Context: The Central Government recently announced that companies and other entities can be given about a year, and smaller organizations or start-ups even a little more time, to meet the standards of the DPDP Act 2023.
- The Digital Personal Data Protection (DPDP) Act, 2023 is a legal framework established in India to protect the personal data of individuals and share that data only with their consent.
- It regulates the processing of digital personal data and outlines various provisions to protect the privacy of individuals in the digital age.
- This applies to the processing of digital personal data in India, whether it is collected online or offline and then digitized.
- It can also be applied to the processing of digital personal data outside the territory of India, if it involves the supply of goods or services to controllers located in the territory of India.
- The conceptual basis of the DPDP Act is the report of an expert committee headed by Justice BN Srikrishna, which led to the promulgation of the Personal Data Protection Act in 2019.
- After several iterations and hearings, both the Lok Sabha and the Rajya Sabha introduced and later passed the Digital Personal Data Protection Act, 2023.
- Key Stakeholders:
  - Data Principal (DP): (Data Owner) DPs can be individuals or entities whose data must be protected.
    - To produce and process data, the DP must give written consent stating the purpose of using the data.
    - The DP can withdraw consent or limit its use at any time.
  - Data Fiduciary: the entity that collects, stores and shares data.
    - The data fiduciary also acts as a consent manager, enabling the DP to grant, manage, review and withdraw consent through an easily accessible, transparent and interoperable platform.
    - Based on the assessment of important factors, the Central Government can recognize any data fiduciary or class of data fiduciary as an important data security person if it turns out to be systemically important.
  - Data Processor: a person who processes data on behalf of the data controller.
    - In certain small entities, both the data fiduciary and the data processor may be the same.
  - Data Protection Officer (DPO): may be any person appointed as a Data Protection Officer by the data fiduciary under this Act.
- Citizen rights: In accordance with the main data rights, individuals also have the right to receive information, the right to correction and deletion of data, the right to address complaints, and the right to appoint another person to exercise those rights in the event of the individual's death or disability.
- Establishment of the Data Protection Board of India (DPBI):
  - It acts as an impartial adjudicator responsible for resolving privacy complaints and disputes between the parties involved.
  - As an independent regulatory body, it has the power to identify violations of the law and impose sanctions.
  - The central government handles the appointment of the CEO and board members of the Data Protection Board.
  - The DPBI order can be appealed to the High Court. The High Court could consider any violation suo motu.
  - No civil court shall have jurisdiction to hear a suit or take action relating to the provisions of this Act, nor shall any court or other authority grant an injunction relating to measures taken under the provisions of this Act.
- Penalty for violation:
  - The law does not provide for criminal punishment for negligence.
  - The financial penalty could range from as high as Rs. 250 crores for a data fiduciary or data processor to as low as Rs. 10000 for a data principal (the owner of the data).
- Conflict with existing laws:
  - The provisions of the DPDP Act complement and do not replace other laws currently in force.
  - However, if there is a conflict between a provision of this Act and a provision of another existing law, the provision of this Act shall apply to the extent of the conflict.
Source: The Hindu
- Will the Digital Personal Data Protection Bill violate the privacy of citizens? Critically examine.