Balancing Individual Rights & Business Growth In The Era Of Data Protection
The Digital Personal Data Protection (DPDP) Act, 2023 marks a pivotal step in India's journey toward a secure and transparent digital ecosystem.

The success of the DPDP Act will depend on its effective implementation, public awareness and continuous refinement to address emerging challenges. With global alignment on data protection, India's move reinforces the growing consensus that personal data must be safeguarded with integrity, responsibility and ethical governance.
With the Digital Personal Data Protection (DPDP) Act, 2023, India takes a decisive step towards safeguarding individual privacy and ensuring a secure and transparent digital ecosystem. It is the country's primary data protection law: it establishes a framework for processing digital personal data and protects individuals' rights by laying down how personal data may be collected, stored and used.
Going into the background of the Act: the Supreme Court, in a judgement of 1990, recognised the right to privacy as a fundamental right flowing from Article 21 of the Constitution. It reaffirmed that position in 2017 in the Justice K.S. Puttaswamy case, a reference that arose while the Court was hearing petitions challenging the Aadhaar Act.
The DPDP Act is a step in this direction: it gives effect to the right to privacy by placing obligations on data controllers (referred to as Data Fiduciaries in the Act). The Act received the President's assent in August 2023.
This law is expected to establish a framework for the ethical and lawful use of data, striking a balance between protecting individual rights and enabling businesses to thrive in the data-driven economy. It is part of India's focus on data protection and privacy rights, and responds to global concerns about data breaches, misuse and surveillance. Data is the lifeblood of our interconnected world, fuelling innovation and progress, but with this power comes the responsibility to safeguard individual privacy. That realisation has driven a global movement towards robust data protection frameworks: landmark developments such as the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) in California and similar legislation elsewhere. These frameworks share three core principles: individual rights, organisational accountability and independent oversight.
India's DPDP Act, while tailored to our context, is part of this global web and reflects a commitment to protect digital personal data. Before it, provisions touching on data protection were scattered across the IT Act 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, the Telecommunications Act 2023 and the Consumer Protection Act 2019. In telecom, the Unified License agreement conditions place a responsibility on the licensee to safeguard the privacy and confidentiality of information and to ensure that unauthorised interception of messages does not take place.
The DPDP Act represents a significant leap forward in establishing a comprehensive framework for data protection. It is a paradigm shift: it empowers individuals with greater control over their data while placing obligations on the organisations that handle it.
Principles of the act
(1) The Act requires consented, lawful and transparent use of personal data. For example, some taxi aggregators capture the battery percentage of a customer's mobile while the customer books a taxi and raise the fare if the battery is low. The battery level is neither covered by the consent given nor needed for booking a ride, so the aggregator violates this principle (and the next).
(2) It upholds purpose limitation: data may be used only for the specified purpose for which it was collected.
(3) It embraces data minimisation: collect only the data necessary for that purpose.
(4) It requires that personal data be kept accurate and up to date.
(5) It stipulates that data is retained only as long as the purpose requires.
(6) It mandates reasonable security safeguards.
(7) It implements accountability through breach adjudication and penalties.
Key stakeholders defined in the act
Data Principal: the individual to whom the personal data relates.
Data Fiduciary: a person or entity that, alone or with others, determines the purpose and means of processing personal data.
Although the terms Data Principal and Data Fiduciary were coined in India (the GDPR uses Data Subject and Data Controller), they have been well received and adopted elsewhere.
Significant Data Fiduciary (SDF): a Data Fiduciary that crosses a higher threshold, notified as such by the Central Government after an assessment of factors such as the volume and sensitivity of data processed and the risk to Data Principals' rights.
Data Processor: an entity that processes personal data on behalf of a Data Fiduciary.
Data Protection Officer: an individual appointed by an SDF, who represents it under the Act and is the point of contact for grievance redressal.
Consent Manager: an organisation registered with the Board that manages consent on behalf of Data Principals.
Data Protection Board: it adjudicates disputes between Data Principals and Data Fiduciaries. It is digital by design: a virtual board that operates online. It does adjudication and mediation, and a Fiduciary can give voluntary undertakings to it. The aim of the Board is not to stop business but to bring uniformity and regulation. The Government appoints the Chairperson and Members of the Board on the recommendations of a search-cum-selection committee.
The grounds for processing personal data are consent, or one of the "certain legitimate uses" listed in the Act (such as data voluntarily provided by the Data Principal for a specified purpose, provision of a subsidy, benefit, service or licence by the State, employment purposes and medical or other emergencies). The Data Fiduciary requests consent from the Data Principal through a notice stating the personal data to be collected and the purpose. A Data Fiduciary must institute appropriate technical and organisational measures to protect personal data, and must report breaches to the Data Protection Board as well as to each affected Data Principal. A personal data breach is any unauthorised processing, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access, that compromises the confidentiality, integrity or availability (CIA) of personal data. Data Fiduciaries must implement a mechanism for Data Principals to exercise their rights, a grievance redressal mechanism for handling their queries, and irrecoverable deletion of personal data once the purpose for which it was collected is served or when the Data Principal withdraws consent. If a Data Fiduciary outsources processing, it should do so under a valid contract and ensure that the processor abides by the key obligations, including deletion.
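The principles of consent, purpose limitation, data minimisation and time-bound retention listed above, together with the Fiduciary's deletion obligation, can be enforced mechanically if every collection is checked against a consent record. The following is an added illustration written for this article, not code from the Act, the draft Rules or any aggregator: a small in-memory consent ledger in which each consent is bound to a purpose, a set of data items and a retention window. The taxi scenario from the principles section is replayed against it, and the field names, dates and the Data Principal identifier "dp-1" are constructed for the example.

```python
"""Purpose-bound consent ledger (added illustration, not from the DPDP Act text).

Each consent ties a purpose to the data items the notice covered and to a
retention window. Collection is allowed only for items that a live consent
for the *same* purpose covers; items whose every consent has lapsed or been
withdrawn become due for erasure.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Consent:
    purpose: str
    fields: frozenset[str]          # data items named in the consent notice
    granted_at: datetime
    retention: timedelta            # how long the purpose needs the data
    withdrawn_at: datetime | None = None

    def covers(self, at: datetime) -> bool:
        """Live if not withdrawn before `at` and the retention window has not lapsed."""
        if self.withdrawn_at is not None and at >= self.withdrawn_at:
            return False
        return at < self.granted_at + self.retention


class ConsentLedger:
    def __init__(self) -> None:
        self._by_principal: dict[str, list[Consent]] = {}

    def grant(self, principal: str, purpose: str, fields, granted_at: datetime,
              retention: timedelta) -> None:
        self._by_principal.setdefault(principal, []).append(
            Consent(purpose, frozenset(fields), granted_at, retention))

    def withdraw(self, principal: str, purpose: str, at: datetime) -> None:
        """Withdrawal is recorded, not deleted, so the history stays auditable."""
        self._by_principal[principal] = [
            replace(c, withdrawn_at=at) if c.purpose == purpose and c.withdrawn_at is None else c
            for c in self._by_principal.get(principal, [])]

    def check_collection(self, principal: str, purpose: str, requested, at: datetime):
        """Split requested items into (allowed, denied) for this purpose at time `at`.

        Purpose limitation: only consents for `purpose` count.
        Data minimisation: anything not named in such a consent is denied.
        """
        permitted: set[str] = set()
        for c in self._by_principal.get(principal, []):
            if c.purpose == purpose and c.covers(at):
                permitted |= c.fields
        requested = set(requested)
        allowed = requested & permitted
        return allowed, requested - allowed

    def due_for_erasure(self, principal: str, at: datetime) -> set[str]:
        """Items held under some consent but no longer covered by any live consent."""
        held: set[str] = set()
        live: set[str] = set()
        for c in self._by_principal.get(principal, []):
            held |= c.fields
            if c.covers(at):
                live |= c.fields
        return held - live


def taxi_scenario():
    """Constructed walk-through of the battery-level example from the article."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # Notice for ride booking covered the trip details and a contact number.
    ledger.grant("dp-1", "ride_booking",
                 {"pickup_location", "drop_location", "phone"}, t0, timedelta(days=30))
    # A separate, longer-lived consent for billing also covers the phone number.
    ledger.grant("dp-1", "billing", {"phone", "invoice_address"}, t0, timedelta(days=365))

    # The app tries to collect battery level alongside the trip details.
    allowed, denied = ledger.check_collection(
        "dp-1", "ride_booking",
        {"pickup_location", "drop_location", "battery_level"}, t0 + timedelta(days=1))

    # Forty days on, the ride-booking consent has lapsed; billing is still live,
    # so the phone number is retained while the trip details fall due for erasure.
    erase = ledger.due_for_erasure("dp-1", t0 + timedelta(days=40))
    return allowed, denied, erase


if __name__ == "__main__":
    a, d, e = taxi_scenario()
    print("allowed:", sorted(a), "denied:", sorted(d), "erase:", sorted(e))
```

The check is deliberately a deny-by-default set intersection: an item that appears in no live consent for the requested purpose is refused even if another purpose covers it, which is exactly the behaviour purpose limitation demands. A production ledger would persist consents with the notice text that was shown, keep the withdrawal history for the Board, and feed `due_for_erasure` into a scheduled deletion job that also propagates to any Data Processor.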
There are additional obligations for an SDF: it must appoint a Data Protection Officer and an independent data auditor, carry out periodic Data Protection Impact Assessments and audits, verify that the technical measures it adopts (including algorithmic software) are not likely to pose a risk to Data Principals' rights, and ensure that personal data specified by the Central Government, along with the related traffic data, is not transferred outside India.
Children's Personal Data can be processed only on the basis of verifiable parental consent. Likewise personal data of a person with disability can be processed only on the basis of verifiable lawful guardian consent.
A Data Principal has the rights of access to their personal data, correction and erasure of that data (erasure does not apply where the State processes data under a legitimate use), grievance redressal and nomination. The nomination right in the DPDP Act is the first of its kind in the world: a novel idea under which, after the death or incapacitation of a person, their nominee can exercise these rights over the personal data of the deceased or incapacitated person.
Regarding transfer of data outside India, there is no bar except to countries the Central Government notifies as restricted. Stricter sectoral requirements (for example, a regulator's localisation rule) continue to apply. Compliance with the data protection standards of the recipient country is also expected.
One interesting feature of the Act is that even the Data Principal has certain duties: not to impersonate another person, not to suppress material information, and not to register false or frivolous grievances. Exemptions from the Act exist for legal and judicial functions, for research, archival and statistical purposes, and for classes of Data Fiduciaries such as startups that the Government may notify. The Act provides no criminal penalties, only graded civil penalties: a Data Fiduciary can face a maximum penalty of Rs 250 crore per instance (the highest slab applies to failure to take reasonable security safeguards), and a Data Principal can be fined up to Rs 10,000 for breach of their duties.
Draft DPDP Rules 2025
The draft DPDP Rules 2025 detail the implementation of the provisions of the Act, including specific requirements for data collection, consent, security measures, breach notification (intimation to affected Data Principals and to the Board without delay, with fuller details to the Board within 72 hours), compliance, grievance redressal and enforcement, aiming to operationalise the principles of the Act. The Rules are short: only 22 rules and 7 schedules, not more than 30 pages. They are written in plain language and are easy to understand, with illustrations and no cross-referencing. The public could submit comments on the draft Rules up to 05.03.25.
Way forward
The hope is that all stakeholders will understand the requirements of the DPDP Act and its implications, and meet the implementation challenges and compliance requirements, so that the Act is implemented effectively and creates a safer and more trustworthy digital environment for all.
Privacy Enhancing Technologies (such as data anonymisation, differential privacy and AI-generated synthetic data) are maturing worldwide alongside the DPDP Act and similar legislation, because they let an organisation derive value from data while limiting what it holds about any identifiable person.
With around 110 crore connections, no digital ecosystem reaches customers more pervasively than telecom; each Telecom Service Provider (TSP) reaches nearly 80 per cent of the addressable population. These rules will therefore affect TSPs significantly. As TSPs handle vast quantities of sensitive personal data, they are likely to be classified as SDFs, bringing enhanced responsibilities: revamping consent mechanisms, strengthening security safeguards and adapting operational processes. To meet these challenges, TSPs have to formulate strategies for implementing the Act, which may require business-process planning, re-engineering and technology solutions to build the necessary tools.
(The author is Former Advisor, DOT, Government of India, Bangalore)