top of page
Writer's pictureAmicusX

Empowering Privacy: A deep dive into India's Data Protection and Privacy Act

  1. INTRODUCTION

In today's digital age, where personal data has become the currency of the virtual realm, safeguarding individuals' privacy has emerged as a paramount concern. The advent of the Digital Personal Data Protection Act of 2023[1] is a hugely significant development. This bill, the nation's first cross-sectoral law of its kind, represents a turning point in the field of safeguarding personal data after a difficult and protracted five-year journey. According to the proverb, "knowledge is power," and in the era of digitalization, power is represented by data. The extensive collection, usage, and processing of personal data by companies and other groups has given rise to current ethical, legal, and societal issues.

The Digital Personal Data Protection Act of 2023 seeks to ease these concerns by establishing comprehensive rules and regulations governing the handling of personal data. The function of intermediaries, including social networking sites, online merchants, and data brokers, has come under closer examination in light of these statutory developments. These intermediaries act as conduits for the flow of personal data between individuals and third-party entities. Consequently, they play a pivotal role in determining the extent to which individuals' privacy rights are respected and upheld. Intermediaries functioning within the digital ecosystem bear the appropriate weight of the adage, "With great power comes great responsibility." Intermediaries control people's online experiences and digital footprints since they are the guardians of enormous volumes of personal data. To preserve users' rights to privacy and data protection, this authority must be balanced with a commensurate feeling of responsibility. The crux of this investigation is the need to achieve a careful balance between people's inalienable right to protect their personal information and the need to use such information for legal purposes. The preamble of the Act articulates this pivotal balance, invoking a metaphorical tightrope walk where each step must be measured with precision to avert the perils of overreach or negligence.


II. INTERMEDIARIES AS CONSENT MANAGERS: SAFEGUARDING PRIVACY IN THE DIGITAL ERA

Intermediaries, like lighthouses in a stormy sea, help us navigate our digital lives by making sure that data protection laws are followed. They act as a lighthouse, shedding light on the process of obtaining informed permission for the gathering, handling, and use of personal data. With unwavering determination, they navigate the murky waters of privacy issues, and this distinction emphasizes their position as guardians of our digital rights. According to Section 2(g) of the Digital Personal Data Protection Act, 2023[2], intermediaries are defined as consent managers, navigating the turbulent waters of the online world with unwavering determination.[3]

With their diverse functions, such as enabling smooth data flow between users and online services, including file transfers, emailing, and instant messaging, intermediaries protect internet communication channels by guaranteeing the secure movement of data while following stringent security and privacy rules. Subsequently, intermediaries function as hosts for digital platforms, applications, and websites, managing the infrastructure that permits online data storage and access. They guarantee the availability and security of hosted data by taking strong security precautions to defend against unwanted access and data breaches. Ultimately, intermediaries are essential to the dissemination of digital content, including web pages, multimedia files, and streaming services. They optimize this process. Intermediaries make it easier for people all over the globe to access online resources by using content delivery networks (CDNs) to reduce latency and improve the user experience. This improves the global digital environment.

Furthermore, intermediaries are crucial parts of the internet ecosystem that support efficient communication, creativity, and privacy protection. Through the provision of infrastructure and essential services for social networking, online collaboration, and information sharing, they provide smooth communication and collaboration between individuals, businesses, and organizations globally. Intermediaries also foster innovation and economic growth by offering platforms and resources to facilitate commercial endeavours and the development of digital goods and services. Most significantly, intermediaries safeguard individuals' rights to privacy in an increasingly interconnected digital environment by acting as consent managers and ensuring that explicit agreement is obtained prior to processing personal data.


III. EVOLUTION OF INDIA'S DATA PROTECTION LAWS: FROM CONCEPTION TO IMPLEMENTATION

As the ancient adage suggests, "Rome wasn't built in a day," and indeed, the gestation period of this legislation reflects the meticulous craftsmanship and deliberation undertaken to forge a robust legal framework. The journey through legislation that resulted in the Digital Personal Data Protection (DPDP) Act being passed in 2023 is a maze of drafts, turns, and crucial points that represent the effort to strike a compromise between the right to privacy and the need for regulation. It all started with the landmark 2017 ruling in Justice K.S. Puttaswamy and Anr. v. Union of India and Ors.[4] by the Indian Supreme Court, which upheld the right to privacy as an essential component of the basic right to life. This landmark ruling served as a catalyst for subsequent legislative endeavours.

The saga unfolds with the unveiling of the initial data protection blueprint crafted by a committee of experts in 2018,[5]eliciting public feedback and laying the groundwork for subsequent iterations. This prelude segues into the government's maiden foray with the Personal Data Protection Bill, 2019, tabled in Parliament.[6] But concerns about its overbroad reach and regulatory omnipotence led to its ultimate retraction.[7] Undaunted, the legislative process continued in November 2022 with the introduction of a new bill known as the Digital Personal Data Protection Bill, 2022.[8] This draft represented a paradigm shift in approach, departing from previous drafts and striking a balance between the strictures of regulations and real-world needs.

The bill, a confluence of contemporary norms and regulatory aspirations, drew inspiration from the recommendations of the Srikrishna Committee, chaired by Justice B.N. Srikrishna, and international benchmarks such as the European Union's General Data Protection Regulation (GDPR).[9] While lauding the preventive ethos of the 2019 bill, concerns over its all-encompassing scope necessitated recalibration. The DPDP Act, rooted in the November 2022 draft, epitomizes this recalibration, harmonizing robust protections with operational realities.

Notable clauses include the classification of personal data types and enhanced security measures for critical data, which are similar to growing fragile orchids in a hothouse. The Act also requires large data fiduciaries to implement compliance procedures, and it imposes harsh penalties for non-compliance, which works as a deterrent against infractions similar to sentinels defending a castle. Moreover, the Act incorporates subtle exclusions for certain institutions, skilfully striking a balance between regulatory requirements and pressing concerns like public health and national security—a recognition of the complex fabric of government. India's dedication to developing a strong data protection ecosystem is reflected in this legislative tapestry, which is weaved with strands of regulatory foresight and jurisprudential insight.[10]


Striking the Right Tone in Data Protection Regulation

The evolution of the 2018 draft into the present 2022 law reflects introspection and progress, indicating a move toward a stronger focus on privacy and flexibility. The present law's limited jurisdiction for the Digital Protection Board (DPB) contrasts sharply with the ambitious objectives of the 2018 bill for a strong regulatory agency similar to the Data Protection jurisdiction (DPA). The latter takes a more balanced approach, restricting the DPB's authority to handling violations and sanctioning non-compliance, as opposed to the former, which envisioned a vast regulatory environment affecting every industry. This shift represents a maturing of the legislative approach, moving away from a manual, inflexible paradigm and toward a more flexible, agile one. However, the ongoing conflict between the demands of privacy and the interests of the state is highlighted by the continual exemptions for government operations and discretionary authorities. With its foundation in the creative November 2022 draft, the DPDP Act ushers in a new era of data protection legislation and lays the groundwork for future research.[11]


IV. ESSENTIAL HIGHLIGHTS OF THE DPDP ACT, 2023

In India, the Data Personal Data Protection Act (DPDP) acts as a sentinel protecting the privacy of personal information by sweepingly encompassing people's digital traces. Its interpretation of what constitutes "personal data" is as broad as the horizon, taking into account any information that may be used to determine someone's identity. Additionally, the DPDP extends its vigilant gaze beyond the borders of India, embracing digital personal data wherever it may roam, as long as it dances in the realm of offering goods or services to the denizens of India. Nevertheless, within this broad jurisdiction, the DPDP recognizes areas of exemption, recognizing the domain of private or home-based activities that are not subject to government oversight. Moreover, it gives a bow of acknowledgment to the public plaza, where private information voluntarily enters the spotlight or is shown there by a court order. For the purpose of protecting personal data under India's jurisdiction, the DPDPA expands its protective scope to include enterprises and residents who are both international and Indian. It's a symphony of regulation, harmonizing the global with the local, ensuring that even amidst the digital cacophony, the melody of privacy remains sweetly preserved.

The 2023 legislation allows processing of personal data for legitimate reasons, provided that the subject provides consent or the data is used for activities that are designated as "legitimate uses." With explicit rules on data collection and consumer rights, consent must be freely provided, informed, and intended for a specified use. Government services, security, statutory requirements, emergency situations, and public health issues are examples of legitimate usage. Through the act, ethical and open practices are encouraged while striking a balance between the right to privacy and the need for data processing.


Privacy, Compliance, Security and Data Localization Legislation

The DPDP Act lays forth a person's obligations and rights, including a range of benefits and obligations. These include the right to a succinct overview of all collected data as well as the revelation of the identities of all other data fiduciaries and processors engaged in data sharing, including a detailed description of the shared data. People are entitled to make any required corrections, additions, updates, and deletions to their data. They also retain the ability to file complaints and the authority to choose representatives to receive data.For organizations that handle digital personal data, or "data fiduciaries," the DPDP Act lays out strict requirements. The aforementioned responsibilities encompass the implementation of strong security protocols, upholding the precision and entirety of information, expeditiously notifying the Data Protection Board of India of any compromised data, and expunging data upon consent withdrawal or purpose completion.[12] Apart from this, in order to handle the data of children, data fiduciaries need to get consent from parents or guardians, designate a data protection officer, and set up complaints and enforcement procedures. Though it grants extensive exclusions from these requirements without providing explicit rules, the legislation forbids any data processing that is likely to cause harm to minors. Interestingly, significant data fiduciaries (SDFs), who are selected based on certain standards, are also accountable for hiring a data protection officer headquartered in India and carrying out audits and impact assessments. However, in comparison to the 2019 law, the 2023 legislation has less regulatory control due to the elimination of the SDF registration requirement and fewer comprehensive rules.

To protect individual privacy, the DPDP Act of 2023 establishes the crucial concepts of notice and permission. This law highlights the significance of getting people's consent in a free, informed, and explicit manner before processing their data. Also, people are free to change their minds at any moment, and it won't impact the validity of previously consented data processing. The Act also requires that people be given unambiguous notices explaining what data is being collected, why it is being collected, and how they can exercise their rights.[13] Additionally, it guarantees linguistic diversity by permitting notice and consent forms to be completed in any of the Constitution's official languages. In addition, the Act presents the idea of "legitimate uses," which allows data processing without express agreement in specific situations like emergencies or legal requirements.

In a shift from the 2019 bill, the 2023 law regarding data localization takes a different approach. The new law states that the government may prohibit data transfers to specified nations by notice, whereas the old act placed limitations on particular data flows. While not mentioned directly, it seems that the ability to limit data transfers is intended to give legal authorization for national security objectives. Furthermore, the legislation guarantees that actions taken by industry-specific organizations, such as the localization standards set by the Reserve Bank of India, will continue to be lawful and unaffected by these modifications.


V. THE REGULATORY DYNAMICS OF INDIA'S DPDP ACT IN 2023

The intended regulatory system described in the 2019 draft is significantly altered by the 2023 law. The 2023 law creates the DPB, a significant change in institutional architecture from the independent regulatory body that the previous legislation had in mind. The DPB does not have the same regulatory role as the proposed DPA, as did its predecessor. Instead, the main scope of its duty is restricted to supervising the avoidance of data breaches, implementing corrective measures, carrying out investigations, and levying fines for noncompliance.[14] The government appoints members of the DPB, and regulations governing their terms and conditions of service provide stability during their term. The Telecom Disputes Settlement and Appellate Tribunal is the court of appeal for judgments made by the DPB, which is authorized by law to impose severe financial penalties of up to 250 crore rupees. To further give flexibility to the enforcement procedure, data fiduciaries may choose to accept voluntary undertakings in exchange for complaints.[15]

A noteworthy addition to the legislation from 2023 is Section 37, a new provision that gives the government the authority to prevent the public from accessing information that would otherwise allow a data fiduciary to offer products or services in India. The DPB's repeated fines and a blocking recommendation are prerequisites for this action. Most importantly, prior to the implementation of such policies, impacted data fiduciaries are given the chance to make their case. This clause balances due process rights with enforcement in a thoughtful approach to regulatory supervision.


VI. HOW EFFECTIVELY DOES THE DPDP ACT OF 2023 SAFEGUARD PRIVACY IN INDIA?

In the rapidly developing digital world, where data is exchanged like commodities in a busy marketplace, the DPDP Act of 2023 appears as a rock-solid defender, acting as a sentinel to protect India's right to privacy.  With the passage of the 2023 legislation, India will have its first data privacy law, which is a landmark development for the country's legal system. This all-encompassing structure requires the sacred precept of consent before any personal data is processed, together with a carefully chosen list of exclusions outlined in the law. Giving customers a plethora of rights—such as the ability to view, correct, update, and delete their data—as well as the novel right of nomination, it fortifies the security measures designed with the processing of children's data in mind.

Simultaneously, the legislation places strict requirements on companies, including restrictions on their use, notice requirements for the gathering and use of personal data, and strong security measures. Additionally, it mandates that businesses set up grievance redress channels, overseen by the powerful Data Protection Board (DPB), which has the power to impose fines for noncompliance.[16]

However, against the backdrop of development, there is a lurking fear, centered mainly on a few clauses that might undermine the ostensible safeguards contained within. Of particular note are exceptions that allow the state to intervene, giving the government undue authority and precedence over private companies. These measures, although seemingly justified in emergency situations, run the risk of extending the reach of state action beyond reasonable bounds and might ultimately result in the unfettered collection of personal information by government entities.[17]

Furthermore, worries about the deterioration of the law's protective fabric are raised by the discretionary rule-making powers of Section 17(5). The lack of a clear deadline or instructions about the use of certain exemptions creates uncertainty and increases concerns about potential abuse or evasion of the law's purpose. These concerns are further exacerbated by the government's erroneous authority to exclude companies from some regulations regarding the processing of children's data, as outlined in Sections 9(1) through 9(3). Moreover, there are uncertainties over the membership's mission and composition due to the DPB's structural architecture, which generates additional issues. Concerns are raised about the board's effectiveness and impartiality in deciding noncompliance cases due to the lack of specified numbers and a regulation requiring only one legal expert. Therefore, even if the DPDP Act presents important data privacy protections for the first time, some of its provisions may outweigh its benefits if the government does not strictly enforce them.


VII. A COMPARATIVE STUDY OF DPDP AND GDPR: INSIGHTS INTO PRIVACY LEGISLATION

With effect from May 25, 2018, the General Data Protection Regulation (GDPR) is recognized as the most restrictive privacy and security regulation in the world.[18] It lays forth strict guidelines for preserving the privacy of persons living in the European Union (EU). Its provisions are noteworthy for having impacted the creation of the DPDP Act, India's data protection law. As such, the DPDP Act and GDPR have a number of noteworthy parallels.

An important similarity is the authorization of data processing in some situations, even in the absence of express permission. The DPDP Act refers to these situations as "legitimate use," which includes emergencies, employment objectives, and national security, even if GDPR allows such processing for contractual performance, legal compliance, and protection of vital interests. Similarly, while imposing some obligations on the data controller, the GDPR allows the data controller to process personal data without consent in certain circumstances.[19]Another similar provision is the consent of data principals. Both of the laws say that consent should be free, informed, and specific, and the reason to process personal data should be legitimate. It also requires that the consent obtained be in compliance with the law, and it is the duty of the data fiduciary to ensure this. Additionally, the DPDP Act goes a step further by introducing provisions for presenting consent requests in multiple languages, thereby enhancing accessibility and ensuring comprehension among diverse populations.

Without a doubt, the General Data Protection Regulation (GDPR) has influenced data privacy legislation throughout the world. India's Data Protection Bill (DPDP), which takes inspiration from GDPR while forging its own distinctive course, is no different. The government has made a noteworthy step with this law, which reflects a tailored approach to protecting personal data. A notable aspect of the DPDP is the idea of a "consent manager," as stated in the Act's Section 2(g). Acting as a single point of contact, this person is registered with the board. Through a platform that stresses accessibility, openness, and interoperability, their role is crucial in enabling data principals to grant, manage, evaluate, and withdraw consent. The accompanying rules will include more information about their responsibilities.[20]In terms of application, while GDPR applies to offline data as well, the Indian law applies only to online data. In terms of age of consent for children, GDPR has a range of age between 13 and 16, whereas DPDP treats everyone below 18 years of age as children, and ‘verifiable parental consent’ would be required for those below 18. This has also become a point of criticism, as everyone below 18 would require parental consent, despite the fact that the needs of children of different age groups vary. For example, a child of 10 years of age may prefer online games more while a child of 15 would prefer websites and apps for educational and career purposes, and hence they should not be treated as the same. Except for this, the rest of the provision, which is the processing of children’s data, is a good one because it prohibits data fiduciaries from undertaking tracking or behavioral monitoring of children, targeted advertising directed at children[21]or any such processing of personal data that is likely to cause any detrimental effect on the well-being of a child.[22]

Another key difference is between the legitimate uses that DPDP talks about and the legitimate interests that GDPR refers to. The lists of legitimate uses in DPDP are narrower than the legitimate interests for processing personal data in GDPR, which has a wider scope. The DPDP is more of a consent-centric law than the GDPR. When it comes to notice for taking consent, under DPDP, notice is required when it is the basis for processing the data, hence not applying to cases where legitimate use is involved. However, under GDPR, notice is required to be given for all kinds of data processing. Moreover, the contents of the notice are much wider under GDPR than the DPDP.

 
Cross Border Data Flow: Restrictions and Requirements

In cases of data breaches, DPDP requires that all kinds of data breaches be reported to both the impacted users and the Data Protection Board.[23] All other details regarding data breaches would be notified by the government through the rules. On the other hand, under GDPR, data breaches have to be reported to the supervisory authority if risks to the rights and freedoms of individuals are involved in the assessment of the controller. If such is not the case, then breaches need not be reported.

When it comes to the cross-border flow of data, DPDP by default places no restrictions. Hence, it allows the free and flexible transfer of data across the border. However, it also mentions the black list regime.[24] This means that the government can restrict the flow of data to another country by way of notification. GDPR, however, prescribes certain conditions for data flow outside the EU, namely that the other country offers an adequate level of data protection for personal data in the assessment of the European Commission. Hence, it follows a whitelist regime.

For the purpose of data retention, there is no such specific time period prescribed by either of them. The data retention period under both of these laws is until the purpose is served. However, while GDPR is a little flexible, DPDP is more prescriptive for deciding when the purpose would be said to be served.


VIII. NAVIGATING THE DPDP ACT: PROMISE, POTENTIAL, AND PITFALLS

The DPDP Act, 2023 came while legislation for protection of data and safeguarding the privacy of citizens was the need of the hour especially after the KS Puttaswamy judgement[25] of 2017 that recognised the Right to Privacy as a fundamental right and a part of Article 21[26] of the Indian Constitution i.e. Right to Life. However, even though it came after six years since Puttaswamy, it is not free from criticism as it has certain lacunae.

One of the major concerns is that some of the provisions are yet to be determined by the central government. This has created uncertainties and ambiguities. Moreover, it can also lead to arbitrary acts by the government as it is in the hands of the government to do so. Hence, the act can be called an incomplete one, the one that came late and that too is not complete. Another word to define the act is ‘unspecific’. Since the rules are yet to be notified by the government, there are still a lot of uncertainties due to the non-specific provisions that the DPDP Act contains. The phrase that is used in the Act is ‘as may be prescribed’. Furthermore, it gives unlimited power to the government to use the citizens data. Hence, the irony is that the act that is made to secure the right to privacy of citizens by protecting the digital data is also violating it by exempting the government entities accessing the information of the citizens on grounds like security of the state, maintaining public order, etc. This leads to the possibility of it being misused by such exemptentities. For example, it is not stated in the act for how long they can retain the unlimited data of the citizens. Hence, it can be the case that the purpose of the exempted entity is served, but still, it is holding the data of the citizens as there is no mention of the time period in the Act.

Another concern that is raised is with respect to Section 3(c)(ii) that says “not apply to— personal data that is made or caused to be made publicly available”.[27] Hence, the information that is shared on social media platforms by individuals can be used by companies without obtaining the owner’s consent. Hence, this part is left unregulated by the act. Questions are also raised about the independence of the Data Protection Board, as the act prescribes a short-term appointment of the members. Moreover, the transparency of the board will be questioned when there is a case of misuse of personal data by the government and the board has to investigate it because the members of the board will be appointed by the central government.[28]

The DPDP Bill also led to amendment in Section 8(1)(j)[29] of the Right to Information Act (RTI), 2005. The Data Act and RTI Act, as the last provision in Section 44 of the Data Act, says 

(3) In section 8 of the Right to Information Act, 2005, in sub-section (1), for clause (j), the following clause shall be substituted, namely: —, …and (j) the information which relates to personal information.[30]

The National Campaign for People’s Right to Information (NCPRI) raised concerns when the draft bill was out for public consultation and sent a detailed analysis to the Ministry of Electronics and Information Technology (MEITY). However, despite this, the amendment took place. The amendment simply signifies that now, even though it may involve public interest, in the garb of protecting personal data, no private information would be shared by the government agencies. This was also pointed out by MP Adhir Chowdhury in the parliament, as he said, “A new era of corruption will be introduced as personal data like assets and liabilities, education qualifications of corrupt officials, won’t be sought under the RTI Act.” Hence, this amendment may lead to the Right to Denial of Information instead of Right to Information[31] which will undoubtedly not be in the greater public interest.

In contrast to earlier versions of the bill, which required companies to state how long they will store data, whether they will share it with third parties, where the data was collected from, details on any cross-border transfer of the data, etc., the notice to be shown to users when obtaining consent is only required to state what personal data will be collected and for what purpose.[32] Furthermore, businesses are exempt from the requirement, imposed by earlier versions of the bill, to post privacy policies on their website. Additionally, there is no distinction between critical and sensitive personal data which was recommended by Justice B.N. Srikrishna and the Joint Parliamentary Committee and was included in the Personal Data Protection Bill, 2019.[33]

Despite these criticisms, being India’s first legislation on data protection, the act is a positive step towards it. However, the lack of clarity in a few provisions, certain unlimited powers given, exemptions, etc has faded its positive side. Moreover, it is doubtful if it is really about the protection of digital data privacy, as its name suggests, or if it is more about data processing, as its provisions suggest. Therefore, the government should deliberate on these concerns and come up with the required improvements to the act.

 

IX. CONCLUSION

Way back in 2006, the British mathematician Mr Clive Humpy was able to visualize the importance of data and said that ‘Data is the New Oil’[34] and this is true if we look at the current scenario all over the world. At the same time, it is also true that breaches of data privacy are very common, and data is being used and misused without the consent of individuals. In India, according to one estimate, the digital population reached close to 700 million active internet users with 467 million social media users, creating mammoth digital data. As a result, India has emerged as the second-largest internet market. These figures show how important it is to have a law that protects the personal data of the individuals in this digital age. Not just India, but many other countries, such as Singapore have data protection laws.

The Supreme Court recently stated, "The right to privacy is directly infringed when there is surveillance or spying done on an individual, either by the state or by any external agency," in reference to the "Pegasus" surveillance software. The ideals of "personal informational privacy" are violated by the extensive storage and gathering of people's personal data that is obtained without their consent. Every individual has Right to Privacy.  Hence, their privacy should be respected and their breach should not be ignored by law. The ‘consent’ of an individual whose data is being used by any other person or entity is very important. The DPDP Act is thus legislation in the right direction. However, protecting the Right to Privacy of an individual does not mean, that in protecting digital data privacy of individuals, the legislation circumvents the Right to Information of the citizens.

The act specifies the roles of data principals and data fiduciaries. It also mentions cross border data transfers, reports of breaches, penalties, data protection board, consent managers, parental consent in cases of children, etc. Hence, the act addresses some of the major concerns related to digital personal data. It creates responsibilities for the companies that handle the data of individuals and makes them accountable for the same. This act will help to prevent unauthorised data use and will remedy any breach.

The government is yet to notify the rules that are not mentioned in the act and it would be interesting to see if the government carefully formulates the rules, doesn’t miss on anything and improves its earlier mistakes. Overall, it is a welcoming provision that safeguards the data privacy of individuals.

 

Footnotes

[1] Digital Personal Data Protection Act, 2023, Act No. 22 of 2023, Gazette of India, August 11, 2023, https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf.

[2]Digital Personal Data Protection Act, 2023, § 2(g), No. 22, Acts of Parliament, 2023(India).

[3] Anirudh Burman, "The Withdrawal  of the Proposed Data Protection Law Is a Pragmatic Move," CARNEGIE INDIA (August 22, 2022), https://carnegieindia.org/2022/08/22/withdrawal-of-proposed-data-protection-law-is-pragmatic-move-pub-87710.

[4] K.S. Puttaswamy and Another v. Union of India and Others, (2017 ) SCC 1.

[5]Personal Data Protection Bill, 2018, accessed June 6, 2024, http://164.100.47.4/BillsTexts/LSBillTexts/As introduced/373/2019/LS/Eng.pdf.

[6]Personal Data Protection Bill, 2019, Bill No. 373 of 2019, accessed June 6, 2024, http://164.100.47.4/BillsTexts/LSBillTexts/As introduced/373/2019/LS/Eng.pdf.

[7]Report of the Joint Committee on the Personal Data Protection Bill, 2019," 17th Lok Sabha Secretariat, December 16, 2021, https://eparlib.nic.in/bitstream/123456789/835465/1/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf.

[8]The Digital Personal Data Protection Bill, 2022, Ministry of Electronics & Information Technology, Government of India, accessed June 9, 2024, https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf.  

[9]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the European Union, May 4, 2016, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.

[10] Geeks for Geeks, Digital Personal Data Protection Bill 2023, Geeks for Geeks (May 2023), available at https://www.geeksforgeeks.org/digital-personal-data-protection-bill-2023/.

[11] NISHITH.TV, Digital Personal Data Protection Bill, 2022: Analysis and Potential Impact on Businesses, NISHITH.TV (Nov. 24, 2022).

[12] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (Ministry of Electronics & Information Technology, Government of India, July 27, 2018), available at, https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report-comp.pdf.

[13] Regulation (EU) 2016/679, 2016 O.J. (L 119) 1.

[15]Taylor Wessing, Rewriting India's Decades-Old Technology Laws in 2023, Global Data Hub (May 2023), https://www.taylorwessing.com/en/global-data-hub/2023/may---international-update-2023/rewriting-indias-decades-old-technology-laws-in-2023.

[16]Oumyarendra Barik, "For better compliance, tech transfer, Govt to ease data localisation norms," Indian Express, August 14, 2022, https://indianexpress.com/article/india/for-better-compliance-tech-transfer-govt-to-ease-data-localisation-norms-8088627/.

[17]Suyash Rai & Anirudh Burman, India: Testing Out New Policies on Globalization - Rewiring Globalization, in Rewiring Globalization (Sinan Ülgen et al. eds., Carnegie Europe 2022), https://carnegieindia.org/2022/02/17/india-testing-out-new-policies-on-globalization-pub-86370.

[18]Ben Wolford, What is GDPR, the EU’s new data protection law?, GDPR.eu (2018), https://gdpr.eu/what-is-gdpr/.

[19]Rachit Bahl, Rohan Bagai and Nipun SawhneyIndian Data Protection Law versus GDPR – A Comparison, azb, (Aug 18, 2023) https://www.azbpartners.com/bank/indian-data-protection-law-versus-gdpr-a-comparison/.

[20]The Digital Personal Data Protection Act,2023, § 2(g), No. 22, Acts of Parliament, 2023 (India).

[21]The Digital Personal Data Protection Act, 2023,§9(2), No. 22, Acts of Parliament, 2023 (India).

[22]The Digital Personal Data Protection Act, 2023, § 9(3), No. 22, Acts of Parliament, 2023 (India).

[23]The Digital Personal Data Protection Act, 2023, § 8(6), No. 22, Acts of Parliament, 2023 (India).

[24]The Digital Personal Data Protection Act, 2023, § 16(1), No. 22, Acts of Parliament, 2023 (India).

[25]Supra note 4.

[26]INDIA CONST. art. 21.

[27]The Digital Personal Data Protection Act, 2023, § 3(c)(ii), No. 22, Acts of Parliament, 2023 (India).

[28]Anirudh Burman, Understanding India’s New Data Protection Law,Carnegie India(Oct 3, 2023) https://carnegieendowment.org/research/2023/10/understanding-indias-new-data-protection-law?lang=en.

[29]The Right to Information Act, 2005 § 8(1)(j), No. 22, Acts of Parliament, 2005 (India).

[30]The Digital Personal Data Protection Act, 2023 § 44, No. 22, Acts of Parliament, 2023 (India).

[31] M Sridhar AcharyuluHow the ‘strict’ Data Act is diluting RTI, Down To Earth(Sept 8 2023) https://www.downtoearth.org.in/blog/governance/how-the-strict-data-act-is-diluting-rti-91640.

[32]Sarvesh Mathi, Fifteen Major Concerns with India’s Data Protection Bill, 2023, MEDIANAMA (Aug. 4, 2023), https://www.medianama.com/2023/08/223-major-concerns-india-data-protection-bill-2023-2/.

[33]The Digital Personal Data Protection Bill, 2023, PRS Legislative Research, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023.

[34]Lukmaan IAS, DOES THE DPDP ACT, 2023 REALLY PROTECT PRIVACY? - Lukmaan IAS Editorials, Lukmaan IAS (Oct. 19, 2023), https://blog.lukmaanias.com/2023/10/19/topic-does-the-dpdp-act-2023-really-protect-privacy/.


Submitted by

Aditi Mittal and Nitya Shukla,

Rajiv Gandhi National University of Law, Punjab


Commentaires


bottom of page