The Digital Personal Data Protection Act, 2023 (the "Act") was passed by the Parliament of India on August 9, 2023 and received the assent of the President of India on August 11, 2023. The long-awaited Act is comprehensive legislation regulating the collection and processing of personal data, while empowering individuals through transparency and control over the use of their personal data.
Substantial work appears to have been done on the Act since the earlier Bill was withdrawn following criticism from both industry players and privacy advocates. The revised version introduced this year appears to have addressed some of those concerns.
To successfully navigate the Act, one must be familiar with certain key terms:
- Any data about an individual who is identifiable by or in relation to such data is defined as "Personal Data".
- Any person who determines "the purpose and means of processing" personal data either alone or with another person is defined as a "Data Fiduciary". For instance, a Data Fiduciary may include any corporate organisation, governmental agency or research organisation which collects personal data.
- Any Data Fiduciary, or class of Data Fiduciaries, may be notified as a "Significant Data Fiduciary" by the Central Government and thereby be subject to additional compliances under the Act.
- Any person who processes personal data on behalf of a Data Fiduciary is a "Data Processor".
- A "Data Principal" is the individual to whom the personal data relates and where such individual is: (i) a child, includes the parent or a legal guardian of such a child; and (ii) a person with disability, includes the lawful guardian.
Now that we have dealt with some of the common terms as defined in the Act and used in this article, we can examine some of the key compliances and requirements of Data Fiduciaries under the Act:
1. Procure Prior Consent

Who provides consent to whom?
Consent is to be obtained from the Data Principal by the Data Fiduciary. Where the Data Principal is a child or a person with a disability, the Data Fiduciary must obtain the verifiable consent of the parent or the lawful guardian.

When is consent required?
Consent must be procured before the personal data is collected and processed. For personal data collected, and consent procured, before the Act, the Data Fiduciary must send the Data Principal a notice "as soon as it is reasonably practicable" after the Act comes into effect. Note: this phrase is not defined, but from past jurisprudence one could argue that where a statute provides for a "reasonable" time, the obligation should be met as soon as circumstances permit.

How is consent requested?
A request for consent must be accompanied by a written notice that: (i) is in clear and plain language; (ii) can be accessed in English or in any of the 22 languages listed in the Eighth Schedule to the Constitution; (iii) specifies the personal data being sought; (iv) specifies the purpose of the processing; (v) sets out how the Data Principal can exercise their rights under the Act; and (vi) sets out how the Data Principal may make a complaint to the Data Protection Board.

Can consent be withdrawn?
The Data Principal has the right to withdraw consent at any time.

What happens when consent is withdrawn?
Upon withdrawal of consent, the Data Fiduciary is required to: a. stop (and cause its Data Processors to stop) processing the Data Principal's personal data within a reasonable time, unless the processing is required or authorized under applicable law; and b. erase the personal data. Note: most companies rely on automated backups and redundant copies, and it is not clear whether erasing personal data from every backup and archive is practical or even desirable. The Data Fiduciary must retain the personal data where retention is necessary for compliance with any law in force, such as a bank's obligation to retain its customers' KYC documents after their accounts are closed.

2. Requests from Data Principals

What can Data Principals request?
On request by the Data Principal, the Data Fiduciary must provide: a. a summary of the personal data being processed; b. the processing activities undertaken with that data; and c. the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared, along with a description of the data shared (except where the sharing was to a Data Fiduciary authorized by law in connection with the prevention, detection or investigation of offences or cyber incidents).

When is data erased?
The Data Fiduciary (and its Data Processors) must erase personal data when: a. the Data Principal withdraws consent, unless retention is required for the specified purpose; or b. it is reasonable to assume that the specified purpose is no longer being served. Personal data may be retained where required for compliance with law. Note: the right to seek erasure and the "right to be forgotten" have been the subject of significant debate in jurisdictions that have implemented them. How Data Fiduciaries will approach such requests in India, where retention of certain data is mandated in the public interest, remains unclear.

Can the data be corrected?
On receipt of a request from a Data Principal, the Data Fiduciary must: a. correct inaccurate or misleading personal data; b. complete incomplete personal data; and c. update the personal data.

3. Grievances and Breaches

How are grievances addressed?
The Data Fiduciary must establish a grievance redressal mechanism for Data Principals. Note: the Rules or Regulations may need to detail the grievance redressal process further, so that it is not bureaucratic, complex, or difficult to understand and navigate.

Whom to contact?
The Data Fiduciary must publish the contact details of a person who is able to answer the Data Principal's questions about the processing of their personal data.

What happens if there is a breach?
In the event of a personal data breach, the Data Fiduciary must notify the Data Protection Board and each affected Data Principal. The Act prescribes the following penalties on the Data Fiduciary: a. up to 250 crore rupees for failing to observe reasonable security safeguards to prevent a personal data breach; or b. up to 200 crore rupees for failing to notify the Data Protection Board or the affected Data Principals of a personal data breach.

What is the process for enforcement of complaints?
The Data Principal may approach the Data Protection Board for the enforcement and adjudication of a complaint after exhausting the Data Fiduciary's grievance redressal mechanism. The Board may either inquire into the complaint and impose a penalty on the Data Fiduciary, or direct the parties to resolve the dispute through mediation. The Board will function as an independent body and is vested with the powers of a civil court under the Code of Civil Procedure, 1908, in relation to the following matters: a. summoning and enforcing the attendance of any person and examining them on oath; and b. receiving evidence and inspecting any data, book or document. Any person aggrieved by an order or direction of the Board may appeal to the Appellate Tribunal.
Compliance by Data Fiduciaries is key to realizing the potential of the Act, balancing privacy concerns with the vision of data-driven progress. Successful implementation of the Act's objectives would require Data Fiduciaries to put in place suitable personnel, processes and technology. Data Fiduciaries should also remain mindful of the rules and regulations which may be issued under the Act, which are likely to detail the compliances and also provide relevant formats.
The contents of this article do not necessarily reflect the views or position of Stratage Law Partners and remain solely those of the author(s). This article is meant for general information and shall not be deemed to be legal advice or opinion. This article is intended neither as an advertisement nor as a solicitation.