The Digital Personal Data Protection Act (NO. 22 OF 2023) was published in the Official Gazette on 11th August 2023. This Act provides the framework for processing digital personal data in a manner that recognises individuals’ right to protect their personal data and the need to process such personal data for lawful purposes and matters connected in addition to that or incidental thereto.
In this digital age, every computer interface requires a record of personal data in a digital platform before an individual can proceed further with any purchase/transaction. Therefore, the ambit of Digital Personal Data is vast. It covers all sectors like health care, retail, hospitality, travel, aviation, insurance, banking, e-commerce and telecom. In such a situation, the Digital Personal Data Protection Act 2023 is a significant step in protecting the rights of consumers. It covers data captured in digital form or physical form if the said data is subsequently digitised.
First and foremost, the DPDP Act does not distinguish between “Personal data” and “sensitive personal data”. Therefore, the same level of care must be accorded to handling all Personal Data. So, what do corporations have to guard against to ensure compliance and avoid falling foul of the new legislation? Are the Data Principals sufficiently aware of the importance of the consent they are giving while sharing data? Is it enough to take the consent by way of capturing an affirmative response while the Data Principal only shares consent as a necessary step to access the website or payment gateway? Are sufficient disclosures being made to ensure the Data Principal is making a well-thought decision to consent to recording the data? These things will need a lot more awareness campaigns and specific elaboration in the yet-to-be-notified Rules.
Before we discuss the main highlights of the DPDP Act, 2023, a caveat is important – all sums realised by way of penalties imposed by the Board under this Act shall be credited to the Consolidated Fund of India. As such, the Data Principal is unlikely to benefit from pursuing any remedy in case of a data breach or unauthorised use of data. This point may get revised once the Rules are spelled out.
As of now, the main points encapsulated in the DPDP Act, 2023 are:
- Data is to be stored only after explicit consent and used only for the purpose for which the consent has been given.
- Data Principals can request the deletion of their personal data if they cease to utilise the services for which the data was collected.
- An exception to this request for deletion can comply with government guidelines, e.g. banks may be required to maintain the data for ten years.
- However, use and retention shall be as per appropriate disclosures to the Data Principal.
A Data Principal shall perform the following duties, namely:—
(a) comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;
(b) to ensure not to impersonate another person while providing her personal data for a specified purpose;
(c) to ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
(d) to ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and
(e) to furnish only such information as is verifiably authentic while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.
Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act, the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her (i) the personal data and the purpose for which the same has been processed; (ii) how she may exercise her rights under the Act; and (iii) how the Data Principal may make a complaint to the Board, which will be spelt out in detail in the Rules.
The Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.
6. (1) The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with clear affirmative action. It shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
Illustration. X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since a phone contact list is not necessary to make telemedicine services available, her consent shall be limited to processing her personal data for making available telemedicine services.
Where consent given by the Data Principal is the basis of the processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.
Suppose a Data Principal withdraws her consent to the processing of personal data under sub-section (5). In that case, the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.
The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. The Consent Manager shall be accountable to the Data Principal and act on her behalf in such manner and subject to such obligations as may be prescribed. Every Consent Manager shall be registered with the Board in such way and subject to such technical, operational, financial and other conditions as may be specified.
Where consent given by the Data Principal is the basis of the processing of personal data, and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.
7. A Data Fiduciary may process the personal data of a Data Principal for any of the following uses, namely:— (a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.
(b) for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where––
(i) she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or
(ii)such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data.
(c) for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State;
(d) for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force;
(e) for compliance with any judgment, decree or order issued under any law for the time being in force in India or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India;
(f) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;
(g) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;
(h) for taking measures to ensure the safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order. or
(i) for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.
A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who can answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data.
(10) A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals.
(11) For the purposes of this section, it is hereby clarified that a Data Principal shall be considered as not having approached the Data Fiduciary for the performance of the specified purpose in any period during which she has not initiated contact with the Data Fiduciary for such performance, in person or by way of communication in electronic or physical form.
(1) The Data Fiduciary shall, before processing any personal data of a child or a person with a disability who has a lawful guardian, obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed.
Explanation.—For the purpose of this sub-section, the expression “consent of the parent” includes the consent of lawful guardian, wherever applicable.
(2) A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child.
(3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent for the processing of personal data upon making to it a request in such manner as may be prescribed—
(a) a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data;
(b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared and
(c) any other information related to the personal data of such Data Principal and its processing, as may be prescribed.
(2) Nothing contained in clause (b) or clause (c) of sub-section (1) shall apply in respect of the sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant right to access information about personal data to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences.
A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent in accordance with any requirement or procedure under any law for the time being in force.
A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— (a) correct the inaccurate or misleading personal data, (b) complete the incomplete personal data, and (c) update the personal data.
A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for the erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force.
A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder.
To summarise, the DPDP Act, 2023 is a step in the right direction. A lot more will become clear once the Rules are notified. As of now, it has clarified the intent of the government to provide a framework that elucidates the rights and obligations of Data Principals, Data Fiduciary and Data Processors. We are lucky to be witnessing the evolution of this law, and with the passage of time, it will serve as the bedrock which will evolve the edifice of a robust data privacy structure.