INDIA'S NEW DATA PROTECTION LAW: THE DPDP ACT OF 2023
Oct. 17, 2023 • Leona, LL.M. graduate from Christ (Deemed to be) University, Bengaluru.
Introduction
There were gaps in India's existing regulations regarding data privacy, and the country lacked a comprehensive privacy law. This created concerns among citizens and businesses alike, as data breaches and misuse became increasingly common. As a result, there was a pressing need for the government to address these issues and establish a robust framework that safeguarded individuals' personal information and promoted responsible data handling practices. In Justice K.S. Puttaswamy (Retd.) v. Union of India,[i] a Constitutional Bench of the Supreme Court of India upheld that privacy is a basic right enshrined in Article 21 of the Constitution. A thorough Personal Data Protection Bill 2019 was created as a result of this judgment.
The Digital Personal Data Protection Act
The President of India gave assent to the new Digital Personal Data Protection Act, 2023 on 11th August 2023. The Act clearly mandates that the personal data of an individual that is available digitally should be used only for lawful purposes and should be processed only in a manner that recognises the right of the individual to protect her own personal data. The Act has not yet come into force but is expected to come into application within the next 10 months.
Application of the Act
The Act applies to the processing of personal data within the territory of India where the data is collected in digital form or is collected in non-digital form and digitised later on. The Central Government has the right to impose restrictions on the transfer of personal data by a data fiduciary for processing outside India. As long as the processing is connected with offering goods or services to individuals in India, the Act applies to the processing of digital personal data even when that processing happens outside India. The Act does not apply when an individual makes her personal data available digitally for any personal or domestic use, or when the personal data is made publicly available under a legal obligation.[ii]
Main Definitions
‘Personal data’, as per the Act, means any data about an individual who is identifiable by or in relation to such data.[iii] ‘Digital personal data’ means personal data in digital form.[iv] The individual to whom the personal data relates is called the ‘data principal’,[v] and this includes a child as well as a person with a disability.[vi] In the case of a child or a person with a disability, the parents or lawful guardian also fall within the definition. A notable feature of the Act is that the Data Principal is referred to as ‘she’ in the definitions.[vii] This is a new move, and the DPDP Act deserves special mention for using this pronoun to refer to individuals irrespective of their gender. A ‘consent manager’ is a person who helps the Data Principal to give, manage, review, and withdraw her consent.[viii] A ‘Data Fiduciary’ determines the purpose and means of processing personal data.[ix] A ‘Data Processor’ processes personal data on behalf of a Data Fiduciary.[x]
Consent of the Data Principal
The digitally available personal data of an individual can be processed by the data fiduciary only for a lawful purpose and only with the consent of the individual, or for the legitimate uses recognised by the Act.[xi] The consent of the data principal should be expressly sought through a notice before the data is processed by the data fiduciary.[xii] The notice shall specify the personal data being collected and the purposes for which it will be processed. The Data Principal can also withdraw consent at any time by informing the Data Fiduciary.
Legitimate Uses
Personal data shall be processed only for the specified purposes mentioned in the Act. These include situations where the processing is:[xiii]
- Based on the Data Principal's voluntary provision of her data for a specified purpose.
- Carried out by the State or any of its instrumentalities to provide or issue to the Data Principal any subsidy, benefit, service, certificate, licence, or permit, as the case may be.
- Necessary to perform any function or fulfil any obligation under the law.
- Necessary to comply with any judgment, order, or decree of a court.
- Necessary to respond to a medical emergency involving a threat to life.
- Necessary to provide medical treatment or health services during an epidemic or other threat to public health.
- Necessary to ensure the safety of, or provide assistance to, individuals during any disaster.
- For employment-related purposes.
Obligations of a Data Fiduciary
There are certain general obligations that a data fiduciary must comply with when processing the personal data of a data principal. They should ensure the completeness, accuracy, and consistency of the data. It is the duty of the data fiduciary to obtain consent from the data principal. They should take reasonable security safeguards to prevent a personal data breach. In the case of a personal data breach, the data fiduciary should inform the Board and each affected Data Principal in the manner prescribed under the Act. There should be mechanisms for the proper redressal of grievances. The Data Fiduciary must erase the personal data when the Data Principal withdraws consent or when the purpose for which the data was collected has been served.[xiv]
Apart from this, additional obligations of ‘Significant Data Fiduciaries’ are set out under Section 10. This provision also requires a Significant Data Fiduciary to appoint a ‘Data Protection Officer’ and an ‘Independent Data Auditor’, and to carry out periodic data protection impact assessments.[xv]
Data relating to a child
For processing the personal data of a child, the verifiable consent of the parent or lawful guardian must be obtained. The processing must not have any detrimental effect on the well-being of the child. Tracking, behavioural monitoring, or targeted advertising directed at children must not be carried out using their personal data. The Central Government can exempt certain classes of data fiduciaries from these restrictions on processing the personal data of a child if such processing is carried out in a ‘verifiably safe’ manner. What qualifies as ‘verifiably safe’ has not been made clear in the Act.[xvi]
Rights and Duties of a Data Principal
Chapter 3 sets out the rights and duties of the Data Principal in detail. The Data Principal has the right to:[xvii]
- Receive a summary of the personal data that is being processed.
- Identify all the other data fiduciaries and data processors with whom the personal data has been shared.
- Know any other information relevant to the personal data and its processing.
- Have personal data corrected and erased.[xviii]
- Grievance redressal under Section 13. The remedy provided under this section must be exhausted before approaching the Board.[xix]
- Nominate a person to exercise these rights in the event of her death or incapacity.[xx]
The Act not only prescribes the rights of a Data Principal but also imposes duties:[xxi]
- To comply with all the provisions of the Act.
- Not to impersonate any other person in relation to personal data.
- Not to register false or frivolous grievances against the Data Fiduciary.
- To furnish only authentic information while exercising the right under Section 12.
Exemptions
The provisions of this Act will not apply when the processing of personal data is:[xxii]
- Necessary for enforcing any legal right or claim.
- Done by any court or tribunal.
- Necessary for any scheme of arrangement, merger, or amalgamation of companies, or for a demerger, etc.
- For the purpose of ascertaining the financial information (assets and liabilities) of any person who has defaulted in payment.
- Related to the sovereignty and security of the State, friendly relations with foreign states, etc.
- Necessary for research or statistical purposes.
Data Protection Board of India
The Central Government shall establish a Board to be called the Data Protection Board of India, consisting of a chairperson and such other members as the Central Government may determine.[xxiii] Everything connected to the Data Protection Board of India is given under Chapter 5. Chapter 6 sets out the ‘powers and functions’ of the Board and the ‘procedure’ of the Board under Sections 27 and 28 respectively. Consent managers are registered with the Board.
Appeal and ADR
Appeals from the Board lie to the Appellate Tribunal. The Act gives emphasis to ADR by allowing the Board to direct parties to resolve their dispute through mediation. This method may save time and money as well as ensure a more amicable mode of settling disputes, especially when it comes to sensitive issues like personal data protection. The Appellate Tribunal shall function as a digital office.[xxiv]
Penalty provisions
The Act prescribes monetary penalties for breaches of its provisions, including breaches of the personal data of a data principal. The penalties are set out in the Schedule. When the Data Fiduciary fails to take reasonable security safeguards to protect personal data, resulting in a personal data breach, the monetary penalty may extend to Rs. 250 crore. When there is a breach of the obligation to give notice of the data breach to the Board and the data principal, the penalty may extend to Rs. 200 crore. Any breach of the additional obligations of a significant data fiduciary may result in a penalty of up to Rs. 150 crore. A breach of the duties mentioned under Section 15 may attract a penalty of up to Rs. 10,000. A breach of any other provision of the Act may attract a monetary penalty that may extend to Rs. 50 crore.[xxv]
Pros and Cons of the Act
The DPDP Act will now open new doors for business prospects. Business organisations, startups, and companies will have to adhere to strict compliance procedures when handling or processing the personal data of stakeholders. They should be vigilant, especially in cross-border data transfers. This also provides them with an opportunity to enable business growth by gaining trust and a competitive advantage.
Even though the new Act is a changemaker, its scope is somewhat restricted in that it does not protect data made publicly available by the Data Principal. Concerns also arise from the fact that data can still be processed for the ‘legitimate uses’ even without the consent of the Data Principal. The Act further allows the Central Government to exempt some Data Fiduciaries from complying with certain of its provisions. The Act has also amended several related legislations. One such amendment is to Section 8(j) of the RTI Act, which deals with the exemption from disclosure of information. Now any information that relates to the personal data of an individual will not be shared under any circumstances.
Conclusion
The DPDP Act was a long-awaited piece of legislation. Perhaps it is India’s only privacy law so far. It opens a new horizon for personal data protection in India. Moreover, the Act has come out with very structured penalty provisions, ensuring that the personal data of an individual will get the utmost security in this digital age. This is a significant step from the side of the government in upholding privacy rights and safeguarding the rising concerns of the citizens over their personal data protection.
References
[i] Justice K.S. Puttaswamy (Retd.) v. Union of India, Writ Petition (Civil) No. 494/2012. https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_26-Sep-2018.pdf
[ii] Section 3 of the DPDP Act of 2023. https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
[iii] Section 2(t)
[iv] Section 2(n)
[v] Section 2(f)
[vi] Section 2(f)(1) and (2)
[vii] Section 2(y)
[viii] Section 2(g)
[ix] Section 2(i)
[x] Section 2(k)
[xi] Section 6
[xii] Section 5
[xiii] Section 7
[xiv] Section 8
[xv] Section 10
[xvi] Section 9
[xvii] Section 11
[xviii] Section 12
[xix] Section 13
[xx] Section 14
[xxi] Section 15
[xxii] Section 17
[xxiii] Section 18
[xxiv] Sections 29 and 31
[xxv] Section 33; see the Schedule to the Act.
Disclaimer: The author affirms that this article is an entirely original work, never before submitted for publication at any journal, blog, or other publication avenue. Any unintentional resemblance to previously published material is purely coincidental. This article is intended solely for academic and scholarly discussion. The author takes personal responsibility for any potential infringement of intellectual property rights belonging to any individuals, organizations, governments, or institutions.
About the Author:
Leona is a practising Advocate in Kerala holding a Master’s degree (LL.M.) in Corporate and Commercial Law from the School of Law, CHRIST (Deemed to be University), Bengaluru, Karnataka.