Digital Personal Data Protection Act, 2023

Update: 2024-02-10 05:59 GMT


The current Act is more open–ended, leaving much to be prescribed by the Central Government and it does away with different categories of datasets (like critical or sensitive data).

The Digital Personal Data Protection Act, 2023 (“DPDP Act, 2023” or “the Act”) provides a legal framework for the processing of the digital personal data of individuals in India. The Indian Government has been working on a comprehensive data protection law since 2018, and the present Act is a significant departure from the earlier drafts prepared by various expert panels. The Act (initially a Bill) was cleared by the Union Cabinet on July 5, 2023. The Bill was then introduced in and passed by the Lok Sabha and the Rajya Sabha on August 07, 2023 and August 09, 2023, respectively. It received the assent of the Hon’ble President of India on August 11, 2023 and was published in the Gazette of India by the Ministry of Law and Justice (Legislative Department) as the Digital Personal Data Protection Act, 2023 (No. 22 of 2023), making it India’s first standalone data protection statute. Under Section 1(2), its provisions come into force on such date(s) as the Central Government notifies, so enactment and commencement are distinct events.


The Data Protection Board of India (“Board”) is the adjudicatory body for enforcement of the provisions of the Act. In this context, “data protection” means the safe and secure handling of user data by the person holding it: a set of policies that restrict how an individual’s personal data may be used and that guard it against breaches.

Personal Data Protection (PDP) refers to the set of tools and policies for practising, regulating and measuring the privacy and security of an individual’s personal information. It covers the collection, use, storage and sharing of personal data by organisations and governments, while ensuring that individuals retain control over their personal data.

The main function of the Act is to safeguard an individual’s privacy and to provide remedies against misuse of, or unauthorised access to, their personal information by third parties.

Personal data includes information such as names, addresses, phone numbers, e-mail addresses, financial details, medical records and any other identifier that can be used, directly or in combination, to identify an individual.

The Act defines compliance obligations for a ‘Data Fiduciary’, meaning any person who, alone or in conjunction with other persons, determines the purpose and means of processing an individual’s personal data.

In practice, personal data protection is implemented through controls such as Data Loss Prevention (DLP) tooling, encryption of data in transit and at rest, access controls and firewalls. These controls are essential across business operations such as research and development, finance and the like.

What is the Act about

The Digital Personal Data Protection Act, 2023 defines the compliance obligations of Persons who take responsibility for using users’ personal data.

The Act establishes requirements for businesses handling and processing personal data, and sets out the rights of individuals. Its main purposes are to regulate cross-border transfers of personal data (transfers are permitted except to countries or territories the Central Government restricts by notification), to penalise Persons monetarily for personal data breaches and other non-compliance, and to provide for the establishment of a data protection body to ensure compliance. Persons are also required to stop retaining user data once it no longer serves the purpose for which it was collected, and failure to do so can itself attract penalties.

A Data Principal is the individual to whom the personal data relates. The Act contains a specific prohibition on processing personal data that is likely to have “any detrimental effect” on the well-being of a Data Principal who is a child (Section 9), alongside the general requirement that all processing be for a lawful purpose.

The Act provides for the following rights of Data Principals:

Right to Information: Data Principals have the right to access information about the processing of their personal data, along with a summary of the data itself.

Right to Withdraw Consent: Individuals can withdraw their consent for data processing at any point and they are entitled to be informed if their data has been shared with a third party.

Right to Correction and Erasure: Data principals have the authority to rectify inaccuracies in their personal data and request the erasure of such data when no longer necessary.

Right of Grievance Redressal: This empowers Data Principals to register complaints with the Data Fiduciary. Where the response is inadequate or unsatisfactory, grievances can be escalated to the Board. The Act also places certain duties on Data Principals, including refraining from providing false information and from filing false or frivolous complaints.


Simultaneously, the Act lays down several responsibilities for Data Fiduciaries:

Transparency: Data Fiduciaries must transparently explain the personal data they intend to collect and its purpose and usage behind the collection.

Informed Consent: Prior consent is mandatory for collecting and processing an individual’s personal data, except for the “certain legitimate uses” enumerated in the Act (Section 7); processing outside these grounds without consent amounts to a breach of the provisions of the Act.

Data Accuracy: Measures should be implemented to ensure the accuracy and completeness of processed data.

Security Measures: Adequate security measures must be in place to prevent data breaches. The data should not be misused by any fiduciary as this would lead to legal implications.

Data Retention: Data should be retained only as long as required for the intended purpose. Once that purpose is served, or once the user withdraws consent or deletes the application or account, the fiduciary should erase the personal data (and have its processors erase it) so that it is no longer available to anyone.

Data Breach Notification: In the event of a data breach, both the Board and affected Data Principals must be notified.

Data Sharing: Data Fiduciaries should establish contracts before sharing or transferring data to other fiduciaries or data processors.

For Significant Data Fiduciaries (larger or higher-risk data organisations notified as such by the Central Government), the Act mandates the appointment of a Data Protection Officer and an Independent Data Auditor for periodic compliance audits.

Companies and institutions are required to delete user data once it no longer serves the intended business purpose. In respect of children’s data, no corporation or organisation will be permitted to process personal data that is likely to have “any detrimental effect” on the well-being of the child Data Principal.

Data Protection Board of India

The Data Protection Board of India (“the Board”) shall be established for the purposes of this Act and shall consist of a Chairperson and Members appointed by the Central Government. Its headquarters will be located at such place as the Central Government may notify. The Chairperson and the Members are appointed for a short term of two years and are eligible for re-appointment.

The Board is intended to function as an independent body, to operate digitally as far as practicable, and to adopt techno-legal methods of working.

The Chairperson exercises general superintendence over, and gives directions in respect of, the administrative matters of the Board. The Chairperson may also authorise an officer of the Board to scrutinise any complaint, or to perform any other function the Chairperson deems fit.

The Act provides following powers and functions that the Board may Exercise:

• To direct any urgent remedial or mitigation measures in event of any breach of personal data

• To impose penalties on the offenders

• To grant the Person concerned an effective opportunity of being heard before any penalty is imposed

• To modify, suspend or withdraw any direction that it may deem fit

Civil courts are barred from entertaining any suit in respect of any matter which the Board is empowered to adjudicate, and no court may grant an injunction in respect of any action taken by the Data Protection Board of India.

Appeal and Alternate Dispute Resolution

An aggrieved Person has the right to appeal to the Appellate Tribunal (the Telecom Disputes Settlement and Appellate Tribunal, TDSAT) within 60 days of the order passed by the Board. The Appellate Tribunal shall give the parties a reasonable opportunity of being heard and, if it deems fit, may direct the parties to settle the matter through mediation.

The Tribunal has the same powers as a Civil Court, and every order or decree it passes is executable in the same manner as a decree of a Civil Court.

Limitations of the Act

Digital by design: The Act stipulates that the Data Protection Board shall be ‘digital by design’, including in the receipt and disposal of complaints. As per the latest National Family Health Survey, only 33% of women in India have ever used the Internet. The Act therefore risks failing to reach the millions of people who do not have meaningful access to the Internet, especially in tier 2 and tier 3 cities and rural areas.

Regulation: The Act does not regulate risks of harm arising from processing of personal data.

Personal data outside India: The Act permits transfer of personal data outside India except to countries or territories that the Central Government restricts by notification. This mechanism may not ensure adequate evaluation of the data protection standards of the countries to which transfers remain allowed.

Independence: The short two-year term of the Members of the Board, combined with the possibility of re-appointment by the Central Government, may affect its independent functioning.

No compensation: Section 43A of the IT Act, 2000 obliged body corporates to pay damages to affected persons for negligent handling of their sensitive personal data. The Act omits Section 43A, which is a significant disadvantage for individuals, who are left without a statutory route to compensation.

Data Protection Act – Boon or Bane

A much-needed Act: The Act empowers Data Principals to manage their own digital personal data and requires Data Fiduciaries to treat individuals’ personal data lawfully. Because of the Act’s extraterritorial reach, firms operating outside India that offer goods or services to persons in India are expected to comply with it. To honour the rights individuals may exercise, such as the rights to access, update and erase their personal data, Persons will have to review their existing working methods, particularly for the personal data of their workers, customers, merchants, vendors and so on. Non-compliance with the Act’s duties may result in monetary penalties of up to Rs. 250 crore.

Towards compliance & transparency: The Act is seen as a significant milestone towards addressing the data protection concerns that have been a matter of contention for a long time. The Act’s comprehensive framework imposes reasonable requirements on data fiduciaries and processors, guaranteeing responsible digital personal data processing. Citizens’ basic right to privacy is reinforced by the emphasis on free and informed consent. The formation of a data protection board improves the Act by ensuring compliance, corrective actions, and sanctions if needed. The Board’s ability to work as a digital office, processing complaints, distributing cases, and making judgments using techno-legal methods, improves the overall efficiency and openness of the process.

Overall, the Act is a positive step towards safeguarding data privacy, promoting transparency in data practices, and marks a milestone for India’s Digital Future.

More rights for individuals: The Act which has been drafted by the Ministry of Electronics and Information Technology (MeitY) is seen as a forward-looking legislation that has a broad scope across sectors and will have an impact on businesses of all sizes.

The Act strikes an essential balance between safeguarding users’ rights and encouraging digital business innovation. Its significant business-friendly elements include the elimination of criminal penalties for noncompliance and the facilitation of foreign data transfers, among other things. On the other hand, it also guarantees a complete set of rights to data principals, with the goal of creating a transparent and responsible data governance structure in the future. We applaud the DPDP Act as a significant step toward establishing a new legal framework for digital firms and ushering in India’s technological revolution.

Penalties

If the Board finds significant non-compliance by a person after conducting an inquiry, it may impose a pecuniary penalty of up to INR 250 crore. The Schedule to the Act sets specific maximum penalties, from INR 50 crore up to INR 250 crore, for failing to implement reasonable security safeguards to prevent personal data breaches, failing to inform the Board and affected Data Principals of a breach, and failing to comply with the additional obligations of Significant Data Fiduciaries. The highest cap under the Act applies to failure to take reasonable security safeguards to prevent a personal data breach. Penalties collected by the Board under the Act are credited to the Consolidated Fund of India.

Unlike earlier proposals, the Act does not allow harmed Data Principals to seek compensation for breaches by Data Fiduciaries. This may disincentivise individuals from pursuing costly adjudication before the courts.

SK Attorneys’ view

The most crucial legislative steps for Digital India have been taken by the Ministry of Electronics and Information Technology (MeitY) and the Indian Parliament. While the law will affect every entity in the country that deals with the personal data of individuals in India, tech companies and consumer-facing start-ups are likely to be affected the most.

Overall, there will be a significant behavioural change in organisations that collect and process data, and the way data is shared between organisations will certainly change.

Multinational corporations and global start-ups operating out of India are likely to see increased operating costs, as they must still follow the local data storage norms mandated by sectoral regulators even though the Act itself allows relatively easy cross-border transfer and processing of personal data.

Personal data protection is a critical component of protecting everyone’s privacy. Every Data Fiduciary should therefore ensure that the systems it uses to hold personal data, including human resource management software, comply with personal data protection law and procedures.

The Act provides for duties for people, organizations, and governments to gather, use, store, and share personal data.

The Act seeks to govern the processing and protection of personal data in India and to give individuals more control over their personal data.

However, the export of personal data outside India is a major concern for large corporations operating across many international jurisdictions. The Indian Government may, after evaluating such external considerations, notify the countries or territories outside India to which Indian firms may not transfer personal data. If such restrictions are notified, organisations must re-architect and re-engineer their technology deployments, which is a one- to two-year effort, in order to move the locations where the data is housed.

The high penalty of Rs. 250 crore for non-compliance is another point of concern. The Act also omits to acknowledge or describe what compensation users will receive when their personal data has been compromised. If there is a data breach and the company is fined, the fine goes to the Government; what about the person whose data was compromised? Should that person not receive some form of reparation? We leave it to the Government to consider this further, as and when the need arises.

Disclaimer – The information contained in this article is intended solely for the personal non-commercial use of the user who accepts full responsibility for its use. While we have taken every precaution to ensure that the content of this article is both current and accurate however, the information contained in this article is general in nature and should not be considered to be a legal, tax, consulting or any other professional advice. In all cases the reader should consult with professional advisors familiar with your particular factual situation for advice concerning specific matters before making any decisions.

By: Saurabh Kumar and Saurabh Khanna