The DPDP Act brings a new age of data protection to the country. While the rules are yet to be made effective, companies need to be up to speed with the legislation, writes LG Electronics legal expert Rajiv Malik
In the relentless pursuit of growth and innovation, businesses have become increasingly reliant on the power of data, often fuelled by advancements in artificial intelligence (AI). This data-driven revolution has transformed industries and redefined consumer experiences.
However, it has also ignited a fierce debate about privacy, security and the ethical implications of data exploitation. The Digital Personal Data Protection Act, 2023 is India's latest attempt to navigate this complex terrain.
The DPDP Act introduces a comprehensive framework for safeguarding digital personal data. While the act aims to balance innovation and privacy, it presents a formidable challenge for businesses, especially those operating in the consumer sector.
The consumer sector, driven by an insatiable appetite for personalised experiences, has become a data-driven powerhouse. Companies collect and analyse vast amounts of personal data, including consumer preferences, choices, purchasing habits, viewing channels, location data (from mobile devices, wi-fi networks, and even in-vehicle systems) and data generated by smart IoT (internet of things) devices. This data, coupled with the power of AI, enables companies to gain deep insights into consumer behaviour, to tailor marketing campaigns, and to optimise product offerings.
While AI-driven data analysis offers immense potential for innovation and improved customer experiences, it also raises significant concerns about privacy and security. The Supreme Court’s recognition of the fundamental right to privacy in the 2017 Puttaswamy judgment and the subsequent enactment of the DPDP Act underscore the need for a delicate balance between technological advancement and individual rights.
The protection triad
The DPDP Act is a significant stride towards safeguarding digital personal data in India. It defines digital personal data as any information, facts, opinions or instructions that can be interpreted or processed by humans or automated systems in digital form.
The data principal is an individual who generates the digital personal data. This includes data generated by adults, children (along with their parents or legal guardians) and individuals with disabilities (represented by their lawful guardians).
The data fiduciary, either an individual or an organisation, determines the data’s purpose and processing methods. Data processors, acting on behalf of the data fiduciary, handle the data processing tasks.
In essence, the DPDP Act establishes a clear framework involving three key stakeholders – the data principal, the data fiduciary and the data processor – ensuring the responsible handling and protection of digital personal data. The act introduces various obligations, including data minimisation, purpose limitation, transparency and accountability. Although the rules are yet to be framed, non-compliance with the DPDP Act will lead to severe penalties, including hefty fines and reputational damage.
Minimisation and purpose
Data minimisation and purpose limitation are fundamental principles of data protection. Businesses must collect only the minimum personal data that is necessary to achieve a specific purpose. By adhering to this principle, businesses can reduce the risk of data breaches and minimise potential harm to individuals.
Consent and transparency
Valid, informed and specific consent is a cornerstone of data protection. Businesses must obtain explicit consent from individuals before collecting and processing their personal data. For example, a healthcare app should clearly explain the purpose of data collection and obtain explicit consent from users before accessing their health information.
Additionally, businesses must be transparent about their data practices and provide clear and concise privacy policies. Transparency builds trust with individuals and helps them make informed decisions about their data.
Security and breaches
Robust data security is essential to protect personal data from unauthorised access, loss or damage. Businesses must implement technical and organisational measures to safeguard personal data – for instance, strong encryption techniques.
In the event of a data breach, businesses must promptly notify affected individuals and relevant authorities. To ensure a swift and co-ordinated response, organisations are mandated by CERT-In guidelines to report data breaches within a specified timeframe, typically within four hours of detection. Timely notification and effective incident response can help mitigate the impacts of data breaches.
Cross-border
Cross-border data transfers are increasingly common in today’s globalised world. However, transferring personal data to countries with inadequate data protection laws can pose significant risks. The DPDP Act imposes restrictions on cross-border data transfers and requires businesses to implement appropriate safeguards to protect personal data.
For instance, a multinational tech company might need to assess the data protection laws of different countries before transferring user data to its global servers.
User rights, access
Individuals’ rights under the DPDP Act include rights to access, correct and erase their personal data. Businesses must establish efficient processes to handle data subject access requests and respond to them in a timely manner. Additionally, businesses must respect the rights of individuals to object to the processing of their personal data and to data portability.
AI and privacy
Increasing use of AI in the consumer sector raises concerns about privacy and security. AI algorithms can analyse vast amounts of personal data to make predictions and decisions. However, the use of AI can also lead to biases and discrimination.
Businesses must ensure that AI systems are developed and used in an ethical and responsible manner. For example, an AI-powered recommendation system should not discriminate against groups of users based on their personal characteristics.


























