CHANGES IN LEGISLATION
INDIA: DIGITAL PERSONAL DATA PROTECTION ACT, 2023 SCOPE AND APPLICATION
INTRODUCTION
SCOPE
India officially implemented the Act on August 11, 2023, marking the culmination of the fifth version of the proposed personal data protection legislation. The Act closely aligns with the draft Bill published by the Ministry of Electronics and Information Technology on November 18, 2022, titled Digital Personal Data Protection Bill, 2022, which underwent public consultations. Upon full enforcement, the Act will supersede Section 43A of the Information Technology Act, 2000 (IT Act), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).
The Act aims to establish a framework for the lawful processing of digital personal data, prioritizing the protection of individuals' rights related to their data. It introduces the concept of a fiduciary relationship between data subjects (individuals to whom the data pertains) and data controllers (entities determining the purpose and method of data processing), labeling them as data principals and data fiduciaries, respectively.
The Act is designed to be implemented gradually, with the Central Government initiating its provisions and continually issuing rules under the Act over time.
The origin of the DPDP Act can be linked to the 2017 landmark decision of the Supreme Court of India in the case of Justice K.S. Puttaswamy & Ors. v. Union of India & Ors.[1] This ruling recognized the right to privacy as an integral component of the right to life and personal liberty under Article 21 of the Constitution of India, establishing it as a fundamental right. The court underscored the necessity for the government to enact a comprehensive personal data protection law to safeguard individuals' privacy rights.
APPLICATION
No Sub-Categories of Personal Data: The Act specifically addresses digital personal data and does not encompass non-personal data. It pertains to the processing of 'personal data,' whether collected digitally or initially in physical form and later digitized. The definition of personal data includes all identifiable information about an individual but does not introduce sub-categories like sensitive personal data or critical personal data. This is a departure from the previous data protection regulations under the IT Act and SPDI Rules, which recognized sensitive personal data, imposing additional compliance measures.
Extraterritorial Applicability: The Act extends its reach beyond the borders of India to include the processing of digital personal data abroad, especially when offering goods or services to data principals within India. Compliance with the Act is required even if the data fiduciary operates from outside India, engaging with data principals in the country. Notably, the Act doesn't necessitate a systematic or habitual engagement, meaning even occasional collection and processing of data from Indian data principals by foreign businesses may trigger compliance.
www.advocatesjournal.com
JANUARY 2024