rights and data of its citizens.
Frequently Asked Questions (FAQs):
Q.1. Can personal data be used for any purpose under the DPDP Act?
Ans. NO. Personal data can only be used for the specific purpose for which the
consent was given. The consent must be free, specific, informed, unconditional,
and unambiguous and it is limited to the personal data necessary for the
specific purpose.
Q.2. In which circumstances is the DPDP Act not applicable?
Ans. When personal data is processed by the Data Principal for any personal or
domestic purpose, or when it is made or caused to be made publicly available by
the Data Principal himself or by any other person who is under an obligation
under any law for the time being in force in India to make such personal data
publicly available.
Q.3. Under what grounds can the personal data be possessed?
Ans. It can only be possessed when retained for a lawful purpose and with the
consent of the Data Principal.
Q.4. Does the IT Act, 2000 have an overriding effect on the DPDP Act, 2023?
Ans. No. The proviso to Section 81 of the IT Act, 2000 has been amended by this
Act to exclude the DPDP Act, 2023 from the overriding power of the IT Act,
2000.
Q.5. In case of a conflict between a provision of this Act and a provision of
any other law currently in effect, what will be the outcome?
Ans. The provisions of this Act shall be in addition to and not in derogation of
any other law for the time being in force. When a conflict arises between a
provision of this Act and any provision of another law currently in force, the
provision of this Act will take precedence to the extent of that conflict. This
ensures that the rules and principles established in this Act hold sway in
situations where there might be inconsistency with other existing laws.