As our lives become increasingly digital, concerns about online privacy and personal data have grown significantly. In India, legal protections around data and digital privacy are evolving, especially with the recent enactment of the Digital Personal Data Protection Act, 2023. Here's what Indian law currently says about your digital rights and responsibilities.
The Digital Personal Data Protection Act, 2023 (DPDP Act)
This is India’s landmark data protection law, passed in August 2023. It aims to safeguard the personal data of individuals while still allowing lawful processing for legitimate purposes.
Key Provisions:
- Consent-Based Data Collection: Companies must obtain clear, informed consent before collecting personal data.
- Right to Withdraw Consent: Users can withdraw their consent at any time.
- Data Principal Rights: You have the right to access, correct, and delete your data, and to nominate someone to manage it in case of death or incapacity.
- Obligations for Data Fiduciaries (companies or organizations): They must ensure security safeguards, limit data storage duration, and notify breaches.
- Penalties: Companies can face penalties of up to ₹250 crore for data breaches or non-compliance.
What Is Considered ‘Personal Data’?
Under the DPDP Act, personal data means any data that can identify a person, such as name, email ID, phone number, location data, biometric information, etc.
Unlike earlier drafts, the Act no longer distinguishes between “sensitive” and “non-sensitive” personal data.
Your Rights as a Data Principal (Individual)
You have several key rights:
- Right to Access Information: Know what data is being collected and how it’s used.
- Right to Correction and Erasure: Request changes or deletion of your data.
- Right to Grievance Redressal: Approach the data fiduciary or Data Protection Board in case of misuse.
- Right to Nominate: Assign someone to manage your data in case you pass away or become incapacitated.
What Obligations Do Companies and Apps Have?
Any organization (called a Data Fiduciary) that collects your data must:
- Use the data only for specific, lawful purposes.
- Take steps to protect your data from breaches.
- Delete your data when it’s no longer needed.
- Allow you to withdraw consent easily.
There is also a special category called Significant Data Fiduciaries (like large platforms), which have additional responsibilities like appointing data protection officers and conducting audits.
What About Government Access to Your Data?
The DPDP Act allows the government to exempt itself or certain agencies from some parts of the law for reasons like national security or public order.
This has raised concerns about unchecked surveillance and lack of judicial oversight.
Other Relevant Laws
In addition to the DPDP Act, other laws also touch on digital privacy:
- Information Technology Act, 2000: Covers hacking, identity theft, and online fraud.
- Indian Penal Code: Applies to cyberstalking, defamation, and unauthorized access.
- IT (Intermediary Guidelines) Rules, 2021: Requires platforms like WhatsApp and Facebook to remove harmful content and trace messages under certain conditions.
Indian law has made a significant leap with the Digital Personal Data Protection Act, 2023, but many challenges remain, particularly around government access, user awareness, and enforcement. As a user, understanding your rights and practicing digital hygiene is more important than ever.