I. Background

The Digital Personal Data Protection Act, 2023 ("DPDP Act") has been passed by both the Houses of Parliament, has received the President of India's assent and has been published in the official gazette on August 11, 2023. The DPDP Act is the result of the fifth iteration of the proposed personal data protection legislation and appears to be based on the draft Bill released by the Ministry of Electronics and Information Technology on November 18, 2022, titled Digital Personal Data Protection Bill, 2022, which was open for public consultation. The DPDP Act focuses on digital personal data and does not apply to non-personal data. Once its provisions are brought into force, the DPDP Act will replace Section 43A of the Information Technology Act, 2000 ("IT Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"). The DPDP Act is proposed to come into force in a phased manner, i.e., as and when the Central Government notifies its provisions from time to time.

II. Key Highlights

1.1 Applicability -

1.2 Data Protection Principles - The DPDP Act encapsulates the following essential principles:

1.3 No sub-classification of personal data - The provisions of the DPDP Act apply to all kinds of personal data and do not envisage sub-categories of personal data, such as sensitive personal data or critical personal data. Accordingly, the requirements of the DPDP Act will apply equally to all forms of personal data, agnostic of the nature or type of the personal data. This approach deviates from the current Indian data protection law contained in the SPDI Rules, which distinguish between 'personal information' and 'sensitive personal data or information' and prescribe incremental compliance requirements for the processing of sensitive personal data or information.
1.4 Consent & Notice -

1.5 Obligations of Data Fiduciary - Data fiduciaries are responsible for compliance with the DPDP Act, including for processing of personal data undertaken by a data processor on their behalf. Where data fiduciaries process personal data that is likely to be used to make a decision that affects the data principal or is to be shared with another data fiduciary, they are required to ensure the accuracy and completeness of such personal data. Data fiduciaries are also required to delete personal data if the data principal withdraws her consent or if it is reasonable to assume that the specified purpose is no longer being served, unless such retention is necessary for compliance with law.
1.6 Notification of personal data breach - Personal data breaches need to be intimated by the data fiduciary to the DPB (defined below) and to each affected data principal in such manner as may be prescribed.
1.7 Cross-border transfer of personal data - Personal data can be transferred by a data fiduciary to any other country or territory for processing, unless the Central Government restricts such transfer to notified countries. In other words, the DPDP Act adopts a blacklisting approach: personal data is freely transferable unless the transfer is proposed to be made to a territory or country which is 'blacklisted' by the Central Government. That said, the DPDP Act clarifies that if any other law or sectoral regulation provides for a higher degree of protection for, or restriction on, the transfer of personal data outside India, whether in relation to certain personal data or a class of data fiduciaries, such law or regulation will apply.
1.8 Significant data fiduciaries - The Central Government may notify any data fiduciary, or a class of data fiduciaries, as significant data fiduciaries taking into account multiple factors (such as the volume and sensitivity of personal data processed, risk to the rights of the data principal, security of the State, etc.). Significant data fiduciaries need to comply with additional requirements, such as appointing an individual based in India as a data protection officer, appointing an independent data auditor to evaluate compliance with the DPDP Act, and undertaking other measures including periodic audits and data protection impact assessments.
1.9 Data of Children and Persons with Disability - Verifiable consent of a parent or lawful guardian is required to process the personal data of children and persons with disabilities. The DPDP Act prohibits tracking or behavioral monitoring of, and targeted advertising directed at, children, as well as processing of children's data that is likely to cause any detrimental effect on the well-being of a child. Notably, the DPDP Act enables the Central Government to exempt classes of data fiduciaries, and processing for certain purposes, from the requirement of obtaining parental consent and from the prohibition on behavioral monitoring. It also empowers the Central Government to exempt data fiduciaries processing data of children above a certain age but under 18 years, in certain situations, from the specific obligations attached to processing children's data.
1.10 Rights of data principals - The DPDP Act provides certain rights to data principals, which include: the right to access information about personal data, including a summary of the personal data being processed, the underlying processing activities and any other information as prescribed, and the identities of all data fiduciaries and data principals with whom such data was shared; the right to correction and erasure of personal data; and the right to nominate an individual to exercise rights on their behalf in the event of their death or incapacitation, etc. As per the DPDP Act, data fiduciaries need to offer readily available grievance redressal mechanisms to data principals. In this regard, the data principal must exhaust all options for grievance redressal before approaching the DPB (defined below).
1.11 Data Protection Board of India - The DPDP Act contemplates the establishment of a Data Protection Board ("DPB") as an enforcement body, which will have powers, inter alia, to direct any urgent remedial or mitigation measures on receipt of intimation regarding a personal data breach, inquire into such breach, impose penalties for non-compliance, inspect any document, summon and enforce the attendance of any person, etc. An appeal may be preferred against an order of the DPB before the Telecom Disputes Settlement and Appellate Tribunal ("TDSAT") established under the Telecom Regulatory Authority of India Act, 1997, within specified timelines and in the prescribed manner. An appeal against an order of the TDSAT may be preferred before the Supreme Court of India.
1.12 Power to call for information and block access - The DPDP Act empowers the Central Government to call for any information from the DPB, a data fiduciary or any intermediary. Where the Central Government receives a reference from the DPB that it has imposed monetary penalties on a data fiduciary in two or more instances and advises blocking of public access to any information transmitted on any computer resource, it may, by way of a written order, direct the blocking of public access to such information on grounds of public interest. This order has to be passed in writing and after giving the data fiduciary an opportunity to be heard.
1.13 Penalties -

1.14 Voluntary Undertaking - The DPDP Act also allows the DPB to accept, from a person facing action for non-observance under the law, a voluntary undertaking, which may include a commitment (a) to take action within a time frame determined by the DPB, (b) to refrain from taking specified action, and/or (c) to publicize the voluntary undertaking. Once such a voluntary undertaking is accepted by the DPB, it constitutes a bar on proceedings under the law as far as they relate to the contents of the voluntary undertaking.
1.15 Exemptions - The DPDP Act exempts from applicability (a) all of its provisions, in the case of processing by certain notified instrumentalities of the State in the interests of the sovereignty and integrity of India, maintenance of public order, etc., and (b) some of its provisions, where processing is necessary for the enforcement of a legal right or claim, a merger or amalgamation, the investigation or prosecution of an offence, etc. The DPDP Act also enables the Central Government to exempt, by notification, certain data fiduciaries including startups from specified obligations, such as notice and retention requirements, those applicable to significant data fiduciaries, etc.