Decoding the 'Digital Personal Data Protection Act, 2023'

Image: Shutterstock

The Supreme Court of India, in the case of Justice K. S. Puttaswamy v. Union of India (2017) 10 SCC 1, had declared the right to privacy as a fundamental right protected under the Constitution of India. However, since the delivery of the judgment in 2017, multiple efforts have been made to legislate a Data Protection Act. The bills, however, could not pass the legislative hurdles to become an Act. The Digital Personal Data Protection Bill, 2023, was passed by both houses of the Parliament and received assent from the President of India, to become an Act by publication in the Official Gazette.

Under the new Act, personal data has been defined as any data about an individual identifiable by or in relation to such data. 'Data Principal' has been defined as an individual to whom the personal data relates. 'Data Fiduciary' means any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. Any person who processes personal data on behalf of a data fiduciary has been termed a 'Data Processor.'

The new Act does not apply to non-personal data but applies to the processing of digital personal data only. The Act applies to the processing of digital personal data within India when collected from Data Principal’s online or, if collected offline, is then digitised. It also governs extra-territorial processing of personal data if such processing is in connection with any activity of offering goods or services to Data Principals within India. However, the Act will not apply to any personal data processed by an individual for any personal or domestic purpose or personal data made publicly available by the Data Principal herself.

Consent is the major requirement for the processing of personal data. Also, consent has to be free, specific, informed, unconditional, and unambiguous, with explicit affirmative action. The Data Principal should be provided with an option to access such requests in multiple languages. It should further provide the contact details of the Data Protection Officer or any other suitable person to respond to any communication from the Data Principal regarding the exercise of her rights under the Act.

Data Principal also has the right to withdraw consent at any time, with the same level of ease with which she gave her consent. However, such withdrawal cannot affect the legality of processing personal data based on consent before its withdrawal. The Data Fiduciary then will have to cease and cause its Data Processors to cease processing the personal data of such Data Principal within a reasonable time.

The Act introduces the concept of 'Consent Managers' who have to be compulsorily registered with the Data Protection Board and who will act as a single point of contact to enable the Data Principals to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform. The personal data of a Data Principal can be processed only in accordance with the provisions of the Act and for a lawful purpose for which the consent has been given or for certain legitimate uses. Every request made to a Data Principal for consent has to be accompanied or preceded by a notice issued by the Data Fiduciary informing her of the purpose for which the personal data is proposed to be processed.

Also Read- As Digital Personal Data Protection Bill goes to Parliament, enterprises brace for new compliance standards

Data Fiduciaries have been burdened with the primary responsibility for ensuring compliance with the Act regarding any processing undertaken by them or by data processors on their behalf. Data Fiduciaries have to implement appropriate technical and organisational measures. They have to protect personal data in their possession or under its control by taking reasonable security safeguards to prevent such breaches. In the case of any such violation, they will have to inform the Data Protection Board and all affected Data Principals of such breach. It has the additional duty to establish an effective grievance redressal mechanism for Data Principals. Before processing any personal data of a child or a person with a disability who has a lawful guardian, the Data Fiduciary will have to obtain verifiable consent from the parent of such child or the legal guardian. Also, it cannot undertake any processing of personal data that is likely to cause any detrimental effect on the child's well-being. Tracking or behavioural monitoring of children or targeted advertisements directed at children is also prohibited. The Central Government, based on assessment of certain factors like volume and sensitivity of personal data processed, risk to the rights of Data Principal, impact on sovereignty and integrity of India, public order and so on, can notify certain data fiduciaries as 'Significant Data Fiduciary'. Such Significant Data Fiduciaries will have to meet certain additional compliances.

A Data Protection Board of India has been envisaged under the new Act. This enforcement body will consist of a chairperson and members to be appointed by the Central Government. The Board will have the power to direct any urgent remedial or mitigation measures in case of a personal data breach, enquire into such infringement, and impose suitable penalties. It can also issue suitable directions. An appeal can be preferred against an order of the Board before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). An appeal against the TDSAT order can be preferred before the Supreme Court of India.

The Board has been given the power to impose a hefty monetary penalty of up to Rs250 crores. The Board will have to consider the nature, gravity, duration, repetitive nature of the breach, the type and nature of the personal data in question, unlawful gain in committing such breach, and so on while determining the quantum of penalty to be imposed.

Certain exemptions from the requirements relating to a Data Fiduciary's obligations and a Data Principal's rights have also been included in the Act. Personal data of Data Principals not within the territory of India, which are processed under any contract entered into with any person outside Indian territory by any person based in India, have been exempted from specific requirements of the Act. The State and its instrumentalities can also be provided exemption from obligations under the Act. The Central Government can further notify certain Data Fiduciaries, including startups, as exempt from certain provisions of the Act.

Also Read- How safe is your personal data? Possible data breach of CoWIN portal raises questions

The significance of digital personal data protection law is far-reaching. Various compliance obligations for collecting and processing digital personal details have now been introduced. For non-compliance, high monetary penalties have been envisaged under the Act. This may impact early-stage startups and certain categories of business entities. Other companies can also witness an increase in compliance costs. One of the major changes in the legal landscape is that from now on, customers who have been impacted by a data breach need to be informed. There remain certain areas where legal clarity is lacking; we can expect that the Central Government will notify appropriate rules to clarify these areas.

Rajdeep Banerjee is an advocate and legal consultant and Joyeeta Banerjee is a legal consultant and practicing advocate.

The thoughts and opinions shared here are of the author.