The Digital Personal Data Protection Act, 2023 has received Presidential assent and was notified in the Gazette on 11th August 2023, thus becoming the data protection law of India. The law has been much awaited, with four iterations of the Bill introduced in Parliament before it could be enacted. This update summarizes the key highlights of the law.
(For the earlier 2022 Bill, refer: Digital Personal Data Protection Bill, 2022 introduced with modifications).
The Digital Personal Data Protection Act, 2023 ("the Act"), as per its long title, is a law enacted to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes, and for matters connected therewith or incidental thereto.
Key Definitions and Application
'Personal Data' has been defined as any data about an individual who is identifiable by or in relation to such data. The term 'data' here refers to any representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
'Data Principal' refers to the individual to whom the personal data relates. In the case of a minor or a person with disability, it includes the parents or guardians of such person.
'Data Fiduciary' is any person who, alone or with any other person, determines the purpose and means of processing the personal data.
The law will apply within the territory of India to personal data that is collected in digital form, or is collected in non-digital form and digitized subsequently. Compared to the 2022 Bill, there is a minor deviation here: the 2022 Bill used the words 'online' and 'offline', which have now been replaced with 'digital' and 'non-digital' to bring clarity.
It also applies to personal data outside the territory of India if the processing of such data is intended to provide goods and services to data principals within India. Thus, to this extent, the Act is extraterritorial in nature. However, the Central Government has the right to restrict the transfer of personal data for processing to certain countries by notifying them. Notably, the reference to 'profiling' of personal data of the Data Principal has been removed from the applicability provision, when compared to the 2022 Bill.
The date of coming into force of the Act is to be notified by the Central Government.
Obligations of Data Fiduciaries
Data Fiduciaries can process the personal data of Data Principals only after obtaining explicit or deemed consent. For this purpose, Data Fiduciaries must provide a notice to Data Principals, in the prescribed form, detailing the personal data to be collected and the reasons for its collection, before obtaining her consent.
The Data Principal's consent must be free, specific, informed, unconditional, and unambiguous. The giving of consent should involve a clear affirmative action agreeing to the processing of her personal data for the purpose specified in the notice. If any part of the consent infringes the Act, that part is deemed invalid.
The Data Principal retains the right to withdraw her consent at any time through the 'Consent Manager'. Here, consent manager refers to a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
In case of a dispute, the burden of proof lies with the Data Fiduciary to demonstrate that notice was provided and that consent was freely given by the Data Principal. The Act also outlines various conditions under which the Data Principal is deemed to have given her consent for processing her personal data, where such processing is necessary for the purposes specified.
The general obligation of the Data Fiduciary is to comply with the provisions of this Act and to make reasonable efforts to ensure that the personal data to be processed is accurate and complete, especially if the data is used to make decisions that affect the Data Principal or is disclosed to another Data Fiduciary. Additional obligations have been cast upon Data Fiduciaries regarding the processing of personal data of minors.
Further, there are additional obligations to be followed by Significant Data Fiduciaries (SDFs), who shall be notified by the Central Government on the basis of factors including the volume and sensitivity of personal data processed, risks to the rights of the Data Principal, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order. Indicatively, fiduciaries providing large-scale and/or critical services would be classified as SDFs.
Interestingly, the concept of 'harm' to the Data Principal, which was present in the 2022 Bill, has been removed from the Act. Earlier, additional obligations were imposed on the Data Fiduciary with respect to minors, requiring it to ensure that no data processing that could cause harm to the child was carried out. Also, the risk of harm to the Data Principal was one of the bases for classifying a person as an SDF.
Further, the obligations and responsibilities under the Act have been placed entirely on the Data Fiduciaries. Earlier, in the 2022 Bill, Data Processors (persons who process personal data on behalf of Data Fiduciaries) were also made responsible for data breaches, along with the Data Fiduciaries. Now, the responsibility rests on the Data Fiduciary only.
Rights and Duties of Data Principals
The Data Principal is granted several rights under the Act, including:
The right to information about her personal data being processed, including a summary of the personal data processed, a list of Data Fiduciaries with whom her personal data has been shared, and any other prescribed information.
The right to correction and erasure of her personal data "in accordance with applicable laws and prescribed procedures." However, erasure requests may be denied if data retention is required by law.
The right to grievance redressal, which allows the Data Principal to register a grievance with the Data Fiduciary. If unsatisfied, or if no response is received within the prescribed period, she may file a complaint with the Board.
The right to nominate another individual to exercise her rights in case of her death or if she is incapacitated due to an unsound mind or body.
Further, the Act outlines duties that the Data Principal must adhere to, including:
Compliance with all provisions of this Act.
Not impersonating another person while providing the personal data.
Refraining from registering false or frivolous grievances or complaints with the Data Fiduciary or the Board.
Not providing false particulars, suppressing material information, or impersonating another person.
Furnishing only verified and authentic information while exercising the right to correction and erasure.
Data Protection Board of India
The Act provides for the establishment of the Data Protection Board of India. The composition of the Board, the process for selecting its members (including the chairperson), and the terms and conditions of appointment and service will be prescribed. The Act outlines the functions of the Board in detail and covers the process the Board must follow to ensure compliance with the provisions of the Act. The Board has the power to inquire into data breaches and impose penalties, to inquire into other contraventions of the Act, and to exercise the powers of a civil court under the Civil Procedure Code, 1908.
Appeals and ADR
Appeals against the orders of the Board lie before the Appellate Tribunal. The Telecom Disputes Settlement and Appellate Tribunal (TDSAT) established under the Telecom Regulatory Authority of India Act, 1997 is designated as the Appellate Tribunal for the purposes of this Act. Appeals against the orders of the Appellate Tribunal lie before the Supreme Court of India.
The Act provides for Alternative Dispute Resolution, allowing the Board to direct the concerned parties to mediation if it deems that a complaint can be more appropriately resolved through mediation or another dispute resolution process.
Penalties
Monetary penalties for non-compliance with the provisions of the Act have been specified. They are to be levied having regard to matters such as the nature, gravity and duration of the breach, the type and nature of the personal data affected by the breach, and the repetitive nature of the breach.
Conclusion
The Digital Personal Data Protection Act, 2023 is a milestone achievement for India's data privacy landscape. The law strikes a balance between individual privacy and legitimate data processing needs. By emphasizing explicit consent, defining clear rights for data principals, and establishing the Data Protection Board of India, the Act lays a strong foundation for responsible data handling. It assures Data Principals of control over their data, while also setting guidelines and penalties for Data Fiduciaries. With this Act, India takes a significant step towards ensuring data protection and promoting responsible data processing while respecting individual rights and privacy.
Annexure: Outline of the Act
Chapter I - Preliminary (Ss. 1 to 3)
Chapter II - Obligations of Data Fiduciary (Ss. 4 to 10)
Chapter III - Rights and Duties of Data Principal (Ss. 11 to 15)
Chapter IV - Special Provisions (Ss. 16 to 17)
Chapter V - Data Protection Board of India (Ss. 18 to 26)
Chapter VI - Powers, Functions and Procedure to be followed by Board (Ss. 27 to 28)
Chapter VII - Appeal and Alternate Dispute Resolution
Chapter VIII - Penalties
Chapter IX - Miscellaneous
Schedule
Authored by Jitin Bharadwaj, Advocate at Metalegal Advocates. The views expressed are personal and do not constitute legal opinion.