Digital Personal Data Protection Act, 2023: Key Features and Implications for Data Privacy in India
The Digital Personal Data Protection Act (DPDP) of India has successfully navigated its final stages after several years of extensive debates, postponements, and negotiations. The Act was passed by the Indian Parliament on August 11, 2023 and received presidential assent on the same day. However, the exact date of its coming into force has not yet been officially announced. The specific release date for the Digital Personal Data Protection Act (DPDP) rules also remains unannounced; they are anticipated to be released sometime in 2024.
The Digital Personal Data Protection Act 2023 is the first-ever privacy law in India that safeguards the personal data of citizens. The DPDP defines “personal data” as any information that relates to an identifiable individual, either directly or indirectly.
Key concepts introduced by the Act include consent, data fiduciary, data principal, significant data fiduciary, sensitive personal data, and critical personal data. The Act also provides for the establishment of the Digital Personal Data Protection Authority (DPDA) as the regulatory body for the implementation and enforcement of the Act.
Applicability of the Act: The DPDP applies to the processing of digital personal data within India, including:
- Data collected in digital form.
- Data in non-digital form that has been digitized.
It also extends to the processing of personal data outside India if it involves offering goods or services to individuals within the country.
Key Features of the Digital Personal Data Protection Act 2023
- This Act protects digital personal data by providing for:
  - The obligations of Data Fiduciaries for data processing.
  - The rights and duties of Data Principals (that is, the persons to whom the data relates).
  - Financial penalties for breach of these rights, duties and obligations.
- Obligations of Data Fiduciaries:
  - To have security safeguards in place to prevent personal data breaches, and to take the consent of the Data Principal for processing the data.
  - To erase personal data when it is no longer needed for the specified purpose.
  - To erase personal data upon withdrawal of consent by the Data Principal.
  - To intimate personal data breaches to the affected Data Principals and to the Data Protection Board.
  - To fulfil certain additional obligations where a Data Fiduciary is notified as a Significant Data Fiduciary, such as appointing a data auditor and conducting periodic Data Protection Impact Assessments to ensure a higher degree of data protection.
  - To put in place a grievance redressal system and appoint an officer to respond to queries from Data Principals seeking redressal.
- Safeguards for Children’s Personal Data – This Act also provides safeguards for the personal data of children:
  - Parental Consent: Data Fiduciaries can only process the personal data of children if they obtain clear and verifiable consent from a parent or guardian.
  - Protection from Harmful Practices: The Act prohibits any processing of children’s data that could harm their well-being. This includes restrictions on tracking, behavioural monitoring, or targeted advertising aimed at children.
- Rights and duties of Data Principals: A person whose data is being processed (the Data Principal) will have the right to:
  - Obtain details about the processing activities carried out on her personal data.
  - Have her personal data corrected, updated and erased.
  - Nominate another person to exercise these rights in the event of her death or incapacity.
  - Have her grievance redressed by the Data Fiduciary; she must exhaust this opportunity before approaching the Board.
  Duties: Data Principals shall not register a false or frivolous complaint, and shall not suppress any material information while providing their personal data.
- This Act allows the transfer of personal data outside India, except to those countries that the central government restricts through notification.
- Data Protection Board of India: The central government will establish the Data Protection Board of India. The key functions of the Board are:
  - Monitoring compliance and imposing penalties in the event of a data breach.
  - Directing Data Fiduciaries to take necessary measures or required actions in the event of a data breach.
  - Redressing the grievances of affected persons.
However, any person aggrieved by an order or direction made by the Board under this Act may prefer an appeal before the Appellate Tribunal within a period of sixty days from the date of receipt of the order.
Compliance requirements under the Digital Personal Data Protection Act (DPDP): The compliance requirements under the Act include the following key areas:
- Data Fiduciaries must register a Consent Manager with the regulatory Board, adhering to specified technical, operational, and financial standards.
- Data Fiduciaries are required to establish a robust system for effectively handling complaints from Data Principals.
- Upon request, Data Fiduciaries must provide Data Principals with a summary of their personal data and the entities with whom it has been shared.
- Data Fiduciaries must publish the contact details of a Data Protection Officer (DPO) or another designated representative who can address Data Principals’ inquiries about their personal data.
- Personal data can only be processed with explicit consent from the Data Principal for legitimate purposes.
- Consent requests must be presented in clear and understandable language, with options for English or any language listed in the Eighth Schedule of the Constitution.
- Data Fiduciaries are obligated to adhere to the provisions of the DPDP Act and to ensure that any data processing they undertake or delegate complies with the law.
- Data Fiduciaries or their registered Consent Managers must promptly address complaints raised by Data Principals.
- Data Principals must attempt to resolve their complaints through the established grievance mechanism before escalating them to the regulatory Board.
- Data Fiduciaries can use a Data Principal’s personal data to meet any legal obligations that require sharing information with the government or its agencies.
Penalties for Non-Compliance: The Board can impose monetary penalties of up to INR 250 crore per instance of non-compliance or 5% of the total worldwide turnover of the preceding financial year, whichever is higher. These amounts will be credited to the Consolidated Fund of India.
Key Terms Defined in the DPDP Act
- Personal data: Any data about an individual who is identifiable by or in relation to such data. This includes both online and digitized offline data, such as name, email, phone number, biometric data, location data, etc.
- Data principal: An individual whose personal data is processed. For example, a customer who provides their personal data to an online shopping platform is a data principal.
- Data fiduciary: An entity that determines the purpose and means of processing of personal data. For example, an online shopping platform that collects and uses personal data of its customers for providing services is a data fiduciary.
- Data processor: An entity that processes personal data on behalf of a data fiduciary. For example, a cloud service provider that stores and manages personal data of customers for an online shopping platform is a data processor.
- Processing: A wholly or partly automated operation or set of operations performed on digital personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
- Consent: A clear, specific, informed and free expression of will by the data principal to allow the processing of their personal data for a specified purpose. For example, a customer who agrees to receive promotional emails from an online shopping platform by ticking a box is giving consent.
- Significant data fiduciary: A data fiduciary that has been notified by the Data Protection Board as having significant impact on the rights and interests of data principals due to the volume or sensitivity of personal data processed by them or the risk of harm that may be caused by such processing. For example, a social media platform that processes large amounts of personal data of its users may be designated as a significant data fiduciary.
- Data Protection Board: The regulatory body established under the DPDP Act for the implementation and enforcement of the provisions of the Act. The Board has powers to issue directions, orders, guidelines, codes of practice, etc., and to impose penalties for non-compliance with the Act.
- Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted.
Conclusion: The enactment of the Digital Personal Data Protection Act marks a significant advancement in India’s legal framework, recognizing privacy as a fundamental right and establishing a robust structure for data protection. This Act lays the foundation for a safer digital environment for citizens while promoting trust in the handling of personal data.
Disclaimer: This is an effort by Lexcomply.com to contribute towards improving the compliance management regime. Users are advised not to construe this service as a legal opinion and are advised to seek the views of subject experts.