The Digital Personal Data Protection Act, 2023 is a major milestone for the legal infrastructure of India, as it is the country's first privacy Act aimed at protecting the personal data of its citizens. This article focuses on the importance of the Data Protection Board of India and highlights the Act's main provisions, along with the rights and duties of organizations and individuals.
After the Supreme Court, in the matter of Justice K.S. Puttaswamy vs. Union of India, held that the 'Right to Privacy' is an aspect of the 'Right to Life' guaranteed by Article 21 of the Constitution of India, the legislature began drafting laws that would give effect to this right of the individual.
After being approved by both Houses and receiving the President's assent, the Digital Personal Data Protection Act, 2023 (DPDP Act) became the governing legislation for matters relating to the digital personal data of individuals. The provisions of this Act provide protection in place of the provisions of the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) in matters pertaining to personal data breaches. As a result, the IT Act and the SPDI Rules have been replaced by the provisions of the DPDP Act, which now safeguards the personal data of citizens in India.
The Digital Personal Data Protection Act, 2023 (DPDP Act) aims to safeguard the digital personal data of all persons, firms, companies, and even states in India.
Data Protection prior to the DPDP Act, 2023
Before the DPDP Act was passed, the law on data protection was found in Section 43A of the IT Act, 2000 and the rules framed thereunder. That Section has since been omitted from the IT Act entirely by Section 44(2)(a) of the DPDP Act.
Key Provisions of the DPDP Act
Applicability
The DPDP Act applies to digital personal data processed within the territory of India (whether collected in digital form or collected in non-digital form and digitized subsequently), as well as to personal data processed outside India, but only where such processing is connected with offering goods or services to individuals within the territory of India.
'Processing' refers to the various operations performed on digital personal data, including collecting, storing, retrieving, using and sharing the data.
Data Principal refers to the individual to whom the personal data relates.
Data Fiduciary refers to the person who determines the purpose and means of processing personal data.
It must be noted that, as per Section 3(c), the DPDP Act does not apply to personal data processed by an individual for personal or domestic purposes, or to personal data that has been made publicly available by the Data Principal themselves.
Processing of Digital Personal Data
The digital personal data of an individual may be processed only in accordance with the provisions of the DPDP Act and only for a lawful purpose, i.e., any purpose that is not expressly forbidden by law. In addition, such data may be processed only for a purpose to which the individual has consented, or for certain legitimate uses.
- The individual’s consent must be free, specific, informed, unconditional, and unambiguous.
- When requesting an individual to consent to process the personal data, the Data Fiduciary must give proper notice to the individual inter alia informing them of the type of personal data that shall be processed and the purpose behind processing the same.
To learn more about the prerequisites for processing personal data, click here.
The Data Principal has the right to withdraw consent with the same ease with which it was given in the first place.
Obligations of Data Fiduciaries
Some responsibilities have been imposed on Data Fiduciaries, such as:
- Ensuring that the personal data is complete, accurate and consistent, since any decision taken on the basis of such processing shall affect the individual.
- Implementing effective technical and organizational measures to ensure due compliance with the Act.
To learn about the other obligations of Data Fiduciaries, click here.
Additional Obligations on Significant Data Fiduciaries
A Data Fiduciary may be notified as a 'Significant Data Fiduciary' (SDF) by the Central Government on the basis of factors such as the volume and sensitivity of the data processed, the possible impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order. SDFs are obligated to do the following:
- Appoint a Data Protection Officer who represents the SDF, resides in India and acts as the point of contact for the grievance redressal mechanism.
- Appoint an independent data auditor.
- Conduct periodic Data Protection Impact Assessments, periodic audits and such other measures as may be prescribed.
Rights & Duties of Data Principals
Some rights and duties of Data Principals are:
- Right to obtain a summary of the personal data processed by the Data Fiduciary, along with the identities of the other Data Fiduciaries with whom such personal data has been shared. This does not apply, however, where the personal data is shared with other Data Fiduciaries for the prevention or detection of offences or cyber incidents, or for the prosecution or punishment of offences.
- Right to a readily available means of redressing any grievance relating to any act or omission of the Data Fiduciary.
To learn about the other rights and duties of Data Principals, click here.
Section 16 of the DPDP Act permits the transfer of personal data outside India, except to countries restricted by the Central Government.
Data Protection Board of India
The Central Government shall establish a 'Data Protection Board of India' comprising a Chairperson and such members as the Central Government may notify. The Board may exercise the powers and functions provided under Sections 27 and 28 of the DPDP Act, which inter alia include:
- Directing remedial measures to be taken in case of breach of personal data.
- Inquiring into the breach.
- Imposition of penalties under the Act – the penalties so imposed would be credited to the Consolidated Fund of India.
Section 29 of the Act allows a person to appeal against an order of the Board to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within a period of 60 days.
Can you claim any Compensation under the DPDP Act, 2023?
It must be noted that the DPDP Act contains no provision for compensation to the affected individual in the event of a personal data breach. Instead, where, for instance, a contract between the parties obliges one party to safeguard the data of the other, a suit for breach of contract must be filed in order to claim compensation for a personal data breach.
Conclusion
In light of the provisions discussed above, companies and entities that handle personal data in any manner whatsoever must now ensure strict compliance with the DPDP Act. Failure to do so may invite the stringent penalties set out in the Schedule to the Act.
However, the exact framework that entities processing personal data must adhere to will depend on the Rules framed by the Central Government under the Act.