Digital Personal Data Protection Act (DPDP Act)


The Digital Personal Data Protection Bill, 2023 (now the DPDP Act) was introduced in the Lok Sabha on August 3, 2023, by the Minister of Electronics & Information Technology, was passed by both Houses of Parliament, and received Presidential assent on August 11, 2023. The earlier Personal Data Protection Bills of 2019 and 2022 had gone through numerous amendments and attracted criticism on data localisation, transparency and the weight of their compliance obligations, and were withdrawn by the Central Government (CG). The present law follows the Supreme Court's decision in K S Puttaswamy v. Union of India, which upheld the 'Right to Privacy' as part of the fundamental 'Right to Life' enshrined in Article 21 of the Indian Constitution and called on the CG to put in place a regime for the protection of Personal Data.

OBJECT AND APPLICABILITY OF THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (THE ACT):

The primary objective of the Act is to establish a comprehensive framework for the protection and processing of Personal Data. In the Act's own words, it "provides for the processing of digital Personal Data in a manner that recognizes both the rights of individuals to protect their Personal Data and the need to process such Personal Data for lawful purposes and matters connected therewith or incidental thereto". The Act applies to the processing of Personal Data within India, whether the data is collected online or collected offline and later digitised, and extends to processing outside India that is connected with offering goods or services to individuals in India. The Act is also expected to serve as the base for other laws, such as the proposed Digital India Act and sector-specific rules on privacy and data protection, as India adopts Artificial Intelligence (AI) and other emerging technologies while protecting Personal Data, and it may help Indian businesses collaborate with businesses located abroad under reciprocal arrangements. Notably, the Act is the first central law in India to use she/her pronouns when referring to individuals.

DEFINITIONS AND SALIENT FEATURES:

  • Data: Any representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means. Any data about an individual (the Data Principal) who is identifiable by or in relation to such data is Personal Data under the Act.
  • Processing of Personal Data: Processing means a wholly or partly automated operation, or set of operations, performed on digital Personal Data, and includes collection, storage, indexing, sharing, use, disclosure, dissemination and erasure. Processing may be undertaken only for a 'lawful purpose' for which the Data Principal has given her consent, or for the legitimate uses listed in the Act.
  • Applicability: The Act applies to the processing of digital Personal Data within India where the data is (i) collected in digital form, or (ii) collected in non-digital form and digitised subsequently. It also applies extraterritorially to processing outside India that is connected with offering goods or services to Data Principals within India. The Act does not apply to Personal Data that is (i) processed by an individual for any personal or domestic purpose, or (ii) made publicly available by the Data Principal herself, or by any other person who is obliged under a law in force in India to make it publicly available.
  • Consent: Section 6 provides that Personal Data may be processed only for the specified purpose and after obtaining the consent of the Data Principal (the individual). Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action. Before seeking consent, the Data Fiduciary must give a notice under Section 5 describing the Personal Data to be collected and the purpose of processing, and how the Data Principal may exercise her rights and complain to the Board. The Data Principal may withdraw her consent at any time. Under Section 7, consent is not required for 'legitimate uses', which include: (i) the specified purpose for which the individual has voluntarily provided her data and has not indicated that she does not consent to its use; (ii) the State providing a subsidy, benefit, service, certificate, licence or permit; (iii) the sovereignty and integrity of India or the security of the State; (iv) responding to a medical emergency or providing treatment or health services; (v) ensuring safety during a disaster or a breakdown of public order; and (vi) employment-related purposes. For a child (a person below eighteen years of age) or a person with a disability who has a lawful guardian, the verifiable consent of the parent or lawful guardian is required. Under Section 17(4), however, the State and its instrumentalities are exempt from the storage-limitation duty and from the Data Principal's right to erasure, so they may retain Personal Data and decline a request for its erasure.
  • Rights and Duties of the Data Principal: Under Sections 11 to 14, the Data Principal has the right to (i) obtain information about the processing of her Personal Data, (ii) seek correction and erasure of her Personal Data, (iii) nominate another person to exercise her rights in the event of death or incapacity, and (iv) readily available grievance redressal; under Section 6(4) she may also (v) withdraw her consent at any time. Under Section 15, the Data Principal is duty-bound not to (i) register a false or frivolous complaint, (ii) suppress any material information while providing her Personal Data for a document or identifier issued by the State, or (iii) impersonate another person or furnish false particulars in the specified cases. Breach of these duties attracts a penalty under the Schedule to the Act.
  • Obligations of the Data Fiduciary: Under Section 8, the Data Fiduciary must: (i) process Personal Data only for a purpose for which the Data Principal has given her consent, or for a legitimate use under Section 7 (which covers, among others, data the individual has voluntarily provided without indicating that she does not consent to its use); (ii) make reasonable efforts to ensure the accuracy and completeness of the data where it is used to make a decision affecting the Data Principal or is disclosed to another Data Fiduciary; (iii) implement reasonable security safeguards to protect Personal Data in its possession or under its control, including data held by a Data Processor on its behalf; (iv) respond to communications from the Data Principal for the exercise of her rights; (v) intimate the Data Protection Board of India and each affected Data Principal in the event of a Personal Data breach; and (vi) erase Personal Data once the specified purpose is no longer being served, unless retention is required by law (storage limitation). For the State and its instrumentalities, storage limitation and the Data Principal's right to erasure do not apply. A breach of these obligations is dealt with under Section 33 read with the Schedule to the Act.
  • Transfer of Personal Data outside India: Section 16 permits Personal Data to be transferred for processing outside India, except to such countries or territories as the CG restricts by notification.
  • Exemptions: Under Section 17(1), the provisions of Chapter II (except Sections 8(1) and 8(5)), Chapter III and Section 16, i.e. the obligations of Data Fiduciaries, the rights and duties of Data Principals and the cross-border transfer provision, do not apply in specified cases, which include: (i) enforcement of a legal right or claim; (ii) prevention, detection, investigation or prosecution of offences; (iii) processing, under a contract with a person outside India, of the Personal Data of Data Principals who are not within the territory of India; and (iv) ascertaining the financial information, assets and liabilities of a loan defaulter. Further, under Section 17(2), the Act does not apply to the processing of Personal Data (i) by a notified instrumentality of the State in the interests of sovereignty and integrity, security of the State, friendly relations with foreign States or maintenance of public order, and (ii) necessary for research, archiving or statistical purposes, provided it is not used to take a decision specific to a Data Principal.
  • Data Protection Board of India: Under Chapter V, the CG shall establish a Data Protection Board of India (the Board) consisting of a Chairperson and other members. The Board exercises the powers and functions laid down in Sections 27 and 28, which include (i) directing urgent remedial or mitigating measures in the event of a Personal Data breach, (ii) inquiring into such breaches and into complaints, and (iii) imposing penalties under the Act. For the purpose of its inquiries the Board has the powers of a civil court, and under Section 39 no civil court may entertain any suit or proceeding in respect of a matter which the Board is empowered to adjudicate under the Act.
  • Appeals: Under Section 29, appeals against decisions of the Board lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) established under the Telecom Regulatory Authority of India Act, 1997 (TRAI Act), and must be preferred within sixty (60) days of receipt of the Board's decision. Orders of TDSAT are in turn appealable to the Supreme Court under Section 18 of the TRAI Act.
  • Penalties: The Schedule to the Act lays down the quantum of penalties for the various breaches under the Act. (i) Monetary penalties: depending on the nature of the contravention, penalties of up to INR 250 crore per instance may be imposed by the Board on the conclusion of an inquiry, the highest slab applying to a failure to take reasonable security safeguards to prevent a Personal Data breach. In fixing the amount the Board considers, among other factors, the nature, gravity and duration of the breach, the type and nature of the Personal Data affected, whether the breach is repetitive, and whether the defaulting person has realised a gain or avoided a loss as a result of it. (ii) No compensation: the Act does not provide for compensation to Data Principals whose Personal Data has been compromised. This is a departure from Section 43A of the Information Technology Act, 2000, which allowed affected persons to claim compensation from a body corporate that failed to implement reasonable security practices and thereby caused wrongful loss or gain; that section is omitted by the Act. The Act does, on the other hand, place duties on Data Principals, including to furnish only verifiably authentic information when exercising the right to correction or erasure, not to impersonate another person while providing Personal Data for a specified purpose, and not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board. Breach of these duties may be penalised with a fine of up to INR 10,000.

IMPACTS AND IMPLEMENTATION:

With the Act in force, companies and businesses that handle Personal Data in any manner will have to develop standard operating procedures and train their personnel to meet its compliance requirements: appointing, and cooperating with, a Data Protection Officer and an independent data auditor where the entity is notified as a Significant Data Fiduciary under Section 10; putting in place a consent-management mechanism to collect, maintain, track and update consent from individuals; carrying out data protection impact assessments; and maintaining valid contracts with Data Processors. However, the basis on which companies and start-ups will be classified as Significant Data Fiduciaries needs to be clarified, in particular the thresholds and criteria (volume and sensitivity of the Personal Data processed, net worth, assets, size, number of personnel) and the qualifications required of the personnel involved.

A SERIOUS EFFORT TO PROTECT PERSONAL DATA, OR AN EYEWASH TO GAIN LEGITIMATE CONTROL AND SURVEILLANCE?

The Act in its present form aims, prima facie, to protect Personal Data, but there are concerns about how some of its provisions will operate in practice. For instance, Section 36 empowers the CG to call for 'such information as it may call for' from the Board, any Data Fiduciary or any intermediary. Viewed with a legislative lens, such a wide power expressed in such broad terminology suggests a built-in intent of surveillance by the CG. Moreover, Section 17(2)(a) empowers the CG to exempt, by notification, any instrumentality of the State from the provisions of the Act in respect of its processing of Personal Data. Additionally, Section 44(3) of the Act amends Section 8(1)(j) of the Right to Information Act, 2005 (RTI Act), so that the balance the RTI Act struck between privacy and the right to information is lost: the power of a Public Information Officer (PIO) is widened, since a PIO can now reject an application under the RTI Act on the ground that the information sought relates to Personal Data.

Benefits of the DPDP Act

  • Increased Transparency and Control: You have the right to know what Personal Data companies collect about you, why they collect it, and how it is used. The Act requires companies to obtain your informed consent before processing your data, so consent cannot be buried in hidden clauses or obtained through opaque data collection practices.
  • Right to Correction and Erasure: If you made a mistake while providing your information, you can ask the company to correct any inaccuracies in the data it holds about you. You also have a right to erasure (often called the 'right to be forgotten'): you can require a company to erase your data once it is no longer needed for the purpose for which it was collected, unless retention is required by law.
  • Stronger Security Measures: Companies are legally obliged to implement reasonable security safeguards to protect your Personal Data from breaches and misuse, and to notify the Board and affected individuals if a breach does occur. This lowers the risk of identity theft and data leaks.
  • Focus on Legitimate Use: The Act discourages the collection and processing of Personal Data for irrelevant purposes. Companies may process your data only for the specific, lawful purposes they have informed you about beforehand, or for the legitimate uses listed in the Act.
  • Clearer Accountability: The Act establishes a Data Protection Board responsible for inquiring into breaches, addressing grievances and imposing penalties. If a company mishandles your data, you have a clear avenue to seek redressal.
  • Boosting Innovation: The Act fosters a climate of trust between individuals and businesses, which can encourage companies to invest in solutions that respect user privacy while delivering valuable services.

Beyond the Basics:

The DPDP-Act not only empowers individuals but also benefits businesses in the long run. By adhering to stricter data privacy regulations, companies can build stronger customer trust and loyalty. Additionally, the Act promotes responsible data practices, fostering a more secure and healthy digital ecosystem for all.

While the Act has its complexities, its core objective is clear: to empower you and safeguard your personal data in the digital world. With the DPDPA in place, you have greater control over your information and can participate in the digital world with more confidence.

Conclusion

The Act marks a distinctive approach to safeguarding Personal Data, addressing a long-standing need in the context of growing internet use, data generation and cross-border trade. Many details of its implementation still need clarification, which may come with the establishment of the Data Protection Board of India and the notification of Rules under the Act. Taken as a whole, the Act reflects India's own stance on modern data protection, shaped by extensive post-draft consultations. While its provisions are less detailed than the European Union's GDPR, it mandates a significant shift in how Indian businesses must approach privacy and Personal Data, while also legitimising the CG's power to control, retain and monitor its citizens' personal information. Notification of the Act's sections for implementation is still awaited, and it remains to be seen how the Courts interpret its wide enabling provisions and in what manner the Act evolves.


How NhanceGRC helps you with DPDP Act requirements

ADVICE

  • Conducting Comprehensive Data Protection Impact Assessments (DPIAs) under the DPDP Act
  • Manual Policy and Procedure Review by DPDP Experts
  • Advising on compliance with key provisions of the DPDP Act
  • Guidance on data subject rights and handling data subject requests

IMPROVE

  • Implementing Recommended DPDP Policy Enhancements
  • Developing Secure Data Handling Guidelines compliant with DPDP standards
  • Providing Training on DPDP Act Compliance
  • Establishing data breach response plans
  • Enhancing data security measures and protocols

MAINTAIN

  • Continuous Monitoring and Reassessment of Data Protection Measures as per the DPDP Act
  • Regular Reporting on DPDP Compliance Posture
  • Periodic Full Policy and Procedure Reviews
  • Supporting DPDP Regulatory Compliance
  • Auditing and documenting data protection practices
  • Managing data retention and deletion schedules according to DPDP Act requirements
