DIGITAL PERSONAL DATA PROTECTION ACT (DPDP ACT), 2023

Trishaljeet Singh

Published on: Nov 22, 2022

Sumit Kaushik

Updated on: Sep 7, 2023


An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, with Africa and Asia showing 61% (33 countries out of 54) and 57% adoption respectively, according to data from the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organisation within the United Nations Secretariat. Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.

In India, after several iterations of the Personal Data Protection Bill, the Ministry of Electronics and IT (MeitY) released a revised Data Protection Bill known as the Digital Personal Data Protection Bill, 2022 (DPDP Bill). The Bill, a 24-page draft introduced 3 months after the withdrawal of the Data Protection Bill, is a noticeably shrunken version of the ones proposed in 2018 and 2019, down from 90 to 30 clauses, and levies heavy penalties for data breaches and non-compliance with the law. The draft Bill was released for public consultation. On August 3, 2023, the Digital Personal Data Protection Bill, 2023 was introduced in Parliament. The Lok Sabha approved the Bill on August 7, 2023 and the Rajya Sabha on August 9, 2023, marking the completion of the Parliamentary approval process.

The DPDP Act, 2023 received the assent of the Hon’ble President on 11th August, 2023. However, the date of enforcement of the Act is yet to be notified by the Central Government. We will update the same once it is notified.

The history goes back to August 24, 2017, when, in a landmark judgement in Justice K.S. Puttaswamy (Retd.) v. Union of India, a nine-judge bench of the Hon’ble Supreme Court recognised the right to privacy as a fundamental right under the Constitution of India, an intrinsic part of life and liberty under Article 21. The pronouncement of privacy as a right and a pivotal part of the right to life and liberty was a tipping point in the constitutional history of data protection.

KEY EVENTS

  • August 2017: The Central Government of India appoints a Committee of Experts for Data Protection under the Chairmanship of Justice B N Srikrishna.
  • July 2018: The 2018 Bill drafted by the expert committee is presented to MeitY. Subsequently, MeitY begins drafting the next iteration of the Bill.
  • December 2019: The 2019 Bill is tabled in Parliament for review.
  • December 2021: After multiple extensions and a leadership change, JPC Chairperson PP Chaudhary tables the report of the JPC on the PDP Bill, 2019, as well as the draft Data Protection Bill 2021, in Parliament.
  • August 2022: On August 3, MeitY withdraws the Data Protection Bill 2021 from Parliament, stating that a more “comprehensive legal framework” will be presented soon.
  • November 2022: The draft Bill is released for public consultation.
  • August 2023: On August 3, 2023 the Digital Personal Data Protection Bill is introduced in the Lok Sabha; it is passed by the Lok Sabha on August 7, 2023 and by the Rajya Sabha on August 9, 2023, marking the completion of the Parliamentary approval process.

APPLICABILITY OF DPDP ACT

Section 3 of the Act envisages the applicability and non-applicability:

  1. Processing of personal data collected within the territory of India when the data is collected in digital form or in non-digital form and subsequently digitised.
  2. Processing of personal data outside of India, if the processing is in connection with any activity related to offering goods and services to Data Principals in India.
  3. Does not apply to:
    • Personal data processed by an individual for any personal or domestic purpose
    • Personal data that is made or caused to be made publicly available by:
      1. The data principal to whom such personal data relates
      2. Any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

KEY DEFINITIONS

The Key terminologies defined under Section 2 of the Act are as under:

  1. Data: “means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.”
  2. Data Fiduciary: “Any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data.”
  3. Data Principal: “The individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child; a person with disability, includes her lawful guardian, acting on her behalf.”
  4. Data Processor: “Any person who processes personal data on behalf of a Data Fiduciary.”
  5. Personal data: “Any data about an individual who is identifiable by or in relation to such data.”
  6. Processing: “An automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.”

PRINCIPLES OF THE ACT

The Digital Personal Data Protection Act 2023 is based on 7 principles of the Data Economy. These principles are drawn from the personal data protection laws of various jurisdictions.

  1. Rightful Usage: Usage of personal data by organisations must be done in a lawful, fair and transparent manner towards the individuals concerned.
  2. Resolute Dissemination: Personal data must only be used for the purposes for which it was collected.
  3. Relevant Data Collection: Only the bare minimum of data necessary to fulfil a purpose should be collected, i.e. this principle is focused on data minimisation.
  4. Data Reliability: Data collected should be accurate, with no duplication at any point.
  5. Period of Data Retention: Personal data that is collected cannot be “stored perpetually by default,” and storage should be limited to a fixed duration.
  6. Authorized Collection and Processing: There should be reasonable safeguards to ensure there is “no unauthorised collection or processing of personal data.”
  7. Accountability of Users: The person who decides the purpose and means of the processing of personal data should be accountable for the processing of the collected data.

OBLIGATIONS OF DATA FIDUCIARY

  1. Grounds for processing digital personal data- Section 4
    Fiduciaries can only process personal data for lawful purposes for which the Data Principal has given consent, or for certain legitimate uses.
  2. Issue of Notice to seek consent- Section 5
    When seeking consent, or as soon as it is reasonably practicable, Fiduciaries must give users a notice that describes what personal data will be collected and for what purpose. The notice must be presented in the form prescribed.
  3. Consent of Users- Section 6
    The consent given by users must be specific, informed and unconditional, and must be a clear affirmative action agreeing to the processing of their personal data for the purpose specified in the notice, limited to such personal data as is necessary.
    • Fiduciaries cannot seek consent for anything that would infringe the provisions of this Act.
    • When seeking consent, the contact details of a Data Protection Officer must be provided.
    • Users must have the right to withdraw consent.
    • The Data Principal can “give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.”
    • If a Data Fiduciary has a contract with a user to deliver a service or good, the same cannot be made conditional on consent to the processing of any personal data.
    • If challenged in the courts, Data Fiduciaries will have to prove that a notice was given and consent was obtained to carry out the processing of personal data.
  4. Certain Legitimate Uses- Section 7
    A Data Fiduciary may process the personal data of a Data Principal for any of the following uses:
    • When the user voluntarily provides their personal data.
    • When the State or its agencies need to issue a benefit to the Data Principal, or issue any certificate, licence or permit for any action or activity of the Data Principal.
    • For performance by the State or any of its instrumentalities of any function under the law for the time being in force, or in the interest of the sovereignty and integrity of India or the security of the State.
    • For fulfilling any obligation under law on any person to disclose any information to the State or any of its instrumentalities, subject to the processing being in accordance with the provisions.
    • For compliance with any judgment or order issued under any law.
    • For responding to a medical emergency involving a threat to life or an immediate threat to health, an epidemic, an outbreak of disease, or any other threat to public health.
    • For the purposes of employment, including provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance.
  5. Maintain Accuracy and Retention of Data, prevention of Data Breaches- Section 8
    Data Fiduciaries must make reasonable efforts to ensure that the personal data processed is accurate and complete, and must protect the personal data in their possession.
    Data Fiduciaries must publish the “business contact information of a Data Protection Officer” in a format “as may be prescribed.”
  6. Grievance Redressal Mechanism- Section 8(8)
    Data Fiduciaries shall establish an effective mechanism to redress the grievances of Data Principals.
  7. Personal Data of Children- Section 9
    A Data Fiduciary obtaining the personal data of a child shall obtain verifiable consent of the parent or lawful guardian of such child in such manner as may be prescribed.
    • A Data Fiduciary shall not undertake such processing of data as is likely to cause harm to a child.
    • A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
  8. Additional Obligations for Significant Data Fiduciary- Section 10
    The Significant Data Fiduciary shall:
    • Appoint a Data Protection Officer.
    • Appoint an independent Data Auditor to carry out a data audit.
    • Undertake such other measures consistent with the provisions.

RIGHTS AND DUTIES OF DATA PRINCIPAL

  1. Right to access information about personal data- Section 11
    The Data Principal shall have the right to obtain from the Data Fiduciary:
    • a summary of the personal data which is being processed by the Data Fiduciary and the processing activities undertaken by the Data Fiduciary with respect to the personal data of the Data Principal;
    • the identities of all the Data Fiduciaries and Data Processors with whom the personal data has been shared, along with the categories of personal data so shared;
    • any other information as may be prescribed.
  2. Right to correction and erasure of personal data- Section 12
    The Data Principal has the right to make a request to the Data Fiduciary for correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent in accordance with law.
    Erasure requests can be denied if the data must be retained for legal purposes.
  3. Right of Grievance Redressal- Section 13
    A Data Principal shall have the right to readily available means of grievance redressal provided by the Data Fiduciary or Consent Manager in respect of any act or omission regarding the performance of its obligations in relation to the personal data of such Data Principal.
  4. Nomination Right- Section 14
    A Data Principal has the right to nominate any other individual to exercise their rights in the event of the Principal’s death or if the Principal is incapacitated.
  5. Duties of Data Principal- Section 15
    A Data Principal:
    • should not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board;
    • should not impersonate another person while providing her personal data for a specified purpose;
    • should not suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
    • should not furnish any false particulars, suppress any material information or impersonate another person;
    • should only provide information that is verifiably authentic while exercising their right to correction or erasure.

MISCELLANEOUS PROVISIONS

  1. Processing of personal data outside India- Section 16
    The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.
  2. Establishment of the Board- Section 18
    A Board shall be established, called the Data Protection Board of India, with its headquarters at such place as the Central Government may notify.
  3. Composition and Qualification for Appointment of Chairperson and Members- Section 19
    The Board shall consist of a Chairperson and such number of other members as the Central Government may notify.
  4. Alternate Dispute Resolution- Section 31
    If the Board is of the opinion that any complaint can be more appropriately resolved by mediation or other processes of dispute resolution, the Board may direct the concerned parties to alternative dispute resolution through mediation.
  5. Voluntary undertaking- Section 32
    The Board can accept voluntary undertakings from entities in respect of any matter related to compliance with the provisions of this Act. The undertaking must include specific actions and timelines, and must be publicised. The Board can require the terms of the undertaking to be modified. If accepted, any ongoing relevant proceedings against the concerned entity are barred unless the terms of the undertaking are not complied with.

EXEMPTIONS

Section 17 of the DPDP Act carries forward the wide and vague exemptions that were provided to the Union Government in Sections 35, 36, 37, 38 and 39 of the Data Protection Act, 2023.

  1. The Central Government has the power to exempt certain Data Fiduciaries or a class of Data Fiduciaries, based on the volume and nature of the personal data they process, from certain provisions of the Act. Specifically, these Fiduciaries will be exempt from sections 6, 9(2), 10, 11 and 12.
  2. The Act exempts entities from the provisions of chapter 2 (obligations of Data Fiduciaries) except sections 2(4) and 2(9), chapter 3 (rights and duties of Data Principals), and section 17 (transfer of personal data outside India) of this Act when:
    • Personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law.
    • The processing of personal data is necessary for enforcing any legal right or claim.
    • Processing of personal data by any court or tribunal or any other body in India is necessary for the performance of any judicial or quasi-judicial function.
    • Personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.
  3. The Central Government can exempt entities when the processing of personal data is “necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with standards specified by the [Data Protection] Board.”
  4. In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 shall not apply; and where such processing is for a purpose that does not include the making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply.
  5. The Central Government may, before the expiry of five years from the date of commencement of this Act, by notification, declare that any provision of this Act shall not apply to such Data Fiduciary or classes of Data Fiduciary for such period as may be specified.

OTHER ACTS/LAWS

Once this DPDP Act, 2022 is notified, the following Acts should be amended:

  • In section 14 of the Telecom Regulatory Authority of India Act, 1997, in clause (c), for sub-clauses (i) and (ii), the following sub-clauses shall be substituted, namely:
    • “the Appellate Tribunal under the Information Technology Act, 2000;
    • the Appellate Tribunal under the Airports Economic Regulatory Authority of India Act, 2008; and
    • the Appellate Tribunal under the Digital Personal Data Protection Act, 2023.”
  • Information Technology Act, 2000 in following manner:
    • section 43A of the IT Act shall be omitted;
    • In section 81 of the IT Act, in the proviso, after the words and figures “the Patents Act, 1970”, the words “or the Digital Personal Data Protection Act, 2022” shall be inserted; and
    • clause (ob) of sub-section (2) of section 87 of IT Act shall be omitted.
  • Clause (j) of sub-section (1) of section 8 of the Right to Information Act, 2005 shall also be amended.

FINANCIAL PENALTIES

Schedule 1, prescribed under Clause 33(1), envisages the applicable penalties listed below (subject matter of non-compliance, the clause contravened, and the potential penalty):

  1. Failure to take reasonable security safeguards to prevent personal data breach (Section 8(5)): may extend to ₹250 Crores
  2. Failure to notify the Board and affected Data Principals of a personal data breach (Section 8(6)): may extend to ₹200 Crores
  3. Non-fulfilment of additional obligations in relation to processing data of children (Section 9): may extend to ₹200 Crores
  4. Non-fulfilment of additional obligations of Significant Data Fiduciary (Section 10): may extend to ₹150 Crores
  5. Violation of user duties (Section 15): may extend to ₹10,000
  6. Breach of any term of voluntary undertaking accepted by the Board (Section 32): up to the extent applicable for the breach in respect of which the proceedings under clause 28 were instituted
  7. All other non-compliances under this Act (all other clauses except those mentioned above): may extend to ₹50 Crores

The earlier version of the Bill provided for penalties of up to a certain amount; however, Section 31(1) prescribes that the maximum penalty may extend to the amount specified under this Act.

CONCLUSION

The DPDP Act, 2023 is a comprehensive legislation, and the government expects to implement DPDP within 10 months. The definitions have been narrowed down for ease of understanding. The primary objective of the Digital Personal Data Protection Act, 2023 is to establish a comprehensive framework for the protection of personal data. This framework extends its jurisdiction to personal data collected within India, both online and offline data that has subsequently been digitised. Moreover, if data processing occurs outside India but involves offering goods or services to individuals within the country, the Act’s regulations will apply. The aim of regulating the transfer of personal data outside India is to safeguard the privacy of Indian citizens: in the absence of robust data protection laws in another country, data stored there may be more vulnerable to breaches or to unauthorised sharing with foreign governments as well as private entities.

Disclaimer

The information provided in this article is intended for general informational purposes only and should not be construed as legal advice. The content of this article is not intended to create and receipt of it does not constitute any relationship. Readers should not act upon this information without seeking professional legal counsel.
