A. INTRODUCTION
Given India’s status as the nation with the world’s largest population and a significant online presence, a substantial volume of its citizens’ personal data is processed by digital platforms. Following the Supreme Court’s recognition of the right to privacy as a fundamental right in 2017,[1] there emerged a pressing requirement to enact legislation that would establish extensive measures ensuring robust protection for individuals and their personal data online.
Historically, India’s legal framework governing how digital platforms manage personal data was primarily based on the Information Technology Act of 2000 and its associated rules. However, due to the emergence of artificial intelligence, extensive utilization of personal data by corporate entities and rapid technological advancements at large, the need for a dedicated legal framework to address these intricate issues was underscored.
In response to these challenges, the Digital Personal Data Protection Bill 2023 was introduced. Its principal objective is to safeguard individuals’ personal data and privacy from entities acting as data fiduciaries. The Bill was approved by both the Lok Sabha and the Rajya Sabha and received the President’s assent on 11th August, 2023. It was thereafter published in the official gazette as the Digital Personal Data Protection Act 2023 (“Act”).
Thus, it is only a matter of time before the Act is enforced. Given this context, it becomes increasingly crucial to grasp the Act’s inclusions and its prominent features.
B. IMPORTANT DEFINITIONS AND KEY TERMS
- “Data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;
- “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
- “Data Principal” means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf;
- “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;
- “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;
- “Digital Office” means an office that adopts an online mechanism wherein the proceedings, from receipt of intimation or complaint or reference or directions or appeal, as the case may be, to the disposal thereof, are conducted in online or digital mode;
- “Personal data” means any data about an individual who is identifiable by or in relation to such data;
- “Personal Data Breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data;
- “Processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;
- “Significant Data Fiduciary” means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10 of the Act;
- “State” means the State as defined under Article 12 of the Indian Constitution.
While the aforementioned definitions offer a certain level of clarity for specific terms, it is important to note that certain aspects remain ambiguous. For instance, the current Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011 give a precise definition and scope for sensitive personal data or information, distinguishing it from personal data or information. Under the Act, however, sensitive personal data or information appears to fall within the scope of personal data as defined above. This point needs clarification, which could potentially be addressed through additional rules accompanying the Act.
C. WHO THIS ACT APPLIES TO
As per Section 3 of the Act, the Act applies to the processing of digital personal data that occurs within the geographical boundaries of India. This includes situations where the personal data is collected:
- In digital form directly.
- In non-digital form initially and subsequently digitized.
The Act also extends its jurisdiction to the processing of digital personal data that happens outside the geographical borders of India when such processing is linked to activities associated with the offering of goods or services to Data Principals located within India.
However, the Act does not apply to the following scenarios:
- Personal data that is processed by an individual for personal or domestic purposes.
- Personal data that is intentionally or inadvertently made publicly available. This exclusion encompasses situations where the Data Principal to whom the personal data relates, or any other individual who is obligated by prevailing Indian laws to disclose such personal data publicly, takes such action.
The Act does not explicitly define the term “domestic purpose.” However, it does provide some clarification regarding the scope of “personal purposes.” As per Section 17(2)(b) of the Act, it is specified that the provisions of this Act shall not be applicable to personal data that is essential for research, archiving, or statistical purposes, provided that such data is not used to make decisions specific to a Data Principal. Additionally, the processing of this data must adhere to the standards prescribed for such purposes. Consequently, personal data utilized for research, archival, or statistical objectives is exempt from the provisions of this Act.
D. THE APPLICABLE AUTHORITY
The authoritative body designated under this Act is the Data Protection Board of India (“Board”). The Board assumes the role of an independent supervisory and adjudicatory authority, wielding jurisdiction over all the relevant stakeholders, including both Data Fiduciaries and Significant Data Fiduciaries. It is responsible for overseeing adherence to the provisions of this Act by all the persons to whom the Act extends.
The Board is granted the same powers as are vested in a civil court. Any individual affected by a decision of the Board may appeal before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Should a further appeal be sought, the Supreme Court shall assume jurisdiction over the matter.
E. DATA FIDUCIARIES
- Data Processing
As per Section 4 of the Act, processing of personal data is permissible if it is done in accordance with the provisions of the Act and for a lawful purpose, either:
- With the explicit consent of the data principal for a specified purpose; or
- For certain legitimate uses that are not expressly forbidden by law (the concept of “lawful purpose” implies any purpose that is not prohibited by law).
As per Section 5 of the Act, when requesting consent from a data principal for processing of personal data, the data fiduciary must provide a notice containing the following information:
As per Section 7(a) of the Act, a data fiduciary can process personal data for the specified purpose for which the data principal voluntarily provided the data, provided the data principal has not withheld consent.
As per Sections 7(f) and 7(g) of the Act, processing of personal data is allowed for responding to medical emergencies involving threats to life or health. It can also be used for providing medical treatment during epidemics or threats to public health and for ensuring safety or providing assistance during disasters or public order breakdowns.
As per Sections 7(d) and 7(e) of the Act, data fiduciaries may process personal data in compliance with obligations under Indian laws to disclose information to the State or its instrumentalities. Additionally, personal data can be processed for compliance with judgments or orders issued under Indian laws or relating to claims of a person against the State.
- Nature of Consent
The consent given by data principals must fulfill specific criteria:
- Free (consent without any undue pressure or coercion);
- Specific (consent pertaining to a well-defined purpose);
- Informed (indicating an understanding of the implications);
- Unconditional and unambiguous;
- Given through a clear affirmative action, signifying agreement;
- Limited to the personal data necessary for the specified purpose.
As per Section 11(2) of the Act, if any part of the given consent infringes upon the provisions of the Act, its rules, or other applicable laws, that particular portion of consent is considered invalid to the extent of the infringement.
As per Section 11(4) and (5) of the Act, data principals possess the right to withdraw their consent at any time. The ease of withdrawing consent must be comparable to the ease of giving consent. However, the withdrawal’s consequences are borne by the data principal, and it does not impact the legality of prior processing based on consent.
As per Sections 11 (7), (8), (9) and (10) of the Act, data principals have the option to give, manage, review, or withdraw their consent through Consent Managers. Consent Managers are accountable to data principals and act on their behalf. They must be registered with the Data Protection Board, adhering to prescribed conditions. If a dispute arises about consent-based processing, the data fiduciary is responsible for proving that proper notice and consent procedures were followed.
This concept of a Consent Manager within the current framework is a new concept and could do with more clarity which hopefully the Rules will provide, once framed. Although the idea of a Consent Manager could potentially materialize as a repository, the current definition and assigned responsibilities of a Consent Manager fail to provide a definitive insight into the operational procedures and the extent of its engagement.
- Compliance Responsibility
As per Section 8(1) and (2) of the Act, data fiduciaries are mandated to comply with the provisions of the Act and its rules, regardless of any contrary agreement or the failure of data principals to fulfill their duties. Data fiduciaries bear the responsibility for ensuring compliance in all processing activities conducted by them or on their behalf by data processors.
- Data Processor Engagement
As per Section 8(2) of the Act, data fiduciaries are allowed to engage data processors to process personal data on their behalf only under a valid contract.
- Data Accuracy and Consistency
As per Section 8 (3) of the Act, when personal data processed by data fiduciaries is likely to impact data principals’ decisions or be disclosed to other data fiduciaries, the data fiduciaries must ensure the completeness, accuracy, and consistency of the data.
- Security Measures
As per Section 8 (4) and (5) of the Act, data fiduciaries are required to implement appropriate technical and organizational measures to ensure compliance with the Act’s provisions. They must also protect personal data, including data processed by data processors, by implementing reasonable security safeguards to prevent data breaches.
- Consent-Based Erasure
As per Section 8(7) of the Act, upon the data principals withdrawing their consent or when the specified purpose is no longer being served, data fiduciaries must erase personal data in their possession. They are also responsible for ensuring that data processors erase any data provided to them by data fiduciaries.
- Role of Data Protection Officer
As per Section 8(9) of the Act, data fiduciaries must publish the contact information of a Data Protection Officer (DPO) or a representative who can address data principals’ questions regarding personal data processing.
- Grievance Redressal Mechanism
As per Section 8(10) of the Act, data fiduciaries are required to establish an effective mechanism for addressing the grievances of data principals.
Special Provisions for Data of Children:
- Consent for Children’s Data
As per Section 9 (1) and (2) of the Act, data fiduciaries processing personal data of children or individuals with disabilities must obtain verifiable consent from the parent or lawful guardian of the child. The consent of the parent includes the consent of the lawful guardian.
- Well-being and Monitoring
As per Section 9(1) and (2) of the Act, data fiduciaries are prohibited from processing data that may adversely affect a child’s well-being. Additionally, tracking or behavioral monitoring of children or targeted advertising aimed at children is not allowed.
- Exceptions
As per Section 9(4) of the Act, specific classes of data fiduciaries or purposes may be prescribed as exceptions to the provisions regarding children’s data processing, subject to certain conditions.
Obligations of Significant Data Fiduciaries:
- Identification and Assessment
As per Section 10(1) of the Act, the Central Government may identify significant data fiduciaries based on factors such as the volume of data processed, risk to data principals’ rights, potential impact on national interests, electoral democracy, security of the state, and public order.
- Responsibilities
As per Section 10(2) of the Act, significant data fiduciaries must appoint a DPO based in India, engage an independent data auditor for data audits, and undertake measures such as Data Protection Impact Assessments (DPIAs), periodic audits, and other prescribed actions.
- Exemptions
As per Section 10(4) and (5) of the Act, the Central Government may exempt certain significant data fiduciaries from specific obligations if their data processing practices are deemed verifiably safe. The age at which children’s data processing obligations do not apply may also be specified.
F. RIGHTS AND DUTIES OF DATA PRINCIPAL
- Right to Obtain Information (Section 11 of the Act): Data principals have the right to request and obtain specific information from data fiduciaries to whom they have granted consent for personal data processing. This information includes:
- A summary of personal data being processed.
- Details of processing activities undertaken by the data fiduciary.
- Identifications of other data fiduciaries and processors with whom personal data has been shared.
- Any additional prescribed information related to personal data processing.
- Right to Correction, Completion, and Erasure (Section 12 of the Act): Data principals possess the right to ensure the accuracy and completeness of their personal data. If inaccuracies or incompleteness are identified, data fiduciaries must:
- Correct inaccurate or misleading personal data.
- Complete incomplete personal data.
- Update personal data as required.
Furthermore, data principals have the right to request the erasure of their personal data from data fiduciaries. Data fiduciaries are obligated to erase such data unless retention is necessary for the specified purpose or legal compliance.
- Right to Grievance Redressal (Section 13 of the Act): Data principals have the right to accessible means of grievance redressal provided by data fiduciaries or consent managers. This addresses any grievances related to data fiduciaries’ actions, omissions, or compliance with the Act. The data fiduciaries or consent managers are required to respond to these grievances within a prescribed timeframe.
- Right to Nominate Representatives (Section 14 of the Act): Data principals have the right to nominate an individual to exercise their data rights in the event of their death or incapacity. “Incapacity” is defined as the inability to exercise these rights due to unsoundness of mind or bodily infirmity. The nominated representative is empowered to act in accordance with the provisions of the Act and its rules.
- Duties of Data Principals (Section 15 of the Act):
- Compliance with Applicable Laws: Data principals are duty-bound to comply with all applicable laws while exercising their rights under the Act.
- Providing Accurate Information: Data principals must not impersonate others while providing personal data for specific purposes, and they must ensure that the information provided is accurate and authentic.
- Not Suppressing Material Information: Data principals must not withhold material information while providing personal data for documents, unique identifiers, proofs of identity, or address issued by the State or its instrumentalities.
- Not Registering False or Frivolous Complaints: Data principals have a duty to avoid registering false or frivolous grievances or complaints with data fiduciaries or the regulatory Board established under the Act.
- Furnishing Verifiably Authentic Information: When exercising their rights to correction or erasure, data principals are obligated to provide information that is verifiably authentic, emphasizing the integrity of the data correction process.
G. PENALTIES
As per Section 33 of the Act, if the Data Protection Board determines, following an inquiry, that a breach of the Act’s provisions is significant, it may impose a monetary penalty as specified in the Schedule. This penalty is intended to serve as a deterrent against breaches and ensure compliance with the provisions of the Act.
Factors Considered in Determining Penalties: While determining the amount of monetary penalty, the Board considers various factors, including:
- Nature, gravity, and duration of the breach.
- Type and nature of the personal data affected.
- Repetitive nature of the breach.
- Gain or loss resulting from the breach.
- Mitigating actions taken and their effectiveness.
- Proportionality and effectiveness of the penalty in ensuring compliance.
- Likely impact of the penalty on the offender.
Types and Extent of Penalties
Section 34 of the Act outlines specific penalties for different types of breaches:
| Offence | Penalty |
| --- | --- |
| Breach of reasonable security safeguards obligation under Section 8(5) of the Act | May extend up to Rs 250 Crores |
| Failure to notify the Board or affected data principal of a personal data breach under Section 8(6) of the Act | May extend up to Rs 200 Crores |
| Breach of additional obligations related to children under Section 9 of the Act | May extend up to Rs 200 Crores |
| Breach of additional obligations of significant data fiduciary under Section 10 of the Act | May extend up to Rs 150 Crores |
| Breach of duties under Section 15 of the Act | May extend up to Rs 10,000 |
| Breach of any other provision of this Act or the rules made thereunder | May extend up to Rs 50 Crores |
All penalties collected by the Board under this Act are credited to the Consolidated Fund of India, ensuring that penalty proceeds contribute to the general revenue.
H. CONCLUSION
The Digital Personal Data Protection Act 2023 seeks to introduce comprehensive measures to safeguard individuals’ personal data and privacy from data fiduciaries, marking a pivotal transition for both the corporate entities and individuals across India. The enforcement of this new Act is anticipated to trigger a paradigm shift, necessitating a profound reevaluation of data management practices by entities dealing with personal data. The Act introduces fresh obligations on data fiduciaries and significant data fiduciaries with substantially large penalties, thereby compelling businesses to reconsider their data handling approaches and necessitating substantial restructurings within their organization, particularly within their IT and Human Resource Departments. In this evolving landscape, attaining precise legal definitions and comprehending the multifaceted obligations of the Act becomes paramount for businesses to thrive within a data-centric environment.
Authored by: Mr. Himanshu Goswami, Partner, and Mr. Tejas Chabbra, Associate, at Goswami & Nigam LLP.
Footnotes
[1] Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2017) 10 SCC 1
[2] Section 6(4) of the Act – Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.
[3] Section 13 of the Act –
(1) A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder.
(2) The Data Fiduciary or Consent Manager shall respond to any grievances referred to in sub-section (1) within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries.
(3) The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board.