September 2023

Personal Data Protection: Tighten Your Belts, It’s Time to Take Off

Kaushal Kishore, Chartered Accountant

The Digital Personal Data Protection Act, 2023 received the assent of the President of India on 11th August, 2023, after it was passed by both houses of the parliament. The Act provides for the processing of digital personal data in a manner that recognises both the rights of individuals to protect their personal data and the need to process such personal data for lawful purposes and matters incidental thereto. The Act addresses the need to protect the fundamental rights of a citizen that “no person shall be deprived of his or her personal liberty, except according to established legal procedures”. To achieve the objective, the Act creates significant obligations on Data Fiduciaries and imposes severe penal actions for non-compliance. It’s time to align and make an honest effort, with a genuine posture to invest in infrastructure and comply.


Personal data protection, a matter of focus globally and in India, has been fuelled by sensitive terms like ‘privacy being a fundamental and constitutional right of an individual’. Upholding this in the matter of Justice K S Puttaswamy vs. Union of India in 2017, the Apex Court impressed upon the Legislature the need to establish a robust data protection regime.

Certain developed economies have already adopted stringent data privacy regulations, with wider coverage, beyond geographical boundaries, due to obvious commercial and other reasons. Besides the inevitable growth in the digital economy, social media interactions are only rising, and both fuel the matter further. The Government, recognising the importance of safeguarding citizens’ rights, has focused on a comprehensive framework. All stakeholders dealing with personal data will have to invest in a much-needed ecosystem for personal data protection. The penal actions are alarmingly significant.


As a major benchmark, the EU implemented the GDPR in 2018, not just for EU entities but also for organisations across the globe, so long as such organisations deal with EU citizens’ data. Penalties under GDPR may go up to Euro 20 million or 4 per cent of the consolidated annual turnover of an organisation. EU GDPR is considered a comprehensive framework, dealing with personal data processing and the rights and obligations of the parties involved. Even the USA and China have followed stringent personal data privacy regulations.


Limitations in the existing regulation
The current Information Technology Act, 2000, and the related Rules of 2011 (SPD Rules) (together, the 2000 Act) are outdated. In any case, the safeguards around personal data protection in the 2000 Act are unable to deal wit

