Digital Personal Data Protection Act, 2023, India – For Data Privacy of Individuals

by India Story 2047

The Digital Personal Data Protection Act, 2023, was enacted in India to provide a comprehensive framework for the protection of personal data and to enhance the privacy of individuals in the digital age.

The DPDP Bill, first introduced in 2022, was passed on August 9, 2023, with the aim of regulating the processing of digital personal data in a manner that respects individuals’ rights and freedoms. The Act emphasizes consent-based data processing, grants various rights to data principals, mandates obligations for data fiduciaries and processors, and establishes the Data Protection Board of India to oversee compliance and address grievances.

This legislation marks a significant step in India’s efforts to enhance digital privacy laws in the country, safeguard personal data and align with global data protection standards.

Here are the main points of the Act:

1. Scope and Applicability

The Digital Personal Data Protection Act applies to the processing of digital personal data within Indian jurisdiction. Along with data collected online, it also covers personal data collected offline but digitized for processing. The law is applicable to data fiduciaries as well as data processors.

Data fiduciaries are entities which, alone or in collaboration with others, determine the purpose and means of processing the data. A data processor is a person or an entity that processes data on behalf of a data fiduciary.

2. Consent-Based Data Processing

Under the DPDP Act, consent-based data processing makes it mandatory to get explicit consent from individuals (data principals) for processing their personal data. The consent collected should be specific, clear and informed. There should be no hidden clauses or underlying intent. There should be mechanisms in place to adjust the consent parameters or withdraw consent at any time.

3. Data Principal Rights

The DPDP Act, 2023 outlines various data principal rights, which are designed to ensure that individuals have control over their personal data and can seek redressal if their data is mishandled. Here are the key rights of data principals (individuals) under the Act:

Right to Access

Individuals have the right to access their personal data held by data fiduciaries. This includes the right to obtain a copy of the data and information about the processing activities.

Right to Correction and Erasure

Individuals can request the correction of inaccurate or misleading personal data. They also have the right to request the erasure of personal data that is no longer necessary for the purposes for which it was collected or processed, or if the data principal withdraws consent.

Right to Data Portability

Individuals can request their personal data in a structured, commonly used, and machine-readable format. They can also ask for their data to be transferred to another data fiduciary, where technically feasible.

Right to Be Informed

Individuals have the right to be informed about the collection and use of their personal data. This includes details about the purposes of data processing, the categories of data being processed, and the identities of the data fiduciaries.

Right to Consent Withdrawal

Individuals have the right to withdraw their consent to the processing of their personal data at any time. Upon withdrawal of consent, the data fiduciary must stop processing the data unless there are other legal grounds for processing.

Right to Grievance Redressal

Individuals have the right to file complaints with the Data Protection Board of India if they believe their data protection rights have been violated. The Board is responsible for investigating and adjudicating these complaints.

Right to Restrict Processing

Individuals can request the restriction of processing of their personal data under certain conditions, such as when the accuracy of the data is contested, or the processing is unlawful.

Right to Object

Data principals can object to the processing of their personal data for certain purposes, such as direct marketing or profiling.

These rights are intended to empower individuals, giving them greater control and oversight over their personal data while holding data fiduciaries accountable for the responsible handling of such data.


4. Obligations of Data Fiduciaries

Data fiduciaries have an obligation to the data principals (individuals) to implement appropriate security safeguards to protect their personal data. They need to conduct internal audits and Data Protection Impact Assessments (DPIA) for high-risk processing activities. It is important for significant data fiduciaries to appoint a Data Protection Officer (DPO), who will look after data security and lawful processing and ensure transparency in data processing activities.

5. Data Protection Board of India

Under the DPDP Act, 2023, the Data Protection Board of India (DPBI) is established to oversee and enforce the provisions of the Act. The Board has the authority to investigate and adjudicate data protection breaches and holds the power to impose penalties for non-compliance.

The DPBI issues guidelines, codes of practice, and recommendations to help organizations comply with data protection obligations. It also promotes awareness and understanding of data protection principles, and works towards building capacity and enhancing the skills of stakeholders in the field of data protection through training programs, workshops, and seminars.

6. Cross-Border Data Transfers

The Digital Personal Data Protection Act permits cross-border transfer of personal data to countries deemed to have adequate data protection standards by the Indian government. The Act mandates that data fiduciaries have appropriate safeguards for data transfers to other countries.

7. Penalties and Compensation

The Act imposes penalties for non-compliance, including fines based on the nature and severity of the breach. It provides for compensation to data principals (individuals) for harm caused by data protection breaches.

8. Exemptions

The DPDP Act has specific exemptions to balance individual privacy rights with broader public interests and national security concerns. Data processing activities conducted in the interest of India’s sovereignty, integrity, and national security are exempt from the provisions of the Act. This ensures that security operations and intelligence activities can proceed without legal hindrance.

Data processing for the prevention, detection, investigation, and prosecution of criminal offenses or the execution of legal penalties is exempt. There are exemptions for processing data for research, archival, or statistical purposes, provided the data does not identify individuals and is subject to appropriate safeguards. There are also exemptions for journalistic and public interest usage, subject to adherence to ethical standards.

9. Grievance Redressal Mechanism

The Act establishes a mechanism for data principals to file complaints regarding data protection violations. It ensures timely resolution of grievances.

10. Amendments to Existing Laws

The Act may lead to amendments in existing laws to align with its provisions and ensure comprehensive personal digital data protection.

The Digital Personal Data Protection Act, 2023, aims to balance the interests of individuals in protecting their personal data and the need for organizations to process data for legitimate purposes.
