India’s new Digital Personal Data Protection Act, 2023 (DPDP Act) was given assent by the President of India on August 11, 2023, marking a significant development in data protection legislation. This Act, which supersedes Section 43A of the IT Act, 2000 and the SPDI Rules, 2011, brings about considerable changes to the norms of data protection.
The DPDP Act is lean and principle-based, with details around implementation to be set out in future rules. This new legislation is particularly relevant for entities in countries like the USA, UK, and Singapore that interact with India’s digital ecosystem.
Let’s quickly get acquainted with the 2023 DPDP Act.
Applicability and Scope of the DPDP Act
|Criteria||Territorial Scope||Material Scope (Clause 3)|
|Location of the data subject||Within India||Anyplace|
|Location of the data controller||Within India or outside India, if the processing is related to offering goods and services within India.(Clause 3(b))||Anyplace|
|Format of the data||Digitized or non-digital, if digitized subsequently. (Clause 3(a))||Digitized or non-digital, if digitized subsequently. (Clause 3(a))|
The 2022 Bill applied beyond India if it involved profiling Indian data principals (Clause 4(2), DPDP Act).
Rights of Data Principals:
- Right to Grievance Redressal: Data Fiduciary must respond to Data Principal’s concerns within a set timeframe. (Clause 8(10) & Clause 13(3) DPDP Act)
- Right to Nominate: Data Principals can appoint a surrogate to act on their behalf in case of incapacity or death.(Clause 14(1), DPDP Act)
- Right to Access Information About Personal Data: Data Principals can request confirmation of data processing, a summary of their data, and the identities of Data Fiduciaries and Processors.(Clause 11, DPDP Act)
- Right to Correction and Erasure of Personal Data: Data Principals can contact the Data Fiduciary to manage their personal data.(Clause 12, DPDP Act)
Grounds for Processing Personal Data (Clause 4, DPDP Act)
There are two defined bases for processing under which organizations are allowed to handle personal data: consent and legitimate uses.
- The Data Principal has the ability to grant, manage, review, or withdraw their consent to the Data Fiduciary either directly or via a Consent Manager. (Clause 6(7), DPDP Act.)
- For minors, consent must be procured from the parent or legal guardian. (Clause 9(1), DPDP Act)
- If consent is retracted, the data fiduciary must stop the data processor from processing that individual’s data, unless otherwise authorized. (Clause 6(6), DPDP Act.)
- Data principals can access information in English or any language from the Eighth Schedule of the Indian Constitution. (Clause 6(3), DPDP Act.)
Consent should be: (According to Clause 6(1), DPDP Act.)
- Consent must be free from coercion or pressure.
- Consent must be specific and clearly understandable.
- Data Principals must be informed about how their data will be used.
- Consent must be given without conditions or ambiguities.
|Who will provide consent?||Data Principal|
|Who will ask for consent?||Data Fiduciary|
|How consent should be requested?||How consent should be requested?
In clear and plain language
|How can consent be withdrawn?||By contacting Data Fiduciary or Consent Manager|
The Act acknowledges certain legitimate uses that do not require separate consent, including cases where data is willingly provided or collected as part of a legal obligation. (Clause 7, DPDP Act.)
Scenarios encompassed under Legitimate Uses:
- For data willingly offered by the Data Principal.
- For data processed for any function under any law or judgment issued under law.
- For addressing a medical emergency posing a threat to the life of the Data Principal or another individual.
- For upholding public order and ensuring safety.
- For matters related to employment.
- For executing activities in public interest.
Data Fiduciary as per the DPDP Act 2023:
- Data fiduciaries bear the responsibility for adhering to the Act, even when a data processor carries out processing activities on their behalf. (Clause 8(1), DPDP Act.)
- Report any Personal Data Breaches to both the Data Protection Board and Data Principals. (Clause 8(6), DPDP Act.)
Significant Data Fiduciary (SDFs):
The government can designate ‘significant data fiduciaries’ (SDFs) based on factors like (Clause 10(1), DPDP Act)
- The volume and sensitivity of personal data processed;
- Risk to electoral democracy;
- Risk to the rights of data principal;
- Security of the state;
- Potential impact on the sovereignty and integrity of India;
- Public order.
Obligations of the Significant Data Fiduciary:
- Appoint an India-based Data Protection Officer (DPO). (Clause 10(2)(a) DPDP Act.)
- Appoint a data auditor to assess compliance with the Act. (Clause 10(2)(b) DPDP Act.)
- Conduct Data Protection Impact Assessments (DPIA) and periodic audits as per rules. (Clause 10(2)(c) DPDP Act.)
Personal Data Breach
- A Data Fiduciary must safeguard personal data and prevent breaches, including those by Data Processors (Clause 8 (5), DPDP Act).
- If a breach occurs, the Data Fiduciary must inform the Board and affected Data Principals (Clause 8 (6), DPDP Act).
Cross-Border Data Transfers: Processing of Personal Data Outside India
Processing of Personal Data Outside India: (Clause 16, DPDP Act)
India’s Data Protection Bill shifts from white-list to negative-list for data transfers, excluding regions restricted by government notification.
- Clause 6(1) empowers the Central Government to limit personal data transfer by Data Fiduciaries to specific foreign countries or territories.
- Clause 6(2) ensures that this provision doesn’t override stricter Indian laws governing data transfer.
Government notification criteria for prohibiting data transfers are unspecified. Sector-specific data transfer restrictions, e.g., RBI’s payments data localization mandate, continue to apply.
- Exclusions: Certain provisions of the Act are not applicable to data-processing for:
- Crime investigation; (Clause 17(1)(c))
- Execution of compromise, merger, or amalgamation schemes; (Clause 17(1)(e))
- Detection of financial frauds; (Clause 17(1)(f))
- Handling data of a data principal located outside India, under a contract, among others. (Clause 17(1)(d))
- Government Authority: The government has the authority to exclude the entire application of the Act for specified state agencies in the interests of: (Clause 17(2)(a))
- India’s sovereignty and integrity;
- State security;
- Fostering friendly relations with foreign states;
- Maintaining public order, among other reasons.
- Exceptions: The government may also grant exceptions for: (Clause 17(2)(b))
- Research, archiving, or statistical purposes – provided the data is not used to make any decision specific to a data principal.
- Designation of Data Fiduciaries: Finally, the government can also designate certain data fiduciaries, including startups, that may be exempt from the Act – considering the volume and nature of personal data they process. (Clause 17(3))
The Data Protection Board:
The Indian Central Government has the authority to establish an independent body known as the Data Protection Board of India (Board) through a notification. (Clause 27, DPDP Act)
- The Board shall comprise a chairperson and other members who are appointed by the Central Government.
- Its primary function is law enforcement, including identifying violations, imposing penalties, issuing directives, and mediating disputes.(Clause 27, 27(1); DPDP Act)
- The Board has civil court powers, with appeals directed to the Telecom Disputes Settlement and Appellate Tribunal. (Clause 29 (1), DPDP Act)
Penalties for Violation of the DPDP Act (Clause 33 and Schedule)
- Under Section 15 of the DPDP Act, a penalty of up to INR 10,000 can be levied for failing to fulfill the duties of a Data Principal.
- Under Section 9 of the DPDP Act, neglecting child-related obligations can result in penalties of up to INR 200 Crore.
- Failing to notify about a Personal Data Breach under Section 8 (6) of the DPDP Act can result in penalties of up to INR 200 Crore.
- Data Fiduciaries can face penalties of up to INR 250 Crore for non-compliance with the provisions under Section 8 (5) of the DPDP Act.
Under the Act, the Government holds wide-ranging powers to create additional laws or make decisions on any aspect permitted.
This includes things like managing consent (Clause 6), setting up the process and format for reporting data breaches (Clause 8(6)), dealing with issues related to children’s data processing (Clause 9(4)), defining significant data fiduciaries (Clause 10(1)), and outlining the process for impact assessment (Clause 10(2)(c)(i)and(iii)), among other things.
However, it’s still up in the air whether these rules will be opened up for stakeholder consultation. It’s a complex issue, isn’t it?
The Act proposes a step-by-step implementation approach. This means the government will announce which sections of the Act are going into effect at different times (Clause 1(2), DPDP Act).
But here’s the catch – the Act doesn’t lay out a specific timeline for when these announcements will happen but less wait until March 2024.
The DPDP Act is a necessary response to the increasing threat of cyber-crimes and identity thefts. Though imperfect, it lays the foundation for stronger cybersecurity and data protection by imposing strict obligations on Data Fiduciaries. VISTA InfoSec is committed to helping organizations navigate the road to compliance and ensure their data handling practices are in line with the law. Explore our DPDP Compliance service for more information.