Updated: Sep 5
The Digital Personal Data Protection Act (“DPDP” or “the Act”), passed by the Indian Parliament and published in the Official Gazette on August 11, 2023, is a landmark piece of legislation that was promulgated after years of deliberation by the country's think tanks and is expected to bring dramatic changes to India's digital advertising and marketing domain.
The Act contains provisions for safeguarding the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes, and for matters connected therewith or incidental thereto.
The Act applies to the processing of digital personal data in India, where the data is either (a) collected in digital form, or (b) collected in a non-digitized format and subsequently digitized at a later stage.
The DPDP Act also applies beyond the territory of the nation: it covers the processing of personal data outside India (irrespective of the location of the entity doing the processing) in connection with offering goods or services to data principals (the individuals to whom the personal data relates) located within the territory of India.
The DPDP Act defines “personal data” broadly to include any data about an individual who is identifiable by or in relation to such data. The DPDP Act also introduces a definition of “digital personal data”, meaning personal data in digital form.
The provisions of the DPDP Act do not apply to (i) personal data processed by an individual for personal or domestic purposes, and (ii) personal data that is made, or caused to be made, publicly available by (a) the data principal to whom such personal data relates, or (b) any other person who is under a legal obligation to make personal data publicly available.
3. Key Definitions:
The key definitions under the DPDP Act are as follows:
“Data Fiduciary” is defined as any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data.
“Data Principal” is the individual to whom the personal data relates. Where such an individual is a child, the term includes the parent or lawful guardian of the child. Where the individual is a person with disability, it includes their lawful guardian acting on behalf of such individual. Thus, it is clear that the DPDP Act covers the data of natural persons only.
“Data Processor” is any person who processes personal data on behalf of a data fiduciary.
“Appellate Tribunal” is the Telecom Disputes Settlement and Appellate Tribunal established under Section 14 of the Telecom Regulatory Authority of India Act, 1997.
“Board” is the Data Protection Board of India established by the Central Government under Section 18.
Data Fiduciaries have certain compliance obligations that they need to adhere to. There are certainly exemptions for Government Data Fiduciaries; nevertheless, the Act brings about measures that will help businesses secure the data of their clients and consumers, i.e., the Data Principals. This will bring transparency and help businesses foster trust.
Let us have a brief look at the following measures provided in the Act:
1) First and foremost, the Data Principal shall be kept informed. Before anything else, a Notice is sent informing the Data Principal about the personal data that is sought for a particular purpose, and the Data Principal has the full right to either approve or deny the request for such data;
2) Data Fiduciaries shall, as directed by the Data Principal, use, retain, edit or erase the data; in other words, consent is of utmost importance under the Act;
3) The Act introduces the concept of "Data Processors", which are third-party data processing service providers that keep the data secure; Data Fiduciaries may engage a Data Processor for the safe keeping and securing of the personal data shared by the Data Principal;
4) The Government of India will notify a list of businesses that fall under the Significant Data Fiduciary (SDF) category; this will be followed by additional compliance requirements for businesses that fall within the ambit of an SDF.
The obligations of SDFs will entail further compliance requirements, such as:
· Appointing a Data Protection Officer to represent the SDF;
· Appointing an independent data auditor; and
· Carrying out periodic Data Protection Impact Assessments, periodic audits and any other measures as prescribed.
However, vital elements of how it will be operationalized are yet to be defined via subordinate legislation.
5. Ideology behind the Act:
a) Consented, transparent and lawful use of personal data;
b) Purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
c) Data minimization (collection of only as much personal data as is necessary to serve the specified purpose);
d) Data accuracy (ensuring data is correct and updated);
e) Storage limitation (storing data only till it is needed for the specified purpose);
f) Reasonable security safeguards; and
g) Accountability (through adjudication of data breaches and breaches of the provisions of the Act and imposition of penalties for the breaches).
6. Rights of Data Principal:
· To access information about personal data processed;
· To seek correction and erasure of data;
· To seek grievance redressal; and
· The right to nominate a person to exercise rights in case of death or incapacity.
7. Obligations of Data Fiduciaries:
· To have security safeguards to prevent personal data breach;
· To intimate personal data breaches to the affected Data Principal and the Data Protection Board;
· To erase personal data when it is no longer needed for the specified purpose;
· To erase personal data upon withdrawal of consent;
· To have in place a grievance redressal system and an officer to respond to queries from Data Principals;
· To fulfill certain additional obligations in respect of Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessments to ensure a higher level of data protection.
8. The exemptions provided in the Act are as follows:
· Exemption for notified agencies, in the interest of security, sovereignty, public order, etc.;
· For research, archiving or statistical purposes;
· For startups or other notified categories of Data Fiduciaries;
· To enforce legal rights / claims and to perform judicial / regulatory functions;
· To detect, prevent, investigate or prosecute offences;
· To process in India the personal data of non-residents under a foreign contract;
· For approved merger, demerger etc.; and
· To locate defaulters and their financial assets etc.
9. The key functions of the Board are as under:
· To give directions for remediating or mitigating data breaches;
· To inquire into data breaches and complaints and impose financial penalties;
· To refer complaints for Alternate Dispute Resolution and to accept Voluntary Undertakings from Data Fiduciaries; and
· To advise the Government to block the website, app, etc. of a Data Fiduciary that is found to repeatedly breach the provisions of the Act.
· Experts opine that, since the Act provides Data Fiduciaries with full access to an individual's data in the interest of the public good and national interest, the right to privacy has become a concept of yesteryear, as the Act overrides the individual's consent, with an exception for Data Fiduciaries that are Government entities.
· Some experts are of the opinion that this Act will be difficult to implement and might still leave a few loose ends, for instance the data of minors and parental consent for gaining access to children's data.
· Although the Act aims at fostering trust between every data-driven business and the individual consumer, it might hinder the ease of doing business and might not be easy to comply with over a long period.
· The Act lacks the aptness to deal with newer concepts such as Artificial Intelligence and deepfakes, so unless the Act adapts to and incorporates the ever-changing intricacies of the digital world, it remains nearly futile.
· The nation is moving into a new era of digitalization, and the legislature has therefore deemed it important to secure the digital space for Data Principals (individuals); the intent of the legislation is to protect the data and to secure the nation from individuals who appear suspicious based on the data in their systems.
· The Act might bring about trust between Data Fiduciaries and Data Principals, which in the long run would help both businesses and individuals.
· As India did not have a separate legislation for data protection, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 regulated data protection, but in a general and non-specific way. This Act defines and aims to simplify the concept of data and also creates limitations on its utilization, which in the long run may prove to be a milestone development in the digital domain.