On 11 August 2023, the Digital Personal Data Protection Act, 2023 (hereafter referred to as ‘Act’) received the President’s assent after having been approved by both the Houses of Parliament. The Act aims to regulate digital personal data processing in a way that protects the rights of individuals and provides guidelines for how such data should be handled when required for lawful purposes.
- ‘Processing’ of personal data refers to any operation performed on digital personal data, including collecting, recording, storing, retrieving, sharing, etc. of the personal data.
- The Act is applicable to all digital personal data that is processed within the territory of India, and to data processed outside India if the processing relates to any activity that involves offering goods or services to individuals in the territory of India.
Note: This Act is not applicable to personal data that is processed by someone for personal or domestic purposes. In addition, it is not applicable to any personal data that is made publicly available.
Data Principal & Data Fiduciary
- Data Principal: The individual whose personal data is being processed.
- Data Fiduciary: The person who determines the purpose and the means of processing personal data.
Beneficial Provisions of the Act
Personal data can only be processed in compliance with the provisions of this Act and for a lawful purpose, either one to which the individual has consented or one of the legitimate uses recognised by the Act. A ‘lawful purpose’ here excludes any purpose that is forbidden by law.
- The individual’s consent must be free, specific, informed, unconditional, and unambiguous.
- When obtaining consent to process any personal data, the Data Fiduciary must give the concerned individual a proper notice stating which personal data will be processed and the purpose for which it will be processed.
- The notice given must also consist of the process through which the individual, if dissatisfied, can file a complaint with the Board.
- Consent must be requested in plain and simple terms. It can be in English, or in any language listed in the Eighth Schedule of the Constitution of India.
The Data Principal can choose to withdraw their consent at any given time with the same ease as when it was first provided. If the data being processed belongs to a child (someone less than 18 years old) or an individual with some disability, it is mandatory to obtain the consent of a parent or legal guardian, whichever is applicable.
Obligations of Data Fiduciaries
The Act has imposed certain obligations on Data Fiduciaries:
- When the personal data being processed is used to make a decision that affects the individual, the Data Fiduciary must ensure that the personal data is accurate and complete.
- Data Fiduciaries must implement effective technical and organizational measures to make sure there is complete compliance with the provisions of the Act.
- Data Fiduciaries are responsible for the security of the personal data they hold and must have adequate safeguards in place to prevent personal data breaches.
- Data Fiduciaries are responsible for informing the individual as well as the Board in case of any data breach.
- Data Fiduciaries must erase all personal data once the purpose for which it was collected has been fulfilled. They may retain an individual’s personal data only where retention is required to comply with a legal provision.
- Data Fiduciaries must also put apt grievance redressal mechanisms in place to resolve all concerns of the individual.
Additional Obligations on Significant Data Fiduciaries
The Act imposes some additional obligations on Significant Data Fiduciaries (SDF). A data fiduciary may be classified as an SDF by the Central Government based upon certain factors such as the volume and sensitivity of the data being processed, the potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order.
The SDF must:
- Appoint a Data Protection Officer to represent the SDF. The officer must be based in India and act as the point of contact for grievance redressal.
- Appoint an Independent Data Auditor.
- Conduct regular Data Protection Impact Assessments, periodic audits and other similar measures as may be required.
Rights of Data Principals
Some rights granted to Data Principals under this Act are:
- Right to obtain a summary of the personal data processed by data fiduciaries, and the details of all other data fiduciaries with whom the individual’s personal data has been shared. This right does not apply where the data is shared for purposes such as preventing or detecting cybercrime, or for the prosecution or punishment of offences.
- Right to request correction, completion, updating or erasure of their personal data. This does not apply where the data must be retained for another purpose or to comply with a law.
- Right to a readily available grievance redressal mechanism in respect of any act or omission by the data fiduciary. Timely redressal of the grievance is necessary.
Duties of Data Principals
- Data Principals must not impersonate anyone else when providing personal data.
- Data Principals must not suppress any material information.
- Data Principals must not register any fake grievances.
Data Protection Board of India
The Data Protection Board of India that has been established under Section 18 of the Act has the following powers and roles:
- In case of personal data breach, direct urgent remedial or mitigation measures.
- Inquire into personal data breach and impose penalties.
Some Concerns with the Act
- The Act does not provide for any compensation to be payable to the Data Principal in case of breach of personal data.
- Though the Act imposes penalties for breach of its provisions, these penalties are credited to the Consolidated Fund of India.
- The appointment of the Chairperson and members of the Data Protection Board of India by the Central Government and further a short tenure of 2 years coupled with their eligibility for reappointment may hamper the independent functioning of the Board.
- The provisions of the Act do not apply to the processing of personal data by any notified instrumentality of the State in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, or maintenance of public order. This may result in data collection and retention beyond what is necessary, thereby violating the fundamental right to privacy.
- Further, the provisions with respect to notice and consent for processing of personal data are not applicable where:
  - personal data is processed to enforce any lawful right or claim;
  - personal data is processed to prevent, detect, investigate, or prosecute any offence.
- The erasure of personal data is not unconditional and may not be allowed under certain circumstances.
- The Act permits transferring personal data outside India, except to the countries restricted by the Central Government.
- The Act also empowers the Central Government to require the Data Protection Board or any Data Fiduciary to furnish such information as it may call for. The Act gives no guidance as to the nature of the information that may be demanded, so the Data Fiduciary or the Board would presumably have no option but to furnish it.
Conclusion
The Digital Personal Data Protection Act, 2023 has been enacted to address the challenges related to the digital personal data of individuals, an area not previously covered by any law. While some concerns about the Act remain, it inarguably provides an extensive description of the rights granted to data fiduciaries and data principals, while also establishing their roles and responsibilities. With a more comprehensive digital personal data protection law in place, individuals now have an appropriate redressal mechanism to legally address any issue related to their digital personal data.