Recognizing the need to balance the individual’s right to safeguard their personal data against the legitimate purposes of data processing, the Indian Parliament has passed landmark legislation: the Digital Personal Data Protection Act, 2023. The Act entitles Data Principals (the individuals linked to the data, through which they can be identified) to the protection of their personal data. It mandates that Data Fiduciaries (organizations or entities that, alone or with others, determine how personal data is processed) seek explicit consent for data collection and provide transparent justifications, and it imposes substantial penalties for breaches. It also introduces Data Processors, who process personal data on behalf of a Data Fiduciary.
Introduced on 11 August 2023, India’s Digital Personal Data Protection Act (DPDP Act) replaces the earlier withdrawn Personal Data Protection Bill of 2019.
The DPDP Act, with 44 provisions and penalties, will be implemented in phases through official notifications. It also introduces the Data Protection Board of India (DPBI) to oversee its enforcement. In a departure from the conventional “he/him” pronouns, the Act uses “she/her” pronouns, which marks a significant shift in the Parliament of India.
Unveiling the DPDP Act: A Guide to Key Definitions
The DPDP Act of 2023 clarifies the definitions that are central to operating the legislation. Digital personal data is any data related to an identifiable individual that is collected in digital form, or collected in a non-digitized format and subsequently digitized. Concepts such as consent, the obligations and duties of Data Principals, Data Fiduciaries, and Data Processors, and the grievance redressal process are also set out in the Act. The Act also clearly states the circumstances under which it will safeguard the rights of the Data Principal. For example, Data Principals can exercise their right to access their personal data held by an online shopping website, correct any inaccuracies, and even request deletion. The website, as a Data Fiduciary, is in turn bound to fulfill these requests and ensure data security in compliance with the Act. However, if an individual makes her data publicly available on social media while expressing her opinions through blogging, the specific provisions of the Act will not apply.
The DPDP Act: Navigating the Landscape of Data Protection
The DPDP Act’s application extends to all entities that collect, process, or store the personal data of individuals within India’s jurisdiction, whether those entities are located in India or outside the territories of India. It provides for the Data Protection Board of India, an independent body responsible for enforcing the DPDP Act.
At a time when data-driven decision-making is common, the Act promotes responsible and ethical use of personal data. Organizations need to clearly outline the purpose for which data is being collected and processed. Other critical aspects include valid grounds for processing personal data, the mandate to notify Data Principals in English or any language specified in the Eighth Schedule of the Constitution, obtaining explicit consent for data processing, exceptions for legitimate uses, general responsibilities, the specific processing of children’s data, and additional obligations for Significant Data Fiduciaries. The Act clearly states that individuals have a right to access, correct, or delete their personal data held by a Data Fiduciary with the same ease with which the consent was given, and the Data Fiduciary is obligated to comply. The Data Principals, in turn, have a duty to:
a) Adhere to regulations while exercising their rights,
b) Avoid impersonation,
c) Not withhold crucial details for official documents,
d) Refrain from submitting false grievances, and
e) Provide accurate information during corrections or erasures.
The DPDP Act introduces clauses for cross-border data transfers and data localization. Cross-border data transfers are permissible to countries with adequate data protection regulations. The Act also provides for exemptions, such as data processing necessary for legal rights or claims, processing under contractual agreements, and processing for specified legal purposes like mergers and in the case of loan defaulters.
The Data Protection Board of India (the Board) will be an independent entity responsible for enforcing the DPDP Act. The Board must investigate complaints, levy penalties as applicable, and issue compliance orders. Individuals dissatisfied with the orders or directions issued by the Board can seek recourse through the Appellate Tribunal. This avenue requires them to file an appeal within sixty days of receiving the order, following prescribed procedures and paying the requisite fees. Appeals submitted after this stipulated period might still be considered if there are valid reasons. Embracing digital transformation, the Tribunal aims to operate primarily digitally, managing submissions, hearings, and decisions in a digital format.
The Act includes penalties for a breach of personal data, imprisonment, or a prohibition on further use of personal data. The monetary penalties collected as a result of such violations will be directed to the Consolidated Fund of India. The government is expected to release further guidance under the DPDP Act in the coming months through official notifications.
Protective measures should be used to avoid potential penalties. As the DPBI’s role is clarified, adherence to issued guidelines becomes vital. Companies that gather or use people’s personal data should be ready for the law to be applied.
ANZEN Technologies Private Ltd. appreciates India’s decision to make digital privacy stronger. The Act is expected to have an impact on many organizational areas, including Legal, IT, HR, Finance, and Information Security, as these collect, store, process, and retain personal data. Organizations will have to step up and develop a strong Data Privacy and Protection Implementation Program under the new Act.
With our data privacy frameworks, we can help organizations prepare for compliance through a gap analysis of their current state, prepare an inventory of assets that hold personal data, and identify their ecosystem of Data Processors, per the Digital Personal Data Protection Act, 2023.