Introduction:
In an era where data drives our digital existence, the need for robust data protection legislation is more pressing than ever before. With the attempt to do justice to Article 21 of the Indian Constitution, Section 43A of the Information Technology Act, 2000 stands repealed and the Digital Personal Data Protection Act, 2023 (“Act”) seeks to delineate the rights and responsibilities of various stakeholders in the complex ecosystem of data management. While laudable in its intent, a closer analysis reveals certain critical aspects that warrant scrutiny from the lens of legal rigor and public interest.
Amendment of Right to Information Act, 2005 Transparency and Accountability:
The provision permitting authorities to withhold personal information even in cases of larger public interest dilutes the principles of transparency and accountability that are crucial for a democratic society. By wielding such powers, the authorities can potentially cloak information that could otherwise shed light on matters of public concern, undermining the very essence of section 8(1)(j) of the Right to Information Act, 2005 that stands amended.
Uncharted Territory: Exemptions and Ambiguities:
The lack of clear guidelines on determining “good faith”, for taking action against the Board or Central Government, may inadvertently create a realm of legal ambiguity. This may require clarity regarding the overall accountability and checks and balances within the legislative framework.
Upholding Accountability: Varied Implications of Penalty Provisions:
Within the realm of data protection, the Digital Personal Data Protection Act stands as a beacon of accountability, particularly through the imposition of penalties for violations of its pivotal provisions. This includes a substantial penalty of up to Rs. 250 Crores applicable to all data fiduciaries, encompassing not only large corporate entities but also smaller players like MSMEs (Micro, Small, and Medium Enterprises). While this penalty structure might appear reasonable and proportionate for prominent corporations, it raises valid concerns when applied to smaller enterprises. Unlike larger organizations, smaller entities may lack the resources to establish a separate data protection office. Yet, they are equally vested in safeguarding personal data. Many MSMEs might find themselves in a delicate position, where they can afford to employ personnel to execute essential data protection functions but might not be equipped to sustain the financial brunt of such substantial penalties. Balancing penalties with the diverse capabilities of entities, therefore, becomes an essential consideration for ensuring equitable enforcement of data protection norms.
Penalties without Compensation:
While the Digital Personal Data Protection Act introduces penalties for breaches, a notable gap arises in the allocation of these penalties. Presently payable to the government, the critical question of compensation for aggrieved individuals remains unanswered. As the Act evolves, addressing this issue will be pivotal to ensure a comprehensive framework that not only holds wrongdoers accountable but also extends redressal to those impacted by data breaches.
Emerging Career Opportunities:
Amidst the contours of this evolving landscape, it’s worth noting that this legislation isn’t merely a mechanism for legal regulation, but also a catalyst for transformative career opportunities. As the Act paves the way for heightened data privacy standards and ethical data management practices, the demand for specialized roles becomes all the more evident. As the Digital Personal Data Protection Act, 2023 comes into play, a plethora of exciting career opportunities emerges on the horizon. The Act ushers in an era where the protection of personal data takes center stage, laying the foundation for a robust and ethically-driven digital ecosystem. Two significant roles that stand out amidst these changes are those of Data Protection Officers (DPOs) and Consent Managers. These professionals will play a pivotal role in ensuring data privacy, conducting comprehensive audits, and facilitating responsible data processing practices.
Data Protection Officers:
The role of Data Protection Officers is akin to that of guardians of information, entrusted with safeguarding the delicate balance between technological advancement and individual privacy. These experts will be at the forefront of implementing and overseeing data protection strategies, guiding organizations towards compliance with the Act’s stringent provisions. With their expertise in data management, risk assessment, and regulatory adherence, DPOs will be instrumental in instilling confidence in consumers, clients, and stakeholders alike.
Consent Managers:
On the other hand, Consent Managers will bridge the gap between data fiduciaries and data principals, acting as the linchpin for open and informed communication. Tasked with managing consent requests and facilitating transparent data processing, Consent Managers will empower individuals to exercise control over their personal data. This role goes beyond mere compliance, as it nurtures a culture of trust between businesses and their patrons, laying the foundation for sustainable, long-lasting relationships.
Immediate Actionable for Corporates:
(a) The Act opens new dimensions of alterations in the fabric of the long-term as well as day-to-day management of corporates and other entities, which is likely to require legal attention to enable the formation and remoulding of their existing policies so as to align them with the new legislation.
(b) Identifying and addressing the rights of the data principals (individuals sharing personal data) and developing parameters for the design and implementation of a consent mechanism in an organisation need to be acted upon.
(c) It shall also become important to identify third-party data processors that are hired by corporate entities to store and process personal data, and to redefine their obligations.
(d) In order to mitigate the risks associated with even an unintended breach of the legislation, to develop a legal and technological structure for managing and regulating any privacy breach, and to direct the systems of the organisation towards well-defined policies protecting data at various levels, it may become necessary to carry out an audit of the legal foundation of the organisation.
Conclusion:
The Digital Personal Data Protection Act, 2023 is seamlessly aligned with existing statutes, embodying a harmonious construction that fosters coherence within the legal framework. Certain concerns have been raised regarding its provisions, but the true litmus test lies ahead, during the formulation of rules and the Act’s application. This iterative process will likely shed light on the finer intricacies, offer opportunities for public discourse, and fine-tune the legislative landscape. Therefore, while the Act’s current contours invite clarity, they also set the stage for collaborative efforts to ensure that the final regulations address the existing concerns and uphold the drafting of policies for transparency, accountability, and fairness, to be incorporated by entities so that their compliance is tied to an effective data protection framework.
References: Digital Personal Data Protection Act, 2023.
The article is published in Taxmann
https://www.taxmann.com/research/company-and-sebi/top-story/105010000000023277/unravelling-the-ambiguities-of-the-digital-personal-data-protection-act-2023-a-legal-perspective-experts-opinion
Article is written by
Pradnesh Kamat – Partner – pradneshkamat@mmjc.in
Veerti Shah – Manager – veertishah@mmjc.in