India will see a massive shift in its approach to privacy and data protection thanks to the introduction of the Digital Personal Data Protection Act 2023. This new law holds significant implications for businesses dealing with substantial amounts of personal data, particularly the tech world giants such as Google, Meta (the parent company of WhatsApp and Instagram), and similar players.
These companies will be handed additional responsibilities, such as appointing a data protection officer, enlisting an independent data auditor, conducting data security assessments, and adhering to other regulations. All these changes aim to bolster online data security, a critical move given recent data breaches and misuse.
A pivotal element of this Act is its emphasis on safeguarding the personal information of children and young adults, who constitute a significant portion of customers for major tech firms in India. The Act stipulates that these companies must obtain consent from parents or legal guardians before utilizing the personal information of individuals under 18. It also curbs the use of data in ways that could be detrimental to children. Flexibility is built in, allowing the government to permit data processing for younger children if it’s deemed safe. This measure ensures more careful handling of user data from major tech products.
The Digital Personal Data Protection Act 2023 is set to trigger a profound shift in India’s privacy and data protection compliance landscape. A vital aspect of this legislation revolves around strengthening obligations for enterprises processing substantial volumes of personal data, likely to be categorized as ‘significant data fiduciaries.’”
Major tech conglomerates will likely fall within this category and shoulder augmented responsibilities. Among these new duties is the requirement to designate a resident data protection officer. Moreover, they must appoint an independent data auditor, conduct data protection impact assessments, and adhere to other measures stipulated by the upcoming legislation.
The Digital Personal Data Protection Bill 2023 has successfully passed through India’s parliament and gained the final approval of the President of India. Its implementation involves consultations with data fiduciaries to ensure a cautious yet swift rollout. This landmark legislation follows six years after the Supreme Court’s recognition of privacy as a fundamental right.
Under the new law, companies referred to as ‘data fiduciaries’ are mandated to establish safeguards for digital data collected from individuals. Companies must designate a Data Protection Officer to provide users with real-time grievance resolution. Users will also be granted control over their personal information. Failures to meet data security or disclosure requirements could lead to fines of varying degrees, with the possibility of cumulative penalties for repeated violations.
The Act introduces the concept of ‘consent managers’, offering users a centralized interface for managing their consent. These managers are required to register with the Data Protection Board, maintain an accountable relationship with users, and have the power to file complaints on their behalf.
Highlighted rights and responsibilities outlined in the Act encompass access to information about data processing, rectification and erasure of personal data, mechanisms for addressing complaints, and the option to appoint a representative to exercise rights in exceptional cases. Conversely, users are obligated not to submit frivolous complaints or provide false information, with potential penalties for non-compliance.
