The Digital Personal Data Protection Act, 2023 of India: Everything you shall know

Digital Personal Data Protection Bill, 2023


“Privacy is not an option, and it shouldn't be the price we expect for just getting on the internet.” ~ Gary Kovacs


The Digital Personal Data Protection Act (DPDP), 2023 marks a significant turning point in India’s rapidly changing digital environment. The landmark judgment[1] in K.S. Puttaswamy v. Union of India paved the way for legislation on data privacy.

The Act has inverted the asymmetry that existed under the IT Act of 2000 and empowers the citizens/customers of modern-day India against big social media platforms, corporate houses, and other entities that collect consumer information. It gives them the right to choose the information they wish to provide to these entities, a right that did not exist under the IT Act of 2000, thereby taking data privacy a step further and holding these entities accountable in case of a breach of any of the obligations laid down in the Act.


Some salient features

Processing of personal data

The Act applies to the processing of digital personal data within India, where such data is collected online, or collected offline and subsequently digitised.

Applicability Abroad

The DPDP Act governs the management of digital personal data outside India's borders, mainly where such processing involves delivering goods and services to persons in India.

Obligation of data fiduciaries

Data fiduciaries under the Act will be obliged to maintain the accuracy of data, keep data secure, and delete the data once the purpose for which the data has been collected has been accomplished.

Exemptions

The DPDP Act does not cover (i) personal data processed by an individual for personal or domestic purposes, or (ii) personal data made publicly available by the Data Principal, or by any other person under a legal obligation.

Illustration: X, while blogging her views, has made her personal data publicly available on social media. In such a case, the provisions of this Act shall not apply.

Important Definitions

The DPDP legislation has devised a set of defined terms to remove the vagueness in the Indian cyber-law space. Let us look at them one by one:

· Data Fiduciary: Data Fiduciary in the Act refers to any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data[2]. It can be a social media website, a business entity, or any website that collects personal information.

· Data Principal: Data Principal in the Act refers to the individual to whom the personal data relates and, where such individual is

o a child, includes the parents or lawful guardian of such child;

o a person with a disability, includes her lawful guardian acting on her behalf[3].

· Data Processor: Data Processor in the Act refers to any person who processes personal data on behalf of a Data Fiduciary[4].

· Personal Data: Personal data in the Act denotes any data about an individual who is identifiable by, or in relation to, such data[5], such as name, address, telephone number, etc.

· Processing: Processing, as defined in the Act, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction[6].


Rights provided under the Act to Data Principals / Citizens

Sections 11 to 15 of the Act give certain rights to Data Principals against Data Fiduciaries, empowering them and giving them control over the information they provide. These rights are as follows:

· Right to access personal information: The Data Principal shall have the right to obtain from the Data Fiduciary:

o a summary of the personal data that the Data Fiduciary is processing and of its processing activities concerning such personal data;

o the identities of all other Data Fiduciaries and Data Processors with whom the Data Fiduciary has shared the personal data; and

o any other information related to such personal data.

Illustration: 'X' is an individual who registers on a social media platform and uses it frequently. He provides certain private information about himself on that platform. 'X' later submits a request for a summary of the personal data processed by the social media platform (the Data Fiduciary here). The platform is bound to provide it.

· Right to correction and erasure of personal data: The Data Principal shall have the right to

o correction,

o completion,

o updating, and

o erasure

of the personal data for the processing of which she has previously given consent. Accordingly, the Data Principal may have inaccurate personal data corrected, incomplete personal data completed, and personal data updated[7].

Illustration: 'X' is an individual who registers on an insurance company's network to look for prospective insurance. He provides details on the insurance company's website regarding his residential address, telephone number, and job profile. Later, due to a change of job, his career and address details change. He requests the insurance company (Data Fiduciary) to update his address and job profile. The Data Fiduciary (company) is bound to correct it.

· Right to grievance redressal: The DPDP Act grants the Data Principal the right to a readily accessible means of grievance redressal, which has to be provided by the Data Fiduciary or Consent Manager. The grievance must relate to the performance by the Data Fiduciary or the Consent Manager of their obligations, or to the exercise of the rights of the Data Principal under this Act. The Data Fiduciary shall be bound to respond to the grievance of the Data Principal within the period prescribed under the Act[8].

Illustration: 'X' is a budding entrepreneur; he registers for an online course in which he is taught the nuances of entrepreneurship. 'X' gives information about the business model he is planning and the investment he will make. But when the class starts, the Data Fiduciary projects inaccurate information about him.

The Data Fiduciary has an in-built pop-up on its website for correcting inaccurate data; 'X' uses it to request correction of the incorrect data about him. The Data Fiduciary is bound to update the data within the prescribed time frame.

· Right to nominate: The DPDP Act empowers a Data Principal to nominate another individual to exercise her rights in the event of the Data Principal's death or incapacity. The term incapacity refers to unsoundness of mind, or incapacity or infirmity of body[9].

Notice

An essential element of the DPDP Act is the requirement that organisations/Data Fiduciaries give notice to the individuals from whom they collect personal data. These notices are crucial in enabling individuals to understand how their data is used and to exercise the rights afforded to them under the Act[10].

· Each request for consent under section 6 of the Act must be accompanied or preceded by a notice from the Data Fiduciary to the Data Principal. The notice must set out the specific personal data to be processed, the purpose of the processing, how the Data Principal can exercise her rights, and the procedure for filing a complaint with the Board.

· Where a Data Principal has given consent before the commencement of the Act, the Data Fiduciary must, at the earliest opportunity, inform the Data Principal about the personal data being processed, its purpose, the means of exercising her rights, and the complaint redressal procedure. The Data Fiduciary may continue processing until the Data Principal withdraws her consent. The Data Fiduciary must give the Data Principal the option to access the contents of the notice in English or in any language specified in the Eighth Schedule to the Constitution.


Obligations or Duties of the Data Principal

To balance both sides of the coin, the DPDP Act, while granting extensive rights to Data Principals, also imposes specific duties on them. These are as follows[11]:

· Compliance – The Act mandates that the Data Principal shall comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act.

· Impersonation – The Act mandates that the Data Principal shall not impersonate another person while providing personal data for a specified purpose.

· Suppression of material information – The Act mandates that the Data Principal shall not suppress any material information while providing personal data for any unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities.

· False or frivolous complaint – The Act mandates that the Data Principal shall not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board.

· Furnishing authentic information – While exercising the right to correction or erasure under the Act, the Data Principal shall ensure that the information she furnishes is correct and verifiably authentic.

Obligations of Data Fiduciaries

Chapter 2 of the Act covers the obligations of the Data Fiduciary. To perform its functions effectively, the Data Fiduciary under the Act has been assigned specific responsibilities, which it must carry out regardless of the actions of the Data Principal.

The obligations are as follows –

· Engagement of a Data Processor – A Data Fiduciary may engage a Data Processor, only under a valid contract, to process personal data on its behalf for offering goods or services to Data Principals[12].

Illustration: An e-commerce platform (Data Fiduciary) hires a third-party logistics provider (Data Processor) to deliver goods to customers under a contract outlining the terms and conditions of data processing.

· Ensuring completeness, accuracy, and consistency: If personal data is likely to be used to make a decision affecting the Data Principal, or is to be disclosed to another Data Fiduciary, the processing entity must ensure the data's completeness, accuracy, and consistency.

Illustration: A credit rating agency (Data Fiduciary) ensures that the financial information it processes about individuals is complete and accurate when generating credit scores.

· Implementation of technical and organisational measures: The Data Fiduciary must implement appropriate technical and organisational measures to ensure effective observance of the provisions of the Act and the Rules.

Illustration: An IT company (Data Fiduciary) implements cybersecurity measures, encryption protocols, and employee training to safeguard the personal data it processes.

· Protection against personal data breaches – Attacks on business entities and social media platforms occur from time to time. The Data Fiduciary must take every reasonable security safeguard to protect the personal data of Data Principals.

Illustration: A healthcare provider (Data Fiduciary) uses encryption and access controls to secure patient records and prevent unauthorised access.

· Intimation of personal data breach – In the event of a personal data breach, the Data Fiduciary must inform the Board and the affected Data Principals in the prescribed manner.

Illustration: An insurance company collects information about its customers through its website. If a cyber attack on the website compromises that data, the Data Fiduciary is duty-bound to inform the Board and the customers who have registered on the website about the breach.

· Erasure of personal data: The Data Fiduciary must erase the personal data provided by the Data Principal when the Data Principal withdraws consent, or when the specified purpose is no longer being served, unless retention of the data is necessary for compliance with any law for the time being in force.

Illustration: (I) An online marketplace (Data Fiduciary) erases the personal data of a user (X) after the successful sale of her used car, as the specified purpose has been completed.

(II) A bank (Data Fiduciary) retains the personal data of an account holder (X) for ten years after account closure, as required by banking regulations.

· Deeming the purpose no longer served: If the Data Principal neither approaches the Data Fiduciary for the performance of the specified purpose nor exercises any of her rights for a prescribed period, the purpose is deemed to be no longer served.

Illustration: The purpose is no longer served if a customer (Data Principal) does not contact their internet service provider (Data Fiduciary) or exercise any data-related rights for the prescribed period.

· Publication of contact information: The Data Fiduciary must publish the contact information of a Data Protection Officer (DPO), or of a person able to answer questions raised by Data Principals about the processing of their personal data.

Illustration: A technology company (Data Fiduciary) includes the contact details of its Data Protection Officer on its website for Data Principals to raise inquiries.

· Mechanism for grievance redressal: The Data Fiduciary must establish an effective mechanism to redress the grievances of Data Principals.

Illustration: An online streaming service (Data Fiduciary) sets up a customer support system to handle complaints and inquiries about personal data processing.

· Consideration of approach by the Data Principal: A Data Principal is deemed not to have approached the Data Fiduciary if she does not initiate contact for the specified purpose within the prescribed period.

Illustration: If a customer (Data Principal) does not initiate contact or exercise data-related rights within the prescribed period, the Data Fiduciary may consider the purpose to be no longer actively pursued.


Significant Data Fiduciaries

The Act has introduced the term Significant Data Fiduciary. Certain boxes have to be ticked before a Data Fiduciary can be classified as a Significant Data Fiduciary, such as:

· the volume and sensitivity of the personal data processed by the Data Fiduciary;

· the risk to the rights of Data Principals;

· the potential impact on the sovereignty and integrity of India;

· the risk to electoral democracy;

· the security of the State; and

· public order.

The Significant Data Fiduciary will also have to meet additional obligations to ensure that the data being processed is safe. These duties include appointing a Data Protection Officer, conducting data audits, and undertaking measures such as Data Protection Impact Assessments and periodic audits to ensure compliance with data protection regulations. These measures aim to enhance transparency, accountability, and the protection of individual rights in data processing[13].

The Data Protection Board

The new Act has introduced the concept of a Data Protection Board, which the Central Government will establish to monitor non-compliance in the system and to adjudicate disputes between those whose personal data has been provided to a platform and the platform that has breached its obligations under the Act. The Data Protection Board will be responsible for the following functions –

· monitoring compliance and imposing penalties;

· in the event of a data breach, directing Data Fiduciaries to take the necessary remedial measures; and

· providing Data Principals affected by breaches or other issues with a full-fledged grievance redressal body.

The Board members will be appointed for two years and will be eligible for reappointment. The Central Government will prescribe the composition of the Board and the manner of selection of its members. The Telecom Disputes Settlement and Appellate Tribunal will have appellate authority over the decisions of the Data Protection Board.

The purpose of introducing a full-fledged Data Protection Board was to address the fact that no substantive adjudication was taking place under the IT Act of 2000 or any other law for the time being in force, which made grievance redressal a major problem for Data Principals. The government therefore had to develop a dispute resolution mechanism that could soundly adjudicate such disputes.

Procedure to be followed by the Board

The Data Protection Board shall follow the procedure laid down in Chapter 6 of the DPDP Act, which provides as follows –

· It will function as an independent body.

· The Board, upon receiving an intimation, complaint, reference, or direction as specified in Section 27(1), will take action in accordance with the provisions of the Act and the rules made under it.

· The Chairperson of the Board exercises certain powers: (a) general superintendence and direction over all administrative matters of the Board; (b) authorising any officer to scrutinise any intimation, complaint, reference, or correspondence; and (c) authorising the performance of Board functions and the conduct of proceedings by individual Members or groups of Members, and allocating proceedings among them.

· The Board determines whether sufficient grounds exist to proceed with an inquiry.

· If the Board finds insufficient grounds, it may close the proceedings, with reasons recorded in writing.

· If the Board finds sufficient grounds, it may proceed with an inquiry into the affairs of any person to ascertain compliance with the provisions of the Act, recording the reasons for its actions in the inquiry.

· For discharging its functions, the Board has the same powers as a civil court under the Code of Civil Procedure, 1908, including summoning and enforcing attendance, examining individuals on oath, receiving evidence by affidavit, inspecting documents, and other matters as may be prescribed.

· The Board or its officers shall not prevent access to any premises or take into custody any equipment or item in a manner that may adversely affect a person's day-to-day functioning.

· The Board may requisition the services of police officers or officers of the Central Government or a State Government to assist in its functions, and such officers must comply with the Board's requisition.

· During an inquiry, if deemed necessary, the Board may issue interim orders, with reasons recorded in writing, after giving the person concerned an opportunity to be heard.

· After completing the inquiry and giving the person concerned an opportunity to be heard, the Board may either close the proceedings or proceed under Section 33, with reasons recorded in writing.

· At any stage after receiving a complaint, if the Board finds the complaint false or frivolous, it may issue a warning or impose costs on the complainant, with reasons recorded in writing.


Cross Border Data Transfer

· A Data Fiduciary must comply with the provisions of the Act when transferring personal data across borders. The Act provides that the Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.

· The Act also clarifies that this provision does not restrict the applicability of any law in force in India that provides a higher degree of protection for, or restriction on, the transfer of personal data by a Data Fiduciary[14].

Penalization

The DPDP Act sets out the penalties that may be imposed for non-compliance. The Schedule to the DPDP Act provides the penalties for non-compliance, which are as follows[15]:

· Compromise of personal data – The Data Protection Board has the authority to impose fines of up to two hundred and fifty crore rupees on a Data Fiduciary for failing to fulfil its obligation to take reasonable security safeguards to prevent a personal data breach, as provided under sub-section (5) of section 8.

· Breach of personal data – The Data Protection Board may impose a fine of up to two hundred crore rupees on a Data Fiduciary if it fails to give the Board notice or information of a personal data breach, as required under sub-section (6) of section 8 of the Act.

· Breach of obligations regarding children – Section 9 of the Act provides the obligations of a Data Fiduciary concerning children and persons with disabilities. Before processing the personal data of a child, the Data Fiduciary must obtain the verifiable consent of the parent of the child or of any lawful guardian. Any breach of such obligation may result in a penalty extending up to two hundred crore rupees.

· Breach of additional obligations as a Significant Data Fiduciary – Section 10 of the Act defines when the government may designate a Data Fiduciary as a 'Significant Data Fiduciary' and lays down certain additional obligations for it. Violation of these obligations as a Significant Data Fiduciary may result in a fine extending up to one hundred and fifty crore rupees.

· Breach of observance of duties – As discussed above, section 15 of the Act prescribes specific duties for the Data Principal, which dovetail with the rights provided to her. Breach of any of these duties also carries a consequence: if a Data Principal breaches any of the duties mentioned in this section, she may be fined an amount extending up to ten thousand rupees.

· Breach of any voluntary undertaking accepted by the Board under section 32 – Section 32 of the Act states that the Board may accept a voluntary undertaking in respect of any matter related to observance of the provisions of the Act from any person at any stage of proceedings under section 28. The undertaking may include an undertaking to take specified action within such time as may be determined by the Board, to refrain from taking specified action, and/or to publicise the undertaking. Any breach of such an undertaking may attract a fine extending up to the fine specified for a violation under section 28 (functions of the Board) of the Act.

· Breach of any other provision of the Act – If a breach occurs under any other provision, the fine may extend up to fifty crore rupees.

Conclusion

Every developed country has enacted privacy legislation for the new age of technology, where data is currency and privacy has become crucial for consumers/citizens. The European Union brought in the General Data Protection Regulation in 2018, and California in the United States brought in the California Consumer Privacy Act in 2020. Similarly, given the inadequacy of the Information Technology Act, 2000 in dealing with the cybercrimes that have evolved alongside technology, and in order to protect the consumer data of our citizens, we as a country also needed a strong law for our cyberspace. With the arrival of this Act, consumers will feel more empowered, and our nation will stand on the same footing as its counterparts in Europe and America.


~ By Pakhi Garg & Prakhar M. Tripathi

(Co-founder, WCSF) & (Team Member, WCSF)



[1] K.S. Puttaswamy v. Union of India, (2019) 1 SCC

[2] Digital Personal Data Protection Act, 2023, § 2(i), No. 22, Acts of Parliament, 2023 (India)

[3] Digital Personal Data Protection Act, 2023, § 2(j), No. 22, Acts of Parliament, 2023 (India)

[4] Digital Personal Data Protection Act, 2023, § 2(k), No. 22, Acts of Parliament, 2023 (India)

[5] Digital Personal Data Protection Act, 2023, § 2(t), No. 22, Acts of Parliament, 2023 (India)

[6] Digital Personal Data Protection Act, 2023, § 2(x), No. 22, Acts of Parliament, 2023 (India)

[7] Digital Personal Data Protection Act, 2023, § 12(1), No. 22, Acts of Parliament, 2023 (India)

[8] Digital Personal Data Protection Act, 2023, § 13(1), No. 22, Acts of Parliament, 2023 (India)

[9] Digital Personal Data Protection Act, 2023, § 14(1), No. 22, Acts of Parliament, 2023 (India)

[10] Digital Personal Data Protection Act, 2023, § 5(1), No. 22, Acts of Parliament, 2023 (India)

[11] Digital Personal Data Protection Act, 2023, § 15, No. 22, Acts of Parliament, 2023 (India)

[12] Digital Personal Data Protection Act, 2023, § 8(2), No. 22, Acts of Parliament, 2023 (India)

[13] Digital Personal Data Protection Act, 2023, § 10(1), No. 22, Acts of Parliament, 2023 (India)

[14] Digital Personal Data Protection Act, 2023, § 16(1), No. 22, Acts of Parliament, 2023 (India)

[15] Digital Personal Data Protection Act, 2023, § 33(1), No. 22, Acts of Parliament, 2023 (India)
