The Digital Personal Data Protection Act, 2023 (“DPDP”), having received presidential assent, has become the data protection law of India. The DPDP is set to have a profound impact on various industries. With the increasing reliance on digital platforms and data-driven services, the DPDP aims to strike a balance between protecting individuals' personal data and fostering innovation in the technology space. The DPDP Act lays down the following:
I. Applicability: The DPDP applies to the processing of digital personal data where the personal data is collected (i) in digital form; or (ii) in non-digital form and digitised subsequently. It also applies to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering goods or services to Data Principals (“DP”) within the territory of India. However, personal data processed for personal or domestic purposes and publicly available data are excluded from its purview. It may be noted that non-digital data and non-personal data are outside the scope of this Act, and this needs deliberation as the country moves along in its journey of data protection.
II. Consent: The DPDP stipulates that personal data may be processed only for a lawful purpose after obtaining the free, specific, informed, unconditional and unambiguous consent of the DP, with a clear affirmative action which signifies the DP’s agreement to the processing of her personal data for the specified purpose. A Data Fiduciary (“DF”), prior to obtaining consent, is obligated to present a notice (in English and any other language specified in the Eighth Schedule of the Indian Constitution) to the DP at the time of seeking consent, which comprises the following:
i. the personal data and the purpose for which the same is proposed to be processed;
ii. the manner in which the DP may exercise her rights of withdrawal of consent and grievance redressal before the DF or Consent Manager;
iii. the manner in which the DP may make a complaint to the Data Protection Board of India (“DPBI”); and
iv. a stipulation that the DF may continue to process personal data until consent is withdrawn.
Consent may be withdrawn at any time, upon which the DF shall, within a reasonable time, cease, and cause its data processors to cease, processing the personal data of such DP unless such processing without her consent is required or authorised under the provisions of this Act or any other law. The DP may give, manage, review or withdraw her consent to the DF with the help of a Consent Manager, who shall be accountable to the DP and shall be registered with the DPBI.
Consent will not be required for ‘legitimate uses’ including:
i. the specified purpose for which data has been provided by an individual voluntarily;
ii. provision of a benefit or service by the government;
iii. medical emergency; and
iv. employment.
For individuals below 18 years of age or a person with disability, consent will be provided by the parent or the legal guardian. The DPDP specifically states that DFs are not to undertake “tracking or behavioural monitoring of children or targeted advertising directed at children.”
III. Obligations of the Data Fiduciary (“DF”): As per the DPDP the DF:
a) Shall process the personal data of the DP in accordance with the Act and for a lawful purpose (one not expressly forbidden by law) for which the DP has given her consent, or for certain legitimate uses.
b) Shall present a notice (as explained above) prior to obtaining consent.
c) May process the data of the DP for:
(i) Specified purposes to which the DP has consented.
(ii) Providing subsidies, benefits, services, certificates, licenses, or permits to the DP by the State or any of its instrumentalities.
(iii) Performing any function under Indian law or in the interest of sovereignty, integrity of India, or state security.
(iv) Fulfilling obligations under Indian laws requiring disclosure of information to the State or its instrumentalities, subject to compliance with other applicable laws.
(v) Complying with judgments, decrees, or orders issued under Indian laws or foreign laws related to contractual or civil claims.
(vi) Responding to medical emergencies threatening the life or immediate health of the Data Principal or others.
(vii) Providing medical treatment or health services during epidemics, disease outbreaks, or threats to public health.
(viii) Ensuring safety, providing assistance, or services during disasters or public order breakdowns.
(ix) Employment-related purposes and safeguarding employers from loss or liability, including prevention of corporate espionage, maintaining confidentiality of trade secrets, intellectual property, or classified information, or providing services or benefits to employee Data Principals.
d) May engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering goods or services to DPs only under a valid contract.
e) Shall ensure the completeness, accuracy and consistency of the personal data.
f) Shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.
g) Shall, upon a personal data breach, intimate the DPBI and each affected DP.
h) Shall erase personal data as soon as the purpose has been met and retention is no longer necessary for legal purposes (storage limitation). In the case of government entities, storage limitation and the right of the DP to erasure will not apply.
i) Shall publish the business contact information of a Data Protection Officer (“DPO”).
j) Shall establish an effective mechanism to redress the grievances of DPs.
IV. Significant Data Fiduciaries (“SDF”): The DPDP stipulates that certain DFs may be designated as SDFs after taking the following factors into consideration: (i) the volume and sensitivity of personal data processed, (ii) risks to the rights of DPs, (iii) security of the state, and (iv) public order. These entities will have certain additional obligations including: (i) appointing a Data Protection Officer, (ii) appointing an Independent Data Auditor, and (iii) undertaking impact assessments and compliance audits.
V. Rights of the DPs: The DPDP has given wider powers to the DPs, including the right to (i) obtain a summary of personal data and information about processing activities, (ii) seek correction, completion, updating and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal. The DPs are also duty bound not to: (i) impersonate another person, (ii) suppress any material information, (iii) register a false or frivolous complaint, and (iv) furnish any false particulars or impersonate another person in specified cases. Violation of these duties will be punishable with a penalty of up to Rs 10,000.
VI. Exemptions under the DPDP: The rights of the DP and the obligations of DFs (except data security) will not apply:
(i) When processing personal data is necessary to enforce any legal right or claim.
(ii) When processing personal data by courts, tribunals, or other Indian bodies entrusted by law with judicial, quasi-judicial, regulatory, or supervisory functions for the performance of such functions.
(iii) When processing personal data is required for the prevention, detection, investigation, or prosecution of any offense or violation of Indian laws.
(iv) When personal data of Data Principals located outside India is processed by a person in India under a contract with a person outside India.
(v) When processing personal data is necessary for schemes like company compromises, arrangements, mergers, amalgamations, demergers, or transfers approved by a competent court, tribunal, or authority under applicable laws.
(vi) When processing personal data aims to ascertain financial information, assets, and liabilities of a person who defaulted in loan or advance payments from a financial institution, subject to compliance with disclosure provisions in other applicable laws.
VII. Data Protection Board of India: The DPDP also envisages the establishment of the DPBI, which will comprise a Chairperson and other Members appointed by the Central Government, who should possess expertise in various fields relevant to data governance, administration, implementation of laws, social or consumer protection, dispute resolution, information technology, digital economy, law (at least one member with legal expertise is mandatory), regulation, or techno-regulation. The DPBI shall have the power to direct urgent remedial measures in case of a personal data breach, to conduct inquiries into data breaches or violations of data fiduciary obligations based on complaints or references, and to impose penalties as per the Act. The DPBI has the authority to determine the grounds for inquiry and to conduct it following the principles of natural justice. It possesses the same powers as a civil court for summoning witnesses, examining them under oath, receiving evidence, and inspecting documents. The DPBI may issue interim orders and, after the inquiry, close proceedings or proceed with appropriate action, and may impose costs or issue a warning in case of false or frivolous complaints.
VIII. Cross-border transfer: The DPDP allows the transfer of personal data outside India, except to countries restricted by the government through notification.
IX. Penalties: The Schedule to the DPDP prescribes substantial penalties for various offences, of up to: (i) INR 200 crores for non-fulfilment of obligations in respect of children, (ii) INR 250 crores for failure to take security measures and other significant contraventions, (iii) INR 150 crores for an SDF not meeting the additional obligations imposed on it, and (iv) a general residuary penalty of up to INR 50 crores for breach of any other provision of the Act or rules issued under it.