Rajiv Khaitan offers insights on safeguarding personal data in the digital age
At TechSparks 2023, Rajiv Khaitan, Partner at Khaitan & Co, highlighted the significance of the Digital Data Protection Act in safeguarding personal data in the digital age.
Rajiv Khaitan, Senior Partner at Khaitan & Co, dived into the evolving landscape of data protection and shared an overview of the evolving landscape of data protection at TechSparks 2023, the destination for deliberating, deep-diving, and understanding the promise of India's Great Indian Techade.
In a world where data is often called the new oil, Khaitan shed light on how the Digital Data Protection Act is set to revolutionise the way personal data is safeguarded and used in the digital age.
Data as the new oil: Understanding the analogy
The keynote began with Khaitan addressing the prevailing analogy that ‘data is the new oil’. He explained that just as oil fuelled industries and economies in the past, data now powers businesses, drives innovation, and underpins the modern economy. Data is, in essence, the lifeblood of the digital era.
Khaitan pointed out that data is unique in that it is closely tied to an individual's identity, making it an emotionally charged asset. People are passionate about their data and are willing to share it, but demand the certainty that it will not be misused. This emotional connection with data is a key factor in shaping data privacy legislation.
"In the digital age, data is often compared to the new oil as it has become an integral part of our identity. We are passionate about sharing our data, but only if we are certain it won't be misused. The Digital Data Protection Act of 2023 aims to strike a balance between our need to use data and the responsibility to protect it. This law covers personal data in digital form and empowers individuals to give consent for specific purposes, with the ability to withdraw that consent. It places the primary responsibility for data protection on data fiduciaries, emphasising the importance of securing and processing data,” he said.
Khaitan added that the Act encourages responsible data usage while protecting personal information and imposes strict penalties for violations. “This marks a significant step in our evolving data protection landscape.”
The emergence of data privacy in India
In 2017, India saw the first glimpse of data privacy concerns when the concept was recognised as a fundamental right. A significant milestone was a Supreme Court ruling that data privacy is constitutionally protected as part of the right to privacy.
Following this, the Indian government took on the responsibility of formalising a balance between the need to use data by entities termed ‘digital data fiduciaries’ and the individual whose data is at stake, now known as the ‘data principal’. The aim was to strike a balance between the right to share one's data and protect it from misuse.
Defining personal data in the digital world
Khaitan emphasised that the Digital Data Protection Act primarily focuses on protecting digital personal data. This distinction means that the data in digital form or converted into digital form is what this law is designed to safeguard. Data that remains in non-digital forms, such as handwritten notes in a ledger, is not covered by the law.
He provided a clear example: if you provide your phone number to a security guard upon entering a premises, and they note it down in a physical ledger, this data is not protected by the law. It becomes protected only if the data is digitised and stored in digital format.
Purpose-driven data sharing
The keynote elaborated on the core purpose of the Digital Data Protection Act: to enable data sharing for specific purposes and specific durations while ensuring that individuals retain the ability to revoke their consent. Data sharing, processing, and protection are key components of this framework.
Khaitan underscored that the primary entity responsible for securing individual data is the ‘data fiduciary’, the entity that collects data for specific purposes. Data processors, another entity type, can be used by data fiduciaries, but the core responsibility rests with the entity that acquires and processes the data.