INTRODUCTION
The Digital Personal Data Protection (DPDP) Act, 2023 was passed by Parliament and received assent on 12th August, 2023.[1] The Act is the first legislation in India to deal with data protection and privacy. It aims at balancing the rights of individuals and the need for processing personal digital data.
The Act sets forth the rights and obligations of the Data Fiduciary (the entity collecting/processing data) and the Data Principal (the individual who gives his/her personal data). The Act applies to all data collected and processed in digital form, as well as data that has been collected physically but subsequently digitised. It is also applicable in situations where data is collected/processed outside the territory of India, in relation to transactions taking place in India. However, the ambit of the Act does not extend to processing or collection of data for domestic/personal purposes.[2]
KEY FEATURES INTRODUCED
- Recognition of the Concept of Consent
The Act recognises the importance of consent and permits the Data Fiduciary to process or collect data only when the Data Principal provides his consent to such collection or processing.[3] It also lays down the manner in which such consent is to be obtained. Further, the Data Principal is also given the right to withdraw his/her consent.[4] Though consent is essential for collecting or processing data, there are certain circumstances when data can be processed without consent. These exceptional circumstances are when:
- the Data Principal has given consent,
- collecting data is necessary for compliance with a judgment,
- it is required for a medical emergency involving threat to life,
- it is necessary for medical treatment etc.[6]
[1] Digital Personal Data Protection Bill now an Act, receives Presidents Assent, Times Of India, (12 August, 2023, 14:09), https://timesofindia.indiatimes.com/india/digital-personal-data-protection-bill-now-an-act-receives-presidents-assent/articleshow/102674040.cms?from=mdr.
[2] The Digital Personal Data Protection Act, 2023, Section 3, No.20, Acts of Parliament, 2023
[3] The Digital Personal Data Protection Act, 2023, Section 4, No.20, Acts of Parliament, 2023
[4] The Digital Personal Data Protection Act, 2023, Section 6(4), No.20, Acts of Parliament, 2023
- Establishment of Data Protection Board of India
The Act introduces an authority known as the Data Protection Board of India, which shall hold the same powers as a Civil Court, including powers to summon individuals, receive evidence and inspect records. The Board functions in a digital format, inquires into data breaches when it receives a complaint, and has the power to impose penalties as per the Act.[7] The Board is a specified body or authority which deals exclusively with issues related to breach of privacy and data.
- Punishment for Data Breach
One of the essential features of the Act is the introduction of a penalty for data breach. The maximum penalty that can be imposed on a Data Fiduciary for breach is 250 crores.
- Classification of Certain Entities as Significant Data Fiduciaries
The Act recognises certain entities as Significant Data Fiduciaries based on the volume and sensitivity of the data they process. Such Data Fiduciaries are under an obligation to appoint a Data Protection Officer who shall resolve the grievances of the Data Principal.[8]
CHANGES INCORPORATED
- Data Fiduciary to provide a Notice
The Data Fiduciary processing or collecting data should provide a notice which contains the purpose for processing the data, the ways in which the Data Principal can exercise his rights, and the manner in which complaints can be filed.[9] This provision ensures that the person providing consent is aware of the purpose and has information about the redressal mechanism.
- Data Fiduciary obligated to erase data when consent is withdrawn
Each person who provides consent also has the right to withdraw their consent. Once consent is withdrawn, it is the obligation of the Data Fiduciary to erase the data.[10]
[6] The Digital Personal Data Protection Act, 2023, Section 7, No.20, Acts of Parliament, 2023
[7] The Digital Personal Data Protection Act, 2023, Section 23, No.20, Acts of Parliament, 2023
[8] The Digital Personal Data Protection Act, 2023, Section 10, No.20, Acts of Parliament, 2023
[9] The Digital Personal Data Protection Act, 2023, Section 6, No.20, Acts of Parliament, 2023
- Appointment of a Consent Manager
The Consent Manager is a person appointed by a Data Fiduciary who is the point of contact for the Data Principal. The Data Principal can manage, review, or withdraw consent by communicating with this person.[11] The Consent Manager shall also be registered with the Board.
- Telecom Disputes Settlement and Appellate Tribunal has Appellate Jurisdiction
One of the main changes that has been incorporated is that the Telecom Disputes Settlement and Appellate Tribunal established under the TRAI Act, 1997 would have appellate jurisdiction in cases relating to data breach. Any person aggrieved by the decision of the Data Protection Board has the right to approach the Tribunal.[12]
- Emphasis on Data Protection of Children
The Act ensures that the rights of children are also recognised when processing data. As per this, the Data Fiduciary has to ensure that the consent of parents/guardians is obtained before processing their data. The Data Fiduciary must also ensure that any processing which causes a detrimental effect on the wellbeing of children is not undertaken.[13] Any Data Fiduciary that fails to act in consonance with the provisions relating to processing of data of children shall be liable to pay a penalty of up to Rs. 250 crores.[14]
- Effective Grievance Redressal
While Significant Data Fiduciaries have to appoint Data Protection Officers, other Data Fiduciaries can establish a grievance redressal mechanism through the Consent Manager. All grievances should be resolved through the internal redressal method before approaching the Board.[15]
[10] The Digital Personal Data Protection Act, 2023, Section 8(7)(a), No.20, Acts of Parliament, 2023
[11] The Digital Personal Data Protection Act, 2023, Section 2(g) and 6(7) and 6(9), No.20, Acts of Parliament, 2023.
[12] The Digital Personal Data Protection Act, 2023, Section 29, No.20, Acts of Parliament, 2023.
[13] The Digital Personal Data Protection Act, 2023, Section 9, No.20, Acts of Parliament, 2023
[14] The Digital Personal Data Protection Act, 2023, Section 33(1), No.20, Acts of Parliament, 2023.
[15] The Digital Personal Data Protection Act, 2023, Section 13, No.20, Acts of Parliament, 2023
IMPACT
The Act has an impact on several sectors that deal with data collection and protection. Sectors such as sales, marketing, finance and banking, human resources, information technology, the legal field etc. are affected by the Act, as they deal with collecting, retaining, and processing data.[16] Since most entities are engaged in these activities, the Government has planned to provide entities with a timeline of one year to comply with the provisions of the Act.[17]
CONCLUSION
The Digital Personal Data Protection Act, 2023, being the first data protection law in such regime, is an effective legislation. It provides the procedure for obtaining consent, ensures grievance redressal and creates a set of rights and obligations. It has introduced several concepts which had not existed within the ambit of data protection and technology, and which balance the need for processing data, usage of technology and protection of rights. The incorporation of this Act has provided statutory protection for the fundamental right to privacy and has given rise to an effective data protection regime in India. However, there are provisions in the Act that would require further amendment and development.
[16] Lalit Kalra, Decoding the Digital Personal Data Protection Act, 2023, EY (23 Aug, 2023), https://www.ey.com/en_in/cybersecurity/decoding-the-digital-personal-data-protection-act-2023
[17] Entities May be Given A Years’ Time to Comply with DPDP Act: Government, The Hindu Business Line, (18 September, 2023) https://www.thehindubusinessline.com/news/national/entities-may-be-given-a-years-time-to-comply-with-dpdp-act-government/article67325518.ece.
Author – Shyamli Shukla (Associate)
Co-Author – Jyothsna Nanda Kishore (Intern)