Data is the oil that fuels the digital economy. It is the raw material that powers everything - from online shopping to social media, to artificial intelligence. Just as oil was essential to the industrial revolution, data is essential to the digital revolution. Like oil, it is crucial to regulate data to avoid its misuse, protect privacy, and ensure that its vast potential benefits are harnessed responsibly and ethically.
India has experienced significant developments in the data protection space over the past few months. The Digital Personal Data Protection Bill, 2023, the fifth iteration of India's standalone data protection law, was successfully introduced, passed by both houses of parliament, and received presidential assent in August 2023. As a result, India now has a well-established, dedicated and comprehensive data law, known as the Digital Personal Data Protection Act, 2023 ("DPDP Act"). The DPDP Act is not yet in effect, but once effective, is set to reshape the data protection landscape in India.
SO, WHAT TRANSFORMATIVE CHANGES DOES THE DPDP ACT BRING TO THE TABLE?
The DPDP Act is a landmark piece of legislation that will regulate the processing of digital personal data in India. The DPDP Act is designed to protect the right to privacy of individuals as recognised by the Supreme Court of India, and to give them more control over their personal data. Here are some of the salient features of the DPDP Act:
Consent and notice. Any processing of personal data will be subject to consent. The consent needs to be freely given (through a clear affirmative action), specific, informed, unconditional, and should unambiguously indicate the data principal's affirmation to the processing of his/her personal data for the specified purpose. Implied consent would not work anymore where processing of digital personal data is involved. Additionally, at the time of seeking consent, the data fiduciary is required to provide to the data principal, a privacy notice in clear and plain language.
The requirement to provide a privacy notice has retrospective application i.e., data fiduciaries will be required to issue such notices to all such data principals whose personal data they are currently processing. Lastly, the data fiduciary is required to ensure that the data principal has the option of withdrawing his/her consent with ease (comparable to the ease with which consent was given).
Data retention. The data fiduciaries must cease to retain personal data (a) upon withdrawal of consent; or (b) as soon as the specified purpose (for which the personal data was collected) is no longer being served, unless an applicable law requires a longer data retention period.
Personal data breach. Data fiduciaries are required to implement reasonable security safeguards to prevent personal data breaches. In case of a data breach, the data fiduciary is required to notify the same to the Data Protection Board ("Board"), as well as to the concerned data principals.
Significant data fiduciaries. The Central Government can notify any data fiduciary or class of data fiduciaries as significant data fiduciaries, based on the volume and sensitivity of personal data processed, risk of harm, security of the state, etc. The DPDP Act imposes certain additional obligations on such significant data fiduciaries viz., the need to (i) appoint a data protection officer based in India; (ii) appoint an independent data auditor to evaluate compliance with the DPDP Act; and (iii) undertake periodic data protection impact assessment and compliance audits.
Rights & duties of a data principal. The DPDP Act provides certain rights to data principals such as right to erasure, right to correction, right to grievance redressal, right to nomination, and the right to withdraw consent for processing of personal data, among others. Additionally, the DPDP Act also lists down certain obligations for the data principal including, inter alia, the duty to not impersonate another person, register false or frivolous grievances or complaints, or supress any material information while providing his/her personal data.
Legitimate uses. The DPDP Act stipulates certain 'legitimate uses' for which a data fiduciary can process personal data of data principals without obtaining their explicit consent.
Consent manager. The DPDP Act also introduces the concept of 'consent managers' viz., a person registered with the Board, who acts as a single point of contact to enable a data principal to give, manage, review, and withdraw his/her consent through an accessible, transparent and interoperable platform.
Exemptions. The DPDP Act empowers the Central Government to exempt certain data fiduciaries or classes of data fiduciaries at its discretion, including startups and any 'instrumentality of the state' from certain provisions.
Penalty for violation of the DPDP Act. Penalties of up to INR 250 crore (~USD 30 million) may be imposed for non-compliance with provisions of the DPDP Act. However, no criminal liability has been envisaged under the Act.
Processing of children's data. The DPDP Act requires data fiduciaries to obtain verifiable consent of the parent or legal guardian of a child before processing the personal data of children. Further, a data fiduciary also has to ensure that such processing does not have a detrimental effect on the well-being of a child or that they do not undertake tracking, behavioral monitoring, or targeted advertising directed at children.
In essence, by giving individuals more control over their personal data and preventing its misuse, the DPDP Act creates a more transparent and accountable framework for the processing of personal data. While the date of enforcement of the provisions of the DPDP Act is yet to be notified by the Central Government, it is expected to undergo a phase-wise implementation.
Have questions about the DPDP Act? We have compiled a detailed FAQ document to answer the most commonly asked questions. The same is available here.
Need more information on the DPDP Act? Please see our detailed note on the same here.
To view the full article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.