Privacy : Digital Personal Data Protection

The Digital Personal Data Protection Act (DPDPA) of 2023 , passed by the Indian Parliament
in August 2023, which aims to regulate the processing of digital personal data within India ,
balancing privacy rights with the needs of businesses and government, and mirroring
global data protection standards.

This is an act to provide for the processing of digital personal data in a manner that
recognises both the right of individuals to protect their personal data and the need to
process such personal data for lawful purposes and for matters connected therewith or
there to .

Parliament of India

Citation : Act No 22 of 2023

Territorial extent : India

Passed by : Lok Sabha

Passed on : 7 August 2023

Passed by : Rajya Sabha

Passed on : 9 August 2023

Assented to by: President of India

Assented on : 11 August 2023

First chamber Lok Sabha

Bill citation : bill no 113 of 2023

Introduced by : Ashwini vaishnaw minister of Electronics and Information Technology,

Minister of Communications, Minister of Railways

First reading: 3 August 2023

● Purpose of this act : To protect the personal data of citizens in the digital realm, while also
enabling the growth of India's digital economy .

● Scope of this act : Applies to the processing of digital personal data within India ,
including data collected in digital form or digitized from non-digital form .

● Key Concepts Of DPDP :-

Introduces concepts like "data fiduciary" (entities processing data),

"data principal" (individuals whose data is processed),

"consent", "sensitive personal data", and "significant data fiduciary".

● Data Fiduciaries' Obligations :-

The Act outlines the obligations of data fiduciaries, including providing clear information
about data processing, obtaining informed consent, and implementing security
safeguards.

● Data Principals' Rights : Citizens are empowered with rights, such as the right to access
their data, correct inaccuracies, demand erasure, and object to processing.

● Regulatory Body: The Act provides for the establishment of the Digital Personal Data
Protection Authority (DPDA) as the regulatory body for implementation and enforcement.

● Penalties: The Act includes provisions for financial penalties for breaches of rights,
duties, and obligations.

● Data Localization: The 2023 law reverses course on the issue of data localization, stating
that the government may restrict data flows to certain countries by notification, but this will
not impact measures taken by sector-specific agencies that have or may impose
localization requirements.

K. S. PUTTASWAMY V UOI 2017

This is a landmark case by Supreme Court of India . K . S. PUTTASWAMY stated that “

Aadhar violates right to privacy. Right to privacy is a fundamental right . This judgment has
significant implications for privacy and data protection in the digital age. The case primarily
dealt with the government's Aadhaar program, where petitioners challenged the collection of
biometric and demographic data of individuals without adequate privacy safeguards.

Legal issues :

1. Whether the Aadhaar Project violates the right to privacy of the citizens and is
unconstitutional?
2. Whether Right to Privacy is a fundamental right under Article 21 given in Part III of
Indian Constitution?
3. Whether Aadhar Act's provisions mandating the linking of Aadhar with mobile numbers,
bank accounts and school admissions be struck down?

Decision of Supreme Court:

AADHAR ACT IS CONSTITUTIONAL."

"BUT LINKING WITH MOBILE NUMBER, BANK ACCOUNTS & SCHOOL ADMISSIONS
NOT MANDATORY."

ARTICLE 21 : No person shall be deprived of shall be deprived of his life or personal liberty
except according to procedure established by law.

3 step test to breach privacy

STEP 1

First, such state action must have a legislative mandate.

STEP 2

Second, it must be pursuing a legitimate state purpose.

STEP 3

Third, it must be proportionate i.e., such state action must be necessary and the action
ought to be the least intrusive.

STEPS BY GOVERNMENT TO PROTECT THE PRIVACY

• Processing and collection of data

• Data Protection Authority

• Right to be forgotten

• Data localization, etc.

The Digital Personal Data Protection Act 2003

The Digital Personal Data Protection Act (DPDPA), enacted in 2023, is India's first data
protection law, aiming to regulate the pro-cessing of digital personal data and empower
individuals with rights over their data, while also outlining obligations for data fiduciaries .

● Purpose: To establish a framework for processing personal data in a lawful manner,

protecting the rights of data principals (individuals whose data is processed).
● Scope : Applies to the processing of digital personal data within India, including data
collected online or offline and later digitized.

● Principles: The Act is based on principles like ......

• Lawful, Fair, and Transparent Processing: Data processing must be lawful, fair, and
transparent.

• Purpose Limitation: Data can only be used for the purposes specified at the time of
obtaining consent.

• Data Minimization: Only necessary data should be collected and processed.

•Data Accuracy: Ensuring data is correct and updated.

• Storage Limitation: Data should be stored only as long as necessary for the specified
purpose.

• Security Safeguards: Implementing reasonable security measures to protect data.

• Accountability: Mechanisms for addressing data breaches and breaches of the Act's
provisions.

Rights of Data Principals:

• Right to access their personal data.

• Right to correction and erasure of data.

• Right to revoke consent.

• Right to grievance redressal.

• Right to nominate a consent manager to manage their data-related requests

Penalties:

Violations of the Act can result in penalties, including fines of up to INR 250 crore.
Name RUCHIRANI GOUDA

COURSE BBA LLB HONS.

SEM 2

ROLL NO 130650324059