Background

  • 2017: Privacy is FR 21
  • Introduced as Personal Data Protection Bill 2019
  • withdrawn in 2022, MeitY released draft of DPDP Bill 2022

Provides

  • obligations of Data Fiduciaries (entities who process data)
  • rights and duties of Data Principals (person to whom data relates)
  • financial penalties for breach of rights, duties, obligations

Specs

  1. Consent: User may withdraw consent anytime
    • for child, the guardian provides consent
  2. Data Protection Board of India: hearing grievances, monitoring compliance, imposing penalties.
  3. Significant Data Fiduciaries: entities with large scale or high sensitivity will face additional obligations

Limitations

  1. Exemption for State
  2. Inadequate safeguard for entities outside India
  3. No compensation to victims
    • Sec 43A, IT Act 2000, which mandated compensation, is removed
  4. Complicated approach for grievance redressal
  5. Lack of clarity: no definition of “detrimental effect”
  6. No provision for Right to be forgotten like the EU has

Way forward

  • cross border data governance
  • data rights
  • clear wordings
  • quantify time duration to delete user data if not needed anymore

See also: General Data Protection Regulation