After several years of legislative effort and an inclusive consultation process, the Digital Personal Data Protection Act, 2023 ("DPDP Act") was notified by the Central Government on August 11, 2023. The Lok Sabha passed the Digital Personal Data Protection Bill, 2023 on August 07, 2023, and the Rajya Sabha subsequently passed it. The bill then received Presidential Assent, thereby introducing the first comprehensive personal data protection regime in India. The DPDP Act prescribes various obligations on 'data fiduciaries' and 'significant data fiduciaries' while processing personal data of 'data principals'. The DPDP Act, a landmark and much-anticipated statute, meets the expectations of the industry to a great extent, is relatively business-friendly and will hopefully meet global adequacy standards. Once it comes into effect, the DPDP Act will in many ways require organisations to revisit their existing information technology policies and processes to ensure compliance with this new law.
To help you and your organisation understand the intricacies of the DPDP Act and the obligations you may have to undertake once it comes into force, we have prepared this document answering questions on compliance with the DPDP Act that are likely to come up frequently. We have also prepared a note capturing the key provisions of the DPDP Act, along with a detailed analysis, which can be accessed here.
- ON APPLICABILITY
- When do the provisions of the DPDP Act come into force?
As of this date, the provisions of the DPDP Act have not been brought into force; they will come into force on a date notified by the Central Government. The Central Government may also notify different provisions of the DPDP Act to take effect on different dates, in a phase-wise manner. It is also contemplated that the implementation timeline for certain classes of significant data fiduciaries may differ from that for smaller data fiduciaries and start-ups. However, the Central Government is likely to engage in further consultations before notifying the transition timelines.
- Would my organisation be considered as a 'data fiduciary' or a 'data processor'?
If your organisation collects personal data of data principals for a specified purpose and determines the purpose and means of processing such personal data digitally, your organisation would be a 'data fiduciary' and would have to comply with the obligations on data fiduciaries set out under the DPDP Act (more particularly described in FAQ No. 2(ii)).
If your organisation only processes personal data on behalf of another organisation, your organisation would be considered a 'data processor'. In this case, the organisation on whose behalf you process such personal data would be the data fiduciary.
- In what scenarios would my entity be treated as a significant data fiduciary?
The DPDP Act does not lay down fixed thresholds for being treated as a 'significant data fiduciary'. The Central Government may, at its discretion, notify any data fiduciary or class of data fiduciaries as a 'significant data fiduciary' after assessing relevant factors, such as:
- The volume and sensitivity of personal data processed by the data fiduciaries;
- The risk to the rights of data principals;
- The potential impact on the sovereignty and integrity of India;
- The risk to electoral democracy;
- The security of the state; and
- Public order.
Therefore, your organisation will only be considered a 'significant data fiduciary' if it falls within a class of data fiduciaries notified as such by the Central Government in the future, or is itself so notified.
- Who is considered as a 'data principal' for the purposes of data processing?
A data principal is the individual to whom the personal data relates. Where the personal data relates to a child, the data principal includes the parents or lawful guardian of such child; and where the personal data relates to a person with disability, the data principal includes her lawful guardian acting on her behalf.
Note that 'processing' has been defined under the DPDP Act as a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
- What type of data does the DPDP Act apply to?
The DPDP Act applies to the processing of personal data in the following scenarios:
- Processing of personal data collected in digital form (i.e., digital personal data); and
- Processing of personal data collected in non-digital form and digitised subsequently.
However, the provisions of the DPDP Act will not apply if:
- You are an individual processing personal data for any personal or domestic purpose; or
- You are processing personal data that has been made publicly available by the data principal, or by any other person who is under an obligation under Indian law to make such personal data publicly available.
- Are there different categories of personal data?
Unlike the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("SPDI Rules"), which categorise personal data into 'personal information' and 'sensitive personal data or information', the DPDP Act does not classify personal data into different categories. It treats all digital personal data uniformly.
- Will the compliances under the Information Technology Act, 2000 remain applicable to my organisation post the implementation of the DPDP Act?
Yes, the compliance requirements under the Information Technology Act, 2000 ("IT Act") will continue to apply once the DPDP Act comes into force. However, Section 43A of the IT Act (compensation for failure to protect sensitive personal data) and the rules framed thereunder (i.e., the SPDI Rules), which together formed the principal data protection framework in India prior to the DPDP Act, will be repealed by the DPDP Act. The other provisions of the IT Act will remain applicable, but in case of any inconsistency between the provisions of the IT Act and the DPDP Act, the provisions of the DPDP Act will prevail to the extent of that inconsistency.
Please click here to read the full report.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.