'Personal data is the new oil, a protection law was much needed'

Rajesh Jauhri / TNN / Updated: Oct 30, 2023, 10:58 IST

Text Size

Small
Medium
Large

Lt Gen Rajesh Pant, the former National Cyber Security Coordinator, has emphasized the need for a law on personal data protection in India. He highlighted the increased digitization due to the pandemic, which has led to the misuse of people's personal data. The Digital Personal Data Protection (DPDP) Act 2023 is in line with the General Data Protection Regulation (GDPR) in the European Union and includes provisions for consent, purpose, and duration of data collection. The Act also introduces penalties, including fines up to Rs 250 crore for data breaches. The formation of a Data Protection Board of India (DPBI) is also proposed.

'Personal data is the new oil, a protection law was much needed'

Retired Lt Gen Rajesh Pant

MHOW: A law on personal data protection is the need of the hour, said Lt Gen Rajesh Pant (retired), who has recently completed his five-year tenure as National Cyber Security Coordinator at the PMO. Talking on Digital Personal Data Protection (DPDP) Act 2023, Pant said, "In the post-Covid-19 scenario, India underwent a digital transformation, as a result of which nearly the entire public and private sector went online.There have been reports of misuse of digitized personal data of the people, due to which a need was felt for such a law."
About its genesis, he said, "In the Justice K S Puttaswamy vs Union of India case, it was said that privacy is a Fundamental Right under Article 21 of the Constitution. Following this, the Justice B N Shrikrishna Committee was formed to draft a bill related to privacy in 2019. He submitted his report on personal data while Krish Gopalakrishnan drafted the bill for non-personal data. A joint parliamentary committee was to look into it, during which many amendments surfaced, after which a complete act of DPDP came."
It is in line with the General Data Protection Regulation (GDPR), which has been in force in the European Union since 2020, which has slapped billions of dollars of fines on violations, the former General said.

What does this Act say? "There are three factors of data, the first being 'Data Principal', which means the individual whose data is taken. Second, 'Data Fiduciary', which is the company or organization that takes data, and the third is 'Data Processor', the third party that processes the data. The Act says that data can't be taken without the principal's consent and the fiduciary will have to tell the principal about the purpose of taking data and the duration for which it will be stored before being deleted. The biggest feature is that there is a penalty of up to Rs 250 crore if data reaches some other organization or company."
About the authority under this Act, he said, "There is a provision to create a 'Data Protection Board of India' (DPBI), which will be like a tribunal that will decide on punishments pertaining to this Act ." Asked why it has not come into force despite being passed by Parliament, he said, "There is a provision in this Act that the government needs to issue notifications for every section of the Act and only then can it be implemented in the country. The process is on and hopefully, its completion will coincide with the setting up of DPBI."

End of Article