Overview of Data Protection Laws in India
Data protection laws are important for keeping people’s personal information safe and private. In India, the need to create strong data protection laws has been going on for some time, with several important steps along the way. Right now, the main law dealing with data protection is the Information Technology (IT) Act , 2000.
However, this law doesn’t cover everything. In 2017, the Indian government formed a Committee of Experts on Data Protection, the leader of the committee was Justice B. N. Srikrishna. This committee helped create the Personal Data Protection Bill, 2019, which has now evolved into the Digital Personal Data Protection Act, 2023.
Meanings
- Personal data is any information about a person who can be identified.
- Processing includes any operation or Act that is automated (done with machines and without the use of people) or set of operations performed on digital personal data.
- People that determine how and why data is processed are called data controllers.
- People that process data on behalf of others are called data processors.
Key Provisions of the Digital Personal Data Protection Act, 2023
- The Digital Personal Data Protection Act, 2023, aims to create a whole set of rules for data protection in India.
- It includes various sections about the rights of people whose data is being used, how those using it have to deal with it and handle data breaches (accessing data without permission), and the creation of a body that looks over these issues and matters.
- Clearly says what is personal data- it is information that can identify an individual directly or indirectly.
- Mandates getting explicit consent from individuals before processing their personal data, with some exceptions.
- Allows data processing only till the stated purpose for which it was collected.
- Requires collecting only the necessary personal data for fulfilling the intended purpose.
- Ensures the correct and updated nature of processed personal data.
- Puts strict measures to protect personal data from unauthorized access, disclosure (reveal), or loss.
advertisement
Applicability
- The Act applies to when digital personal data is used in India.
- This includes data collected online or offline and then turned into a digital form.
- It also applies to data that is processed outside India if it includes offering goods or services to people in India.
Consent
- You can't just go around using people's personal info for whatever you want. You need to make sure it's for a good reason and that they're okay with it first.
- Notice: Individuals should be clearly informed about what data is being collected and why before giving consent.
- Withdrawing Consent: People can take back their consent whenever they want. But some uses like voluntary data sharing, government services, medical emergencies, and employment don’t need consent.
Rights of Data Subjects
People whose data is being processed (data subjects) have several rights:
- Right to Information: They can know if their data is being processed.
- Right to Correction and Erasure: They can ask for corrections if their data is wrong and request deletion if the data isn’t needed anymore.
- Right to Grievance Redressal: If their data rights are violated, they can file complaints.
advertisement
Responsibilities of Data Handlers
Entities processing data (data controllers and processors) have certain duties:
Ensure the data is accurate and secure.
Delete data once it’s no longer needed.
If a data breach happens, tell the Data Protection Board of India and the people affected.
Data Breach Notification and Penalties
If a data breach happens, the Act requires data handlers to inform the Data Protection Board of India and the people affected. There are penalties for various lapses, like failing to protect children's data or not implementing proper security measures to prevent breaches. Fines can go up to Rs 250 crore.
Data Protection Board of India
The Act establishes the Data Protection Board of India to monitor compliance, manage data breach notifications, and address complaints. The central government will decide the board's composition and selection process. Board members will serve two-year terms with the possibility of reappointment, although the short term may impact their decisions.
Cross-Border Data Transfer
The Act allows personal data to be sent outside India, except to countries restricted by the central government. This raises questions about the level of protection for data sent abroad.
advertisement
Frequently Asked Questions
1. What is the Data Protection Law in India?
The Data Protection Law in India, called the Personal Data Protection Act, whose purpose is to protect people's personal information and make sure it's used properly by organizations.
2. What are the main rules of the Data Protection Law in India?
- Clear Purpose: Collect data only for specific and clear reasons.
- Limit Data: Only collect the data you need.
- Be Transparent: Tell people how their data will be used.
- Keep Data Safe: Protect personal data from being accessed or changed without permission.
3. What rights do individuals have under the Data Protection Law in India?
- Access: You can ask if your data is being used and see what data is collected.
- Correction: You can ask to correct wrong or incomplete data.
- Deletion: You can ask to delete data that's no longer needed.
- Portability: You can get your data in a readable format and transfer it to another organization.
4. What must organizations do under the Data Protection Law in India?
- Get Consent: Ask for permission before using personal data.
- Ensure Security: Use measures to protect personal data.
- Assess Risks: Check how data processing might affect people.
- Report Breaches: Inform authorities and affected people if data is leaked.
advertisement
References
- The Information Technology Act , 2000
- Committee of Experts on Data Protection Report, 2018
- The Digital Personal Data Protection Act, 2023
Written by Saanvi Arora
As a second-year law student at IIM Rohtak, Saanvi Arora is deeply passionate about exploring the nexus of law, public policy and society. With keen interests in areas like ADR, Data Protection Law, Company Law and Public International Law, she is a curious and dedicated to understanding how legal principles impact everyday life.
advertisement
Further Reading
advertisement