Digital Personal Data Protection act, 2023: A Closer Look at Data Protection in India

In today’s hyper-connected world, where digital interactions have become an integral part of our lives, the protection of personal data has emerged as a critical concern. As India undergoes a digital transformation, the need to ensure the security and privacy of personal data has led to the formulation of comprehensive data protection regulations. In December 2019, India introduced the Personal Data Protection Bill (“PDPB 2019”), following the example of many other significant data privacy laws being introduced worldwide.
The cornerstone of personal data protection in India is the Digital Personal Data Protection Bill (DPDP). This bill aims to establish a robust framework for the protection of digital personal data and governs how organizations collect, process, store, and share personal information. Drawing inspiration from global best practices such as the European Union’s General Data Protection Regulation (GDPR), the PDPB is designed to empower individuals and person (Dive into our blog for a deeper understanding of the inclusive scope defined under ‘Person’) to ensure their data privacy rights are respected.
The Data Protection Bill of 2021 & 2022
The Data Protection Bill of 2021 (DPB 2021) introduced substantial revisions to its predecessor. Notably, it expanded its scope to cover both personal and non-personal data and imposed stringent guidelines for reporting data breaches. DPB 2021 was poised to become the Data Protection Act of 2021.
However, in August 2022, the Indian government withdrew the bill after three years of discussion and 90 sittings. The decision was based on its failure to meet international standards and emerging challenges.
On November 18, 2022, the Indian Government released a draft of the Digital Personal Data Protection Bill of 2022 (DPDP 2022) for public comments and consultations until January 2, 2023. After extensive deliberations, this revised bill, now known as the Digital Personal Data Protection Act of 2023 (DPDP Act), was presented in the Indian Parliament on August 3, 2023. It was passed by the Parliament on August 9 and officially gazetted on August 12, 2023.
The primary objective of the DPDP Act is to establish standards for the responsible handling of digital personal data, ensuring the protection of individuals’ privacy rights while allowing for lawful data processing. The Act delineates the duties of data fiduciaries, the rights of data principals, and the consequences of non-compliance.
To whom this act applies
The DPDP Act is a set of rules that apply when dealing with personal information, whether it was first collected digitally or in other ways and then turned into digital data. In simple terms, this act applies to digital personal data and not on physical personal data. However, these rules don’t cover using data for personal or domestic purpose nor does it cover personal data made publicly available by the data subject or under legal authority.
For example (from the act) : X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply.
Key Definitions: –
Board
Board means the Data Protection Board of India established by the Central Government for the purposes of this Act.
Child
DPDP Act defines a child as an individual who has not yet completed 18 years of age.
Consent Manager
Any individual that is registered with the Data Protection Board of India who acts as a single point of contact to enable the data subject to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
Data Fiduciary
DPDP Act refers to data controllers as “Data Fiduciaries.” A data fiduciary is any person or group of persons who determine the purposes and means of processing the personal data of individuals.
Data Principal
“Data Principals” are essentially data subjects to whom the personal data relates or belongs. If a data principal is a child (an individual under the age of 18 years) or a person with a disability, then the parents or lawful guardian of such a child/individual becomes the data principal.
Person
According to DPDP Act, person means any of the following entities:
- an individual;
- a Hindu undivided family;
- a company;
- a firm;
- an association of persons or a body of individuals, whether incorporated or not;
- the State; and
- every artificial juristic person.
Personal Data
Personal data means any data about an individual who is identifiable by or in relation to such data.
Personal Data Breach
Any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
Significant Data Fiduciary
Any data fiduciary or class of data fiduciaries may be designated by the Central Government as a “Significant Data Fiduciary” after taking into account the volume and sensitivity of personal data processed, risk of harm to the data principal or electoral democracy, impact on national sovereignty and security, and public order.
Impact on Foreign Companies (Another blog link)
The DPDP Act applies extraterritorially when the processing of digital personal data is related to offering goods or services to data principals within India. It allows the Central Government to exempt certain data fiduciaries or classes based on the volume and nature of personal data processing from specific provisions.
Penalties for Non-compliance
Non-compliance with data protection safeguards, breach notification, and children’s data processing obligations may result in substantial fines for data fiduciaries and data processors. Data principals who fail to fulfil their duties under the Act may face fines as well. (link to penalties blog)
Key Provisions of the DPDP Act
- Data Principal Rights: The bill grants data principals (individuals whose data is being collected) various rights, including the right to access their data, the right to correction, the right to be forgotten, and the right to data portability. This places the control of personal data back into the hands of individuals.
- Data Fiduciary Responsibilities: Organizations handling personal data, known as data fiduciaries, are required to follow stringent data protection measures. They must obtain explicit consent before collecting and processing personal data, and they are obligated to implement data protection safeguards.
- Sensitive Personal Data: The bill categorizes certain types of data (such as financial data, health data, etc.) as sensitive personal data. The processing of such data comes with additional obligations and safeguards to prevent misuse.
- Data Protection Authority (DPA): The bill proposes the establishment of a Data Protection Authority to oversee and enforce data protection laws. The DPA will have the authority to investigate breaches, issue penalties, and provide guidance on data protection practices.
As India moves towards a more digitized society, the protection of personal data must remain a top priority. To ensure the success of the PDPB and the overall data protection regime, several steps can be taken:
- Conduct Data Mapping and Assessment: Analyse data inventories and categorize where digital personal data about person is stored.
- Awareness and Education: The government, private sector, and civil society should collaborate to raise awareness about data protection rights and best practices.
- Capacity Building: Organizations should invest in building data protection capabilities, including robust cybersecurity measures, to safeguard sensitive information.
- International Cooperation: Collaborating with international stakeholders can help India learn from global data protection experiences and harmonize its regulations with international standards.
- Manage Cross-Border Data Transfers: Identify instances of cross-border data transfer and fulfil the necessary data transfer requirements as mandated by the DPDP Act.
- Employee Training: Educate your employees and workforce on proper data processing methods and their roles in ensuring data protection.
- Transparent Privacy Policy: Develop a user-friendly privacy policy that clearly communicates the rights of data subjects without any ambiguity.
- Breach Response Plan: Prepare a comprehensive breach response plan, including breach notification procedures, to report any data breaches.
In our data-focused world, keeping personal info safe is super important. India’s Digital Personal Data Protection Bill is a big step in guarding people’s privacy. As it becomes law, the entities need to handle challenges and stay updated in the digital world.
Elevate your data protection strategy to the next level. Join us in safeguarding your digital assets with our expert services – your peace of mind starts here.
Leave a Reply