In the realm of cyber legislation, it is crucial to explore the landscape of cyber laws and the scope of cybercrimes perpetrated against individuals. To address these concerns, a series of laws has been crafted. The inaugural cyber law dates back to 2000 and has evolved over time. The most recent enactment is the Digital Data Protection Act of 2023. Initially presented to Parliament as the Personal Data Protection Bill in 2019, it underwent thorough scrutiny by a parliamentary committee, with its findings published in 2021. Following this, the bill was retracted and re-introduced in 2022 under the title Digital Data Protection Bill, 2022. Consequently, the law that took effect in 2023 is largely based on this revised bill.
So, in order to learn about the significant provisions of 2023, act we need to understand the provisions of 2019 which proposed a comprehensive, cross-sectoral framework based on preventive requirements for businesses (defined as “data fiduciaries”) and rights for individuals or consumers (“data principals”).
This imposed several obligations on organisations collecting personal data. These include providing individuals with notice and obtaining their consent, ensuring the accuracy and secure storage of data, and using the data solely for the purposes specified in the notice. Additionally, organisations are required to delete data once its intended purpose is fulfilled and to grant consumers rights to access, erase, and transfer their data. Businesses must also maintain robust security safeguards, uphold transparency standards, implement "privacy by design" principles, and establish systems for addressing grievances. The system introduced the Data Protection Authority (DPA) which gives the power to the authority to impose penalties on businesses which do not comply with the rules.
Also Read: Drafting of rules under data protection law in advanced stage; extensive industry consultations soon: Vaishnaw
In addition, the regulation has introduced the role of "consent managers," who act as intermediaries responsible for collecting and managing consent on behalf of individuals.
According to the Digital Personal Data Protection Act 2023, Personal Data is defined as any data about an individual that makes them identifiable by or in relation to such data. Furthermore, Personal Data Breach is described as any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, which compromises the confidentiality, integrity, or availability of personal data.
Upon reviewing the provisions of this act, I find it important to highlight the Right to be forgotten by the Data Principal. The introduction of the "Right to be forgotten" signifies a positive progression towards the belief that everyone deserves a second chance and should not be defined solely by their past actions. A noteworthy case regarding this matter is Jorawar Singh Mundy vs Union of India. In this case, the petitioner faced challenges in the USA due to the public availability of his criminal records following his acquittal in India.
Also Read: Tech giants face new regulatory hurdles with India's antitrust law
This hindered his employment prospects, despite possessing a strong academic background. As a result, the petitioner sought the removal of the verdict from various websites, leading to a legal battle involving vLex.in, Google India Pvt. Ltd., Google LLC, and Indian Kanoon. While only vLex.in complied with the request, the others argued against the existence of a "Right to be Forgotten" under the Indian Constitution. Consequently, the petitioner filed a writ petition with the Delhi High Court, invoking the infringement of his Right to Privacy under Article 21 of the Constitution of India.
The court acknowledged the EU precedent, emphasizing that citizens have the right to request the removal of misleading or irrelevant information from commercial websites. Ultimately, the court deemed the Right to Privacy and the Right to be Forgotten as interconnected. Subsequently, the Delhi High Court, with a bench consisting of Justice Pratibha M. Singh, ruled that Google India Pvt. Ltd., Google LLC, and Indian Kanoon are required to remove the petitioner's case from their domain.
