The Digital Personal Data Protection Act, 2023 ("DPDP Act"), having received presidential assent, was notified in the official gazette on August 11, 2023. It will come into force on a date yet to be notified by the central government. The DPDP Act has been introduced as specific legislation to govern personal data vis-a-vis an individual's right to privacy in India.
At present, the Information Technology Act, 2000 ("IT Act") along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 ("SPDI Rules") regulates the collection1, disclosure2, transfer3 and security practices and procedures4 for the handling of Personal Information5 and/or Sensitive Personal Data/Information6.
The SPDI Rules apply to all body corporates, and to any persons who on behalf of a body corporate (collectively, "Body Corporates") collect, receive, possess, store, deal with or handle Personal Information, including Sensitive Personal Data or Information, of any person located within India7.
Rule 4 of the SPDI Rules requires a Body Corporate to publish on its website a privacy policy for the handling of such information, which must provide for8:
- a clear and easily accessible statement on its practices and policies;
- type of information collected under Rule 3 of SPDI Rules which may include Sensitive Personal Data/Information;
- purpose of collection and usage of such information;
- policy on disclosure to third parties under Rule 6 of SPDI Rules; and
- reasonable security practices and procedures adopted by the Body Corporate under Rule 8 of the SPDI Rules (collectively, "SPDI Requirements").
Other Requirements under the SPDI Rules
Such practices enable the Body Corporate to have in place a blanket document that eliminates the requirement for repetitive updates each time Personal Information and/or Sensitive Personal Data/Information is collected, disclosed, or transferred by a Body Corporate. This practice further enables the Body Corporate to conveniently obtain explicit consent of its users without seeking specific consent for every collection, disclosure or transfer of Personal Information and/or Sensitive Personal Data/Information.
The Digital Personal Data Protection Act, 2023
Section 5 of the DPDP Act requires a Data Fiduciary to give the Data Principal, accompanying or preceding every request for consent, a notice that sets out17:
- the categories of Personal Data to be processed and the purposes of such processing;
- the contact details of the relevant Data Protection Officer18;
- manner in which the Data Principal can make a complaint to the Board19; and
- the manner in which a Data Principal can exercise its rights under the DPDP Act, which includes the:
  - right to withdraw its consent for processing of Personal Data; and
  - right to grievance redressal (collectively, "Content").
The DPDP Act states that Data Principals must be given the option to access such notice in English or in any of the languages specified in the Eighth Schedule to the Constitution of India.20
However, the DPDP Act has not provided any explicit provision on the procedure for effecting translation of such notice.
Further, under the DPDP Act, the Data Fiduciaries21 are obligated to obtain verifiable consent of a parent or legal guardian of children or persons with disability prior to the processing of their Personal Data.22
The DPDP Act has laid down certain additional rights of Data Principals such as:
- right to access the Personal Data shared and the processing activities including the names of Data Fiduciaries23;
- right to nominate an individual in the event of a Data Principal's death or incapacity24; and
- right to correct, complete, update and erase Personal Data shared25 (collectively "Rights").
Additionally, the DPDP Act imposes certain obligations on the Data Principals to prevent any exploitation of rights granted under the DPDP Act, such as the duty to26:
- not impersonate another person while providing Personal Data;
- not suppress any material information while providing Personal Data;
- not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and
- furnish only such information as is verifiably authentic (collectively "Duties").
However, there is no legal requirement to explicitly notify the Data Principals of such Rights and Duties in the notice mandated under Section 5 of the DPDP Act.
Accordingly, although not all of the following are mandated by Section 5, a privacy notice prepared with the DPDP Act in mind would ideally cover:
- the Content;
- the manner and procedure for Data Principals to file complaints with the Board;
- Rights and Duties of Data Principals;
- children and persons with disabilities' right to provide consent through their parent or legal guardian (as may be applicable) prior to the processing of their Personal Data; and
- the option to view the above provisions in either English or any of the languages specified in the Eighth Schedule to the Constitution of India.
GDPR versus the DPDP Act
Much like other data protection laws across the world, the DPDP Act draws inspiration from the General Data Protection Regulation (EU) 2016/679 ("GDPR"), which sets out standards for the protection of an individual's privacy. While the GDPR is not applicable to anonymised data27, the DPDP Act has language which could imply that it will not apply to data that cannot identify an individual28. The fundamental principles of obtaining free and informed consent of Data Principals under the DPDP Act29 are in line with the GDPR30. Processing of personal data under both the DPDP Act31 and the GDPR32 requires a lawful purpose. In a manner akin to the GDPR, the DPDP Act lays down certain legitimate uses33 under which personal data may be processed without explicit consent in specified situations, such as employment, medical emergencies or the performance of a legal obligation.
While an existing compliance program under the GDPR can be used as a starting point, it is pertinent to note that the DPDP Act differs from the GDPR in several respects. For example, unlike the GDPR, the DPDP Act does not classify personal data into specific categories. While the GDPR also applies to offline data34, the DPDP Act only governs data in digitised form35. Transfer of personal data under the DPDP Act is permitted except to countries that the central government may prohibit by notification36, whereas the GDPR permits such transfers only under specific conditions. The DPDP Act has also introduced a new set of actors under its purview, i.e., Consent Managers37, to manage consents on behalf of Data Principals. Hence, while capturing the essence of the GDPR, the DPDP Act has incorporated certain unique elements within its text.
1. Rule 5 of the SPDI Rules.
2. Rule 6 of the SPDI Rules.
3. Rule 7 of the SPDI Rules.
4. Rule 8 of the SPDI Rules.
5. Rule 2(1)(i) of the SPDI Rules defines "Personal Information" as any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
6. Rule 3 of the SPDI Rules defines Sensitive Personal Data or Information of a person as personal information which consists of information relating to: (i) passwords; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the aforementioned information, as provided to the entity for providing service; (viii) any information received under above sub-clauses by an entity for processing or are stored or processed under lawful contract or otherwise. Information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 will not be considered sensitive personal data or information.
8. Rule 4 of the SPDI Rules.
9. Rule 5(7) of the SPDI Rules.
10. Rule 5(6) of the SPDI Rules.
11. Rule 7 of the SPDI Rules.
12. Rule 5(9) of the SPDI Rules.
13. Section 2(x) of the DPDP Act defines "processing" in relation to personal data, as a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
14. Section 2(t) of the DPDP Act defines "Personal Data" as any data about an individual who is identifiable by or in relation to such data.
15. Section 6(1) of the DPDP Act.
16. Section 2(j) of the DPDP Act defines "Data Principal" as the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.
17. Section 5 of the DPDP Act.
18. Section 2(l) of the DPDP Act defines a "Data Protection Officer" as an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10 of the DPDP Act.
19. Section 2(c) of the DPDP Act defines "Board" as the Data Protection Board of India established by the Central Government under section 18 of the DPDP Act.
20. Section 5(3) of the DPDP Act.
21. Section 2(i) of the DPDP Act defines "Data Fiduciary" as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
22. Section 9 of the DPDP Act.
23. Section 11 of the DPDP Act.
24. Section 14 of the DPDP Act.
25. Section 12 of the DPDP Act.
26. Section 15 of the DPDP Act.
27. Recital 26 of the GDPR.
28. Section 3 of the DPDP Act.
29. Section 6 of the DPDP Act.
30. Article 7 of the GDPR.
31. Section 4(1) of the DPDP Act.
32. Article 6 of the GDPR.
33. Section 7 of the DPDP Act.
34. Article 2 of the GDPR.
35. Section 3 of the DPDP Act.
36. Section 16(1) of the DPDP Act.
37. Section 2(g) of the DPDP Act defines a "Consent Manager" as a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.