Digital Personal Data Protection

clearias.com/digital-personal-data-protection/

ClearIAS Team August 9, 2023

Digital Personal Data Protection Bill, 2023 has been passed by the parliament. How
is it different from its previous version? What are the domains where it has made
improvements and the ones where it is lacking? What does personal data
protection entail? Read here to understand better.

Digital personal data protection refers to the safeguarding of individuals’ personal
information in the digital realm.

With the increasing use of technology and the internet, individuals share a substantial
amount of personal data online, ranging from financial information to private
communications.

Protecting this data from unauthorized access, breaches, and misuse has become a
critical concern in the modern digital age.

Aspects of Personal Data Protection


Many countries have enacted data privacy laws and regulations that govern the
collection, processing, storage, and sharing of personal data. These laws provide
individuals with rights over their data and impose obligations on organizations that handle
personal data.

Organizations are required to obtain individuals’ informed consent before collecting
and using their personal data. Consent should be freely given, specific, informed,
and revocable.

Adequate security measures must be implemented to protect personal data from
breaches, unauthorized access, and cyberattacks. This includes encryption, secure
storage, access controls, and regular security assessments.

Organizations are expected to provide clear and easily understandable information
about their data practices, including how data is collected, processed, and shared.

Data subjects (individuals whose data is being collected) have rights to access their
data, correct inaccuracies, request deletion, and restrict or object to certain
processing activities.

Organizations are often required to notify individuals and authorities in the event of
a data breach that could pose a risk to individuals’ rights and freedoms.

When personal data is transferred across borders, organizations must ensure that
appropriate safeguards are in place to protect the data’s privacy and security.

Organizations are responsible for complying with data protection laws and
demonstrating their commitment to data privacy through policies, practices, and
documentation.

Many countries have established data protection authorities or agencies responsible
for enforcing data privacy laws, conducting audits, and addressing complaints.

The General Data Protection Regulation (GDPR) in the European Union is one of the
most comprehensive data privacy regulations globally.

Other countries have introduced similar regulations, such as the California Consumer
Privacy Act (CCPA) in the United States.


The Digital Personal Data Protection Bill, 2023


The Ministry of Electronics and Information Technology (MeiTY) established an expert
committee in 2017, which marked the beginning of the process towards a data protection
law.

The Data Protection Bill, 2021 (DPB, 2021) was published in December 2021,
which was a significant step.

On August 3, 2022, it was retracted in Parliament by Ashwini Vaishnaw, the minister
of communications and information technology.

A draft of the Digital Personal Data Protection Bill, 2022 (DPDPB, 2022) was
made available for public comment on November 18, 2022.

The comments submitted as part of this consultation process were kept private.

In a Right to Information case, the demand for the submissions to be made publicly
available was also rejected.

Highlights of 2023 Bill

The Bill will apply to the processing of digital personal data within India where such
data is collected online, or collected offline and is digitised.

It will also apply to such processing outside India, if it is for offering goods or
services in India.

Personal data may be processed only for a lawful purpose upon consent of an
individual. Consent may not be required for specified legitimate uses such as
voluntary sharing of data by the individual or processing by the State for permits,
licenses, benefits, and services.

Data fiduciaries will be obligated to maintain the accuracy of data, keep data
secure, and delete data once its purpose has been met.

The Bill grants certain rights to individuals including the right to obtain information,
seek correction and erasure, and grievance redressal.

The central government may exempt government agencies from the application of
provisions of the Bill in the interest of specified grounds such as security of the
state, public order, and prevention of offenses.

The central government will establish the Data Protection Board of India to
adjudicate non-compliance with the provisions of the Bill.

Issues with the 2023 Bill

Exemptions to data processing by the State on grounds such as national security
may lead to data collection, processing, and retention beyond what is necessary.
This may violate the fundamental right to privacy.

The Bill does not regulate risks of harm arising from the processing of personal
data.

The Bill does not grant the right to data portability and the right to be forgotten to the
data principal.

The Bill allows the transfer of personal data outside India, except to countries
notified by the central government. This mechanism may not ensure adequate
evaluation of data protection standards in the countries where the transfer of
personal data is allowed.

The members of the Data Protection Board of India will be appointed for two years
and will be eligible for re-appointment. The short-term scope for re-appointment
may affect the independent functioning of the Board.

Need for Digital Data Protection in India
India has made significant technical strides and is on pace with other nations, but it trails
behind them in having clear, strict rules that cover all the recent changes in how personal
data is handled.

Many nations, including the USA, China, and many others, have enacted new data
protection legislation during the past 20 years.
India currently has inconsistent laws. India must implement new laws in order to
keep up with the trends and collaborate with other nations.

Although India’s existing Information Technology Act, 2000 substantially addresses
the country’s data protection challenges, it is not particularly tough since it fails
to adequately enforce the laws. India today demands data protection with tight execution.

Another problem that has lately grown is spam, in which a user repeatedly receives
the same messages, clogging their inbox.

The USA and other European nations have rules that penalise spam senders, but
India does not. Laws that address freshly discovered issues are urgently needed.

Additionally, as online transactions are now governed by RBI guidelines, they must be
properly handled by applicable legislation.

This increases the need for new data protection regulations in India.

Even before it is presented, technology is out of date, and that is still true in India today.

Online banking, publishing regulations, cyber defamation, cyber-terrorism,
cryptocurrencies, and NFTs are only a few examples of provisions that urgently
need to be addressed by appropriate law in order to manage their associated
problems.

One of the main causes of the breach of a significant quantity of data in India is the
intersection of many regulations for various areas, which leads to uncertainty.

In India, there isn’t yet a single codified legislation that carefully considers every
element of data privacy and maintains track of the consequences that ought to be
applied.


Important cases related to data protection


State of Tamil Nadu v. Suhas Katti (2004): This case is significant because it
encouraged citizens all around the nation to come forward and report incidents of
online abuse.

Amar Singh v. Union of India (2011): In light of Sections 69, 69A, and 69B of the
IT Act, 2000, this case is significant. It was held by the court that the service
provider must confirm the legitimacy of any government orders “to tap phones”
when they include serious errors. In order to avoid unlawful call interception, the
court further ordered the central government to establish specific directives and
rules.

Shreya Singhal v. Union of India (2015): The entire Section 66A was declared
unconstitutional by the Supreme Court of India on the grounds that its intended
protection against annoyance, inconvenience, danger, obstruction, insult, injury, and
criminal intimidation went beyond the bounds of reasonable restrictions under
Article 19(2) of the Indian Constitution.

Justice K.S. Puttaswamy (Retd) v. Union of India (2017): This case upholds the
right to privacy as a right which is protected by the Constitution of India.

Praveen Arimbrathodiyil v. Union of India (2021): In this case, several
companies, including WhatsApp, Quint, LiveLaw, and the Foundation for
Independent Journalists, have contested the regulations published in 2021. The
outcomes of the judgement will impact the future direction of Indian law in
information technology, for which the petition is currently pending before the
Supreme Court for listing.

Way forward
Despite the fact that India is a member of various international bodies, such as the United
Nations Commission on International Trade and the clauses in the Directive Principles of
State Policies, that focus on data protection methods, a comprehensive law or
mechanism is still absent.

The general welfare of the populace is addressed in Article 38. In essence, a
welfare state is tied to privacy and data protection.

As stated in Article 51, the State shall seek to encourage conformity to treaty
commitments and international law in order to foster global peace and security.

Digital personal data protection is a shared responsibility between individuals,
organizations, and governments.

It aims to strike a balance between utilizing data for beneficial purposes while respecting
individuals’ rights to privacy and security.

Effective data protection practices help build trust between organizations and individuals,
fostering a safer and more transparent digital environment.


-Article by Swathi Satish
