Data has emerged as ‘New Oil.’ As technology has become the defining paradigm of the 21st century, the DPDP Act, India’s first data protection act, establishes a framework for the processing of personal data in India.
Context of the DPDP Act, 2023:
- Rise in Digital Data Usage: as per Nokia’s Mobile Broadband Index (MBiT), Indian users on average consumed 24.1 gigabytes (GB) of data per capita per month in 2023
- Judicial Interpretation: Recognition of the Right to Privacy as a fundamental right under Article 21 of the Indian Constitution emphasizes the need for a data protection law to protect personal information in the digital age.
- Global Trends: India’s DPDP Act mirrors global efforts to regulate data processing, such as the European Union’s General Data Protection Regulation (GDPR).
- Previous Data Protection Drafts: The DPDP Act, 2023, builds on earlier drafts of data protection bills (such as the Personal Data Protection Bill, 2019), which faced multiple revisions due to concerns over government exemptions, data localization, and compliance costs for businesses.
- Rise in cyber crime – As per NCRB, in May 2024, the Indian Cyber Crime Coordination Centre (I4C) recorded an average of 7,000 cybercrime complaints per day. This is a 60.9% increase from 2022 to 2023 and an 113.7% increase from 2021 to 2023.
- Use of Data in government schemes like Aadhar, DBT etc.
Salient Features of the Digital Personal Data Protection Act, 2023:
- Applicability: The DPDP Act applies to the processing of digital personal data in India, whether collected online or offline and later digitized. It also applies to data processing outside India if the data pertains to providing goods or services to data principals (individuals) within India.
- Key Stakeholders: Data Principal (DP), Data Fiduciary, Data Processor
- Penalty for Infringement: The Act imposes financial penalties for non-compliance, ranging from Rs. 10,000 to Rs. 250 crores, but does not impose criminal penalties.
- Conflict with Existing Laws: The DPDP Act’s provisions are additional to existing laws. In case of conflict, the DPDP Act will take precedence to the extent of the conflict.
- Data Protection Board of India (DPBI):
- An independent body responsible for resolving disputes related to privacy and data protection.
- It has the authority to impose penalties for non-compliance and breaches of the Act.
- Appeals against DPBI orders can be made to the High Court, which can also take up breaches suo moto
- Citizen’s Rights:
- Right to Information: The DP has the right to know how their data is being used.
- Right to Correction and Erasure: The DP can request corrections or erasure of their personal data.
- Grievance Redressal: The DP has the right to approach authorities for grievances related to data breaches or misuse.
- Right to Nominate: In case of death or incapacity, the DP can nominate someone to exercise their rights
Issues | Way Forward |
Lack of Standardization: Inconsistent data formats and standards across different departments. | Establishing a clear implementation framework to ensure effective coordination. |
Fragmented Systems results in data silos, making it difficult to share and access data across departments. | Developing decentralized, reliable databases to ensure that governance decisions are rooted in accurate and comprehensive data. |
Inaccurate or outdated data Eg- Issues with the accuracy of data in land records | Opening of data “silos” to capture the potential wealth of data sharing between governmental offices, corporations and citizens. |
By carefully choreographing a dance between data localization, infrastructure development, and technological innovation, India can pave the way for a data-driven future that is both innovative and accountable.