How does the Act Affect my Life?

Some Frequently Asked Questions

Anshi Beohar*

An individual’s personal data is as unique and identifiable as any other biometric, such as fingerprints or the iris of one’s eye. From using one’s Aadhaar card to filling in an application form, making an online purchase or even just browsing the internet, we share a piece of our personality, and it is through these kinds of daily activities that our individual identity can be recognised. Often this processing of data helps us, for instance in selecting the right products or services, finding jobs or life-partners, or setting reminders to pay our bills, but it can also be misused to cheat or mislead us.

On August 11, 2023, the Digital Personal Data Protection Act, 2023 was brought into force to attend to some of these concerns. The law deals with digital personal data, the rights and obligations of the stakeholders, and the penalties in case of violations. Several provisions still need more specification, which will be possible only once the rules are framed by the central government.

Some of the frequently asked questions related to the DPDP Act, 2023 are answered below:

1. What is the DPDP Act, 2023?

The Digital Personal Data Protection Act, 2023 is now the primary law that deals with data protection in India. The Act recognises the individual’s right to protect her digital personal data and deals with the need to process such personal data for lawful purposes and for protecting it.

2. When is it applicable?

The personal data of a Data Principal may be processed for lawful purposes and for legitimate uses. The DPDP Act is applicable to:

• The processing of digital personal data within the territory of India where the personal data is collected

→ in digital form, or

→ in non-digital form and digitised subsequently

• The processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.

3. When is it not applicable?

The DPDP Act is not applicable to:

• Personal data processed by an individual for any personal or domestic purpose, and

• Personal data that is made or caused to be made publicly available by—

→ the Data Principal to whom such personal data relates, or

→ any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

4. What are the grounds for processing personal data?

The personal data of a Data Principal may be processed for a lawful purpose (a purpose that is not expressly forbidden by law) only in accordance with the provisions of this Act, and only where consent has been given or for certain legitimate uses.

The DPDP Act allows for the following legitimate uses of personal data by Data Fiduciaries:

• where the Data Principal has voluntarily provided her personal data for a specific purpose, and has not indicated that she does not consent to the use of her personal data in that respect.

• where the state or any of its instrumentalities requires the personal data to provide any subsidy, benefit, service, certificate, licence or permit to the Data Principal (subject to the policy issued by the central government or any law for the time being in force for the governance of personal data), and either:

→ she has previously consented to the processing of her personal data by the state or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit, or

→ the personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document that is maintained by the state or any of its instrumentalities and is notified by the central government.

• for the state to perform its functions in the interest of the sovereignty and integrity of India or the security of the state; for fulfilling legal obligations; for compliance with judgments; during medical emergencies or disasters, etc.

5. What is the mechanism of processing personal data?

In order to process personal data, the Data Fiduciary must issue a request accompanied or preceded by a notice to the Data Principal, with an option to access the contents of the notice. The notice will state the personal data to be processed, the purpose of processing it, the manner in which consent may be given or withdrawn, the manner in which grievance redressal may be accessed, and the manner in which a complaint may be made to the Board.

6. What are the provisions for consent under the Act?

The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. Every request for consent shall be presented to the Data Principal. The contact details of the Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal must be provided as well.

The Data Principal shall have the right to withdraw consent at any time where the personal data is processed on the basis of the consent provided. If the consent is withdrawn by the Data Principal, the Data Fiduciary shall cease and cause its Data Processors to cease processing the personal data of such Data Principal within a reasonable time, unless legally authorised.

7. What are the responsibilities of a data fiduciary?

A Data Fiduciary shall be responsible for complying with the provisions of this law for any processing it undertakes, notwithstanding any agreement to the contrary or any failure by the Data Principal to carry out her duties under this law.

Data Fiduciaries are responsible for protecting the personal data in their possession by taking reasonable security safeguards to prevent a personal data breach. A failure to take such safeguards may lead to a penalty extending up to Rs 250 crore.

A Data Fiduciary shall intimate the Board and each affected Data Principal if there is a personal data breach. A failure to give this intimation, subject to legal provisions, may lead to a penalty extending up to Rs 200 crore.

In addition to this, unless otherwise directed, Data Fiduciaries must:

(a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and

(b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor.

Data fiduciaries have to publish the contact details of the Data Protection Officer or a person who will answer the questions about the processing of personal data. Data fiduciaries will have to establish an effective grievance redressal mechanism.

8. Do additional obligations apply to processing of personal data of children or a person with disability?

The DPDP Act imposes additional obligations on Data Fiduciaries in relation to processing the personal data of children and of persons with disability who have a legal guardian. The Data Fiduciary is mandated to obtain verifiable consent from the parents or legal guardian before processing the personal data of a child (an individual below 18 years of age) or of such a person with disability.

The Act further prohibits any processing of children’s data that is likely to cause a detrimental effect on the wellbeing of a child, as well as tracking or behavioural monitoring of children and targeted advertising directed at children, unless otherwise authorised under law.

Any breach in observance of additional obligations under section 9 of the DPDP Act, 2023 may lead to a penalty extending up to Rs 200 crore.

9. Who is a Significant Data Fiduciary and do they have any additional obligations?

A Significant Data Fiduciary is any Data Fiduciary or class of Data Fiduciaries notified as such by the central government on the basis of an assessment of factors such as the volume and sensitivity of personal data processed; the risk to the rights of Data Principals; the potential impact on the sovereignty and integrity of India; the risk to electoral democracy; the security of the state; and public order.

In addition to the obligations of the Data Fiduciary, a Significant Data Fiduciary must also abide by the following:

• Appoint a Data Protection Officer (DPO) based in India, to represent them. This DPO must be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary and must act as the point of contact for the grievance redressal mechanism.

• Appoint an independent data auditor to carry out data audit, who shall evaluate compliance on their behalf.

• Conduct periodic Data Protection Impact Assessment, a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed.

• Conduct periodic audits.

• Undertake such other measures, consistent with the provisions of this Act, as may be prescribed.

Any breach in observance of additional obligations of Significant Data Fiduciary under section 10 of the DPDP Act, 2023 may lead to a penalty extending up to Rs 150 crore.

10. What are the rights of a data principal?

These are the rights available to a Data Principal under this law:

1. Right to access information about their personal data

If the Data Principal has consented to the processing, they have a right to obtain a summary of the personal data being processed, the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, and any other relevant information, subject to conditions.

2. Right to correction and erasure of personal data

A Data Principal can correct, complete, update and erase personal data for which consent has been given previously, subject to legal restrictions.

3. Right of grievance redressal

A Data Principal must be provided by a Data Fiduciary or Consent Manager with the means to access a grievance redressal mechanism in respect of any act or omission relating to their obligations or to the exercise of the Data Principal’s rights during the handling or processing of their personal data. The Data Fiduciary or Consent Manager shall respond to any grievance within the legally prescribed time period. This right must be exercised before approaching the Board.

4. Right to nominate

A Data Principal shall have the right to nominate any other individual to exercise their rights in the event of death or incapacity (inability to exercise the rights or unsoundness of mind or infirmity of body) of the Data Principal.

11. What are the duties of a data principal?

This law has assigned the following duties to the Data Principal:

• Compliance with the provisions of all applicable laws while exercising rights under the DPDP Act
• To not impersonate another while providing personal data
• To not suppress any material information while providing personal data
• To not register a false or frivolous grievance or complaint
• To furnish only verifiably authentic information while exercising the right to correction

Any Data Principal found in breach in observance of the duties may face a fine extending up to Rs 10,000.

12. Can data be shared with foreign entities?

The DPDP Act provides that the central government may restrict the transfer of personal data to certain notified countries. If any other law provides for a higher degree of protection or restriction on transfer of personal data by a Data Fiduciary outside India, this Act shall not restrict it.

13. What are the exemptions under DPDP Act?

There are certain circumstances that are completely exempted from the DPDP Act:

• Where the central government has asked to furnish and process any personal data in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence relating to any of these
• Where the personal data is necessary for research, archiving or statistical purposes, provided it is not used to take decisions specific to a Data Principal

Certain other circumstances attract limited exemptions:

• Where processing of personal data is necessary for enforcing any legal right or claim
• Where the personal data is processed by courts, tribunals, etc.
• Where the personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law
• Where the personal data is processed pursuant to a contract with any person outside the territory of India by any person based in India
• Where the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies, or a reconstruction (or division) by way of demerger or otherwise of a company, approved by a court or tribunal or other competent authority
• Where the processing is done to ascertain the financial information and the assets and liabilities of any person who has defaulted in payment against a loan or advance taken from a financial institution

In addition to this, the central government may notify and exempt certain Data Fiduciaries.

14. What is the grievance redressal mechanism?

Data Fiduciaries have to publish the contact details of the Data Protection Officer or of a person who will answer questions about the processing of personal data, and they must establish an effective grievance redressal mechanism. Only once this mechanism has been exhausted may the Board be approached to deal with the grievance.

15. What is the Data Protection Board of India?

The DPDP Act proposes to establish the Data Protection Board of India, an adjudicatory body, to regulate protection of digital personal data in India. The central government shall notify, appoint and establish the Data Protection Board of India. The Board shall be a body corporate with perpetual succession, common seal and with the power to acquire, hold and dispose of movable and immovable property. The Board shall also be able to contract, sue or be sued, depending upon the circumstances.

The Board will be headed by the Chairperson, along with such number of members as the central government may notify, each serving a term of two years with eligibility for reappointment. The Chairperson and other Members shall be persons of ability, integrity and standing who possess special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the central government may be useful to the Board, with at least one Member being an expert in the field of law.

16. What are the powers of the Board under this law?

The Board has the power to inquire as well as direct urgent remedial or mitigation measures and impose penalty, if necessary:

• On receipt of an intimation of a personal data breach
• When a complaint is made by a Data Principal in respect of a personal data breach, etc.
• On a complaint made by a Data Principal in respect of a breach by a Consent Manager of its obligations in relation to her personal data
• On receipt of an intimation of breach of any condition of registration of a Consent Manager
• On a reference made by the central government in respect of a breach in observing any direction issued by it.

If a person is aggrieved by an order or direction made by the Board, they may appeal before the Appellate Tribunal, the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within a period of sixty days. The TDSAT shall function digitally and will be digital by design for the receipt of appeals, hearings and the pronouncement of decisions.

The Appellate Tribunal shall be vested with the powers of a civil court.

17. What are the penalties for violation of law under the DPDP Act, 2023?

If the Board concludes in an inquiry that a person has breached the provisions of this Act or the rules made thereunder, after giving the person an opportunity of being heard, it may impose monetary penalty as per the Schedule. The Schedule prescribes various penalties for the violation of specific provisions.

Breach of any other provision of this Act or the rules made thereunder may lead to a penalty extending up to Rs 50 crore.

While the Act does not provide for any criminal charges against offenders, cognisable offences leading to a serious breach of sensitive data, or cybercrimes, will separately attract criminal prosecution.


July-September, 2023