An Overview of the Digital Personal Data Protection Act 2023

In line with the GDPR and the California Privacy Rights Act, the Indian government enacted the Digital Personal Data Protection Act 2023 on 11th August 2023. The essence of the Act is in tune with international data protection legislation, but it also reflects the Indian perspective on data protection. The cardinal principle the Act tries to uphold is the individual's right to protect their personal data. The entity that determines the purpose and means of obtaining data is termed the data fiduciary, and the data principal is the individual whose personal data is processed. The data processor is the person or entity that processes the data; the liability of the data processor is not directly mentioned in the Act, but it might arise from the contractual obligations between the data fiduciary and the data processor.

The basic tenet the Act tries to establish is that the consent of the individual is a must for processing any personal data, and that even after consent is obtained, the data should be used only for a legitimate purpose. It also prescribes that consent should be free, specific, informed, unconditional and unambiguous. When seeking consent, the data fiduciary should also state the purpose, the manner in which the individual can exercise their rights, and how the data principal can lodge a complaint. The individual can withdraw consent at any point of time. As per section 11 of the Act, four main rights are conferred on the individual: the right to access information about personal data, the right to correction and erasure of personal data, the right to grievance, and the right to nominate in the event of death or incapacity of the data principal.

The data so obtained should be used only for legitimate purposes; by stating so, the Act reminds us that the purpose of using the data should not be expressly forbidden by law. This phrase can lead to a wider interpretation of the law, depending upon general ethics and the rights conferred on each citizen in India. The consent of a parent or legal guardian is required for processing the data of a child under the age of 18 or a disabled person. The processing of data should not be detrimental to the wellbeing of the child or disabled person, and should not involve behavioural tracking, monitoring or targeted advertisement.

The Act sets out the roles of the consent manager, the Data Protection Board and the appellate authority. The consent manager should be registered with the Board, subject to the technical, operational and financial conditions prescribed by the Board. As per section 28(7), the Act confers the powers of a civil court on the Board for discharging its functions under this Act. Like the GDPR, the penalty imposed by the Act is hefty: as per the Schedule, the penalty might range from 50 crores to 250 crores depending upon the gravity of the breach. The Board can determine the penalty depending upon the nature and gravity of the breach. Factors such as the type and nature of the data, the repetitive nature of the breach, the gain realized from the breach, and the action taken for mitigation are all considered in fixing the penalty. The penalty levied is credited to the Consolidated Fund of India. The Act omitted section 43A of the Information Technology Act and amended section 81 of the Patents Act and section 8 of the Right to Information Act.