Protecting Privacy: The Road to India's Digital Personal Data Protection Act

Digital Personal Data Protection Act 2023: A Landmark for India's Privacy

A Historic Journey: India's Digital Personal Data Protection Bill

Introduction: In recent years, India has made great progress in protecting personal information and privacy. The Ministry of Personnel, Public Grievances, and Pensions started this path by proposing a privacy bill that addressed reforms in data protection and monitoring.

The Supreme Court's 2017 recognition of the right to privacy as a basic right laid the groundwork for data protection laws in India and marked a significant turning point. The Personal Data Protection Bill (PDP), which was drafted in 2018, is the product of the future of data protection, which was shaped by numerous committees and experts thereafter.

After this draft was revised, the Data Protection draft of 2021 was produced. With the Digital Personal Data Protection Bill (DPDP Bill) finally becoming a law in 2023, data privacy in India achieved a significant win.

History of Digital Personal Data Protection Bill:

India has made major progress in safeguarding individuals' personal information and privacy in the past few years.

The Ministry of Personnel, Public Grievances, and Pensions initiated the process of drafting a privacy bill that addressed reforms related to data protection and monitoring. Regretfully, there was a temporary halt to this first activity.

The India Supreme Court's decision on the right to privacy was rendered on August 24, 2017. The right to privacy is a basic right guaranteed by Article 21 and Part III of the Indian Constitution, the Supreme Court ruled in the case of Justice K. S. Puttaswamy (Retd.) and Anr. against the Union of India and Ors.

When Justice A.P. Shah and his Privacy Committee delivered a thorough report on national and international privacy rules, however, activities resumed as planned. The groundwork for future advancements in India's data protection landscape was established by this report.

Following that, a Committee of Experts led by Justice BN Srikrishna was established by the Ministry of Electronics and Information Technology (MeitY). The future of data protection in the nation was greatly influenced by this committee. In 2018, the committee led by Justice Srikrishna published a comprehensive 176-page report outlining their proposal for the Personal Data Protection Bill, which is also known as the "Draft Bill."

The Personal Data Protection (PDP) Bill was redrafted in 2019 to include suggestions from the Srikrishna Committee report, marking the next step in the process. The objective was to preserve non-digital data as well as digital data, acknowledging the need of protecting all forms of personal data.

Two years later, the Joint Parliamentary Committee (JPC) released its report, which resulted in the creation of "The Data Protection Bill, 2021" (DPB, 2021), an updated version of the legislation. An important advancement in India's data protection efforts was this bill.

The Digital Personal Data Protection Bill (DPDP Bill) was finally authorised by the Cabinet in 2023 and was meant to be presented during the Monsoon Session of Parliament, which ran from July 20 to August 11, 2023. On July 27, 2023, a revised draft of the bill was made public, demonstrating the government's intention to improve data privacy.

On August 7, 2023, the Lok Sabha approved the Digital Personal Data Protection Bill, and the Rajya Sabha passed it shortly after. This demonstrated that the law had the support of both houses of Parliament and concluded the parliamentary approval process.

The Digital Personal Data Protection Bill was finally made a law on August 11, 2023, when it received the Honourable President's assent. For all Indian citizens, this law was a major victory in protecting their personal information and maintaining their right to privacy.

India has made significant progress in protecting individuals' privacy and personal data, with the enactment of the Digital Personal Data Protection Bill in 2023 marking a significant turning point in this vital process. It shows how dedicated the government is to protecting all of its residents' non-digital and digital data.

Digital Personal Data Protection Bill/ Act 2023: Timeline

• The Digital Personal Data Protection Bill, 2022 was made available for public consultation on November 18, 2022, and comments could be submitted until December 17, 2022.
• The Ministry of Electronics and Information Technology extended the deadline for public comments until January 2, 2023 on December 17, 2022.
• The Digital Personal Data Protection draft, 2023—a revised version of the draft that was previously submitted for public consultation—was approved by the cabinet on July 5th, 2023.
• Ashwini Vaishnaw, the Minister of Electronics and Information Technology, introduced the amended Digital Personal Data Protection Bill, 2023 in the Lok Sabha on August 3, 2023.
• The Lok Sabha passed the bill on August 7, 2023. The Rajya Sabha, the upper house of the Indian Parliament, then considered and approved the bill on August 9, 2023.
• The Digital Personal Data Protection Bill, 2023 (now known as the Digital Personal Data Protection Act, 2023) was approved by India's President Draupadi Murmu on August 11, 2023.

Additional Provisions for Children in Digital Personal Data Protection Bill 2023:

Additional obligations apply to processing data of children. Check out the issues with these provisions -

There are variations in how different jurisdictions define a child's capacity to give consent for the processing of personal data, regardless of the widely acknowledged notion that processing data concerning minors should be subject to stronger protections. A child is defined by the Bill as an individual who is less than 18 years old.

Individuals over 13 in the United States and the United Kingdom may consent to the processing of their personal data. The European Union's GDPR sets this age at 16, but member states may reduce it as low as 13. The Srikrishna Committee (2018) had suggested taking a few things into account when figuring out whether a youngster is old enough to give permission. These consist of:

(i) minimum age of 13 and maximum age of 18, and

(ii) a single threshold for ensuring practical implementation.

In terms of a child's complete autonomous development, it was also noted that eighteen years old might be too high. Nonetheless, the consenting age should be 18 years old in order to comply with the current legal framework. Eighteen is the minimum age required to sign a contract under the Indian Contract Act, 1872.

Parental Consent:Taking Verifiable Parental Consent May Require Verification of Everyone’s Age on Digital Platforms –

The Bill mandates that before processing a child's personal data, all data fiduciaries must get the legal guardian's verifiable consent. Any data fiduciary that wants to offer its services must confirm the age of each person registering in order to be in compliance with this clause.

To get permission from the person's legal guardian, it will be necessary to determine whether the individual is a child. This could lessen the likelihood of kids making up statements. That being said, this might make it harder to remain anonymous online.

Data Protection Board India –

Section 18a of the Digital Personal Data Protection Act, 2023 authorizes the Government of India to establish the Data Protection Board of India as an adjudicating (deciding) authority. This organization resolves disputes between individuals whose personal information has been provided to a platform and the platform, which has violated the Digital Personal Data Protection Act, 2023, on the platform's part.

According to the Bill, the members of the Indian Data Protection Board will have independent authority. The term of each member's appointment is two years, after which they may be reappointed. A brief tenure with the possibility of reappointment could compromise the Board's ability to operate independently.

The Digital Personal Data Protection Act, 2023, Section 18, states that the chairperson of the board must be appointed.

Powers and Functions of Data Protection Board in India:

Upon receiving a notification of a breach of personal data under section 8 sub-section (6), the Data Protection Board is mandated to investigate the personal data breach and impose penalties in accordance with the Digital Personal Data Protection Act, 2023. Additionally, the Board is authorised to direct immediate remedial or mitigating measures.

• To provide guidance on mitigating or correcting data breaches
• To investigate complaints and data breaches, and to levy fines
• to accept voluntary undertakings from data fiduciaries and to forward complaints for Alternative Dispute Resolution
• To recommend that the government ban a Data Fiduciary's website, app, etc. if it is discovered that the fiduciary has consistently violated the Bill's provisions; resolve disputes through adjudication
• The Board will decide if there are enough reasons to move forward with an investigation.
• Levy fines for violations of the Digital Personal Data Protection Act of 2023

Final Words –

Significant progress has been made in India's data protection history, including the growth of laws and the recognition of the right to privacy as a basic right. The government's commitment to protecting both digital and non-digital personal data is demonstrated by the enactment of the Digital Personal Data Protection Bill in 2023.

The bill's development from public consultation to presidential approval shows a committed attempt to safeguard the privacy of the people. Additionally, the measure addresses consent and parental consent while introducing provisions for the protection of children's data.

Although crucial, the creation of the Data Protection Board in India raises concerns regarding its duration and independence. In order to strengthen the commitment to data protection in the digital era, this board has the authority to investigate data breaches and impose sanctions.