Set out below is a note highlighting the key aspects of The Digital Personal Data Protection Act, 2023 as well as the amendments that were made to the erstwhile Draft Digital Personal Data Protection Bill, 2022 (“Draft Bill”).
Background
- Prior to the DPDPA 2023 and the Draft Bill, India did not have a formal data protection regime in place. On 18 November 2022, the Ministry of Electronics and Information Technology (MeitY) introduced the Draft Bill and invited comments from the public and stakeholders. Following this, the MeitY Standing Committee on Communications and Information Technology issued a report on the issue of citizens’ data security and privacy (“Committee Report”).
- The Committee Report was presented before the Lok Sabha on 1 August 2023 following which the Digital Personal Data Protection Bill 2023 was tabled on 7 August 2023 and passed by a voice vote. The Digital Personal Data Protection Bill 2023 was then passed by the Rajya Sabha on 9 August 2023 and received Presidential assent on 11 August 2023.
- While the DPDPA 2023 is now technically a statute, its provisions have yet to come into effect[1] and will be enforceable only once notified by the Central Government in the Official Gazette. Till such time as specific provisions are notified, the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) remain in place as the legislation dealing with personal data in India.
Key features of the DPDPA 2023
- The objective of the DPDPA 2023 is to provide for the processing of digital personal data, giving regard to both the right of individuals to protect their personal data and the need of businesses to process personal data for lawful purposes.
- It applies to the processing of digital personal data in India where the data is (a) collected online, or (b) collected offline and then digitised. The Act also applies extraterritorially to the processing of personal data outside India so long as such processing is for the purpose of offering goods or services in India.
- Personal Data is defined as any data about an individual who is identifiable by or in relation to such data.[2] While personal data relates to an individual, the definition of “person” is far more extensive and includes individuals, companies, firms as well as the government within its scope.
- “Personal data breach” is also widely worded and includes the unauthorised processing of personal data that compromises its confidentiality, integrity or availability. Processing in relation to personal data includes the collection, disclosure by transmission, dissemination or otherwise making such data available.
- The individual whose personal data is collected/processed is the “Data Principal”[3] and a “Data Fiduciary”[4] is any person/entity which deals with the processing of a Data Principal’s personal data. A Data Protection Board (“Board”) will be established to hear complaints/grievances, undertake inquiries and impose penalties for non-compliance with the Act. The Board will have powers akin to a civil court.
- The concept of a “Significant Data Fiduciary” (“SDF”) has been introduced and the Act clarifies that the Central Government will notify entities as SDFs based on certain factors including the volume of personal data processed.
- On the issue of data transfer, the Draft Bill had earlier said that the Central Government would notify a list of countries to which data could be freely transferred. The DPDPA 2023 amends this position to state that a list of countries will be notified to which transfer of data is not permitted. Transfer will be allowed to countries not on that list.
Consent
- Data Fiduciaries are allowed to collect and process personal data only once a Data Principal has consented (in line with Section 6) to such collection and processing following a formal notice/request from the Data Principal clarifying the purpose for which the personal data will be processed. The DPDPA 2023 does not, however, apply to personal data that is made public by the Data Principal.
- The Act does away with the consent requirement in respect of “certain legitimate uses”. This allows Data Fiduciaries to process personal data where Data Principals have not explicitly refused consent, and allows processing by the State in scenarios where (a) consent has already been provided to a Data Fiduciary and (b) processing is in the sovereign interest.
Rights & Obligations
- Data Fiduciaries are required to ensure that appropriate technical and organisational measures as well as reasonable security safeguards are kept in place to safeguard personal data. In the event of a personal data breach, Data Fiduciaries are now mandatorily required to intimate the Board and “each affected Data Principal” in a manner that will be prescribed.
- SDFs have additional obligations over and above those of Data Fiduciaries including the need to appoint a Data Protection Officer to represent them and act as their point of contact for grievances raised by Data Principals. The DPDPA 2023 also requires that SDFs appoint Independent Data Auditors and undertake periodic Data Protection Impact Assessments.
- Data Principals may engage Consent Managers to give, manage, review or withdraw consent to Data Fiduciaries towards processing of their personal data. Consent Managers must be registered with the Board. Grievances in respect of Consent Managers can be taken by Data Principals to the Board for resolution.
- Data Fiduciaries, on the other hand, may engage Data Processors to process personal data. Liability to Data Principals for any breaches (in spite of the involvement of a Data Processor) remains with the Data Fiduciary.
Penalties
- Section 33 of the DPDPA 2023 deals with the issue of penalties and mentions that if after an inquiry, the Board is of the view that any of the provisions of the Act have been breached, the following monetary penalties may be imposed:
- For breaches by Data Fiduciaries in observing reasonable security safeguards (up to INR 250 crores/c. GBP 25m);
- For failing to observe the obligation to notify the Board and affected Data Principals following a personal data breach (up to INR 200 crores/c. GBP 20m);
- For failing to observe the additional obligations applicable to SDFs (up to INR 100 crores/c. GBP 10m);
- For breach of any other provisions, the penalty may extend to INR 50 crores (c. GBP 5m). In the Draft Bill specific provisions were mentioned, but the DPDPA 2023 applies this to “any other provisions”.
- The Act does, however, allow for voluntary undertakings to be issued either by Data Fiduciaries, SDFs or Data Principals “in respect of any matter related to observance of the provisions” of the Act. It would appear that in the event of non-compliance, erring parties are allowed to issue undertakings akin to a settlement to avoid formal proceedings/penalties being imposed.
Aspects To Consider
- The wide definition of terms such as “personal data” and “processing” will result in numerous companies falling within the ambit of a Data Fiduciary/Data Processor.
- Significant compliance requirements have been introduced and Data Fiduciaries have to mandatorily notify the Board and Data Principals following a personal data breach.
- Data Principals can register grievances against Data Fiduciaries before the Board both in respect of any non-compliance as well as following a personal data breach.
- There is no visibility on what nature of entities will be categorised as SDFs but heightened compliance requirements will apply to such entities.
- The penalties prescribed by the DPDPA 2023 are significant and can be levied if Data Fiduciaries do not have reasonable security measures in place or fail to intimate the Board/Data Principals following a breach.
- While a settlement mechanism has been contemplated, it remains to be seen how the Board allows for this option to be exercised.
[1] Sub-section (2) to Section 1 which clarifies that “It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint and different dates may be appointed for different provisions of this Act…”.
[2] A much wider application than the definition of sensitive personal data under the SPDI Rules.
[3] Equivalent to a Data Subject under the European Union’s General Data Protection Regulation (“GDPR”).
[4] Similar to the concept of a ‘Controller’ under the GDPR.
[5] The content and information contained in this note should not be construed as, nor relied upon, as legal advice. Curiam Legal assumes no liability for the interpretation and/or use of the content and/or information contained in this note.