Understanding Data Privacy Laws in India

Data security and privacy are essential because a great deal of personal information is sent and transferred from one site to the next. The legal environment for data privacy in India is still evolving, and its central focus is the privacy of the individual in cyberspace. This blog post covers Indian data protection law and the legal frameworks derived from the Information Technology Act, 2000 (IT Act) and the Digital Personal Data Protection Bill, 2023.

The Information Technology Act, 2000: Foundational Data Privacy Provisions

India’s first major legislation addressing data privacy (particularly with regard to cybercrime, electronic commerce and data security) was the Information Technology Act, 2000. It laid the foundation for more vigorous data protection laws in the country.

Section 43A - Protection of Sensitive Personal Data

Section 43A of the IT Act is one of the major provisions. It mandates that companies and organizations handling sensitive personal data adopt reasonable security practices to avoid data breaches. It holds organizations responsible if they fail to secure data and thereby breach their users' privacy. This applies to all data fiduciaries engaged in processing sensitive personal data or information (SPDI).

  • For example: In 2017 the hospital market was disrupted when a Fortis Healthcare unit had a data breach due to a failure to properly protect patient information, which falls under Section 43A of the IT Act. The court found Fortis liable for not taking proper security measures, which resulted in large-scale exposure of sensitive health information.

Section 72A - Disclosure of Personal Information as an Offence and Punishment

Section 72A of the IT Act, 2000 deals with unauthorized disclosure of personal data or information. If any person or corporate body discloses such information without the individual's consent, that person will be imprisoned for up to 3 years or face a fine of up to ₹5 lakh, or both.

The requirement of consent to disclose personal information protects the privacy of individuals and ensures that sensitive information is not disclosed without consent.

  • For example: Under this section, an employee of a tech company can face penalties if they disclose a user's data to a third party without authorization.

The Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP) presents even better personal data protection mechanisms compared to GDPR. With India aligning with global standards (like GDPR, the General Data Protection Regulation) for safeguarding personal data, the DPDP Act will serve as a big leap for securing personal data.

Section 7: Consent Based Data Processing

Section 7 of the DPDP Act is a fundamental provision because it mandates that data fiduciaries seek the explicit consent of the individuals to whom personal data relates before processing that data. Consent has to be free, informed, specific and unambiguous.

Similarly, individuals need a simple way to withdraw their consent at any time.

  • For example: When registering for an online service, the individual must be presented with a privacy notice that clearly sets out how the individual's data is going to be used; only after the data is processed are they asked for their consent.

Section 12: Rights of Data Principals

Individuals, referred to as data principals, are given several rights over their personal data under Section 12 of the DPDP Act, 2023. These include the right to access, correct and erase their personal data, amongst other rights.

People must be given control over their data, with a right to request deletion if they no longer want their data to be processed.

  • For example: Section 12 allows a consumer to request that their account and personal data be deleted from an e-commerce platform. Unless the data is needed for legal reasons, the platform must comply.

Section 18: Data Localization

Specific types of sensitive personal data are required to be stored and processed within India under Section 18 of the DPDP Act, 2023. The goal is to prevent the data of Indians residing in India from being governed by the laws of another country.

  • For example: Companies such as Facebook and Google, which are active in India, will have to keep some categories of personal data in local data centres to comply with this provision.

This is to prevent foreign governments from accessing Indian citizens' data without proper legal oversight.

Section 24: Penalties for Non-compliance 

The DPDP Act, 2023 introduces severe penalties for any breach of its provisions. Violations pertaining to personal data protection can attract fines of up to ₹500 crore under Section 24. Fines will be imposed on data fiduciaries that protect data inadequately, do not obtain appropriate consent, or use data for purposes other than those initially agreed upon.

Data Privacy Compliance and Enforcement in India

The data protection framework will be enforced by the Data Protection Authority of India (DPAI), which is envisaged in the DPDP Act. It will also investigate data breaches, mediate between data subjects and data fiduciaries on behalf of data subjects, and enforce compliance with the rules.

Penalties for Non-Compliance

Penalties for violations of its provisions may be quite severe under the DPDP Act. For instance, organizations that do not let individuals know about a data breach or misuse of personal data could be fined up to ₹500 crore. The penalties vary depending on what kind of infraction has been committed. Besides financial penalties, organizations are sometimes required to implement corrective actions such as strengthening data security measures or carrying out mandatory audits.

Summary

India's protective measures for data privacy and protection have come a long way since the foundations laid in the Information Technology Act, 2000, leading in 2023 to the comprehensive framework of the Digital Personal Data Protection Bill. These laws target the prohibition of data processing without informed consent, personal data localization, rights with regard to personal data, and severe penalties in the event of non-compliance.

In aggregate, these legal instruments attempt to provide the necessary protection of data privacy, raise awareness and establish standards of accountability, including for the use of personal information on the internet and social media. Together with data localization and enforcement mechanisms, they offer a well-rounded avenue for the daily protection of the individual’s privacy.

Data Privacy Laws in India: FAQs

Q1. What is the Digital Personal Data Protection Act?

The Digital Personal Data Protection Act, 2023 aims to protect the personal data of individuals by preventing the processing of sensitive personal data, including health factors, Aadhaar number, and religious and other sensitive matters, without explicit consent or parental consent, whichever is applicable. It contains provisions for consent-based data processing, data localization, and the rights of individuals over their personal data.

Q2. How does Section 43A of the IT Act secure data privacy?

Section 43A requires organizations to put in place reasonable security practices to protect sensitive personal data. If they don't do this and a breach occurs, they are ultimately liable for the invasion of privacy.

Q3. What are the penalties for violating Indian data privacy laws?

Failure to comply can attract a penalty of up to ₹500 crore and above depending on the violation. In addition, organizations may need to take corrective action.

Q4. Does the IT Act deal with unauthorized disclosure of personal data?

Section 72A of the IT Act provides for criminal action (and a penalty) for the unauthorized disclosure of personal data.

Q5. In the DPDP Act, what is data localization?

Certain types of sensitive personal data must be stored and processed within India under data localization laws, such that it is protected by Indian laws.

Contact

support@thelegalschool.in

+91 6306521711

+91 9302549193

Address

5th Floor, D-7, Sector 3, Noida - Uttar Pradesh

Social

linkedin

© The Legal School