All You Need To Know About The Digital Personal Data Protection Act 2023

After five years of deliberation, India finally has a comprehensive legal framework in place to govern the handling of its citizens' personal data. On August 11, 2023, the Digital Personal Data Protection Act 2023 ("DPDP Act") received the President's assent, bringing an end to the uncertainty that existed in the realm of data protection in India. The DPDP Act aims to allow the processing of digital personal data while respecting individuals' right to protect their personal data. Key insights into the DPDP Act, along with our analysis, are as follows:
  1. Applicability of the DPDP Act: The Act applies to the processing of digital personal data within India where such data is collected in digital form, or is collected in non-digital form and subsequently digitised. The provisions of the Act also apply to the processing of digital personal data outside India, if it is in connection with any activity related to offering goods or services to data principals within the territory of India. However, the DPDP Act does not apply where personal data is processed by an individual for any personal or domestic purpose, or where the personal data is made (or caused to be made) publicly available either by the individual to whom it relates or by any other person who is under an obligation under any law in force to make such personal data publicly available. The DPDP Act has eliminated the classification of personal data into separate categories of personal data, sensitive personal data and critical personal data, which were part of the draft Personal Data Protection Bill, 2019 and of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("SPDI Rules").
  2. Processing of Personal Data: Personal data may be processed in accordance with the provisions of the DPDP Act and for a lawful purpose, either upon receiving the consent of the individual or for certain legitimate uses (described under point 3). Once the specified purpose for which the consent was obtained is fulfilled, or the consent is withdrawn, the data fiduciary shall erase all such personal data unless retention is necessary for compliance with any law for the time being in force.
  3. Processing of Personal Data for Certain Legitimate Uses: The concept of 'deemed consent' from the earlier drafts has been reintroduced as 'legitimate use', which means that the consent of an individual is not required for processing personal data for, among other things: issuing a subsidy, benefit, service, certificate, licence or permit; compliance with any judgment, decree or order; responding to a medical emergency involving a threat to life or health; personal data voluntarily provided by the individual for a specified purpose; providing medical treatment or health services during an epidemic; disclosure of information by the State or its instrumentalities in the interests of the sovereignty and integrity of India or the security of the State; and taking measures to provide assistance during any disaster or breakdown of public order.
  4. Processing of Personal Data of Children and Persons with Disability: The Act defines 'child' as an individual who has not completed the age of eighteen years and imposes additional obligations on data fiduciaries when processing the personal data of a child or of a person with disability who has a lawful guardian: (i) obtain verifiable consent from the parent or lawful guardian; (ii) ensure that such processing does not cause any detrimental effect on the well-being of the child; and (iii) refrain from tracking or behavioural monitoring of children and from targeted advertising directed at children. However, the Act enables the central government to exempt classes of data fiduciaries and purposes of processing from the aforesaid obligations. Further, the central government may also exempt certain data fiduciaries from observing the aforesaid obligations above a certain age below eighteen, if it is satisfied that the data fiduciary in question processes such data in a verifiably safe manner.
  5. Notice: The DPDP Act requires data fiduciaries to give individuals a clear notice setting out (i) a description of the personal data sought to be collected and the purpose of processing it; (ii) the manner in which data principals may exercise their rights; and (iii) the manner in which a complaint may be made to the Data Protection Board of India (discussed under point 12). This requirement is retrospective in nature: where consent was obtained before the commencement of the Act, data fiduciaries must furnish such a notice to the data principals concerned "as soon as it is reasonably practicable", a phrase that remains undefined under the Act.
  6. Consent: Consent for the processing of personal data must be free, specific, informed, unconditional and unambiguous, and must signify, through a clear affirmative action, the data principal's agreement to the processing of her personal data for the specified purpose, limited to such personal data as is necessary for that purpose. A data principal also has the option to withdraw consent at any time, and the ease of withdrawing consent must be comparable to the ease with which it was given. Once consent is withdrawn, the data fiduciary shall cease to process the personal data within a reasonable time.
  7. Consent Manager: The DPDP Act gives data principals the option of giving, managing, reviewing or withdrawing consent through a consent manager, which must be registered with the Data Protection Board of India ("Board"). A consent manager shall be accountable to the data principal and act on her behalf. However, the DPDP Act does not contain any detail regarding the practical and technical arrangements, financial requirements or other conditions applicable to consent managers; these are likely to be notified by way of rules.
  8. General Obligations of Data Fiduciaries: Under the DPDP Act, data fiduciaries are responsible for complying with its provisions and any rules made thereunder. Data fiduciaries are required to erase all personal data once the data principal has withdrawn consent, or as soon as it is reasonable to assume that the specified purpose is no longer being served. Data fiduciaries are also responsible for protecting personal data in respect of any processing undertaken by them or on their behalf, and must implement reasonable security safeguards to prevent a personal data breach. In the event of a personal data breach, data fiduciaries are required to notify the Board and each affected data principal in the manner that may be prescribed. Data fiduciaries must also establish an effective mechanism to redress the grievances of data principals, and must publish the business contact information of a Data Protection Officer (where applicable) or of a person who is able to answer, on the data fiduciary's behalf, the questions of data principals about the processing of their personal data. Furthermore, data fiduciaries must ensure the completeness, accuracy and consistency of personal data where it is likely to be (i) used to make a decision that affects the data principal, or (ii) disclosed to another data fiduciary.
  9. Significant Data Fiduciaries: The central government may, by notification, classify certain data fiduciaries as 'significant data fiduciaries' based on factors such as the volume and sensitivity of personal data processed, the risk to the rights of data principals, and the potential impact on the sovereignty and integrity of India, electoral democracy, the security of the State and public order. Significant data fiduciaries are required to (i) appoint a Data Protection Officer based in India; (ii) appoint an independent data auditor; and (iii) undertake periodic data protection impact assessments, periodic audits and such other measures, consistent with the Act, for managing the risk to the rights of data principals.
  10. Rights of Data Principals: Data principals have certain rights under the DPDP Act, such as the right to obtain information from a data fiduciary, including a summary of the personal data being processed and the processing activities undertaken with respect to it, the identities of all other data fiduciaries and data processors with whom the personal data has been shared (along with a description of the data so shared), and any other related information that may be prescribed; the right to correction, completion, updating and erasure of personal data; and the right to nominate another individual to exercise these rights in the event of the data principal's death or incapacity. In addition, data principals have the right to grievance redressal, which must be provided by the data fiduciary or the consent manager, as the case may be. A data principal may approach the Board only after the grievance redressal mechanism has been exhausted.
  11. Data Localisation: The Act permits the transfer of personal data for processing to any country or territory outside India, except to those countries or territories that the central government restricts by notification. In other words, the central government will notify the foreign jurisdictions to which personal data cannot be transferred. The criteria for determining which foreign jurisdictions are blacklisted under this provision are, however, entirely at the discretion of the central government. Further, the permission to transfer personal data outside India is not unconditional: if another law or regulation provides a higher degree of protection for, or restriction on, the transfer of personal data outside India by a data fiduciary, that law will continue to apply notwithstanding the corresponding provisions of the DPDP Act.
  12. Data Protection Board of India: The Act provides for the establishment of the Board, which has the power to direct any urgent remedial or mitigation measures in the event of a personal data breach, upon intimation of the breach by the data fiduciary. The Board also has the power to inquire into, and impose penalties under the Act for, (i) a personal data breach; (ii) a complaint by a data principal that a data fiduciary has failed to observe its obligations, or that a consent manager has breached its obligations or the conditions of its registration; (iii) a complaint by a data principal regarding the exercise of her rights; or (iv) a reference made to it by the central government or a state government. The Board has the same powers as a civil court under the Code of Civil Procedure, 1908, including summoning and enforcing the attendance of any person, inspecting any document, data or books of account, receiving evidence on affidavit, and requiring the discovery and production of documents. Any appeal against an order of the Board must be filed before the Telecom Disputes Settlement and Appellate Tribunal ("TDSAT"), established under the Telecom Regulatory Authority of India Act, 1997, within sixty days of receipt of the order. TDSAT shall endeavour to dispose of the appeal within six months of the date on which it is presented.
  13. Voluntary Undertaking: The Board may accept a voluntary undertaking from any person facing proceedings relating to observance of the provisions of the DPDP Act. Such an undertaking may include (i) an undertaking to take a specified action within a timeline determined by the Board, (ii) an undertaking to refrain from taking a specified action, and/or (iii) publicising the undertaking. Acceptance of a voluntary undertaking bars proceedings under the Act in relation to the matters covered by it. However, failure to adhere to any term of a voluntary undertaking accepted by the Board is deemed a breach of the provisions of the DPDP Act and attracts penalties.
  14. Alternative Dispute Resolution: Where the Board is of the view that a complaint may be resolved by mediation, it may direct the parties to attempt resolution of the dispute through mediation, with the mediator being mutually agreed upon by the parties concerned.
  15. Penalties: Upon finding, after an inquiry, that a breach of the DPDP Act's provisions is significant, the Board may impose monetary penalties for non-compliance (ranging from ₹10,000 to ₹250 crore under the Schedule to the Act), which are credited to the Consolidated Fund of India. The Act sets out the factors the Board must consider when determining the penalty amount, including the nature, gravity, type and duration of the non-compliance; whether the non-compliance is repetitive; whether the person has gained any benefit or avoided any loss as a result; and any action taken to mitigate the effects and consequences of the non-compliance. The DPDP Act neither provides for criminal penalties for a personal data breach nor provides any compensation to affected data principals in the event of a personal data breach.
  16. Right to be Forgotten: Although the draft Personal Data Protection Bills of 2018 and 2019 provided for a 'right to be forgotten', i.e. the ability of individuals to limit, de-link, delete or correct the disclosure of personal information on the internet that is misleading, embarrassing, irrelevant or anachronistic[1], the DPDP Act does not grant this right to data principals. Under the DPDP Act, data principals have only been granted a limited right to delete personal data that they had earlier agreed to have processed. Upon receipt of a request from the data principal, the data fiduciary shall erase her personal data. However, this right is limited: it does not extend to the deletion of personal data where the consent of the data principal is not required (as discussed under point 3), or where retention of the data is necessary for the specified purpose and/or for compliance with any law.
  17. Exemptions: The Act allows the central government to exempt notified instrumentalities of the State from any or all of its provisions for the processing of personal data in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, maintenance of public order, etc., and also exempts the central government's processing of any personal data that such an instrumentality furnishes to it. Processing necessary for research, archiving or statistical purposes is likewise exempted, subject to prescribed standards. Further, the central government may exempt certain classes of data fiduciaries, including start-ups, from provisions such as notice before consent, ensuring accuracy of personal data, erasure of personal data once its purpose is served, certain general obligations of data fiduciaries, the additional obligations of significant data fiduciaries and the data principal's right to information. In effect, the DPDP Act grants a sweeping exemption to the State and its notified instrumentalities, thereby weakening the protection afforded to the personal data of individuals and raising concerns about the potential violation of the "right to privacy" of data principals. Ideally, the Act should have imposed certain liabilities and obligations on the State and its instrumentalities, with the Board being granted the authority to supervise and take action against any person, including the State and its instrumentalities, that fails to fulfil its obligations or is involved in a personal data breach.
  18. Power to Call for Information and Issue Directions: The central government may call for any information for the purposes of the DPDP Act from any intermediary, data fiduciary or the Board. Further, where the Board has imposed a monetary penalty on a data fiduciary in two or more instances and advises, in the interests of the general public, that access be blocked to any information that enables the data fiduciary to carry on any activity relating to the offering of goods or services to data principals within the territory of India, the Act authorises the central government to direct its agencies or any intermediary to block public access to such information. Notably, such an order must be in writing and may be passed only after the data fiduciary has been given an opportunity of being heard.
 
  19. Replacement of the SPDI Rules: In 2011, the central government introduced the SPDI Rules under Section 87(2)(ob) read with Section 43A of the Information Technology Act, 2000 ("IT Act"), which regulated the processing of personal data and sensitive personal data. The DPDP Act omits both Section 43A and Section 87(2)(ob) of the IT Act, which results in the SPDI Rules ceasing to have effect.
  20. Impact on the Right to Information Act 2005 ("RTI Act"): The DPDP Act also amends Section 8(1)(j) of the RTI Act so as to exempt all personal information from disclosure to citizens under the RTI Act. This amendment narrows the scope of the RTI Act and has a negative impact on people's access to information. Prior to this amendment, personal information could be withheld only if the information sought had no relationship to any public activity or public interest, or if its disclosure would cause an unwarranted invasion of privacy, and even then not where the authorities under the RTI Act were satisfied that the larger public interest justified the disclosure.
  21. Rules to be Prescribed under the DPDP Act: The central government has the power to make rules, consistent with the provisions of the DPDP Act, to carry out the purposes of the Act in respect of the following:
  1. the manner of notice given by the data fiduciary to a data principal about the personal data collection, purpose of processing, rights to exercise and the format for filing complaints to the Data Protection Board of India.
  2. the manner of notice given by the data fiduciary to a data principal about the personal data collection, purpose of processing, rights to exercise and the format for filing complaints to the Data Protection Board of India, where consent was obtained before the commencement of the Act;
  3. the manner of accountability and the obligations of consent manager; registration of Consent Manager and the conditions relating thereto;
  4. the subsidy, benefit, service, certificate, licence or permit for the provision or issuance of which personal data may be processed, where the data principal has previously consented to such processing or the personal data is available with the State or its instrumentalities in digital form, or in non-digital form and subsequently digitised;
  5. the form and manner of intimation of personal data breach to the Board;
  6. the time period for the specified purpose to be deemed as no longer being served;
  7. the manner of publishing the business contact information of a data protection officer;
  8. the manner of obtaining verifiable consent while processing the personal data of children and persons with disabilities;
  9. the classes of data fiduciaries, and the purposes of processing personal data of children and persons with disabilities, that are exempt from the additional obligations, and the conditions relating thereto;
  10. the other matters comprising the process of data protection impact assessment by the significant data fiduciary for the assessment and management of the risk to the rights of the data principals;
  11. the other measures that the Significant Data Fiduciary shall undertake consistent with the provisions of the DPDP Act;
  12. the manner in which a data principal shall make a request to the data fiduciary to obtain information and any other information related to the personal data of such data principal and its processing;
  13. the manner in which a data principal shall make a request to the data fiduciary for erasure of her personal data;
  14. the period within which the data fiduciary shall respond to any grievances by the data principal under the grievance redressal mechanism;
  15. the manner in which a data principal may nominate another individual to exercise her rights in the event of her death or incapacity;
  16. the standards for processing the personal data for exemption from the provisions of the DPDP Act for research, archiving or statistical purposes;
  17. the manner of appointment of the chairperson and other members of the Board and the salary, allowances and other terms and conditions of services thereto;
  18. the manner of authentication of orders, directions and instruments by the Board during the proceedings under this Act;
  19. the terms and conditions of appointment and service of officers and employees of the Board;
  20. the techno-legal measures to be adopted by the Board as well as the other matters for purposes of discharging its functions under this Act;
  21. the form, manner and fee for filing an appeal to TDSAT and the procedure for dealing with such an appeal;
  22. any other matter which is to be or may be prescribed or in respect of which provision is to be, or may be, made by rules.
[1] Michael J. Kelly and David Satola, "The Right to be Forgotten", University of Illinois Law Review (2017), p. 1.
