DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A GAME CHANGER FOR BUSINESSES AND PRIVACY

Adv. Lazim Vengattil, Associate, Alishahz Legal LLP

INTRODUCTION

India’s enactment of the Digital Personal Data Protection Act in 2023 marks a major shift in data protection. It introduces comprehensive obligations on private businesses, known as “data fiduciaries,” with rules governing data processing, cross-border data flow, and specific parental consent requirements for children’s data, backed by penalties of up to 250 Crores for non-compliance and breaches. The legislation fundamentally overhauls the previous data protection framework, emphasizing consent, transparency, and accountability. Companies will need to invest in enhanced data architecture, automation tools, and potentially in-house data privacy officers. The impact spans many sectors, particularly finance, banking, social media, e-commerce, healthcare, and ed-tech, and companies should begin preparing for compliance immediately to avoid disruptions in data collection and business operations.

WHAT’S DATA PROTECTION?

Data protection is the act of safeguarding personal information, respecting individuals’ privacy rights, and ensuring responsible handling of data, which includes personally identifiable information like names, addresses, and digital footprints.

JOURNEY TO THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

In 2017, India recognized privacy as a fundamental right following the Puttaswamy Judgment, setting the stage for transformative changes. This pivotal decision laid the foundation for a series of significant developments that would redefine data protection in India.

  • In 2018, a committee chaired by Justice Srikrishna proposed the Personal Data Protection (PDP) Act of 2018.
  • By 2019, the PDP Act was in the Lok Sabha and referred to the Joint Parliamentary Committee (JPC).
  • In 2021, the JPC introduced the revised Data Protection Act (DPA) to align India’s laws with global standards.
  • In 2022, the Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection (DPDP) Bill.
  • In 2023, the Union Cabinet approved the DPDP Bill, and the President of India signed it into law, establishing the Digital Personal Data Protection (DPDP) Act. This marked a significant moment for data protection and privacy in India’s digital landscape.

THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

The DPDP Act exclusively governs digital personal data, encompassing both data initially collected in digital format and data that was originally non-digital but has since been digitized. Its jurisdiction extends beyond India’s borders, applying when digital personal data processing is linked to offering goods or services to individuals in India.

The DPDP Act does not apply to personal data processed for personal or domestic purposes, nor does it encompass personal data made publicly available by data principals themselves or under legal obligations.

WHO’S WHO IN THE ACT?

  • Data Principals

According to Section 2(j) of the Act, a “Data Principal” is essentially the data subject to whom the personal data relates or belongs. In simpler terms, if you are providing your personal data to any organization, you are the “Data Principal”. The Act is designed to protect your rights over your personal data and how it is processed.

Data principals hold several rights under the Act, including the right to access personal data information, correct and erase personal data, and nominate an individual to exercise their rights in case of death or incapacitation.

  • Data Processor

A Data Processor, as defined in Section 2(k) of this Act, is an entity or individual entrusted with the responsibility of processing personal data on behalf of a Data Fiduciary. Data Processors act as the hands-on executors of data processing operations.

  • Data Fiduciary

A Data Fiduciary, as per Section 2(i) of this Act, is the entity or individual responsible for determining both the purpose and the means of processing personal data. In simpler terms, they are the custodians of your data. This pivotal role means that Data Fiduciaries have a profound impact on how your personal information is collected, used, and safeguarded. Whether it’s a corporation, government entity, or even an individual, if they are involved in processing personal data, they become Data Fiduciaries under the DPDP Act.

Under this Act, Data Fiduciaries are obligated to adhere to several responsibilities. These include deleting personal data when consent is withdrawn or when it no longer serves its intended purpose, unless legal requirements dictate otherwise. Data Fiduciaries are also mandated to report personal data breaches to the Data Protection Board (DPB) and to notify affected data principals following prescribed procedures. Furthermore, they must establish easily accessible mechanisms to facilitate grievance resolution for data principals.

  • Significant Data Fiduciaries

The Central Government has the authority to classify data fiduciaries as “significant” based on several factors, including the volume and sensitivity of personal data processed, potential risks to data principals, and national security concerns. Section 2(z) of the Act defines a Significant Data Fiduciary as any Data Fiduciary or class of Data Fiduciaries notified by the Central Government under Section 10.

Significant data fiduciaries are subject to additional requirements, including the appointment of a local data protection officer, an independent data auditor for compliance evaluations, periodic data audits, data protection impact assessments, and other measures.

  • Consent Manager

According to Section 2(g), “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. In other words, a consent manager acts as the representative of the Data Principal, handling everything related to consent on their behalf when granting, managing, reviewing and revoking it.

UNDERSTANDING ‘CONSENT AND NOTICE’ UNDER THE ACT

The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. Section 6(1) of the Act explains this provision with an Illustration.

Consent is a cornerstone of the DPDP Act, requiring it to be freely given, specific, informed, unconditional, and unequivocal. Data principals can withdraw consent easily, without affecting prior data processing.

The Act mandates that data principals receive a notice alongside consent requests, providing information about the personal data’s purpose, withdrawal of consent options, grievance resolution mechanisms, and procedures for filing complaints with the Data Protection Board (DPB).

WHO’S IN CHARGE HERE?

Telecom Disputes Settlement and Appellate Tribunal (TDSAT): According to Section 2(a) of the Act, TDSAT is the Appellate Tribunal where data fiduciaries can challenge Data Protection Board decisions within specified timelines and in accordance with prescribed procedures. This provides a mechanism for appealing Data Protection Board rulings.

Data Protection Board (DPB): According to Section 2(a) of the Act, the Board means the Data Protection Board of India established by the Central Government under Section 18. The DPB is the central enforcement and adjudicatory body responsible for overseeing compliance with the DPDP Act. It has the authority to investigate data breaches, impose penalties, and ensure that data fiduciaries adhere to data protection principles.

Central Government: The Central Government plays a pivotal role in the DPDP Act’s implementation. It is responsible for tasks such as appointing members to the DPB, issuing guidelines and policies related to data protection, and determining the countries or territories to which personal data can be transferred.

Data Protection Officer (DPO): Section 2(l) of the Act defines the Data Protection Officer. Significant data fiduciaries are required to appoint a Data Protection Officer based in India. The DPO is responsible for ensuring compliance with the DPDP Act, conducting data protection impact assessments, and serving as a point of contact for data principals and the DPB.

Independent Data Auditor: As per Section 10(2)(b), significant data fiduciaries must engage an independent data auditor to evaluate their compliance with the DPDP Act. This auditor assesses data processing practices, conducts audits, and ensures adherence to data protection requirements.

ABOUT CROSS-BORDER TRANSFER OF PERSONAL DATA

The DPDP Act allows personal data to be transferred by data fiduciaries to other countries or territories for processing unless the Central Government imposes restrictions on transfers to specific nations. However, if other laws or sectoral regulations provide more stringent data protection or transfer limitations, those laws take precedence.

WHAT ARE THE PENALTIES UNDER THE DPDP ACT, 2023?

The Digital Personal Data Protection Act, 2023, establishes a framework of penalties to enforce compliance with its provisions. Below are some key penalties outlined in the Act:

  1. Not Reporting Data Breaches: Failure to promptly report a data breach to the authorities or affected individuals can lead to fines of up to INR 200 Crore. Timely reporting is crucial in mitigating data breach consequences.
  2. Inadequate Protection of Children’s Data: Mishandling data related to children, contrary to the prescribed standards, can incur penalties of up to INR 200 Crore. Extra precautions are mandated for safeguarding children’s data.
  3. Neglecting Data Security Measures: Inadequate data security measures leading to a data breach can result in fines of up to INR 250 Crore. This emphasizes the critical role of robust data security practices.

It’s important to note that the Act also allows the Central Government to exempt specific data fiduciaries or classes of data fiduciaries, including startups, from certain provisions, based on factors such as the volume and nature of personal data processed.

CONCLUSION

It’s crucial for businesses to be aware of and adapt to data protection laws like the Digital Personal Data Protection Act, 2023. These regulations emphasize the need for responsible data handling and privacy safeguards. To thrive in the digital age, businesses should not only comply with existing laws but also remain flexible and ready for future changes in data protection rules. This proactive approach ensures both legal compliance and the trust of customers in an increasingly data-driven world.