Defending Data Sovereignty: The Digital Personal Data Protection Act, 2023

The passage of the Digital Personal Data Protection Bill, 2023, represents a watershedmoment in India's journey towards a more secure and privacy-conscious digital ecosystem. In a significant milestone for data protection in India, the Digital Personal Data Protection Bill, 2023, has been successfully passed by both houses of Parliament and received Presidential assent. Its swift passage underscores the pressing need for comprehensive legislation to safeguard personal data in the digital age.

The journey towards the enactment of this bill has been marked by a series of challenges and deliberations. Previous iterations of the Personal Data Protection Bill in 2019 and 2022 were fraught with amendments and issues, ranging fromconcerns about data localization to transparency and compliance burdens. Recognizing the needfor a more robust framework, the Central Government took the bold step of withdrawing these bills, paving the way for the introduction of the Digital Personal Data Protection Bill, 2023.

The genesis of this landmark legislation can be traced back to the historic judgment of the Supreme Court in Justice K.S. Puttaswamy vs. Union of India (2017). In this watershed moment, the Court affirmed the 'Right to Privacy' as an integral facet of thefundamental right to life enshrined under Article 21 of the Indian Constitution. Byrecognizing the importance of protecting personal data as a corollary of the right toprivacy, the Court issued a clarion call to the government to enact comprehensive legislation for data protection.

In response to the Court's directive, the Digital Personal Data Protection Bill, 2023, represents a concerted effort by the government to fulfill its constitutional obligations and safeguard the privacy rights of Indian citizens. Its passage into lawheralds a newera of data protection, bolstering India's position as a global leader in the digital economy while upholding the principles of privacy and individual autonomy.

In an era dominated by digital transactions and online interactions, the need to protect personal data has never been more pressing. Recognizing this imperative, the Digital Personal Data Protection Act, 2023, stands as a beacon of hope, aiming to establisharobust framework for the safeguarding and management of personal data.

At its core, the Act is driven by a fundamental principle: to uphold the rights of individuals to protect their personal data while ensuring compliance with lawful processing requirements. Its applicability extends across the vast landscape of India's digital realm, encompassing both online and digitized offline data. Moreover, it extends its reach beyond national borders introducing concept of extra territorial jurisdiction as a unique point, covering data related to goods or services offered within India. It also sets the groundwork for other relevant laws, fostering India's advancement in technologies like Artificial Intelligence while upholding data privacy.

One notable aspect of the Act is its forward-thinking approach to inclusivity. By introducing gender-specific pronouns, it marks a significant departure fromtraditional legislative norms, setting a precedent for inclusive language in Indian law. It introduces gender-specific pronouns, a first in Indian legislation.

Delving into the key features of the Act, it defines personal data broadly, encompassing any information capable of being processed by humans or automatedmeans. This definition is crucial in an age where data permeates every aspect of our lives, from social media interactions to financial transactions.

The Act also lays down stringent guidelines for the processing of personal data, emphasizing the need for explicit consent from the data principal. This requirement ensures that individuals have full control over how their data is used, mitigating the risk of unauthorized access or misuse. Penalties outlined in the schedule of the Act specify the fines for various violations and breaches under its provisions. For instance, non-compliance with obligations concerning children may incur a penalty of INR200Crore, while failure to implement security measures to prevent data breaches, as per Section 8(5), could result in a fine of INR 250 Crore. Similarly, a breach in notifyingthe Board or the Data Principal about a personal data breach under Section 8(6) maylead to a penalty of INR 200 Crore. The Data protection board will impose these penalties following an inquiry conducted under Section 33 of the Act.

Furthermore, the Act outlines the rights and duties of data principals and data fiduciaries, setting clear expectations for both parties involved in the data processingecosystem. It also addresses the transfer of personal data outside India, striking a delicate balance between global connectivity and data protection.

However, the Act is not without its challenges. Implementation remains a key concern, with businesses grappling to adapt to the stringent compliance measures outlined in the legislation. The Act requires companies to adhere to compliance measures, such as appointing a Data Protection Officer, notifying data principal andthe government on data breach and implementing consent management mechanisms. However, Clarification is needed on thresholds for classifying companies as data fiduciaries, ensuring a fair and equitable application of the law.

Moreover, there are lingering concerns about the potential implications of surveillance and the need to strike a balance between privacy rights and national security interests. The act give ample power to the government to ask for informationfrom the companies in the form of compliance. These issues underscore the importance of careful interpretation by the courts, ensuring that the Act serves its intended purpose without infringing on individual liberties.

Despite these challenges, the Digital Personal Data Protection Act, 2023, represents asignificant milestone in India's journey towards modern data protection. It reflects thecountry's commitment to safeguarding personal data in an increasingly digitized world, laying the groundwork for a more secure and privacy-conscious future. As theAct continues to evolve, guided by the establishment of the Data Protection Boardandrule promulgation, it is poised to shape the landscape of data protection for years tocome.

Prateek Som is a lawyer at the Supreme Court of India and is currently a Mason Fellow at the Harvard Kennedy School, Harvard University