The Digital Personal Data Protection Act 2023: Applicability, Compliance, and the Use of “She/Her” Pronouns
Introduction: In August 2023, the Digital Personal Data Protection Act, 2023 (DPDPA) came into force in India, marking a significant milestone in data protection and privacy legislation. This groundbreaking law not only addresses the critical aspects of data protection and privacy but also introduces a novel linguistic approach, using “she/her” pronouns in place of the conventional “he/him.” The DPDPA also establishes the Data Protection Board of India, a governing body responsible for enforcing the act’s provisions.
Page Contents
Applicability of the DPDPA:
The DPDPA holds broad applicability, aiming to safeguard digital personal data within the territory of India. It covers personal data collected in both digital and non-digital forms, even if later digitized. Furthermore, the act extends its jurisdiction beyond India’s borders, applying to the processing of digital personal data related to goods or services offered to individuals within India from outside the country. This broad scope ensures comprehensive protection of personal data, reflecting the global nature of data in the digital age.
The act’s wide-ranging applicability underlines the government’s commitment to safeguarding individuals’ digital privacy and ensuring that personal data remains secure in an increasingly interconnected world.
Exemptions from Applicability of DPDPA:
Despite its extensive scope, the DPDPA does include some exemptions. It doesn’t apply to personal data processed by individuals for personal or domestic purposes, ensuring that individuals can manage their personal data for everyday use without undue regulation.
Additionally, the act exempts personal data that is publicly available, either through voluntary disclosure by the data subject or under a legal obligation. These exemptions strike a balance between privacy rights and the need for accessible information.
Obligations of Data Fiduciaries:
The DPDPA imposes specific obligations on entities responsible for collecting and processing digital personal data, known as Data Fiduciaries. These obligations are essential to maintaining transparency and accountability in data processing.
Data Fiduciaries can only use digital personal data for lawful purposes, primarily contingent on individual consent or for specific legitimate uses. Consent plays a pivotal role in data processing under this act. Data Fiduciaries must obtain consent from the individual before processing their data.
Before requesting data, Data Fiduciaries must inform the individual about the data being requested and the purpose for which it will be processed. This information ensures that individuals are aware of how their data will be used and can make informed decisions regarding consent.
Request for Data:
When a Data Fiduciary requests an individual’s data, they must provide a notice that includes the contact details of a Data Protection Officer. This notice serves to inform the individual of:
i. The personal data being processed.
ii. The purpose for which the data is processed.
iii. The manner in which the individual can exercise their rights, including the right to withdraw consent at any time.
iv. The process for making a complaint to the Data Protection Board of India.
This approach enhances transparency and empowers individuals to have more control over their personal data. Consent, as emphasized by the DPDPA, must be free, specific, informed, unconditional, and unambiguous. Data Fiduciaries can continue processing personal data until the individual withdraws consent, but the withdrawal will not affect the legality of processing data based on consent given before withdrawal.
The Introduction of Consent Managers:
A noteworthy development introduced by the DPDPA is the concept of Consent Managers. These are third-party entities that leverage an interoperable tech framework to facilitate digital consent management. Data Fiduciaries can engage the services of a Consent Manager to handle individual consent matters, including granting, managing, reviewing, or revoking consent.
One key requirement is that every Consent Manager must be registered with the Data Protection Board of India, ensuring accountability and adherence to the law’s provisions. The introduction of Consent Managers aims to streamline the consent process, making it more accessible and manageable for both data subjects and data processors.
Conclusion:
The Digital Personal Data Protection Act 2023 is a watershed moment for data protection and privacy in India. Its broad applicability, unique linguistic approach, and the introduction of Consent Managers represent a comprehensive effort to safeguard personal data in a rapidly evolving digital landscape. The DPDPA underscores the government’s commitment to protecting individuals’ digital privacy and ensuring that their personal data remains secure in the digital age.
As individuals and organizations adapt to the provisions of the DPDPA, it is crucial to understand and comply with its requirements. By doing so, we can collectively contribute to a safer and more secure digital environment, respecting the rights and privacy of every individual. With the DPDPA in place, India is poised to be a leader in data protection and privacy, setting the stage for a more secure digital future.
Author Bio
