History and Development of the Indian Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 or the DPDPA is an act to provide for the processing of digital personal data of individuals in such a manner that it recognises both the rights of the individuals to protect their data and to process this data in a lawful manner. It is the first act which contains pronouns where she/her were used instead of the usual he/him.

History of the act

On 24^th August, 2017, the Supreme Court of India gave the judgement for the case of Justice K. S. Puttaswamy (Retd) and others vs Union of India and others. This landmark judgement is also known as the ‘Right to Privacy verdict’. In this historic judgement, the Supreme Court recognised the Right to Privacy as a fundamental right protected under Article 21 and Part III of the Indian Constitution.

After the verdict, the Government of India set up a data protection framework which started taking steps towards the protection of digital personal data.

Timeline

22^nd December, 2018 – A committee of experts was set up under the chairmanship of Justice B.N Srikrishna for the creation of a framework for data protection.

The committee sought public consultation on various aspects related to data protection and released the Personal Data Protection Bill, 2018 draft.

14^th August, 2019 – The Ministry of Electronics and Information Technology (MEITY) sought feedback on the draft Bill.

4^th December, 2019 – After various consultations, the Personal Data Protection Bill, 2019 was approved by the Cabinet Ministry of India.

11^th December, 2019 – The Bill was brought into the Lok Sabha, and on the same day it was referred to the Joint Parliamentary Committee (JCP).

16^th December, 2021 – The JCP presented its report which proposed more than 80 amendments to the 2019 Bill.

3^rd August, 2022 – The Personal Data Protection Bill, 2019 was withdrawn, as it received criticism from stakeholders, opposition and experts.

18^th November, 2022 – The MEITY released the draft legislation of the data protection framework for consultation of the public.

5^th July, 2023 – The cabinet approved the Digital Data Protection Bill, 2023.

3^rd August, 2023 – The Bill was introduced in the Lok Sabha by the MEITY.

7^th August, 2023 – The Bill was passed by the Lok Sabha.

9^th August, 2023 – The Bill was introduced in the Rajya Sabha and on the same day it was passed.

11^th August, 2023 – Draupadi Murmu, the President of India, gave assent to the Digital Personal Data Protection Bill, 2023 which made it the Digital Personal Data Protection Act, 2023 (DPDPA).

Case Summary of Justice (Retd.) K. S. Puttaswamy and others vs Union of India and others, 2017

Writ Petition (Civil) No. 494 of 2012, (2017) 10 SCC 1

Appellant – Justice (Retd.) K. S. Puttaswamy

Respondent – Union of India and others

Bench – Sanjay Kishan Kaul, Dhananjaya Y. Chandrachud, R. K. Agrawal, J. S. Khehar, S. A. Bobde, S. A. Nazeer, J. Chelameswar, R. K. Agrawal, A. M. Sapre JJ.

Brief Facts of the case

In 2012, retired High Court Judge K.S. Puttaswamy brought a case against the Union of India to a nine-judge bench of the Supreme Court, saying that Aadhaar was unconstitutional because it violated the right to privacy. This was done at the request of the Constitution Bench, which was looking into whether the right to privacy was a separate fundamental right in the Indian constitution based on previous decisions by Supreme Court benches.

See also: Recent developments in Indian IP and Data Privacy/Data Protection space

Issues of the case

1. If the Indian Constitution gives people a basic right to privacy or not.
2. Does the Court’s decision that there are no such basic rights in M.P. Sharma & Ors. vs. Satish Chandra, DM, Delhi & Ors. and also, in Kharak Singh vs. The State of U.P. accurately reflect the constitutional position?

Judgement of the case

Article 21 of the Constitution of India says that everyone has the right to privacy. On August 24, 2017, a nine-judge bench of the Supreme Court of India upheld this right in an important decision.

In the ruling, it was said that privacy should be an important part of Part III of the Indian Constitution, which lists people’s basic rights. The Supreme Court also said that the government had to carefully balance the privacy of each person with the legal goal. They had to do this no matter what, because fundamental rights can’t be given or taken away by the law, and all laws and acts have to be in line with the constitution. Also, the Court said that the right to privacy is not an absolute right and that any invasion of privacy by a state or non-state agent must meet the three-part test, which is:

1. Legitimate Aim
2. Proportionality
3. Legality

The decision that has been passed by all nine judges holds:

1. It is no longer true that the Constitution of India does not protect the right to privacy in the case of M P Sharma vs. Satish Chandra.
2. The Kharak Singh vs. State of UP ruling that the right to privacy is not protected by the Constitution is also thrown out.
3. Article 21 of India’s constitution protects the right to privacy as an essential part of the right to life and personal liberty. Part III of the Constitution also protects the right to freedom.

Key Highlights of the Justice B. N. Srikrishna Committee Report on the Data Protection Bill Draft, 2018

1. Individual Consent: The proposed Bill puts the user’s permission at the centre of sharing data, gives them rights, and makes data fiduciaries (including the State) responsible for the goal and means of data processing.

2. Data Protection Authority: The data protection law will create the Data Protection Authority (DPA). The DPA will be a separate governing body whose job it is to make sure the law is followed. The main things the DPA is supposed to do are keep an eye on and enforce the law, do study and raise awareness about policies and standards, and handle and decide on grievances.

3. Personal Data: Both public and private organizations will be able to use the rule to process personal data. The law will govern how personal data is handled if it was used, shared, made public, received, or handled in some other way in India.

4. Data Storage: Data keeping rules are spelled out in the Bill. It is required that a copy of personal data be kept in India.

5. Appellate Tribunal: The Central Government must either set up an appellate court or give a current appellate court the power to hear and decide on any appeals against a DPA order.

6. Penalties: People who break the data protection rule could be punished. The fines would be either a set amount up to that cap or a percentage of the total worldwide sales in the previous fiscal year, whichever is greater. The Committee wants any organization that collects or processes data to be fined Rs. 15 crores, which is 4% of its total worldwide sales. If you don’t move quickly on a data security breach, you could be fined up to Rs. 5 crores, which is 2% of your annual sales. In this case, the fines paid by the violating organizations will go into a Data Protection Fund. This fund will be used to pay for the Data Protection Authority’s work, among other things.

7. Exceptions: The government can use someone’s data without their permission if it’s for the public good, to keep the peace, in an emergency where the person is unable to give permission, for work reasons, or for another acceptable reason.

8. Personal data transfers across borders, excluding sensitive data, will be based on model contract terms outlining key obligations. The person transferring the data will be responsible for any harm caused to the person receiving it by the transferee breaking those obligations.

9. Data of Children: Committee has said that there should be separate and stricter rules for protecting children’s data. They have suggested that companies should not be able to process children’s data in ways that are not in their best interests, such as tracking, monitoring their behaviour, sending them targeted ads, or any other type of processing.

References

1. Prashant Phillips, Data Protection Bill Withdrawn: Roadblocks towards a comprehensive data protection framework, available at <Data Protection Bill withdrawn: Roadblocks towards a comprehensive data protection framework | Lakshmikumaran & Sridharan Attorneys (lakshmisri.com)> (Accessed on 3^rd June 2024)
2. Ritansha Lakshmi, Case Summary: Justice K. S. Puttaswamy (Retd.) vs. Union of India, 2017, available at <Case Summary: Justice K. S. Puttaswamy (Retd.) vs. Union of India, 2017 – LawLex.Org> (Accessed on 3^rd June 2024)
3. Drishti, Justice B. N. Srikrishna Committee Report, available at <Justice BN Srikrishna Committee Submits Data Protection Report (drishtiias.com)> (Accessed on 4^th June 2014)
4. Kishita Gupta, Constitutional Validity of Aadhar Act in the case of Justice K. S. Puttaswamy (Retd.) and Anr vs Union of India, available at <Constitutional validity of Aadhar Act in the case of Justice K.S. Puttaswamy (Retd.) and Anr. Vs. Union of India – iPleaders> (Accessed on 5^th July 2024)
5. Aiman J. Chishti, Parliament Passes Digital Data Protection Bill, available at <Parliament Passes Digital Personal Data Protection Bill (livelaw.in)> (Accessed on 5^th June 2024)

---

About Author