The DPDP Act : India’s new weapon in digital regulation

The Digital Personal Data Protection Act’s (DPDP) first draft has been released by the Ministry of Electronics and Information Technology (MEITY) in the Indian Gazette. The Ministry is seeking feedback/comments from the public and various stakeholders. This is the first time that India is bringing a law strictly regulating the processing of digital personal data of its citizens. India is not the first country bringing such a legislation, infact the DPDP act is drafted along the lines of EU and UK’s General Data Protection Regulation (GDPR). A lot of the features of DPDP act has also been influenced by the American digital regulations like the American Privacy Rights Act (APRA) or The American Data Privacy and Protection Act (ADPPA), etc.

Salient Features of the DPDP Act - 

-       Data Protection Board (DPB)

The Data Protection Board (DPB) will be constituted under the DPDP act to oversee the task of data protection. The DPB will operate with the power of a civil court which will allow the board to investigate, adjudicate and penalise in matters relating to the breach of the act. The board can impose penalties which can reach upto Rs. 250 Crores per violation. The board can also ask companies to amend practices if it feels the need to do so and the board also holds the power to issue tailored directives or rules to companies. The DPB as stated above can investigate and adjudicated matters such as data breach, mishandling of data, etc.

-       Transfer of data abroad

In the domain of the Cross Border Data Transfer, the Indian law is using a blacklisting approach, whereby data transfer can be done if not specifically barred by law. Another salient feature of this law is that it allows sector specific regulation in transfer of data abroad. For Instance, RBI has asked all payment operators in India to store its information in data centres located in India itself. Furthermore, data processors are required to implement security measures to prevent data breaches, and it requires valid contracts between data processors and data fiduciaries. Lastly, the act has extra-territorial application i.e. it is applicable to foreign companies who are dealing with Indians and involves data transfers.

-       Minor’s data processing 

This law restricts companies from processing of data which belongs to minors I.e of below age 18. This law also compels the apps to ensure the correct age of the user. The draft law also states that minors will now need parental consent to create social media accounts. The law state that “A data fiduciary shall adopt appropriate technical and organization measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence”. The rules explicitly state two methods to verify the age of the user. The law also specifically mentions that companies cannot track or conduct behavioural monitoring and data processing on data of a minor. This of course has some exceptions to apps operated by mental health authorities or fitness apps, etc.

-       Terms and Conditions of the apps 

The act mandates that consent to the terms and conditions of the said app or service has to be taken in either English or any one of the 22 scheduled languages whose choice depends on the user. The companies cannot only restrict to English or Hindi when asking for consent of the users. The law also makes sure that the privacy notice given by the companies is clear and understandable. If in case the consent is revoked anytime by the user, the company shall delete the existing data of the user.

-       Why social media companies are worrying 

This act has become a major point of stress to the social media cos in India. The biggest area of concern is that the new act prohibits undoing variable tracking, verifiable parental consent and targeted advertisement. Section 9 of the DPDP act disallows behavioural tracking of children which the companies say will have an impact on the effectiveness of their safety features. However, the Act does give government the ability to either exempt certain data fiduciaries or to exempt certain types of data processes from undoing behavioural tracking and this has made companies hopeful. 

Conclusion –

Some argue that the act relies on an incomplete foundation or will restrict the big tech from expanding in India. One major criticism of the draft has been that the legislation is not specific enough and would require new rules and amendments time to time. Be that as it may, the introduction of such an act is significant to India’s evolving digital population and is an important step towards boosting the country’s digital economy.

Read act : https://egazette.gov.in/WriteReadData/2023/247847.pdf