Digital Personal Data Protection (DPDP) Act 2023

What is the Digital Personal Data Protection (DPDP) Act 2023? On August 11, 2023 the Digital Personal Data Protection Act, 2023 (the Act) received the assent of the President of India and was published in the Official Gazette.

The DPDP Act is India’s first data protection Act, and it establishes a framework for the processing of personal data in India.

It provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

The Act is concise and SARAL, that is, Simple, Accessible, Rational & Actionable Law, and used the word “she” instead of “he”, to acknowledge women in Parliamentary law-making.

Seven Principles of Digital Personal Data Protection (DPDP) Act 2023

The Act is based on the following seven principles:

• The principle of consented, lawful and transparent use of personal data;
• The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
• The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);
• The principle of data accuracy (ensuring data is correct and updated);
• The principle of storage limitation (storing data only till it is needed for the specified purpose);
• The principle of reasonable security safeguards; and
• The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Bill and imposition of penalties for the breaches).

Salient Features of the Digital Personal Data Protection Act, 2023

Applicability

• The Act applies to the processing of digital personal data within India where such data is collected online, or collected offline and is digitized.
• It will also apply to the processing of personal data outside India if it is for offering goods or services in India. Personal data is defined as any data about an individual who is identifiable by or in relation to such data.

Consent

Personal data may be processed only for a lawful purpose after obtaining the consent of the individual. A notice must be given before seeking consent.

The notice should contain details about the personal data to be collected and the purpose of processing. Consent may be withdrawn at any point in time.

Consent will not be required for ‘legitimate uses’ including:

• Specified purpose for which data has been provided by an individual voluntarily,
• Provision of benefit or service by the government,
• Medical emergency, and
• Employment.

For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.

Rights of data principal

Data principal is an individual whose data is being processed. He/She will have the right to:

• Obtain information about processing,
• Seek correction and erasure of personal data,
• Nominate another person to exercise rights in the event of death or incapacity, and
• Grievance redressal.

Duties of Data Principals

Data principals will have certain duties. They must not:

• Register a false or frivolous complaint, and
• Furnish any false particulars or impersonate another person in specified cases.

Violation of duties will be punishable with a penalty of up to Rs 10,000.

Obligations of data fiduciaries

Data fiduciary is the entity determining the purpose and means of processing. Data fiduciary must:

• Make reasonable efforts to ensure the accuracy and completeness of data,
• Build reasonable security safeguards to prevent a data breach,
• Inform the Data Protection Board of India and affected persons in the event of a breach, and
• Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes.

In case of government entities, storage limitation and the right of the data principal to erasure will not apply.

Transfer of personal data outside India

The Act allows transfer of personal data outside India, except to countries restricted by the central government through notification.

Exemptions

Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases. These include:

• prevention and investigation of offences, and
• enforcement of legal rights or claims.

The central government may, by notification, exempt certain activities from the application of the Act. These include:

• Processing by government entities in the interest of the security of the state and public order, and
• Research, archiving, or statistical purposes.

Data Protection Board of India

The central government will establish the Data Protection Board of India. Key functions of the Board include:

• Monitoring compliance and imposing penalties,
• Directing data fiduciaries to take necessary measures in the event of a data breach, and
• Hearing grievances made by affected persons.

Penalties

The schedule to the Act specifies penalties for various offences such as up to:

• Rs 200 crore for non-fulfilment of obligations for children, and
• Rs 250 crore for failure to take security measures to prevent data breaches.

Key Issues

Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary. This may violate the fundamental right to privacy.

The Act does not regulate risks of harms arising from processing of personal data.

The Act does not grant the right to data portability and the right to be forgotten to the data principal.

The Act allows transfer of personal data outside India, except to countries notified by the central government. This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.

The members of the Data Protection Board of India will be appointed for two years and will be eligible for re-appointment. The short term with scope for re-appointment may affect the independent functioning of the Board.

What is the penalty for data breach under DPDP Act 2023?

The Data Protection Board has the power to issue penalties for data breach under DPDP Act 2023 up to INR 250 crore. INR 250 crore for breach in observing the obligation of a data fiduciary to take reasonable security safeguards to prevent personal data breach. INR 10,000.

What are the salient features of DPDP Act?

The salient features of DPDP Act  are access to their data, correction of inaccurate information, and the right to the erasure of personal data under specific conditions.

Also read:
What is the Future of Cloud Computing in India
Different Generations of Wireless Communication Technology