On August 11, 2023, India enacted the Digital Personal Data Protection Act, 2023 (“DPDP Act”). The DPDP Act is focused on digital personal data; non-personal data is outside its scope. Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 will be superseded by the DPDP Act once its provisions come into effect. The DPDP Act is intended to take effect in phases: its provisions come into force on such dates as the Central Government notifies from time to time, and different dates may be notified for different provisions.
Only Applies to Digital Personal Data – The DPDP Act, 2023 applies only to digital personal data, i.e., personal data that is collected in digital form, or that is collected in non-digital form and subsequently digitised.
Overseas Applicability – The DPDP Act applies to digital personal data processed outside India only where such processing is in connection with any activity related to the offering of goods or services to data principals (data subjects) in India.
Exclusions – The DPDP Act does not apply to: (i) personal data processed by an individual for any personal or domestic purpose; or (ii) personal data made publicly available by the data principal herself or any other person under a legal obligation.
Data Protection Principles:
Limitation on Purpose: Personal data shall only be processed for a lawful purpose for which the data principal has given her consent, or for the specific “legitimate uses” enumerated in the DPDP Act, and otherwise in compliance with the DPDP Act.
Limitation on Collection: Only the personal data required for the specified purpose should be collected.
No Sub-classification of Personal Data: The provisions of the DPDP Act apply to all kinds of personal data and do not envisage sub-categories of personal data, such as sensitive personal data or critical personal data. Accordingly, the requirements of the DPDP Act apply equally to all forms of personal data, agnostic of its nature or type.
Consent & Notice:
Affirmative Consent – Consent is the underlying basis for processing personal data and needs to be free, specific, informed, unconditional and unambiguous. Such consent has to be provided by a clear affirmative action, and signify the data principal’s agreement for processing of her personal data for the specified purpose.
Withdrawal of Consent – The data principal has the right to withdraw consent at any time, with the same ease with which she gave it. Such withdrawal does not affect the legality of any processing of personal data carried out on the basis of that consent before its withdrawal.
Notice – A notice needs to be provided to the data principal, along with or preceding every request for consent, informing the data principal of the personal data to be processed and the proposed purpose of processing, and of the manner in which she may withdraw consent, avail the grievance redressal mechanism and make a complaint to the Data Protection Board (“DPB”). Where the data principal gave consent for processing her personal data before the law comes into force, a similar notice must be provided to her as soon as is reasonably practicable; the data fiduciary may continue processing her personal data until she withdraws that consent in response to the notice.
Notice & Consent in Multiple Languages – The data principal should have the option to view the notice and consent form in English or in any other language specified in the Eighth Schedule of the Constitution of India (which includes Urdu, Tamil, Telugu, Sanskrit, Punjabi, Marathi, Hindi, Kannada, Bengali, Gujarati, Kashmiri, etc.).
Obligations of Data Fiduciary:
Compliance with the DPDP Act is the responsibility of the data fiduciary, and this extends to any processing of personal data carried out on its behalf by a data processor. Where personal data is likely to be shared with another data fiduciary or used to make a decision that affects the data principal, the data fiduciary must ensure its completeness, accuracy and consistency. The data fiduciary must also implement reasonable security safeguards to prevent a personal data breach and, in the event of a breach, intimate the DPB and each affected data principal in the prescribed form and manner.
Rights of Data Principals: The DPDP Act grants data principals certain rights, including the right to obtain information about their personal data (a summary of the personal data being processed, the underlying processing activities, any other information as may be prescribed, and the identities of all other data fiduciaries and data processors with whom the personal data has been shared); the right to correction and erasure of personal data; and the right to nominate an individual to exercise these rights on their behalf in the event of their death or incapacity. Data fiduciaries must offer data principals a readily available grievance redressal mechanism, and a data principal must exhaust that mechanism before approaching the DPB.
Monetary Penalties for Breach – Depending on the nature of the contravention, the DPB may, on concluding an inquiry, levy monetary penalties of up to INR 250 crores. Factors relevant to the quantum of the penalty include the nature, gravity and duration of the breach; the type of personal data affected; whether the breach is repetitive; and whether, as a result of the breach, the defaulting person has realised a gain or avoided a loss.
No Compensation – The DPDP Act does not provide for payment of compensation to data principals whose personal data has been compromised. This is a departure from Section 43A of the Information Technology Act, 2000, which allows an affected person to claim compensation from a body corporate that failed to implement reasonable security practices and, as a consequence, caused wrongful loss or wrongful gain. The DPDP Act does, however, impose certain duties on data principals, including to furnish only verifiably authentic information, not to impersonate another person while providing personal data for a specified purpose, and not to register a false or frivolous grievance or complaint with a data fiduciary or the DPB. A data principal who breaches these duties may be penalised up to INR 10,000.