Introduction to the Legislation:
On August 11, 2023, the Digital Personal Data Protection Bill received the assent of the President of India and became the Digital Personal Data Protection Act, 2023 (the DPDP Act), having been passed by both houses of Parliament earlier that week. The Act is a significant milestone: it is India's first comprehensive data protection legislation. It establishes a dedicated legal framework for the processing of digital personal data in India, recognizing both the right of individuals to protect their personal data and the need of organizations to process personal data for lawful purposes. Note that the Act's provisions come into force only on the dates the Central Government notifies, and different dates may be set for different provisions, so organizations should track the notification of the Act and of the rules made under it.
Key Provisions:
Scope:
The DPDP Act 2023 applies to the processing of "digital personal data" within India, which covers:
- Personal data collected in digital form, for example through websites, apps and social media platforms.
- Personal data collected in non-digital form and subsequently digitized, such as scanned paper documents.
It also applies to processing outside India where that processing is in connection with offering goods or services to individuals in India.
Exclusions: The Act does not cover non-digital data that is never digitized (e.g., paper records), data that is not personal data (e.g., aggregated statistics, or anonymized data that can no longer be linked to an individual), personal data processed by an individual for personal or domestic purposes, or personal data that the individual has themselves made publicly available or that another person is required by law to make public.
Structure of the Legislation:
The Act runs to 9 chapters and 44 sections and sets out the rules for processing digital personal data. It also includes a Schedule listing the maximum monetary penalties for breaches of its provisions.
Data Fiduciaries: Who are Data Fiduciaries?
A Data Fiduciary is any person who, alone or together with others, determines the purpose and means of processing personal data. In other words, the Data Fiduciary decides why and how personal data is collected, used and stored. A Data Processor, by contrast, processes personal data on behalf of a Data Fiduciary; the Act keeps the Data Fiduciary responsible for compliance even where the processing is outsourced to a Data Processor. Data Fiduciaries include:
- Companies: This includes online platforms, social media networks, e-commerce websites, service providers and any organization collecting and using personal data.
- Government agencies: When collecting and processing personal information from citizens, government bodies also act as data fiduciaries.
Significant Data Fiduciaries (SDFs):
The Central Government may notify any Data Fiduciary, or class of Data Fiduciaries, as a "Significant Data Fiduciary". The factors it considers include the volume and sensitivity of the personal data processed (financial or health data, for example), the risk to the rights of individuals, and the potential impact on the sovereignty and integrity of India, electoral democracy, the security of the State or public order. SDFs face additional obligations:
- Appointing a Data Protection Officer (DPO) based in India, who represents the SDF and is the point of contact for grievance redressal.
- Appointing an independent data auditor to evaluate compliance with the Act.
- Carrying out periodic Data Protection Impact Assessments and periodic audits.
Individual Rights:
The Act grants individuals (called Data Principals) the following rights over their personal data:
Right to access information: Individuals can obtain a summary of the personal data being processed and of the processing activities, and the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared (Section 11).
Right to correction and erasure: Individuals can ask for inaccurate or misleading data to be corrected, incomplete data completed, out-of-date data updated, and data erased unless retention is necessary for the specified purpose or required by law (Section 12).
Right to withdraw consent: Individuals can withdraw consent at any time; the Data Fiduciary must then stop processing within a reasonable time and erase the data unless law requires its retention (Sections 6 and 8).
Right of grievance redressal: Individuals can raise a grievance with the Data Fiduciary and, if it is not resolved, complain to the Data Protection Board (Section 13).
Right to nominate: Individuals can nominate another person to exercise these rights on their behalf in the event of death or incapacity (Section 14).
Rights to data portability, to restrict processing and to object to processing, familiar from the GDPR, are not provided by the Act.
Consent Framework:
Consent is the primary lawful basis for processing under the Act (Section 6). A limited set of "legitimate uses" in Section 7, such as processing for a purpose for which the individual has voluntarily provided the data, does not require separate consent. A request for consent must be preceded by a notice describing the personal data to be collected and the purpose of processing (Section 5), and consent must be:
- Free and unconditional: given without coercion and not tied to unrelated processing.
- Specific, informed and unambiguous: given by a clear affirmative action, for the stated purpose, and limited to the personal data necessary for that purpose.
- Withdrawable: revocable at any time, with withdrawal as easy as giving consent. Processing done before withdrawal remains lawful, but processing must stop afterwards and the data be erased unless law requires retention.
For children, the verifiable consent of a parent or lawful guardian is required, and tracking, behavioural monitoring and targeted advertising directed at children are prohibited (Section 9).
Transfer of Personal Data outside India:
The Act permits transfer of personal data outside India by default. The Central Government may, by notification, restrict transfers to specified countries or territories (Section 16); the Act does not state the grounds on which it may do so. Any other law that imposes a higher degree of protection or a stricter restriction on transfer, sector-specific rules for instance, continues to apply.
Enforcement and Implementation
Data Protection Board (DPB):
The Data Protection Board of India is the adjudicating body established under the Act. It does not make rules or regulations; that power rests with the Central Government. The Board is responsible for:
- Directing urgent remedial or mitigation measures when a personal data breach is reported to it.
- Inquiring into breaches of the Act, whether on a complaint, a breach notification or a government reference, and imposing penalties.
- Adjudicating complaints from individuals, who must first use the Data Fiduciary's own grievance redressal mechanism.
Appeals against the Board's orders lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Penalties for Non-compliance:
The Act prescribes monetary penalties for non-compliance, set out in its Schedule (one crore is ten million rupees). The Board decides the amount within these ceilings, taking into account the nature, gravity and duration of the breach, the type of personal data affected, whether the breach is repetitive, and any mitigating action taken (Section 33).

| Breach | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)) | Up to INR 250 crore (approx. USD 30 million) |
| Failure to notify the Data Protection Board and affected individuals of a personal data breach (Section 8(6)) | Up to INR 200 crore |
| Breach of the additional obligations relating to children (Section 9) | Up to INR 200 crore |
| Breach of the additional obligations of Significant Data Fiduciaries (Section 10) | Up to INR 150 crore |
| Breach of the duties of Data Principals (individuals) under Section 15, such as impersonation or filing a false or frivolous grievance | Up to INR 10,000 |
| Breach of any term of a voluntary undertaking accepted by the Board (Section 32) | Up to the penalty applicable to the breach for which the proceedings were instituted |
| Breach of any other provision of the Act or the rules made under it | Up to INR 50 crore |
Key Steps for your Organizations to prepare for Compliance:
- Understand the Act's key provisions and requirements, and track the notification of the rules that will fill in its details.
- Identify and map all personal data your organization collects, including where it is stored and which Data Processors it is shared with.
- Give individuals a notice of the personal data collected and the purpose of processing at or before the point of consent.
- Implement a system to obtain, record and honour consent, including withdrawal of consent that is as easy as giving it.
- Implement reasonable security safeguards to protect personal data; a failure here carries the highest penalty under the Act.
- Establish a personal data breach response process that can notify the Data Protection Board and each affected individual.
- Create processes to handle requests for access, correction and erasure, and a grievance redressal mechanism with a published point of contact.
- Erase personal data once its purpose is served or consent is withdrawn, unless retention is required by law.
- Put compliant contracts in place with the Data Processors handling personal data on your behalf; your organization remains responsible for their processing.
- Evaluate how well your organization aligns with the Act's requirements and close the gaps found.
- Continuously monitor changes and updates to data protection regulations.
Veda Dalvi
Hello, I'm Veda, the Legal Analyst with a knack for decoding the complex world of laws. A coffee aficionado and a lover of sunsets, oceans and the cosmos. Let's navigate the Legal Universe together!