In our increasingly connected and digitized world, data privacy has emerged as a fundamental concern and an integral aspect of our lives. These days we rely on the data stored in our high-end phones and devices rather than racking our memories for the same. Like the two sides of a coin, this heavy reliance on digital data, virtual data rooms and digital storage platforms has its own pros and cons.
To illustrate, as corporate attorneys we handle mergers and acquisitions day in and day out. Several kinds of due diligence precede the actual acquisition transaction. The target entity streamlines the due diligence by hiring a service provider to host and maintain its data, which is uploaded as per the due diligence checklist sent by us so that the folders and files in the virtual data room (hereinafter referred to as "VDR") are arranged and indexed in the same manner. At this point we, i.e., the Law Firm, are asked for the names of the associates who should have access to the scanned documents in the VDR for completion of the documentary limited legal due diligence. The process from here is fairly simple: we email the names and e-mail addresses of the associates, and each named associate receives an individual link to set up their own password, access the VDR and download copies.
It is pertinent here to define 'data privacy', which refers to the protection of personal information and sensitive data from unauthorized access, use or disclosure. Now the fascinating question arises: what happens if there is a data theft before we even get access to the VDR? Speaking in the jargon of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the "Act"), the target entity (which, strictly speaking, is itself a Data Fiduciary in respect of the personal data in the VDR, since a Data Principal under the Act is always an individual) would try to pin the liability on us, the Law Firm and its associates, as Data Fiduciaries. However, the Act lacks the spine to pin liability for data leaks on other entities who have access to the data, beyond Data Fiduciaries and Data Processors, for which we have to go back to the liabilities of 'intermediaries' under the Information Technology Act, 2000 read with the Rules made thereunder.
Historically speaking, India has been steadfastly working towards the establishment of a robust and comprehensive data privacy law. A pivotal moment arrived in 2017 when the Hon'ble Supreme Court in the matter of K.S. Puttaswamy & Anr. v. Union of India, (2017) 10 SCC 1, unequivocally recognized privacy as a fundamental right. To quote the Hon'ble Justice Dr. D.Y. Chandrachud:
"Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. The present Court commends to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. The legitimate aims of the state would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. ..."
This momentous decision spurred the government into proactive action, initiating the process of crafting comprehensive data protection legislation for the nation. In August 2017, a committee was constituted to thoroughly examine data protection issues and to recommend effective solutions while drafting a comprehensive data protection bill. This committee, chaired by Hon'ble Justice B.N. Shrikrishna, a former Judge of the Supreme Court, worked diligently and presented its report along with the draft bill to the Ministry of Electronics and Information Technology (hereinafter referred to as "MeitY") on July 27, 2018. Subsequently, MeitY drafted several bills related to data protection, which were eventually withdrawn. India's endeavour towards establishing a robust data protection and privacy framework finally took statutory shape with the Digital Personal Data Protection Act, 2023, i.e., the Act.
This Act received the assent of the President of India on August 11, 2023 and was subsequently published in the official gazette. However, the Act shall come into force in a phased manner, on such date as the Central Government may notify, from time to time. Key highlights of the Act are as below:
- Applicability: The Act casts a wide net when it comes to its applicability. The Act applies to the processing of 'digital personal data'[1] of 'Data Principal(s)'[2] within India, whether the data is initially collected in digital form or converted into digital format from non-digital sources. Its reach also extends outside India: processing of digital personal data outside India is covered where such processing is connected with offering goods or services to Data Principals within India. However, the Act comes with its own exceptions and challenges. Its ambit does not cover personal data processed by an individual for personal or domestic purposes. It also omits personal data intentionally made publicly available by the Data Principal, or made publicly available by any other person under an obligation in Indian law. Further, the Act does not protect Data Principals who are outside the territory of India where their personal data is processed by a person in India under a contract with a person outside India (the typical outsourcing arrangement).
- Non-Classification of Personal Data: The Act introduces a notable shift in the realm of data protection by adopting an all-encompassing approach. Unlike previous regulations that categorized personal data into sensitive and non-sensitive categories, or provided limited and specified (sub)categories of data, the Act treats all personal data[3] alike. This means that every form of personal data is subject to the same set of rules and protections. However, the Act also provides a carve-out for any stricter restriction on the transfer of any type of data under other applicable laws, rules and regulations, which prevail over the provisions of the said Act.
- Consent: The Act emphasizes the significance of 'Consent' and lays down the following requirements for processing personal data on that basis:
- Consent must be free, specific, informed, unconditional and unambiguous. It must be given through a clear affirmative action signifying agreement to the processing of the Data Principal's personal data for a specified purpose, and it extends only to such personal data as is necessary for that purpose.
- Before requesting consent, Data Fiduciaries[4] must give Data Principals a notice describing the personal data to be processed, the purpose of the processing, the manner in which they may exercise their rights (including withdrawal of consent and the grievance redressal mechanism), and the manner of making a complaint to the Board[5]. It is worth noting that the Act also reaches consent given before its commencement: for such consent, Data Fiduciaries must give the Data Principal a notice informing them of their rights to withdraw consent and to seek redressal of grievances. The Act does not prescribe a fixed timeline for this notice beyond requiring it "as soon as it is reasonably practicable".
- Any part of a consent that infringes the Act, its rules or any other law is invalid to the extent of such infringement.
- Requests for consent must be presented in clear and plain language, giving the Data Principal the option to access them in English or any language specified in the Eighth Schedule to the Constitution of India, and must provide the contact details of the Data Protection Officer or other authorized person.
- Data Principals have the right to withdraw their consent at any time, with the same ease with which they initially provided it. The consequences of withdrawal are borne by the Data Principal, and withdrawal does not affect the legality of processing of personal data that has already occurred on the basis of consent given prior to such withdrawal.
- Processing of personal data for legitimate uses: The legitimate uses empower Data Fiduciaries to process personal data without explicit consent in specific cases. Such cases include instances where the Data Principal has voluntarily provided personal data for a specified purpose without objecting to its use, processing for employment-related purposes, responding to medical emergencies, fulfilling legal obligations, providing State services or benefits, and compliance with judicial orders.
- General obligations of Data Fiduciaries: Data Fiduciaries are responsible for complying with the Act and its accompanying rules, regardless of any agreement to the contrary or any failure on the part of the Data Principal to carry out her own duties. They may engage Data Processors, under a valid contract only, to process personal data on their behalf in connection with the offering of goods or services to Data Principals. Where personal data processed by a Data Fiduciary is likely to be used to make a decision that affects the Data Principal, or is disclosed to another Data Fiduciary, the Data Fiduciary must ensure its completeness, accuracy and consistency. In the event of a personal data breach, Data Fiduciaries must notify the Data Protection Board and each affected Data Principal in the prescribed form and manner. Data Fiduciaries are obligated to erase personal data upon withdrawal of consent or as soon as the specified purpose is no longer being served, unless retention is mandated by law. Data Fiduciaries must publish the contact information of a Data Protection Officer or other person who can answer Data Principals' questions about the processing of their personal data. Lastly, they must establish an effective mechanism for redressing Data Principals' grievances in the manner prescribed.
- Data of Children and Persons with Disability: Before processing the personal data of a child, or of a person with a disability who has a lawful guardian, Data Fiduciaries must obtain verifiable consent from the parent or lawful guardian in the prescribed manner. 'Consent of the parent' includes the consent of the lawful guardian wherever applicable. Data Fiduciaries are strictly barred from any processing of personal data that is likely to cause a detrimental effect on a child's well-being, and from tracking, behavioural monitoring and targeted advertising directed at children. The Act also empowers the Central Government to exempt notified classes of Data Fiduciaries from some of these obligations, and to relax them for the processing of data of children above a notified age, in select situations.
- Transfer of personal data outside India: The Act permits Data Fiduciaries to transfer personal data outside India, subject to the power of the Central Government to restrict, by notification, transfers to specific countries or territories; the restricted countries will therefore be those appearing on the list so notified. However, the Act explicitly states that if any other law provides a higher degree of protection or imposes stricter rules on the transfer of personal data abroad, whether in relation to specific personal data or to specific Data Fiduciaries, those stricter protections will take precedence.
- Exemptions: The Act introduces exemptions to cater to specific situations. It inter alia excludes the processing of personal data by such instrumentalities of the State as the Central Government may notify, in the interests of the sovereignty and integrity of India, security of the State, public order and the prevention of incitement to any cognizable offence. It also exempts processing for research, archiving or statistical purposes, provided the personal data is not used to take any decision specific to a Data Principal. Furthermore, the Central Government may notify certain Data Fiduciaries or classes of Data Fiduciaries, including startups, as exempt from specific provisions of the Act. The Central Government has also been given the power, within five years from the commencement of the Act, to declare by notification that any provision of the Act shall not apply to such Data Fiduciary or classes of Data Fiduciaries for such period as may be specified.
- Overriding Effect: The provisions of the Act are in addition to, and not in derogation of, any other law for the time being in force. Where a provision of the Act conflicts with a provision of any other law, the provision of the Act prevails to the extent of the conflict.
- Bar on Jurisdiction: The Data Protection Board and the Appellate Tribunal are vested with exclusive jurisdiction over matters falling within the purview of the Act, and no civil court has the authority to entertain any suit or proceeding in respect of such matters.
Food for thought:
While we expected an all-encompassing legislation with every standpoint covered, what we got is a legislation that sits alongside the other law already in place, i.e., the Information Technology Act, 2000 and the Rules made thereunder, some of which are presently undergoing amendment. Rhetorically speaking, the nation still lacks one single robust legislation, with all its fangs, for stringent implementation of the intent of the legislature expressed in the legislations in question, including the Act.
1. Section 2(n) of the DPDP Act defines "digital personal data" as personal data in digital form.
2. Section 2(j) of the DPDP Act defines "Data Principal" as the individual to whom the personal data relates and, where such individual is (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.
3. Section 2(t) of the DPDP Act defines "personal data" as any data about an individual who is identifiable by or in relation to such data.
4. Section 2(i) of the DPDP Act defines "Data Fiduciary" as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
5. Section 2(c) of the DPDP Act defines "Board" as the Data Protection Board of India established by the Central Government under Section 18.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.