Why in News?
NITI Aayog, the top think tank of the government, had opposed some of the provisions of the Digital Personal Data Protection Act 2023. The Aayog particularly raised concerns regarding the changes proposed to the Right to Information (RTI) Act 2005.
What’s in Today’s Article?
- What is the Digital Personal Data Protection Act (DPDPA) 2023?
- Key Features of the DPDPA
- Concerns Regarding DPDPA Raised by the NITI Aayog
What is the Digital Personal Data Protection Act (DPDPA) 2023?
- It is a comprehensive privacy and data protection law that provides guidelines on processing, storing and securing personal data.
- It recognises the right of individuals, referred to as data principals, to protect their personal data during the processing of that data for lawful purposes.
- The law culminates a seven-year journey that began when the Supreme Court of India (SC), in the K.S. Puttaswamy case, ruled the right to privacy was protected under the Constitution of India in 2017.
- The DPDPA includes provisions regarding consent, legitimate uses, breaches, data fiduciary and processor responsibilities, and individuals' rights over their data.
- The law doesn't apply to paper data unless it's digitised or data collected for personal, artistic and journalistic use.
- Fines for non-compliance range from Rs 10,000 for individuals to Rs 2.5 billion for organisations.
- The law is yet to be operationalised, with necessary rules for its implementation still pending.
Key Features of the DPDPA:
- Applicability:
- It applies to all types of data linked to an individual, including name, addresses, ID numbers and behavioural information such as location, web history and preferences.
- But it doesn't apply to data made publicly available by an individual or third parties.
- This means information that an individual has consented to share is considered protected, but not data indexed by search engines or social media sites.
- Defines data processing:
- It includes how the data is collected, recorded, structured, stored, shared or automatically acted on.
- This data can be processed in India or other countries unless specifically barred and applies to all companies that offer goods or services within India, regardless where their headquarters is located.
- Defines responsibilities of specific entities:
- Data fiduciaries are businesses and other organisations that interact with individuals to collect, amend and delete data as requested.
- They need to specify why data is required, how long it's retained and how it can be used.
- Significant data fiduciary (SDF): Companies that process large amounts of data may be designated as a SDF and need to
- Appoint an Indian data protection officer,
- Conduct third-party audits and
- Perform data protection impact assessments.
- Data processors are third-party businesses that process data on behalf of fiduciaries. They can include cloud providers or services in relation to KYC, fraud detection and credit ratings.
Concerns Regarding DPDPA Raised by the NITI Aayog:
- The DPDP Bill proposed an amendment to a section [Section 8(1)(j)] in the RTI Act with such effect that disclosure of personal information about public officials would not be allowed even when these are justified in larger public interest.
- The NITI Aayog (then in the inter-ministerial consultations) suggested the Ministry of Electronics and Information Technology (MeitY) to not pass the proposed law in its current form as it could weaken the RTI Act.
- The provision to amend the RTI Act was also criticised by the Opposition parties and civil society activists during the consultation period and when the Bill came up for discussion in Parliament.
- However, the MeitY kept the proposed changes to the RTI Act unchanged despite the reservations of NITI Aayog.
- The government was of the view that the right to privacy is a fundamental right under the Constitution of India, and should be made available to officers in government institutions as well.