Navigating the uncharted waters of the Digital Protection Act 2023: Overcoming unsolicited challenges in the digital realm

The article provides a concise overview of the merits and shortcomings of the Digital Personal Data Protection Act, 2023.
Kislay Pandey

The Digital Personal Data Protection Act, 2023 (DPDP 2023) delineates stringent measures to enforce accountability among data fiduciaries in handling sensitive information. In an era where personal data has emerged as one of the most prized assets, compliance with these regulations becomes paramount.

Under Chapter II, Clause 8 of the Act, the obligations placed upon data fiduciaries are substantial, namely:

● A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.

● In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of such breach in such form and manner as may be prescribed.

Data fiduciaries may face consequential penalties, reaching a maximum of ₹ 250 crores, in the event of a failure to uphold their duty to implement reasonable security measures to prevent personal data breaches.

Furthermore, a failure to promptly notify the board or the affected data principal in the event of a personal data breach constitutes a breach of its obligation. Non-adherence to this requirement may result in a substantial penalty of ₹ 200 crores.

Chapter II, Clause 9 emphasises the significance of guardian consent and judicious handling of children's data. It stipulates the necessity of obtaining verifiable consent from a child's parent or legal guardian before processing their personal data. The clause, moreover, unequivocally prohibits any data processing that might adversely affect a child's well-being, imposing restrictions on tracking, behavioural monitoring, and children-targeted advertising.

Contravention of these obligations concerning children's data constitutes a breach, potentially leading to a substantial penalty of ₹ 200 crores.

On the other hand, Chapter III of DPDP 2023 confers upon data principals an array of rights and their corresponding responsibilities. These rights encompass the ability to access information regarding personal data and the right to correction, completion, updating, and erasure of personal data. The Act further accords the right to designate a representative who will advocate for their rights in the event of the data principal's demise or incapacity, as outlined in the Act and its accompanying rules.

Of particular note is the provision for grievance redressal, affording individuals a legal avenue to hold data fiduciaries accountable.

However, in contrast to the penalties imposed on data fiduciaries for non-compliance, the Data Protection Board's authority to levy fines on data principals (for violations of duties not to file frivolous complaints or impersonate others) is limited to a modest sum of up to ₹ 10,000.

This duality poses a significant concern, as it introduces the possibility of groundless complaints. A successful complaint can yield a substantial ₹ 200 crore award, while an unsuccessful one carries a comparatively nominal penalty of ₹ 10,000. This dynamic could lead to an influx of speculative claims and an environment of undue frustration.

There may be merit in revisiting the penalty structure, aligning it with the sum initially sought by the complainant to ensure the integrity of the complaint forum.

One notable absence in the Act is the 'right to be forgotten', a provision in comparable digital data protection legislations like the GDPR. This right empowers individuals to exert control over the online dissemination of their personal data. The omission is particularly striking in light of the Delhi High Court's precedent-setting decision in Zulfiqar Ahmad Khan v. Quintillion Business Media Pvt. Ltd., where the Court recognised and upheld an individual's 'right to be forgotten'.

The plaintiff sought a permanent injunction against the defendants, who had published two articles containing harassment allegations under the #MeToo campaign. While the defendants agreed to remove the articles, they were subsequently republished by other platforms. The Court recognised the plaintiff's right to privacy, encompassing both the 'right to be forgotten' and the 'right to be left alone', and directed a halt on any re-publication or dissemination of the original articles or any derivative thereof across print or digital platforms for the duration of the ongoing suit.

Relatedly, the Srikrishna Committee's 2018 report underscored the pivotal role of robust data principal rights within the framework of data protection legislation. These rights, founded on principles of autonomy, transparency, and accountability, form a cornerstone, granting individuals precise control over their personal data. Omitting this vital right undermines the efficacy of this new Act.

Finally, it's imperative to note the exemption granted to the Central government and its agencies under DPDP 2023, invoking national security considerations and maintaining law and order. This exemption absolves State agencies from the obligation to delete personal data post-use, overriding individual consent when the State processes personal data for benefits, services, licenses, permits, or certificates. It expands the boundaries of purpose limitation in matters pertaining to the State, sparking concerns about unfettered government surveillance of citizens.

About the author: Dr Kislay Pandey is a Solicitor at the Supreme Court of India.

Bar and Bench - Indian Legal news
www.barandbench.com