The Indian Digital Personal Data Protection Act, 2023 (the “Act”) was enacted on August 11, 2023, and is expected to be notified imminently.
The Digital Personal Data Protection Act, 2023 applies to processing of Digital Personal Data, within the territory of India as well as outside the territory of India. [1]
The Act strives to recognise the rights of individuals to protect their personal data and the need to process such personal data for lawful purposes and for related matters.
The Act replaces Section 43A of the Information Technology Act, 2000 (the “IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”).
The Act is based on 7 principles, which are as follows:
- the principle of consent and transparency;
- the principle of purposeful limitation i.e., personal data is only used for the specified purpose for which consent is given;
- the principle of data minimisation, wherein only enough data is collected to serve the specified purpose;
- the principle of storage limitation, where data is collected and stored only as long as it is necessary to serve the specified purpose;
- the principle of reasonable security measures;
- the principle of data accuracy; and
- the principle of accountability through adjudication of data breaches and imposition of penalties for violations under the Act.
Comparison between the SPDI Rules and IT Act
The Act defines the terms Data [2], Personal Data [3] and Digital Personal Data [4]. The Act is limited in coverage to the processing of Personal Data, which pertains to an identifiable individual. Notably, the SPDI Rules carved out a separate category of sensitive personal data, meaning data such as passwords, bank account details, sexual orientation, biometric data, etc. No such bifurcation exists under the Act – all Digital Personal Data is subject to uniform protection.
Overall, the Act provides for robust mechanisms for the processing and protection of Personal Data. It imposes enhanced responsibility upon Data Fiduciaries when processing the Personal Data of children and persons with disability. The establishment of the Data Protection Board (the “Board”) as a separate adjudicatory authority for data protection creates accountability by imposing penalties for violations of the Act.
Key Definitions
- Data Fiduciary – any person who alone or in conjunction with any other person determines the purpose and means of processing Personal Data.
- Data Principal – individual to whom such Personal Data relates.
- Data Processor – any person who processes Personal Data on behalf of the Data Fiduciary.
- Child – an individual below the age of 18 years.
Consent
The Act states that the consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with clear affirmative action. The consent shall be limited to the processing of Digital Personal Data for which it is obtained.
The Data Fiduciary shall obtain the Data Principal’s consent by way of providing notice to the Data Principal, which shall inform the Data Principal regarding the following:
- the Digital Personal Data being processed and the purpose for which it shall be processed;
- the manner in which the Data Principal may exercise the rights under the Act; and
- the manner in which Data Principal may approach the Board.
The Data Principal shall have the right to withdraw consent given to the Data Fiduciary either by herself or through a Consent Manager.
Consent Managers
Consent Managers are persons registered with the Board who act as a single point of contact to enable a Data Principal to give, review, manage and withdraw consent through accessible and transparent platforms.
Every Consent Manager is mandatorily required to be registered with the Board and act on the instructions of the Data Principal.
Processing of Personal Data of a Child or Person with Disability
As per the Act, the Data Fiduciary, before processing Digital Personal Data of a Child or a person with disability, is required to take the verifiable consent of the parent or a lawful guardian. Further, the Act prohibits processing of Digital Personal Data which may have any detrimental effect on the well-being of a Child.
Significant Data Fiduciaries
The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciaries, on the basis of an assessment on factors such as the volume and sensitivity of Personal Data processed, risk to the rights of the Data Principal, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State and public order. Under the Act, Significant Data Fiduciaries shall appoint a data protection officer and an independent data auditor to carry out data audits.
Rights and Duties of Data Principals
The Data Principal shall be entitled to exercise the following rights with respect to the processing of Personal Data:
- the right to obtain a summary of Personal Data being processed;
- the right to obtain information regarding the identities of all the Data Fiduciaries and Data Processors with whom Personal Data of the Data Principal has been shared;
- the right to correct, complete, update and erase Personal Data; and
- the right to nominate any other individual, who shall in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal.
Obligations of Data Fiduciary
The obligations of Data Fiduciaries are as follows:
- to comply with the provisions of the Act;
- to implement appropriate security, technical and organisational measures to protect Personal Data under the control of the Data Fiduciary, including any processing undertaken by it;
- to ensure accuracy, completeness and consistency of Personal Data being processed;
- to implement security measures to safeguard Personal Data and prevent data breaches;
- to notify the Board in case of any breach of Personal Data;
- to publish the contact information of the Data Protection Officer (if applicable); and
- to delete and erase Personal Data, in case of consent being withdrawn by the Data Principal.
Cross-Border Transfer of Data
The Act authorises the Central Government to restrict the transfer of Personal Data by a Data Fiduciary for processing to territories outside India, as may be notified. Thus, the transfer of data shall be permitted to all countries except those expressly prohibited by the Central Government.
Data Protection Board of India
The Act provides for the establishment of an enforcement agency called the Board, which shall have the same powers as are vested in a civil court under the Code of Civil Procedure, 1908. An appeal may be filed against an order of the Board within sixty (60) days, before the Telecom Disputes Settlement and Appellate Tribunal.
Notes:
[1] Subject to the provisions of this Act, it shall—
(a) apply to the processing of digital personal data within the territory of India where the personal data is collected—
(i) in digital form; or
(ii) in non-digital form and digitised subsequently;
(b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;
(c) not apply to—
(i) personal data processed by an individual for any personal or domestic purpose; and
(ii) personal data that is made or caused to be made publicly available by—
(A) the Data Principal to whom such personal data relates; or
(B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
[2] 2(h) “data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
[3] 2(f) “personal data” means any data about an individual who is identifiable by or in relation to such data.
[4] 2(n) “digital personal data” means personal data in digital form.
Our advice:
The Act is a long-awaited, comprehensive new law which establishes a distinct and strengthened position on contemporary data protection in India. It is advisable that businesses evaluate and review their current documentation to meet the enhanced challenges and compliance requirements.
Siddhartha George and Dharani V. Polavaram
Poovayya & Co.
Lexing India