Critical Analysis of Digital Personal Data Protection Act, 2023

By: Koupal Jain & Ankit Saurashtriya

Student, VI Semester, B.A.LL.B (Hons.), Department of Law, Prestige Institute of Management and Research, Indore (M.P.)

The Digital Personal Data Protection Bill, 2023 was introduced on 3 August 2023 and was passed by the Lok Sabha on 9 August 2023. The bill received the President's assent, was published in the Official Gazette, and became law on 11 August 2023. As per the provisions of the Act, 'data' means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means. A recent news report stated that a pro-Palestinian hacker group hacked a company whose services are available to thousands of students across Israel and leaked its data online, including names, contact numbers, addresses and e-mail addresses.

The students' details were shared using the Telegram app. The Malaysian hacker group Dragonforce picked up the information from the website of AcadeMe, which is one of the largest recruitment networks across Israel for students and graduates seeking work. According to the Ministry of External Affairs, the estimated number of Indian students studying in Israel is about 1,218.

DOES THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 MAKE THIRD PARTIES / HACKER ORGANIZATIONS LIABLE?

As per the Digital Personal Data Protection Act, the provisions of the Act shall apply to the processing of digital personal data within India, and also to the processing of personal data outside the territory of India if such processing is in connection with any activity of offering goods and services to data principals within the territory of India. Here, personal data means any data about an individual who is identifiable by or in relation to such data. Data fiduciary means any person who, alone or in conjunction with other persons, determines the purpose and means of the processing of personal data. Data principal means the individual to whom the personal data relates. Illustration: A, a data principal, makes a purchase at B, a data fiduciary. A voluntarily provides B her personal data and requests B to acknowledge receipt of the payment made for the purchase by sending a message to her mobile phone. Here B, a data fiduciary, may process the personal data of A, a data principal, for the purpose of sending the receipt.

Here are some general obligations of a data fiduciary. A data fiduciary shall, irrespective of any agreement to the contrary or failure to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made in respect of any processing undertaken by it or on its behalf by a data processor. A data fiduciary must make efforts to ensure the accuracy of data and must also maintain or build reasonable security safeguards to prevent a data breach. Here, personal data breach means any unauthorized processing of data or disclosure, acquisition, sharing, use, alteration, destruction or loss of personal data. It is the responsibility of a data fiduciary to erase personal data as soon as the purpose has been accomplished. Illustration: A, an individual, makes a purchase at B, a pharmacy. She voluntarily provides B her personal data for the purpose of payment. B may process the personal data of A for the purpose of sending the receipt. Subsequently, A informs B that the payment has been made. B shall cease or erase the personal data of A.

As per a Times of India news report, hackers stole the email addresses of more than 200 million Twitter users and posted them on an online hacking forum, such as the dark web. The dark web is a part of the Internet. The dark web can be used to sell stolen personal information. The report says that hacker forums and hacker organizations are selling data from scraped Twitter user profiles. This includes private phone numbers and email addresses, usernames, age, screen names and account creation dates. Here again the question arises: who is responsible for this attack? No responsibility has been taken by the hacker organization for the data breach; the only information available is that a threat actor named Staymad published the data on a hacking platform. This is one of the major drawbacks of the Digital Personal Data Protection Act, 2023: it does not regulate the risk of harm arising from the processing of personal data. Harm includes identity theft, loss of reputation, financial loss, etc. The Act defines personal data as any data about an individual who is identifiable by or in relation to such data. This definition of personal data is very abstract as well as ambiguous, because images, audio, video and other sensitive data can also come under the purview of personal data.

Another big loophole is that the Act makes liable only the data fiduciary, who is responsible for protecting the data, but not third parties such as hacker organizations who wrongfully gained or misused the personal data of data principals.
