Once regarded as the world’s most precious resource, oil fueled industrialization, transportation, and a wide range of scientific developments. Similarly, data has now become the cornerstone of the modern digital economy.
Algorithms and artificial intelligence are powered by data, enabling enterprises to –
- make better decisions,
- customize user experiences,
- expedite processes, and
- develop new business models.
For individuals, sharing personal data such as contact details, financial records, etc. (basically any information that identifies an individual) has become simply unavoidable to avail various services.
Whether it’s shopping on e-commerce platforms, using quick commerce services, managing banking transactions, or receiving personalized healthcare recommendations, personal data has become the key that unlocks convenience.
As businesses increasingly rely on data to improve their services and provide personalized experiences, users often find themselves trading privacy for convenience, making data sharing an integral part of modern life.
Why do we share personal data?
The increasing demand for personalized and seamless experiences has led individuals to exchange their personal data on digital platforms. Companies process this information to engage customers and drive business strategies. Much of the data sharing is statutorily or genuinely required, but some of it is also optional. For instance:
- Users must provide their bank account information or credit/debit card information in order to use the online payment feature on websites and payment applications.
- For health-tech apps, users are required to upload their prescriptions to order medicines to comply with legal health regulations.
- E-commerce websites often use our browsing history or past purchases to offer personalized product recommendations. While sharing this information is not mandatory, it can greatly enhance our shopping experience.
- Location-based apps, such as weather or navigation services, often ask for access to geographic data to provide real-time updates. While this feature adds value, one can always choose to disable location tracking on a live basis or manually enter the location for a limited purpose instead.
- Additionally, many websites use cookies to monitor the browsing activity and customize future visits to the websites, making for a smoother online experience. Users have the option to opt out of non-essential cookies if they so wish.
- Apps may also request optional permissions, like access to contacts or media, to enable specific features. While one can decline these requests, doing so may limit certain app functionalities.
From the above instances, individuals may choose not to share additional data if it is not required to be given mandatorily. The companies, on the other hand, must disclose clearly which data field is optional or mandatory.
Challenges
With the growing dependence on personal data, organizations are leveraging data more than ever to influence market trends and make strategic decisions. This widespread use of data has led to an unprecedented surge in the volume of data being collected, processed, and stored, which also increases the risk of misuse.
According to the IDC’s (International Data Cooperation) recent ‘Global Data Sphere Forecast’, the global volume of data generated, captured, copied, and consumed is projected to reach 181 zettabytes by 2025 — almost triple the amount recorded in 2020.
Changing Landscape: The Digital Personal Data Protection Act, 2023
In response to these growing concerns over data privacy and misuse, the Indian government introduced the “Digital Personal Data Protection Act, 2023” to align with international privacy standards.
The Act aims to safeguard the right to privacy of individuals and establishes a mechanism for how personal data is processed and used by organizations. As per the Act, any unauthorized access, disclosure, or processing of personal data resulting in the compromise of confidentiality, integrity, or availability of personal data is a “Personal Data Breach.”
The Act uses the terminology “Data Fiduciary” to refer to an individual or entity that determines the purpose and means of processing personal data. It also employs the term “Data Principal” to describe the individual to whom the personal data pertains, and whose consent is required for processing.
The Act also provides for a comprehensive definition of “Processing” which includes any operation on personal data, whether automated or not, including activities such as collection, storage, use, transfer, or erasure.
The Act applies to all entities that collect, process, store, and use digital personal data of Indian citizens unless notified otherwise by the Central Government.
Key Provisions of the Act: The Act is drafted around seven principles of privacy, setting forth obligations for data fiduciaries. The seven privacy principles and corresponding obligations are outlined below:
- Consent, Lawful, and Transparent Use of Personal Data: Data fiduciaries are obligated to obtain prior consent from data principals specifying the –
- purpose of data collection,
- intended use, and
- mechanisms for addressing breaches.
- Purpose Limitation: The Act restricts data processing to the purposes specified by the data principal’s consent. If the data principal requests modification or erasure of personal data, the data fiduciary must fulfill this request.
- Data Minimization Principle: Data fiduciaries can collect only the personal data that is essential for processing.
- Accuracy of Data: Data fiduciaries are required to ensure the accuracy and reliability of personal data, and data principals are expected to provide accurate information.
- Storage Limitation: Data fiduciaries must delete personal data once the purpose for processing has been fulfilled.
- Reasonable Security Safeguards: Data fiduciaries are expected to implement robust technical and organizational security measures to safeguard personal data. In the event of a data breach, fiduciaries must promptly notify the ‘Data Protection Board’ and the data principals.
- Accountability: Data fiduciaries bear the responsibility for compliance with all provisions of the Act. The Act includes specific provisions for collecting and processing children’s and disabled people’s personal data.
While the non-compliance with the Act can lead to hefty monetary penalties ranging from ₹10,000 up to ₹250 Crores (~ $30 Mn) it also provides flexibility for startups and small-scale companies, ensuring innovation while maintaining robust data protection standards.
Takeaway
While oil drove the industrial age, data is driving the digital era, propelling economies forward in ways we’re only beginning to understand.
As use of data grows, the Digital Personal Data Protection Act, 2023, is a welcome step and serves as a guiding force, empowering individuals and organizations to handle personal data responsibly while allowing businesses the flexibility needed to innovate.
With the growing power of data, our responsibility to safeguard it intensifies. Ensuring privacy, security, and ethical handling of data is not just important — it’s essential. As you reflect on your own data-sharing practices, are you comfortable with the level of personal information you are providing for convenience?
Author:
Agrima Singh
