India has taken a significant step towards protecting the personal data of its citizens with the enactment of the Digital Personal Data Protection Act, 2023. This landmark legislation comes after years of debate and discussion, with the aim of safeguarding individuals’ personal data while promoting the growth of digital technologies and services. In this comprehensive overview, we will delve into the key aspects of the Act, its objectives, definitions, rights, and implications for businesses and individuals alike.

 

Background

 

India found itself in dire need of robust personal data protection legislation. On one front, India has been diligently advancing its digital infrastructure, with systems like Aadhaar (a unique government-issued identification), the Unified Payments Interface (UPI), and DigiLocker. These initiatives not only fostered a surge in private third-party service providers utilizing this digital ecosystem but also led to a significant expansion of the internet user base.

 

Additionally, the surge in cyber-attacks and data breaches highlighted the vulnerability of personal data in the digital age. The Act seeks to address these concerns by establishing clear guidelines for data protection, consent management, and data breach reporting.

 

Objectives and Applicability

 

The primary objective of the Act is to create a comprehensive framework for the protection and processing of personal data. It emphasizes the importance of balancing individuals’ rights to protect their personal data with the lawful processing of such data for legitimate purposes. The Act applies to the processing of personal data in India, whether in digital or digitized offline form. Furthermore, it extends to the processing of such data outside India if it relates to offering goods or services in India.

 

Key Definitions

 

Data: Any representation of information, facts, concepts, opinions, or instructions that can be communicated, interpreted, and processed by humans or automated means. Personal data refers to data about an identifiable individual.

 

Processing of Personal Data: This encompasses a range of operations on digital personal data, including collection, storage, indexing, sharing, use, disclosure, and erasure. Processing must be for a lawful purpose with the consent of the data principal or for certain legitimate uses outlined in the Act.

 

Consent Management

 

The Act places significant importance on obtaining informed and unambiguous consent from data principals (individuals) before processing their personal data. Consent must be free and specific, and it can be withdrawn at any time. Data fiduciaries are required to provide clear notices to data principals, detailing the data to be collected and the purpose of processing. However, certain legitimate uses do not require explicit consent, such as those related to state benefits, security, and emergencies.

 

Rights and Duties of Data Principals

 

Data principals have several rights under the Act, including the right to access information about data processing, request corrections and erasures, nominate representatives in the case of incapacity, and seek grievance redressal. They also have specific duties, such as not registering false complaints or suppressing material information while providing personal data.

 

Data Fiduciaries’ Obligations

 

Entities referred to as data fiduciaries are obliged to process personal data only for specified purposes, either with consent or for legitimate uses. They must ensure data accuracy, implement security measures, respond to data principal communications, and erase data when the purpose is fulfilled. However, government entities have exceptions regarding data erasure and the right to process data in certain situations.

 

Transfer of Personal Data

 

The Act allows extraterritorial processing and transfer of personal data, subject to any restrictions imposed by the Central Government. The Act does not override any laws providing higher data protection standards.

 

Significant Data Fiduciaries

 

The Act empowers the Central Government to designate significant data fiduciaries based on factors like data volume, sensitivity, and impact on sovereignty and public order. These entities must comply with additional obligations, including appointing data protection officers and conducting data protection impact assessments.

 

Data Protection Board of India

 

A Data Protection Board, consisting of a chairperson and members, will be established to enforce the Act. The Board will conduct inquiries, respond to data breaches, issue interim orders, and impose penalties for non-compliance.

 

Penalties

 

Penalties for non-compliance with the Act can be substantial and are laid out in a schedule. They vary depending on the nature of the offense and may include fines and other actions as determined by the Data Protection Board.

The schedule to the Bill specifies penalties for various offences such as up to: (i) Rs 200 crore for non-fulfilment of obligations for children, and (ii) Rs 250 crore for failure to take security measures to prevent data breaches. Penalties will be imposed by the Board after conducting an inquiry.

 

Grievance Redressal

 

Data principals must first seek redressal from data fiduciaries or consent managers. If dissatisfied, they can approach the Data Protection Board, which has the authority to inquire into complaints and issue orders. Appeals can be made to the Telecom Disputes Settlement and Appellate Tribunal, and further to the Supreme Court.

 

Conclusion

 

The Digital Personal Data Protection Act, 2023, represents a significant step forward in India’s approach to data protection. While it provides a framework for safeguarding personal data, many implementation details and clarifications are expected to emerge as the Act is put into practice. It is poised to transform how businesses handle personal data and how individuals exercise their rights in the digital age. As the Act takes effect, both businesses and consumers will need to adapt to the new data protection landscape, which combines the imperative of data privacy with the growth of digital technologies.

 

The Act has not yet come into force, and further rules and notifications are expected to clarify its implementation.

 

Official Document:

https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf