
India's Digital Personal Data Protection Act, 2023 - Quest for Digital Economy Equity

September 7, 2023

In a significant stride towards enhancing data privacy and protection, India has embarked on a transformative mission to establish a comprehensive legal framework governing the collection, processing, and use of personal data within its borders. This commitment to shaping the global digital landscape is demonstrated by the adoption of The Digital Personal Data Protection Act, 2023 (“DPDP Act” or “Act”) in the Indian Parliament on August 11, 2023. The DPDP Act underscores the paramount importance of safeguarding privacy, a fundamental right enshrined in the Constitution of India. Rooted in India's distinctive context and aspirations, this Act assimilates valuable insights from developed democracies while introducing substantial alterations compared to earlier drafts.

The DPDP Act represents the culmination of a five-year undertaking that commenced in 2018, positioning India for a new era of digital governance. It introduces comprehensive compliance prerequisites for the collection and processing of personal data, with specific details slated for determination by the Central Government through forthcoming rules and notifications.

This article aims to present the law in a simple and accessible manner, encouraging readers to delve deeper into the topic for easier adoption and implementation.

Applicability of the DPDP Act

The DPDP Act extends protection, security frameworks, and cross-border transparency measures for personal data. It empowers individuals to control their data while balancing privacy and security.

  1. Cross-border Data Protection: The Act shields Data Principals in India, regardless of where their data is processed, digital or non-digital.
  2. Overseas Data Processing: The Act's reach extends beyond India for processing digital personal data related to goods or services offered to Indian Data Principals.
  3. Exclusions: The Act doesn't cover (a) personal data for personal/domestic use, and (b) publicly available personal data.

Stakeholder Mapping

Stakeholder mapping helps in comprehending the intricate landscape surrounding the enforcement of the DPDP Act. In the realm of data protection and privacy regulations, a multitude of stakeholders, each with their own distinct interests and varying degrees of influence, come together to shape the regulatory environment.

Key Concepts

Digital Personal Data

  • Broad coverage: The definition of “data” in the Act is very broad, encompassing any information suitable for communication, interpretation, or processing. Applied to "digital personal data," it covers digital information tied to individuals, including identity, attributes, preferences, or any data directly or indirectly linked to them.
  • Shifting landscape: The definition recognises the digital nature of personal data today, extending beyond traditional identifiers to include online behaviour, biometrics, and metadata.
  • Practical challenges: Managing this diverse data presents practical challenges. Balancing comprehensive protection with practical implementation is essential to effectively safeguard individuals' rights and privacy in the digital age.

Consent

Consent is a pivotal aspect of data protection under DPDP 2023, setting specific criteria for its authenticity. This regulation establishes consent as a robust and unambiguous agreement, prioritizing individual control and transparency in data processing practices.

Consent provided by a Data Principal must adhere to stringent principles to ensure its validity and effectiveness:

  1. Freely given: It should be a voluntary choice, free from any form of coercion, pressure, or manipulation.
  2. Specific: Consent must be explicit and directly tied to a clearly defined purpose, avoiding vague or overly broad terms.
  3. Informed: Data Principals must receive comprehensive information concerning data collection, its intended purpose, processing methods, and potential consequences, so that they can make informed decisions about their data.
  4. Unconditional: Consent should be transparent, without hidden terms or conditions that could impede an individual's rights.
  5. Unambiguous: It should be easy to comprehend, leaving no room for misinterpretation.
  6. Clear Affirmative Action: Consent should reflect a deliberate choice to permit the processing of personal data and not be assumed or implied.

Notice

DPDP 2023 emphasises the significance of clear and comprehensive notices accompanying consent requests. Every request for consent directed to a Data Principal by a Data Fiduciary must be accompanied by a notice that includes:

  1. Personal Data and Purpose: The notice specifies the data involved and its processing purpose, providing clarity to Data Principals.
  2. Exercising Rights: The notice must outline how Data Principals can exercise their rights, ensuring accessibility to data control measures.
  3. Complaint Process: The notice details the procedure to lodge complaints with the Data Protection Board, offering a recourse for Data Principals in case of violations, bolstering Data Fiduciary accountability.

Additionally, the notice must be clear, itemised and in plain language, allowing the Data Principal to choose between English or any of the 22 languages from the Eighth Schedule of the Constitution. Contact details for a Data Protection Officer or an authorized representative must also be provided for the Data Principal to communicate regarding their rights under this Act.

Accountabilities of Prominent Stakeholders

Obligations of Data Fiduciary

A "Data Fiduciary" refers to any individual or entity that, either independently or in collaboration with others, determines the purpose and methods involved in the processing of personal data. This term is often used in the context of data protection and privacy regulations to describe those responsible for handling personal data in compliance with established rules and standards.

1. Consent and Notice:

  • Process personal data with consent and for lawful purposes.
  • Provide clear, concise, and comprehensible notices to Data Principals.
  • Allow processing of personal data for certain legitimate purposes.

2. Child Data protection:

  • Obtain verifiable parental consent before processing children's personal data.
  • Avoid processing personal data that could harm a child's well-being.
  • Refrain from tracking or behaviour monitoring of children or targeted advertising toward children.

3. Consent withdrawal:

  • Offer a mechanism for Data Principals to withdraw consent, and promptly cease processing upon such a request by the Data Principal, subject to data retention laws.

4. Accountability:

  • Bear the burden of proving, in legal proceedings, that notice was given and consent obtained.
  • Assume full responsibility for DPDP 2023 compliance, irrespective of agreements or Data Principals' actions, in all processing, whether conducted directly or by a Data Processor.

5. Security measures:

  • Implement appropriate technical and organisational measures for Act compliance.
  • Safeguard personal data in its possession or control.

6. Data breach and grievances:

  • Report any personal data breach to the Board and to the affected Data Principals.
  • Publish business contact information of the Data Protection Officer or another designated person for Data Principals' inquiries.
  • Establish an effective mechanism for addressing Data Principals' grievances.

Significant Data Fiduciary

The Central Government has the authority to designate certain Data Fiduciaries or categories of Data Fiduciaries as "Significant Data Fiduciaries" based on an evaluation of various factors, including the volume and sensitivity of the personal data they handle, potential risks to Data Principals' rights, potential impact on India's sovereignty and integrity, risks to electoral democracy, state security, and public order.

Significant Data Fiduciaries are required to take specific actions, including:

  1. appointing a Data Protection Officer based in India,
  2. designating an independent data auditor for compliance assessments, and
  3. conducting periodic assessments of data protection impact, audits, and other measures as prescribed by the Act.

Data Principal

A "Data Principal" is the individual to whom personal data pertains. If this individual is a child, it includes their parents or lawful guardian, and if a person with a disability, it involves their lawful guardian acting on their behalf.

Rights

  1. Right to information: Data Principals can request a summary of their processed personal data, sharing details, and relevant information from the Data Fiduciary they've consented to, as prescribed. They also have the right to withdraw consent.
  2. Right to correction, completion, updating and erasure: Individuals can correct inaccurate or incomplete data and erase data no longer required for processing.
  3. Right of grievance redressal: Data Fiduciary or Consent Manager must respond to grievances raised within periods as prescribed (yet to be notified). If not resolved, Data Principals can escalate the grievance to the Board.
  4. Right to nominate: Nominate other individuals who can exercise rights of such Data Principal in the event of death or incapacity.

Duties

  1. Complying with applicable laws when exercising rights.
  2. Not impersonating someone else when providing personal data.
  3. Not concealing material information when sharing personal data for official documents.
  4. Not registering false or frivolous complaints with Data Fiduciaries or the Board.
  5. Providing only authentic information when requesting corrections or erasure of data.

Board and Appeals (TDSAT)

  • The Data Protection Board ("Board"), central to the DPDP Act, operates with a digital-first approach and emphasizes independence, requiring relevant expertise and allowing reappointment.
  • The Board holds substantial authority, issuing directives, assessing compliance, and intervening in data breaches. It can also accept voluntary commitments from entities, potentially protecting them from related proceedings if terms are met.
  • Appeals against the Board go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), with civil courts barred from handling such cases. This shift raises questions about TDSAT's ability to handle personal data-related matters, given its historical focus on telecommunications and IT, unlike the Board, which exclusively deals with personal data regulation. Further examination is needed to assess TDSAT's suitability for these unique cases.

Penalties

The DPDP Act empowers the Board to impose monetary penalties on those significantly violating its rules. The penalty amount, determined after a hearing, considers factors like breach severity, data type, repetition, gains or losses, mitigation actions, proportionality, and impact on the person. It provides for significant fines on Data Fiduciaries of up to INR 250 crore, and imposes INR 10,000 on Data Principals who fail in their duties.

Exemptions

The DPDP Act exempts Data Fiduciaries from certain obligations (except for being responsible for their Data Processors and taking reasonable security safeguards) under specified circumstances, including:

  1. Legal Enforcement and Processing Outside India: Processing personal data is necessary for enforcing legal rights or claims, or when personal data is processed outside India under a contract with a person outside India.
  2. Judicial and Regulatory Functions: Processing of personal data by Indian courts, tribunals, or bodies with judicial, quasi-judicial, regulatory, or supervisory functions when it's necessary for their functions.
  3. Crime Prevention and Investigation: Personal data can be processed in the interest of preventing, detecting, investigating, or prosecuting offences or violations of Indian law.
  4. Corporate Transactions: Processing personal data related to corporate transactions like mergers, amalgamations, or restructurings, as approved by relevant authorities.
  5. Financial Default: Ascertaining financial information and assets/liabilities of individuals who have defaulted on loans from financial institutions.
  6. State Instrumentality: Personal data processing by State instrumentality if it's in the interest of India's sovereignty, security, foreign relations, public order, or preventing incitement to offences. This also includes data processed by the Central Government from such instrumentality.
  7. Research, Archiving, and Statistics: Processing personal data for research, archiving, or statistical purposes, provided it's not used to make decisions specific to a Data Principal.
  8. Startups: Based on the volume and nature of data processed, the Central Government may notify Data Fiduciaries, including “startups”, to whom the following provisions will not apply: Section 5 (Notice); Section 8(3) (relaxation of the Data Fiduciary's obligation to ensure completeness, accuracy and consistency); Section 8(7) (erasure of data when no longer used); Section 10 (additional obligations of Significant Data Fiduciaries); and Section 11 (right to access information about personal data previously consented to).

Practical Steps for Adoption

As organisations initiate their efforts to align with the provisions of the DPDP Act 2023, they will need to be equipped to adhere to the obligations outlined within the legislation. Adoption will need to proceed in a phased manner, and the broad outline of the matters to be considered is as follows:

The effectiveness of this action plan may depend on the specific requirements of the DPDP Act 2023 and on the organisation's size, industry, and data processing activities. It is essential to tailor the plan to the unique needs and context of the organisation.

The Path Ahead

The DPDP Act represents a significant milestone towards securing personal data in India. Its arrival has been long-awaited, spurred by the exponential growth of Indian internet users, the generated data, and the nation's role in global trade.

While prior data protection laws provided some degree of protection, they lacked a comprehensive foundation. The DPDP Act addresses these gaps by overhauling the framework, replacing outdated laws, and marking a significant advance in safeguarding individual privacy. It introduces an accountable and transparent structure for processing personal data, granting individuals greater control and protection against misuse.

Yet, like any substantial reform, the DPDP Act isn't exempt from critical scrutiny. Some concerns revolve around potential restrictions on innovation and the extent of privacy protection, given the authority granted to the Central Government in data processing matters. The Act's implementation through delegated legislation remains a key consideration, necessitating a well-structured release of multiple rules, ideally through inclusive stakeholder consultations.

In parallel, the provision of a transition period emerges as a necessity. It allows businesses the time to align with the Act's requirements, mitigating potential upheaval and ensuring orderly compliance. To harness the full potential of the DPDP Act, addressing its ambiguities is vital, particularly regarding children's data, breach notifications, practical issues of consent management and exemptions. As the Act shapes a responsible data ecosystem, businesses should actively participate in adoption of these regulations.

Adopting the DPDP Act isn't solely a legal obligation; it represents a chance for leadership, establishing the benchmark for data protection and guiding us towards a digitally secure future.
