For several years, India has been working toward strengthening the protection of its citizens’ personal data in response to the exponential growth of digital technologies and the increasing amount of personal information being collected online. As the world’s most populous democracy and a fast-growing digital economy, India faces the dual challenge of promoting innovation while safeguarding individual rights.
The Long Journey Towards Enacting a Personal Data Protection Law
In 2019, the Personal Data Protection Bill was introduced in the Indian Parliament. This bill aimed to establish a robust legal framework for managing personal data. However, it faced obstacles, including criticism of certain provisions. Prolonged debates caused significant delays in its adoption.
In August 2022, the Indian government withdrew the initial bill to draft a new version, the Digital Personal Data Protection Bill. This updated bill was passed by both houses of Parliament and became the Digital Personal Data Protection Act.
Digital Personal Data Protection Act
The Act is designed to regulate the processing of digital personal data, both online and digitized offline data. Its goal is to balance the rights of individuals with the operational needs of data fiduciaries — organizations or individuals determining the purpose and means of data processing.
It is underpinned by seven key principles:
- Informed Consent – Data cannot be collected or processed without clear and informed consent from the individual.
- Purpose Limitation – Data must be used only for the purpose for which it was collected.
- Data Minimization – Only the minimum necessary data should be collected.
- Data Accuracy – Organizations must ensure that the data they hold is accurate and up-to-date.
- Limited Data Retention – Data should not be retained longer than necessary.
- Data Security – Adequate technical and organizational measures must be taken to protect data.
- Accountability – Entities handling personal data are accountable for complying with the law and must be able to demonstrate their compliance.
The Act establishes the role of the Data Protection Board of India, tasked with handling grievances and overseeing compliance. However, questions remain about its independence, as its composition and powers are largely controlled by the central government.
The Delicate Balance Between Personal Data Protection and Government Oversight
India faces a significant challenge: reconciling the protection of users’ personal data with the demands of government oversight. The adoption of the Digital Personal Data Protection Act represents an important milestone in regulating digital data processing, ensuring individuals’ rights while allowing authorities to process data under frameworks deemed legitimate.
The Act grants the government the power to exempt certain public bodies from data protection obligations for reasons of state. This raises concerns about potential abuses and threats to citizens’ privacy. Moreover, the lack of a fully independent and operational supervisory authority complicates the effective implementation of the law and oversight of government practices related to data. Thus, India must strike a delicate balance between safeguarding individual rights and addressing national security needs while ensuring greater transparency and accountability in the use of personal data.
Focus on the Aadhaar Government System
The Aadhaar system, which is the world’s largest biometric database, has been widely criticized for its handling of user data protection.
Key concerns include security breaches and data leaks, with incidents involving the publication of hundreds of thousands of Aadhaar numbers online. These violations exposed sensitive information such as names, addresses, phone numbers, and bank details of millions of individuals.
The system has enabled large-scale identity theft, with fraudulent use of biometric data to activate SIM cards or access various services. Civil rights advocates also highlight Aadhaar’s intrusive nature, fearing it could be used as a mass surveillance tool by the Indian government.
While India’s data protection legislation marks a significant step toward digital regulation, it addresses only one aspect of the many regulatory challenges the country faces.
Sources :
https://www.dsavocats.com/reglementation-des-donnees-inde/
L’image est générée par DALL-E
