Aumirah

A New Era for Data Privacy: An In-Depth Look at India’s Digital Personal Data Protection Act, 2023

Introduction

In a significant move towards bolstering data privacy and protection, India has introduced the Digital Personal Data Protection Act, 2023 (DPDP Act). This landmark legislation was published in the official gazette on August 11, 2023, following approval from both houses of the Indian parliament and the President of India. The DPDP Act represents a comprehensive overhaul of India’s existing data protection framework, primarily governed by Section 43A of the Information Technology Act, 2000, along with the accompanying Information Technology Rules (IT Rules). Several factors, including rapid technological advancements, the absence of a dedicated data privacy law, and a Supreme Court ruling recognizing privacy as a fundamental right, have paved the way for this transformative legislation.

Defining Data: Broad and Inclusive

The DPDP Act takes an inclusive approach to defining various forms of data. It distinguishes between “data,” “personal data,” and “digital personal data.” “Personal data” is defined as any data that can identify an individual, while “digital personal data” encompasses personal data in digital form. Unlike some regulations, such as the European Union’s General Data Protection Regulation (GDPR), the DPDP Act does not classify data into ‘sensitive’ or ‘special’ categories. Instead, it mandates that entities processing digital personal data must implement suitable technical and organizational measures to ensure compliance, irrespective of data categorization. 

Key Actors: Data Principal, Data Fiduciary, and Data Processor 

The DPDP Act introduces a clear distinction among three principal roles in the data ecosystem: 

1. Data Principal: The individual to whom personal data relates, including parents or guardians, if the individual is a ‘child’ (under 18 years) or a person with a disability.

2. Data Fiduciary: Any entity, individual, or organization that, either alone or jointly with another, determines the purpose and means of processing personal data.

3. Data Processor: Any entity or person that processes personal data on behalf of a data fiduciary.

Scope and Applicability

The DPDP Act applies to two broad scenarios: 

1. Processing of digital personal data within India’s territory, whether the data is collected in digital form or collected in non-digital form and subsequently digitized.

2. Processing of digital personal data outside India, if linked to activities offering goods and services to Indian data principals.

However, certain exemptions exist, such as personal data processed for personal or domestic purposes and data made publicly available by the data principal or under Indian law. The Act also allows for research, archiving, or statistical processing under specific conditions. 

Key Rights and Obligations 

The DPDP Act bestows various rights upon data principals, including the rights to access their personal data, to have it corrected or erased, to use a grievance redressal mechanism, and to nominate a representative in case of incapacity or death. Data fiduciaries must ensure the completeness, accuracy, and security of personal data, and they are required to promptly report any breaches to the Data Protection Board of India.

Transfer of Personal Data 

The Act permits the transfer of personal data outside India, subject to certain restrictions determined by the government. Other sector-specific regulations, such as those related to financial institutions or insurers, may also apply.

Significant Data Fiduciaries 

The government can designate certain data fiduciaries as ‘Significant Data Fiduciaries’ based on prescribed factors. These entities must adhere to additional obligations, including appointing a data protection officer and conducting regular data protection impact assessments and audits. 

Child Data Protection 

When processing the personal data of children, data fiduciaries must obtain verifiable parental consent, refrain from tracking or targeted advertising, and avoid processing data that could harm a child’s well-being. 

Administrative Framework 

The DPDP Act establishes a Data Protection Board of India (DPBI) comprising technical and subject-matter experts. The DPBI provides a platform for individuals to address grievances and appeals, with decisions subject to judicial review. Mediation is also encouraged as an alternative dispute resolution process. 

Government Powers 

The government wields significant powers under the DPDP Act, including rule-making, exemption granting, and the ability to impose additional obligations on entities. It can also take strict measures against repeat offenders. 

Consent Managers 

The Act introduces consent managers, entities that facilitate consent management for data principals. These entities must be registered with the DPBI and act as a single point of contact for consent-related matters. 

Penalties 

Non-compliance with the DPDP Act can result in monetary penalties ranging from INR 10,000 to INR 2.5 billion. Significant Data Fiduciaries that fail to meet their obligations may face fines of up to INR 1.5 billion.

Conclusion 

India’s Digital Personal Data Protection Act, 2023, marks a significant step towards enhancing data privacy and security in the digital age. It provides a comprehensive legal framework for protecting personal data and places clear responsibilities on data fiduciaries. Organizations operating in India must prepare for compliance with the Act, reviewing their data processing practices, enhancing cybersecurity, and adapting to the new requirements for notice and consent. As the Act becomes effective, entities must take proactive measures to safeguard digital personal data’s confidentiality, integrity, and accuracy, ensuring that they align with the evolving data protection landscape.

Mitul Gupta