Explore the key provisions of the Digital Personal Data Protection Act, 2022, focusing on definitions, applicability, consent, rights of data principals, obligations of data fiduciaries, and grievance redressal. Stay informed about the latest data protection regulations in India.
– The Draft Digital Personal Data Protection Bill, 2022 (DPDP Bill) was released by the Ministry of Electronics and Information – Technology for public feedback on November 18, 2022 with the last date for public feedback being January 2, 2023.
– The DPDP bill was passed unanimously by the Rajya Sabha on August 9 while the Lok Sabha passed the bill on August 7.
– The President has given assent to the DPDP Bill on Friday, 11th August, 2023.
Page Contents
- Important Definition:
- Applicability:
- Grounds for processing digital personal data:
- Notice:
- Consent:
- Deemed consent:
- Grounds for processing digital personal data:
- General obligations of Data Fiduciary:
- Significant Data Fiduciary:
- Rights & Duties of Data Principal:
- Right to correction and erasure of personal data:
- Right to nominate:
- Transfer of personal data outside India:
- Exemptions:
- Amendments:
- Grievance redressal & Financial Penalty:
Important Definition:
- “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
- “Data Principal” means the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child;
- “child” means an individual who has not completed eighteen years of age;
- “data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means;
- “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;
- “person” includes— (a) an individual; (b) a Hindu Undivided Family; (c) a company; (d) a firm; (e) an association of persons or a body of individuals, whether incorporated or not; (f) the State; and (g) every artificial juristic person, not falling within any of the preceding sub-clauses;
- “personal data” means any data about an individual who is identifiable by or in relation to such data;
- “Personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data,that compromises the confidentiality, integrity or availability of personal data.
- “processing” in relation to personal data means an automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;
- “harm”, in relation to a Data Principal, means – (a) any bodily harm; or (b) distortion or theft of identity; or (c) harassment; or (d) prevention of lawful gain or causation of significant loss;
- “loss” means – (a) loss in property or interruption in supply of services, whether temporary or permanent; or (b) a loss of an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration.
Applicability:
- The provisions of this Act shall apply to the processing of digital personal data within the territory of India where such personal data is collected:
(a) online;
(b) offline and is digitized.
- The provisions of this Act shall also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any profiling of, or activity of offering goods or services to Data Principals within the territory of India.
- The provisions of this Act shall not apply to:
(a) non-automated processing of personal data;
(b) offline personal data;
(c) personal data processed by an individual for any personal or domestic purpose; and
(d) personal data about an individual that is contained in a record that has been in existence for at least 100 years.
Grounds for processing digital personal data:
A person may process the personal data only in accordance to this Act and Rules made thereunder, for a lawful purpose for which the Data Principal has given or is deemed to have given her consent in accordance with the provisions of this Act. For the purpose of this Act, “lawful purpose” means any purpose which is not expressly forbidden by law.
Notice:
- A notice must be given before seeking consent. Notice should contain details about the personal data to be collected and the purpose of processing.
- On or before requesting a Data Principal for her consent, a Data Fiduciary shall give to the Data Principal an itemised notice in clear and plain language containing a description of personal data sought to be collected by the Data Fiduciary and the purpose of processing of such personal data.
- “notice” can be a separate document, or an electronic form, or a part of the same document in or through which personal data is sought to be collected, or in such other form as may be prescribed either in English language or any language specified in the 8th Schedule to the Constitution of India
Illustration: ‘A’ contacts a bank to open a regular savings account. The bank asks ‘A’ to furnish photocopies of proof of address and identity for KYC formalities. Before collecting the photocopies, the bank should give notice to ‘A’ stating that the purpose of obtaining the photocopies is completion of KYC formalities. The notice need not be a separate document. It can be printed on the form used for opening the savings bank account.
Consent:
- Personal data may be processed only for a lawful purpose for which an individual has given consent.
- Consent may be withdrawn at any point in time.
- For individuals below 18 years of age, consent will be provided by the legal guardian.
- Consent of the Data Principal means any freely given, specific, informed and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose. For the purpose of this sub-section, “specified purpose” means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act.
- Any part of consent referred in sub-section (1) which constitutes an infringement of provisions of this Act shall be invalid to the extent of such infringement.
Illustration: ‘A’ enters into a contract with ‘B’ to provide a service ‘X’ to ‘B’. As part of the contract, ‘B’ consents to: (a) processing of her personal data by ‘A’, and (b) waive her right to file a complaint with the Board under the provisions of this Act. Part (b) of the consent by which ‘B’ has agreed to waive her right shall be considered invalid.
- Where consent given by the Data Principal is the basis of processing of personal data, the Data Principal shall have the right to withdraw her consent at any time. The consequences of such withdrawal shall be borne by such Data Principal. The withdrawal of consent shall not affect the lawfulness of processing of the personal data based on consent before its withdrawal. The ease of such withdrawal shall be comparable to the ease with which consent may be given.
Illustration: ‘A’ enters into a contract with ‘B’ to provide a service ‘X’ to ‘B’. As part of the contract, ‘B’ consents to processing of her personal data by ‘A’. If ‘B’ withdraws her consent to processing of her personal data, ‘A’ may stop offering the service ‘X’ to ‘B’.
- The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. For the purpose of this section, a “Consent Manager” is a Data Fiduciary which enables a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
- The performance of any contract already concluded between a Data Fiduciary and a Data Principal shall not be made conditional on the consent to the processing of any personal data not necessary for that purpose.
Illustration: If ‘A’ enters into a contract with ‘B’ to provide a service ‘X’ to ‘B’ then ‘A’ shall not deny to provide service ‘X’ to ‘B’ on B’s refusal to give consent for collection of additional personal data which is not necessary for the purpose of providing service ‘X’.
- In the event of dispute, Data Fiduciary shall be obliged to prove that a notice was served to the Data Principal and consent was given by the Data Principal to the Data Fiduciary in accordance with the provisions of this Act.
Deemed consent:
- Consent will be deemed given where processing is necessary for:
(i) performance of any function under a law,
(ii) where the Data Principal voluntarily provides her personal data to the Data Fiduciary and it is reasonably expected that she would provide such personal data
Illustration: ‘A’ shares her name and mobile number with a Data Fiduciary for the purpose of reserving a table at a restaurant. ‘A’ shall be deemed to have given her consent to the collection of her name and mobile number by the Data Fiduciary for the purpose of confirming the reservation.
(iii) provision of service or benefit by the State,
(iv) medical emergency,
(v) specified public interest purposes such as national security, fraud prevention, and information security, assistance or services to any individual during any disaster, or any breakdown of public order, and
(vi) in public interest
(vii) employment purposes.
- for the purposes related to employment shall include prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance;
- Illustration: ‘A’ shares her biometric data with her employer ‘B’ for the purpose of marking A’s attendance in the biometric attendance system installed at A’s workplace. ‘A’ shall be deemed to have given her consent to the processing of her biometric data for the purpose of verification of her attendance.
- for any fair and reasonable purpose as may be prescribed after taking into consideration: (a) whether the legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal;
(b) any public interest in processing for that purpose; and
(c) the reasonable expectations of the Data Principal having regard to the context of the processing.
Grounds for processing digital personal data:
- A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and Rules made thereunder, for a lawful purpose for which the Data Principal has given or is deemed to have given her consent in accordance with the provisions of this Act.
- Where a Data Principal has given her consent to the processing of her personal data before the commencement of this Act, the Data Fiduciary must give to the Data Principal an itemised notice in clear and plain language containing a description of personal data of the Data Principal collected by the Data Fiduciary and the purpose for which such personal data has been processed, as soon as it is reasonably practicable.
General obligations of Data Fiduciary:
- A Data Fiduciary shall implement appropriate technical and organizational measures to ensure effective adherence with the provisions of this Act.
- In the event of a personal data breach, the Data Fiduciary or Data Processor as the case may be, shall notify the Board and each affected Data Principal, in such form and manner as may be prescribed.
- A Data Fiduciary must cease to retain personal data, or remove the means by which the personal data can be associated with particular Data Principals, as soon as it is reasonable to assume that: (a) the purpose for which such personal data was collected is no longer being served by its retention; and (b) retention is no longer necessary for legal or business purposes.
Illustration (A): ‘A’ creates an account on ‘X’, a Social Media Platform. As part of the process of creating the account, ‘A’ shares her personal data with ‘X’. After three months, ‘A’ deletes the account. Once ‘A’ deletes the account, ‘X’ must stop retaining the personal data of ‘A’ or remove the means by which the personal data of ‘A’ can be associated with ‘A’
Illustration (B): ‘A’ opens a savings account with a bank. As part of KYC formalities, ‘A’ shares her personal data with the bank. After six months, ‘A’ closes the savings account with the bank. As per KYC rules, the bank is required to retain personal data for a period beyond six months. In this case, the bank may retain ‘A’s’ personal data for the period prescribed in KYC Rules because such retention is necessary for a legal purpose.
- Every Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the Data Principal’s questions about the processing of her personal data.
Significant Data Fiduciary:
- The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary (“SDF”), on the basis of an assessment of relevant factors, including: (a) the volume and sensitivity of personal data processed; (b) risk of harm to the Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; (f) public order; and (g) such other factors as it may consider necessary;
- The SDF shall: (a) appoint a Data Protection Officer who shall represent the SDF and be based in India.
- The Data Protection Officer shall be an individual responsible to the Board of Directors or similar governing body of the SDF for the grievance redressal mechanism under the provisions of this Act;
- Appoint an Independent Data Auditor who shall evaluate the compliance of the SDF with the Act; and
- undertake such other measures including Data Protection Impact Assessment and periodic audit in relation to the objectives of this Act, as may be prescribed.
Rights & Duties of Data Principal:
- The Data Principal shall have the right to obtain from the Data Fiduciary:
(1) the confirmation whether the personal data has been processed
(2) a summary of the personal data being processed and the processing activities undertaken with respect to the personal data;
(3) in one place, the identities of all the Data Fiduciaries with whom the personal data has been shared along with the categories of personal data so shared; and
(4) any other information as may be prescribed.
Right to correction and erasure of personal data:
- A Data Principal shall have the right to correction and erasure of her personal data, in accordance with the applicable laws and in such manner as may be prescribed.
- A Data Fiduciary shall, upon receiving a request for such correction and erasure from a Data Principal:
(a) correct an inaccurate or misleading personal data;
(b) complete an incomplete personal data;
(c) update a personal data;
(d) erase the personal data that is no longer necessary for the purpose for which it was processed unless retention is necessary for a legal purpose.
Right to nominate:
- A Data Principal shall have the right to nominate, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act.
Transfer of personal data outside India:
- The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.
Exemptions:
- The provisions of Chapter 2 except sub-section (4) of section 9, Chapter 3 and Section 17 of this Act shall not apply where:
(a) the processing is necessary for enforcing any legal right or claim;
(b) the processing is necessary for the performance of any judicial or quasi-judicial function;
(c) personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law;
(d) personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.
Amendments:
- The Information Technology Act, 2000 (“IT Act”) shall be amended in the following manner:
- Section 43A of the IT Act shall be omitted;
- In section 81 of the IT Act, in the proviso, after the words and figures “the Patents Act, 1970”, the words “or the Digital Personal Data Protection Act, 2022” shall be inserted; and
- clause (ob) of sub-section (2) of section 87 of IT Act shall be omitted.
- Clause (j) of sub-section (1) of section 8 of the Right to Information Act, 2005 shall be amended in the following manner:
(a) The words “the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information” shall be omitted;
(b) The proviso shall be omitted.
Grievance redressal & Financial Penalty:
- The complaint can be made to the Data Protection Board of India (“Board”).
- Appeal- the Board may review its order, acting through a group for hearing larger than the group which held previous proceedings. An appeal against any order of the Board shall lie to the High Court.
- No civil court shall have the jurisdiction to entertain any suit or take any action in respect of any matter under the provisions of this Act and no injunction shall be granted by any court or other authority in respect of any action taken under the provisions of this Act.
- If the Board is of the opinion that any complaint may more appropriately be resolved by mediation or other process of dispute resolution, it may refer for the same.
- If the Board determines on conclusion of an inquiry that non-compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each.