With the immense growth of digitisation, how safe is your personal information? The Digital Personal Data Protection Act 2023 (DPDPA) marks a significant step in India’s journey towards securing individual privacy.
This blog simplifies the core aspects of the Act, focusing on the responsibilities it places on data managers, the rights it grants individuals, government exceptions, and the formation of a governing board to oversee compliance.
What is the Digital Personal Data Protection Act 2023?
The Digital Personal Data Protection Act 2023 governs how information that identifies individuals is managed when businesses and government bodies use it to offer products and services.
This information helps tailor advertising, personalise services, and recommend items, enhancing user experience.
However, unregulated use of personal data can infringe on privacy, a fundamental right, leading to negative outcomes such as financial loss, reputation damage, or unjust profiling.
Digital Personal Data Protection Act 2023 summary and highlights
The Digital Personal Data Protection Act (DPDPA) is designed to protect personal information by creating strong guidelines for controlling and processing it, guaranteeing privacy rights, ensuring data integrity, and governing data transfers. The legislation emphasises the responsible handling of personal data, particularly for vulnerable groups like children, and mandates compliance measures, including data audits and the appointment of Data Protection Officers. It also provides for rights such as the nomination of representatives to uphold the interests of Data Principals.
Features of the Digital Personal Data Protection Act 2023
The Digital Personal Data Protection Act 2023 simplifies how personal data is managed online, focusing on:
- Applicability: It affects any personal information managed digitally in India or for Indian entities overseas, emphasising identifiable data and its usage, including collection, storage, and sharing.
- Consent Requirement: Users must agree before their data is used, with clear communication about the data's purpose. Withdrawal of consent is possible, with exceptions for emergencies or governmental needs.
- Individuals' Privileges: Users can inquire about their data usage, correct inaccuracies, or request deletion. Misuse or false identity claims can lead to fines.
- Responsibilities of Data Managers: Those in control of data must ensure its accuracy, protect it from unauthorised access, and report breaches. The data must also be deleted when it is no longer needed.
- Sending Data Abroad: In exceptional circumstances, the state has the authority to transfer data to any other country.
- Exceptions: There are instances where standard procedures may not be followed; for example, during criminal investigations or legal proceedings. Additionally, government agencies may also exempt themselves from compliance or grant waivers for research purposes.
- Data Protection Board: This board enforces these regulations, punishes offenders, assists in resolving violations and deals with complaints. Members of this board shall serve a two-year term.
- Fines: If rules are broken, fines can be huge: up to Rs. 250 crore for not protecting data properly.
Exemptions under the Digital Personal Data Protection Act 2023
The Digital Personal Data Protection Act 2023 provides several key exemptions, summarised as follows:
- Enforcement of Legal Rights or Claims: Data fiduciaries are exempted from certain responsibilities where processing is necessary to enforce a right or manage claims under law.
- Judicial and Quasi-Judicial Functions: Any processing of data by any Indian court, tribunal or other judicial or quasi-judicial body so authorised, for the discharge of its functions is exempted.
- Prevention and Investigation of Crime: Where processing is essential for the prevention, detection, investigation or prosecution of any offence under any law or regulation, it shall be exempted from certain restrictions.
- International Contracts: An agency based within India may process personal information where this is necessary for the performance of a contract between itself (or any other person acting on its behalf) and a party situated outside India, where the contractual obligations have been entered into with regard to individuals who are located overseas.
- Corporate Changes: When processing is necessary for executing a merger, amalgamation, or similar corporate restructuring approved by a court or other competent authority, it falls under the exemptions.
Pros and cons of the Digital Personal Data Protection Act 2023
Here are the advantages and disadvantages of this act for a better understanding:
Pros:
- Enhanced Privacy Protection: This law ensures people agree before their data is used and gives them control over their information.
- Clarity for Businesses: It gives businesses clear rules on how to use personal data, helping them avoid confusion and encouraging them to follow the law.
- Global Alignment: This law matches worldwide data protection rules, making it easier for India to do business globally.
- Rights for Individuals: People get more power over their data, such as being able to fix mistakes in it or have it deleted, giving them more control.
Cons:
- Costs of Compliance: The financial and administrative requirements brought by the new rules may hamper small businesses’ day-to-day activities.
- Concerns about Independence: Because the government appoints the members of the Data Protection Board, this may be seen as interfering with the Board's impartiality in decision-making.
- Efficiency of Enforcement: It has not yet been seen how effective the fines under this Act are in practice, nor has it been shown whether penalties are imposed evenly.