The purpose of the Act is to ensure that an individual's digital personal data is processed lawfully, while recognising the individual's right to the protection of that data.
The right to privacy was declared a fundamental right in the landmark 2017 judgment of the Hon'ble Supreme Court of India in Justice K.S. Puttaswamy (Retd.) & Another v. Union of India & Others.
The Digital Personal Data Protection Act, 2023 ("DPDPA" or "Act") that followed is India's first comprehensive data protection legislation.
Until now, apart from the sectoral regulations of the RBI, SEBI and IRDAI, data privacy and protection in India has been governed mainly by the Information Technology Act, 2000 and the rules made under it, together with the directions of the Indian Computer Emergency Response Team (CERT-In).
The evolution of India's data protection law after years of parliamentary deliberation is a step towards aligning the country with global data privacy and protection laws.
DPDPA was published in the Gazette of India by the Central Government on 11 August 2023 and will come into force on the date or dates appointed by the Central Government. The Central Government is expected to notify the provisions of DPDPA in phases, so that different provisions take effect on different dates. The first set of rules under the Act is expected soon.
For a better understanding of DPDPA, it helps to be familiar with some important definitions in the Act, namely:
Data means a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by human beings or by automated means.
Personal data means any data about an individual who is identifiable by or in relation to such data.
Digital personal data means personal data in digital form.
Data Principal means the individual to whom the personal data relates and, where such individual is (i) a child, includes the parents or lawful guardian of such child; (ii) a person with disability, includes her lawful guardian acting on her behalf.
Child means an individual who has not completed the age of eighteen years.
Data Fiduciary means any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. Significant Data Fiduciary means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government.
Data Processor means any person who processes personal data on behalf of a Data Fiduciary.
Processing in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure, or destruction.
Personal data breach means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data.
Consent Manager means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.
Data Protection Officer means an individual appointed by the Significant Data Fiduciary.
DPDPA lays down the grounds on which digital personal data may be processed, namely:
Lawful purpose: The Act prescribes that a Data Fiduciary may process personal data only for a lawful purpose for which the Data Principal has given consent, or for certain "legitimate uses", such as processing of personal data that the Data Principal has voluntarily provided for a specified purpose (e.g. medical treatment or health services), processing for the provision of government benefits, subsidies or reliefs, processing to comply with a law or a judicial order, processing in the interest of public order, and processing for employment purposes.
Consent: Data Fiduciaries may process personal data on the basis of consent obtained from the Data Principal. The consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the personal data that is necessary for the specified purpose.
Notice: Before obtaining consent for processing, the Data Fiduciary must present the Data Principal with a notice that specifies what personal data is to be collected, the specified purposes for which it will be processed, how the Data Principal can make a complaint to the Board, how the Data Principal can exercise her rights under the Act, and the contact details of the Data Protection Officer (DPO) or any other person responsible for responding to requests by Data Principals to exercise their rights under the Act.
All Data Fiduciaries should be able to demonstrate that the consent and notice requirements were met. They will therefore need to keep a record of the delivery of each notice and log each Data Principal's indication of consent. Consent must be capable of being withdrawn as easily as it was given. Once a Data Principal has withdrawn consent, the Data Fiduciary must cease processing the personal data within a reasonable time, unless such processing is required or authorised under the Act or any other law. The Data Fiduciary may then either delete the personal data it holds or ensure that the data is no longer in the nature of "personal data" (that is, anonymise it). The consequences of withdrawing consent are borne by the Data Principal.
Consent obtained in contravention of the Act or any other law in force is invalid to that extent.
If a Data principal had consented to the processing of her personal data before the Act is in effect, the Data fiduciary can continue such processing until the Data principal withdraws her consent. However, once the Act is effective, the Data fiduciary is obliged to notify the Data principal about such processing based on past consent as soon as reasonably practicable.
Languages: The notice and the request for consent must be in clear and plain language, and the Data Principal must have the option to access the notice in English or in any of the 22 languages specified in the Eighth Schedule to the Constitution of India.
A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to the offering of goods or services to Data Principals, but only under a valid contract.
Where a Data Fiduciary processes personal data to make a decision that affects the Data Principal, or to disclose it to another Data Fiduciary, it must ensure the completeness, accuracy and consistency of that personal data. A Data Fiduciary must implement appropriate technical and organisational measures to ensure effective observance of the Act and the rules made under it, and must protect the personal data in its possession or under its control, including data processed on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach.
In the event of a personal data breach, the Data Fiduciary must intimate the Board and each affected Data Principal of the breach, in the form and manner to be prescribed by the rules under the Act.
Unless retention is necessary for compliance with any law for the time being in force, the Data Fiduciary must erase personal data when the Data Principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, and must ensure that its Data Processor erases any personal data the Data Fiduciary made available to it for processing.
A Data Fiduciary must publish the contact information of its Data Protection Officer, where applicable, or of a person able to answer on its behalf the questions a Data Principal may raise about the processing of her personal data, and must establish an effective mechanism for redressing the grievances of Data Principals.
Children's data: Before processing any personal data of a child, or of a person with disability who has a lawful guardian, the Data Fiduciary must obtain the verifiable consent of the parent of the child or of the lawful guardian, as applicable. A Data Fiduciary must not undertake processing that is likely to cause a detrimental effect on the well-being of a child, and must not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
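The record-keeping duties described above (log the notice delivered and each consent, honour withdrawal, stop processing for that Data Principal, then erase unless a law requires retention) can be sketched as a small consent ledger. The following is an added illustration, not code from the article and not anything the Act or its rules prescribe; the class and function names, the event format, the purpose labels and the sample notice and record are assumptions chosen to show the pattern.

```python
# Added illustration, not code from the article or the Act: names, fields and
# sample data below are assumptions chosen to show the record-keeping pattern.
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import Dict, List, Optional, Set


@dataclass
class ConsentRecord:
    principal_id: str
    purposes: Set[str]          # purposes named in the notice the principal saw
    notice_hash: str            # SHA-256 of the exact notice text delivered
    notice_language: str        # language option the principal chose, e.g. "en"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Current consent per Data Principal plus an append-only audit trail."""

    def __init__(self) -> None:
        self._current: Dict[str, ConsentRecord] = {}
        self.events: List[dict] = []

    def log(self, kind: str, principal_id: str, **detail) -> None:
        self.events.append({"kind": kind, "principal": principal_id,
                            "at": datetime.now(timezone.utc).isoformat(), **detail})

    def record_consent(self, principal_id: str, notice_text: str,
                       notice_language: str, purposes: Set[str]) -> ConsentRecord:
        # Hash the notice actually shown, so the record can later show which
        # text the consent referred to even after the notice template changes.
        rec = ConsentRecord(principal_id, set(purposes),
                            sha256(notice_text.encode("utf-8")).hexdigest(),
                            notice_language, datetime.now(timezone.utc))
        self._current[principal_id] = rec
        self.log("notice_delivered", principal_id, notice_hash=rec.notice_hash,
                 language=notice_language)
        self.log("consent_given", principal_id, purposes=sorted(purposes))
        return rec

    def withdraw(self, principal_id: str) -> bool:
        rec = self._current.get(principal_id)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        self.log("consent_withdrawn", principal_id)
        return True

    def may_process(self, principal_id: str, purpose: str) -> bool:
        # Only for a purpose named in the notice that was consented to, and only
        # while that consent has not been withdrawn.
        rec = self._current.get(principal_id)
        return rec is not None and rec.withdrawn_at is None and purpose in rec.purposes

    def erasure_due(self, principal_id: str, purpose_still_served: bool,
                    retention_required_by_law: bool) -> bool:
        # Erase on withdrawal or once the specified purpose is no longer served,
        # whichever is earlier, unless another law requires retention.
        rec = self._current.get(principal_id)
        if rec is None or retention_required_by_law:
            return False
        return rec.withdrawn_at is not None or not purpose_still_served


def use_data(store: Dict[str, dict], ledger: ConsentLedger,
             principal_id: str, purpose: str) -> Optional[dict]:
    # Gate every use of stored personal data on the ledger, not on the caller.
    return store.get(principal_id) if ledger.may_process(principal_id, purpose) else None


def erasure_sweep(store: Dict[str, dict], ledger: ConsentLedger,
                  purpose_still_served: Dict[str, bool],
                  retention_required: Set[str]) -> List[str]:
    # Delete records whose erasure is due; the ids erased are returned and logged.
    erased = [pid for pid in store
              if ledger.erasure_due(pid, purpose_still_served.get(pid, True),
                                    pid in retention_required)]
    for pid in erased:
        del store[pid]
        ledger.log("erased", pid)
    return erased


def demo() -> dict:
    # Constructed sample data: not real individuals and not a real notice.
    ledger, store = ConsentLedger(), {}
    notice = "We collect your name and address to deliver your order and send offers."
    ledger.record_consent("dp-1", notice, "en", {"order_delivery", "marketing"})
    store["dp-1"] = {"name": "A. Example", "address": "1 Sample Street"}
    out = {"delivery_ok": use_data(store, ledger, "dp-1", "order_delivery") is not None,
           "analytics_ok": use_data(store, ledger, "dp-1", "analytics") is not None}
    ledger.withdraw("dp-1")
    out["after_withdrawal_ok"] = use_data(store, ledger, "dp-1", "order_delivery") is not None
    out["erased"] = erasure_sweep(store, ledger, {"dp-1": True}, set())
    out["event_kinds"] = [e["kind"] for e in ledger.events]
    return out
```

Two design points matter more than the code itself: the ledger stores a hash of the notice text the Data Principal actually saw, so the organisation can later demonstrate what the consent referred to even after the notice template is revised, and every read of personal data goes through the purpose check rather than relying on the calling code to remember it. In a real system the audit trail would be written to append-only storage and the erasure sweep would also instruct any Data Processor holding copies.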
The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary on the basis of factors such as the processing of personal data of children, the volume and sensitivity of the personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order.
A Significant Data Fiduciary must appoint a Data Protection Officer who represents it, is based in India, is an individual responsible to its Board of Directors or similar governing body, and is the point of contact for the grievance redressal mechanism. It must also appoint an independent data auditor to carry out data audits evaluating its compliance, and must undertake periodic Data Protection Impact Assessments, periodic audits and such other measures as are consistent with the provisions of the Act.
With regard to their personal data, Data Principals have the right to access information about its processing, the right to correction and erasure, the right to nominate another individual to exercise their rights in the event of their death or incapacity, and the right to grievance redressal.
Data Principals also have duties under the Act. While exercising rights under the Act, a Data Principal must comply with all applicable laws for the time being in force; must not impersonate another person while providing personal data for a specified purpose; must not suppress any material information while providing personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities; must not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and must furnish only information that is verifiably authentic when exercising the right to correction or erasure of personal data.
DPDPA exempts certain processing of personal data from several of its provisions, namely: processing necessary for enforcing any legal right or claim; processing by any judicial or regulatory authority; processing in the interest of the prevention, detection, investigation or prosecution of any offence or contravention of any law; processing, by a person based in India under a contract with a person outside India, of personal data of Data Principals who are not within the territory of India; processing for the purpose of a merger or acquisition; and processing to ascertain the financial information, assets and liabilities of any person who has defaulted in payment due on a loan or advance taken from a financial institution.
The Central Government will constitute the Data Protection Board, comprising a Chairperson and Members. The Board has the power to inquire into complaints made by a Data Principal, to act on the directions of any court, to direct urgent remedial or mitigation measures on receiving intimation of a personal data breach, to inquire into such a breach, and to impose penalties.
DPDPA imposes no criminal penalties, but the monetary penalties are substantial. In determining the amount of a penalty, the Board considers factors such as the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach is repetitive; whether the Data Fiduciary realised a gain or avoided a loss as a result of the breach; whether the penalty is proportionate and effective; and the likely impact of the penalty on the Data Fiduciary. At any stage of a proceeding the Board may accept a voluntary undertaking from a Data Fiduciary, including a commitment to take appropriate action within a timeframe determined by the Board. Acceptance of the undertaking bars proceedings under DPDPA against the Data Fiduciary as regards the matters covered by the undertaking.
A breach of the Data Fiduciary's obligation to take reasonable security safeguards to prevent a personal data breach may attract a penalty of up to two hundred and fifty crore rupees; a breach of the obligation to notify the Board or affected Data Principals of a personal data breach, or of the additional obligations in relation to children, may attract a penalty of up to two hundred crore rupees; a breach of the additional obligations of a Significant Data Fiduciary may attract a penalty of up to one hundred and fifty crore rupees; and a breach of any other provision of DPDPA may attract a penalty of up to fifty crore rupees.
Organisations that process digital personal data should assess their current state and start building their data privacy practices and controls now. As a first step, organisations that act as Data Fiduciaries or Data Processors should prepare an inventory of the systems in which personal data is stored and of the third-party suppliers that process personal data on their behalf, and revisit their contractual terms and organisation-level policies and practices so that the obligations they set out align with DPDPA. A gap analysis should then identify the missing controls, so that appropriate mechanisms can be put in place for consent management, contractual obligations, data retention and erasure, grievance redressal, breach notification, incident response, and awareness and training for employees.