The Government of India has recently introduced a codified law on the subject of personal data protection, i.e., The Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “DPDP Act”). The provisions will come into force once notified by the Central Government.
WHAT IS PERSONAL DATA AND PROCESSING UNDER THE DPDP ACT?
Under the DPDP Act, “personal data” means any data about an individual who is identifiable by or in relation to such data and . The definition of “processing” is exhaustive and even includes operations such as collection, recording, storage, in its ambit.
WHO IS A DATA FIDUCIARY AND DATA PROCESSOR UNDER THE DPDP ACT?
“Data Fiduciary” means any person who determines the purpose and means of processing of personal data. The Data Fiduciary can process the data itself or through a third party who is defined as Data Processor under the DPDP Act. The Data Fiduciary is responsible for compliance under the DPDP Act.
“Data Processor” means any person who processes personal data on behalf of a Data Fiduciary.
WHO ARE COVERED UNDER DPDP ACT?
Under the DPDP Act, any person who is processing the personal data of any individual for any purpose other than personal or domestic in any manner or getting the personal data processed by another person will be covered under the DPDP A
WHEN DOES DPDP ACT GET APPLICABLE?
The DPDP Act gets applicable, when the processing of digital personal data is done:
- Within the territory of India where the personal data is collected in digital form, or in non-digital form and digitized subsequently.
- Outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to the Data Principal (individual to whom the personal data relates) within the territory of India.
WHEN CAN PERSONAL DATA BE PROCESSED?
The DPDP Act provides that the personal data can only be processed for a lawful purpose and only in below two situations:
- Where Data Principal has given her consent,
or
- Where the processing is covered under the legitimate uses provided under the DPDP Act.
HOW CONSENT SHOULD BE OBTAINED?
The consent should be obtained by informing the individual about the purpose and the personal data which is intended to be collected and processed. The information given should be unambiguous and in clear and plain language. There should be a clear affirmative action from the side of individual while giving consent.
IS THERE ANY REQUIREMENT OF GIVING NOTICE WHILE OBTAINING CONSENT?
While seeking the consent of the Data Principal before collection of personal data, a notice is mandatorily required to be given to the Data Principal, inter alia, informing the Data Principal about the personal data which is to be processed and the purpose of such processing.
Where the consent of the Data Principal has been obtained prior to the commencement of the DPDP Act for processing of her personal data, the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a fresh Notice. The Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.
WHAT ARE THE OTHER OBLIGATIONS ON THE DATA FIDUCIARY?
The persons covered under the DPDP Act are required to ensure the compliance of the following obligations:
- Appointment of Data Processor to process personal data of the Data Principal on his behalf only under a valid contract.
- Ensure completeness, accuracy and consistency of the personal data where the data processing is likely to be used to make a decision that affects the Data Principal or disclosed to another Data Fiduciary.
- Erase or cause to erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes.
- To implement appropriate technical and organizational measures for proper observance of the provisions.
- To build reasonable security safeguards to prevent a data breach to protect the personal data in its possession.
- Inform the Data Protection Board of India and affected persons in the event of a breach
- To establish an effective mechanism for redressal of grievances.
- Publish contact information of Data Protection Officer or any other person acting on behalf of Data Fiduciary
WHO IS A SIGNIFICANT DATA FIDUCIARY?
Significant Data Fiduciary means any Data Fiduciary or class of data fiduciaries as may be notified by the Central Government.
Significant Data Fiduciary has an additional obligation to conduct periodic data protection impact assessments and appoint:
- Data protection officer, and
- Independent data auditor.
WHAT IS A DATA PROTECTION BOARD?
The DPDP Act contemplates the establishment of a Data Protection Board, as an enforcement body, by the Central Government. Civil courts are barred from entertaining suits or proceedings for any matter in respect of which the Data Protection Board is empowered. The Appeal against the decision of the Data Protection Board can be filed within 60 days before the Telecom Disputes Settlement and Appellate Tribunal.
WHO IS A CONSENT MANAGER?
The DPDP Act has introduced the concept of Consent Manager. The Consent Manager means a person registered with the Data Protection Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform and will be accountable to Data Principal.
WHAT ARE THE RIGHTS OF DATA PRINCIPALS?
The DPDP Act, inter alia, provides following rights to the Data Principal:
- Right to access information about personal data
- Right to correction, completion, updating and erasure of personal data
- Right of grievance redressal
- Right to Nominate
- Right to withdraw consent
ARE THERE ANY RESTRICTIONS ON CROSS-BORDER DATA TRANSFERS?
There are no restrictions on cross-border data transfer. The DPDP Act allows for the cross-border transfers of personal data, for processing, by the Data Fiduciaries. However, the Central Government can restrict the countries or territories outside India to which the data can be transferred.
CAN THERE BE ANY PENALTY IN CASE OF NON-COMPLIANCE?
The DPDP Act prescribes certain obligations on the Data Fiduciary and in case of any non-compliance, the Data Fiduciary can be subjected to penalties up to INR 250 Crores (approx. US$ 3,01,00,000).
IS THERE ANY TIME LIMIT TO COMPLY WITH THE DPDP ACT?
The DPDP Act is silent on whether any specific time will be provided to the companies to become compliant once the provisions of DPDP Act are notified. Therefore, it is advisable for the companies to take appropriate steps at this stage to ensure compliance readiness with the provisions of the DPDP Act.
By
Vijay Pal Dalmia, Advocate
Supreme Court of India & Delhi High Court
Email id: vpdalmia@gmail.com vpdalmia@vaishlaw.com
Mobile No.: +91 9810081079
Linkedin: https://www.linkedin.com/in/vpdalmia/
Facebook: https://www.facebook.com/vpdalmia
Twitter: @vpdalmia
AND
Rajat Jain, Advocate
Email id: rajatjain@vaishlaw.com
Mobile No. 9953887311
LinkedIn: https://www.linkedin.com/in/rajat-jain-75772398/
© 2020, Vaish Associates Advocates,
All rights reserved
Advocates, 1st & 11th Floors, Mohan Dev Building 13, Tolstoy
Marg New Delhi-110001 (India).
The content of this article is intended to provide a general guide to the subject matter. Specialist professional advice should be sought about your specific circumstances. The views expressed in this article are solely of the authors of this article.