
After the introduction of the much-awaited Digital Personal Data Protection Act, 2023 (Act), which was published on August 11, 2023, many organizations are gearing up to ensure compliance with the Act. The provisions of this Act shall become operational on dates set by the Central Government. Some of the key highlights of this Act are as below:

Application of the Act: The Act applies to how personal data is handled, and it covers: a. digital data in India: when personal data is collected in India, whether it is in digital form or converted to digital form later; b. digital data outside India: when personal data is processed outside India but the processing is related to offering goods or services to people in India. However, there are exceptions where the Act does not apply, i.e., a. when an individual processes personal data for their personal or household use; b. when personal data is voluntarily made public by the person it belongs to; or c. if there is a legal obligation to make it public.

Key Concepts: Some key concepts discussed under the Act include:

1. Data means information, facts, opinions, or instructions presented in a way that can be understood by humans or processed by computers;

2. Digital personal data is personal data in a digital form;

3. Processing includes various operations performed on digital personal data, such as collection, storage, use, sharing and erasure, etc.;

4. Data Fiduciary is any person or entity that, alone or with others, decides why and how personal data is processed. This is seen as a concept equivalent to a data controller under the GDPR.

5. Data Processor is a person who handles personal data on behalf of a Data Fiduciary.

6. Data Principal, commonly known as a data subject, is an individual to whom personal data belongs, and it includes parents or guardians for children or guardians for individuals with disabilities.

7. Significant Data Fiduciary refers to a Data Fiduciary or a category of Data Fiduciaries specified by the Central Government.

8. Consent Manager is someone registered with the board who helps individuals manage their consent for data processing. Interestingly, scenarios earlier viewed as “deemed consent” have now been done away with, and the Act lays down grounds for processing of Data as discussed below.

Grounds for Processing:

1. The Act requires explicit consent from the Data Principal, which should be sought for legitimate uses. When seeking consent, the Data Fiduciary should provide a comprehensive notice to the Data Principal including details such as i. Personal Data to be processed; ii. purpose of such processing; iii. instructions for exercising data rights; and iv. information on how to file complaints with the board set up under the Act. It is noteworthy that, in case consent was given before the enactment of the Act, the Data Fiduciary must notify the Data Principal about ongoing data processing, and may continue processing until consent is revoked by the Data Principal.

2. The Act also stipulates the form of consent: i. consent must be freely given, specific, informed, unconditional and unambiguous; ii. it should require a clear affirmative action from the Data Principal; iii. any consent aspect conflicting with the law shall be considered null and void; iv. consent requests should use plain language and offer language options; v. Data Principals should be given a right to withdraw consent at any time without affecting prior lawful data processing, and upon consent withdrawal, the Data Fiduciary must cease data processing unless mandated by law.

3. The Act also throws light on what a legitimate use is, which includes processing for: i. the specified purpose for which the Data Principal has voluntarily provided personal data to the Data Fiduciary; and ii. in respect of which he/she has not indicated to the Data Fiduciary that he/she does not consent to the use of his/her Personal Data. Different bases for processing Personal Data, such as legal obligation, medical emergencies, employment, etc., are bundled into legitimate uses. Where Personal Data is processed under legitimate uses, other than where it is given voluntarily, the Data Principals will not have the right to erase, correct and access their personal data or withdraw their consent. The Act takes a narrower approach to the grounds for processing personal data in comparison to the prominent global privacy laws.

Obligations of Data Fiduciaries and Significant Data Fiduciary (SDF): The Act requires the Data Fiduciaries to: a. engage data processors only through valid contracts; b. share accurate, complete, and consistent Data which shall be used by other Data Fiduciaries; c. implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act; d. provide notices upon any breaches; e. irrecoverably delete personal data after the purpose for which it was collected has expired or when the consent has been withdrawn; f. publish contact details of a data protection officer/responsible person capable of answering queries; and g. establish a mechanism to address Data Principals’ grievances. The Act introduces the concept of the SDF, which shall be notified by the Central Government based on factors such as volume and sensitivity of data processed, risks to rights of the Data Principals, potential impacts on sovereignty and integrity of India, public order, etc. Obligations cast on an SDF include appointing a data protection officer who must be located in India, appointing an independent data auditor to carry out periodic data audits, and conducting a data protection impact assessment periodically. There will be clarity on how the Act intends to implement such obligations upon the Data Fiduciaries and SDFs after the rules are published, but organizations processing Digital Personal Data must take active steps to seek consents, provide notices, etc., to ensure compliance with the Act.

Other Highlights: While the Act permits cross-border data transfers, the Central Government may in time notify restrictions on transfers to some countries/territories. The Act does not provide for any criminal liabilities; however, non-compliance by Data Fiduciaries may attract financial penalties up to INR Two Hundred Fifty Crore. Data Principals may also face penalties up to INR Ten Thousand for non-compliance. The Central Government may exempt specific companies, including startups, from certain rules like data access, correction, and grievance redressal. Therefore, organisations processing digital personal data of Indian data subjects/principals need to take active steps to begin their compliance journey, e.g.,

a. putting in place privacy policies,

b. issuing notices & obtaining consents in the manner advised under the Act,

c. implementing requisite technical & security safeguards,

d. revisiting the data collection checkpoints,

e. setting up a mechanism for responding to requests from data principals as well as grievance redressal mechanisms, etc.

Conclusion:

India’s Digital Personal Data Protection Act 2023 marks a pivotal moment in the nation’s data governance. From consent intricacies to the obligations imposed on data fiduciaries and the emergence of Significant Data Fiduciaries, the Act redefines how data is handled. Organizations must embark on a proactive compliance journey, ensuring privacy policies, technical safeguards, and response mechanisms align with the Act’s requirements. As the digital landscape evolves, so does India’s approach to safeguarding personal data, setting a benchmark for responsible data practices.


Author Bio

Shruti is a Corporate Lawyer and provides legal services to domestic and international clients across various domains. She also holds an MBA degree in Business Management from Narsee Monjee Institute of Management Studies (NMIMS). Shruti has developed a strong expertise in drafting, reviewing, and
