This note is prepared on the basis of Indian law as on date.
This note only sets out a general outline of Indian laws on certain topics and does not consider any particular set of facts, other than as specifically set out herein. This note does not constitute legal advice.
The Digital Personal Data Protection Act, 2023 (“Act”) applies to personal data collected within India in digital form, or in non-digital form and subsequently digitised, and to personal data collected outside India where such processing is in connection with any activity of offering goods or services to Data Principals within India. However, the Act does not apply to: (i) personal data processed for any personal or domestic purpose; and (ii) personal data that has been made, or caused to be made, publicly available.
The Act was notified in the Gazette of India on August 11, 2023. The Digital Personal Data Protection Bill, 2023 was introduced by the Ministry of Electronics and Information Technology on August 3, 2023, passed by the Lok Sabha on August 7, 2023 and by the Rajya Sabha on August 9, 2023, following the withdrawal of the Digital Personal Data Protection Bill, 2022 (“2022 Bill”) and the Personal Data Protection Bill, 2019 (“2019 Bill”). Prior to this, in 2017, the Ministry of Electronics and Information Technology appointed a 10-member committee known as the “BN Shri Krishna Committee” to draft a comprehensive data protection regime, which led to the origin of the 2019 Bill. The 2019 Bill was first proposed in the Lok Sabha in December 2019 and referred to the Joint Parliamentary Committee. This Note deals with the key elements of the Act.
3. KEY ELEMENTS OF THE NEW ACT
Key concepts
· Data Fiduciary: any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
· Data Principal: the individual to whom the personal data relates and, where such individual is a child, includes the parents or lawful guardian of such child.
· Data Processor: any person who processes personal data on behalf of the Data Fiduciary under a valid contract, for the offering of goods and services to the Data Principal. Under the 2022 Bill, a Data Processor had a right to further engage another Data Processor for processing of personal data; however, the Act remains silent regarding disclosure of personal data to such further Data Processors.
· Personal Data: any digital data about an individual who is identifiable by or in relation to such data.
· Personal Data Breach: any unauthorised processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
· Processing: the Act extends the scope to ‘wholly or partly’ automated processing, which means that wholly non-automated processing is excluded from the scope of processing of personal data.
Obligations of the Data Fiduciary
· Processing of Data
The Data Fiduciary is required to process personal data only for lawful purposes for which the Data Principal has given her consent. Consent can be sought from the Data Principal by way of a physical or electronic notice in clear and plain language containing an itemised list describing the nature of the personal data collected and the purpose of processing such data.
· Privacy Notice
a. The Data Fiduciary shall not process personal data of a Data Principal without her consent. At the time of or before processing personal data, the Data Fiduciary must send a privacy notice in clear and plain language containing the following details: (i) nature of the personal data; (ii) purpose for which it is being processed; (iii) right to withdraw her consent; (iv) right to grievance redressal; and (v) right to raise a complaint with the Board.
b. If consent was already provided prior to this Act, the Data Fiduciary shall send such a privacy notice to those Data Principals as well.
· General obligations
The Data Fiduciary shall:
a. be responsible for compliance with the provisions of the Act in respect of any processing of personal data undertaken by it or by a Data Processor on its behalf.
b. undertake reasonable efforts to ensure the accuracy and completeness of the personal data processed.
c. share personal data of the Data Principal with one or more Data Processors only with the consent of the Data Principal and under a valid contract. However, it is the responsibility of the Data Fiduciary to protect the personal data processed by it or on its behalf by a Data Processor, as opposed to the 2022 Bill, where the responsibility was shared between the Data Fiduciary and the Data Processor.
d. implement appropriate technical and organisational measures to ensure effective adherence to the provisions of the Act.
e. undertake reasonable security safeguards to prevent personal data breach.
f. notify the Board and the affected Data Principal in case of any personal data breach.
g. cease to retain personal data once the purpose associated with the collection of such personal data is complete, unless retention is required under applicable laws.
h. publish details of the Data Protection Officer or such other person answerable on behalf of the Data Fiduciary to grievances and queries.
i. create a grievance redressal mechanism.
Consent
· The Data Fiduciary is not permitted to use the personal data of any Data Principal without her freely given, specific, informed and unambiguous consent to process such personal data.
· Consent for processing of personal data is given for a specific purpose.
· The Data Principal has the option to access the consent request in English or in any language specified in the Eighth Schedule to the Constitution of India.
· The Data Principal has the right to withdraw her consent at any time; however, the consequences of such withdrawal shall be borne by the Data Principal.
· The Data Principal can give, manage, review and withdraw her consent through a Consent Manager. A Consent Manager is a Data Fiduciary accountable to the Data Principal and can act on behalf of the Data Principal. All Consent Managers must be registered with the Board.
· Lastly, it is the obligation of the Data Fiduciary to prove the existence of consent and of the request notice in the event of any dispute or question regarding the processing of personal data.
Consent Manager
· The Data Fiduciary shall appoint a Consent Manager, who will be registered with the Board. The Consent Manager shall act as a point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform, or to raise a grievance against the Data Fiduciary.
Legitimate Use
· The Act has replaced the concept of deemed consent introduced under the 2022 Bill with ‘certain legitimate uses’. This includes any specified purpose for which the Data Principal has voluntarily provided her personal data and has not expressly declined consent to the use of her personal data. The scope of deemed consent has thus been extended by the Act under certain legitimate uses.
· Further, it also includes processing of personal data in several instances such as: (i) a medical emergency; (ii) compliance with applicable law, court order or judgement; (iii) safety of the Data Principal during disasters or a threat to public order; (iv) in the course of employment of the Data Principal; (v) voluntary disclosure of personal data by the Data Principal; and so on.
Processing of Children’s data
· As per the Act, ‘Child’ means a person below the age of 18 (eighteen) years.
· Prior to processing any personal data belonging to a child or to a person with disability who has a lawful guardian, the Data Fiduciary must obtain verifiable consent from a parent or lawful guardian of the child or such person (as the case may be).
· The Data Fiduciary must not undertake tracking or behavioural monitoring of children, use children’s data for targeted advertising, or process such data in a manner that is likely to cause harm to the child. However, the Central Government has the right to prescribe exemptions from these obligations if it is satisfied with the security measures undertaken by the Data Fiduciary.
· Penalty for any non-compliance with this provision may extend to INR 200 crores.
Significant Data Fiduciary
· The Central Government has the right to notify any Data Fiduciary or class of Data Fiduciaries as a ‘Significant Data Fiduciary’ on the basis of the factors mentioned in the Act, such as the volume and sensitivity of the personal data, security of the state, potential impact on the sovereignty and integrity of India, and such other factors.
· Significant Data Fiduciaries are subject to additional obligations such as:
a. appointment of a Data Protection Officer (“DPO”). The DPO must be based in India and is responsible to the board of directors or similar governing body of the Significant Data Fiduciary. Further, the DPO is the point of contact for the grievance redressal mechanism.
b. appointment of an independent auditor to evaluate whether the Significant Data Fiduciary is in compliance with the Act.
c. undertaking a data protection impact assessment and periodic audit.
· Penalty for any non-compliance with this provision may extend to INR 150 crores.
Rights of the Data Principal
· Right to information: the Data Principal has the right to obtain information from the Data Fiduciary regarding the use and processing of the personal data collected by the Data Fiduciary, along with the identities of all the Data Fiduciaries with whom the personal data has been shared.
· Right to correction and erasure: much like the right to be forgotten under the 2019 Bill, the Data Principal can request the Data Fiduciary to correct any incomplete or inaccurate personal data in its records and/or to erase the personal data of the Data Principal as soon as the purpose of processing such personal data is complete, unless retention of such personal data is necessary for legal purposes.
· Right to grievance redressal: in case of any grievance, the Data Principal has the right to register such grievance with the Data Fiduciary or the Consent Manager. If the Data Principal does not receive a satisfactory response from the Data Fiduciary within the prescribed number of days, the Data Principal has the right to register a complaint with the Data Protection Board of India, established under Section 18 of the Act (“Board”). However, the Data Principal may approach the Board only after exhausting all opportunities for redress of her grievance by the Data Fiduciary.
· Right to nominate: in the event of death or incapacity of the Data Principal, the Data Principal has the right to appoint a nominee to act on her behalf.
Duties of the Data Principal
· The Data Principal shall ensure that all information/data provided by her is verifiably authentic and does not contain any false particulars, suppress any material information or impersonate another person, especially while applying for documents, services, proof of identity etc. Further, it is the duty of the Data Principal to comply with the provisions of all applicable laws while exercising her rights under the Act.
Cross Border transfer of data
· The Act empowers the Central Government to evaluate the necessary factors for the transfer of personal data outside the territory of India and to notify those countries and territories outside India to which the transfer of personal data of a Data Principal is restricted, except as may be prescribed under applicable laws in India.
· By contrast, the 2022 Bill entrusted the Central Government with the right to evaluate the necessary factors for the transfer of personal data outside the territory of India and to notify those countries and territories outside India to which personal data of a Data Principal may be transferred, allowing free movement of personal data within the notified territories.
Exemptions
· The Act exempts the application of certain of its provisions with regard to processing of personal data in the following instances:
a. enforcement of legal rights or claims;
b. compliance with applicable law, court order or judgement;
c. prevention, detection, investigation or prosecution of any contravention of law;
d. processing of personal data of a Data Principal who is outside India;
e. implementation of a scheme of compromise, merger or amalgamation;
f. debt recovery;
g. in the interests of the security, sovereignty and integrity of India, as notified by the Central Government;
h. where necessary for research, archiving or statistical purposes, provided the personal data is not to be used to take any decision specific to a Data Principal.
· In addition to the above, the Central Government has the power to notify certain Data Fiduciaries or classes of Data Fiduciaries that shall be exempted from compliance with certain provisions of the Act.
Data Protection Board of India
· The Act empowers the Central Government to establish the Board, which shall operate as an independent body and function as a digital office. Digital office means a mechanism for processing and disposal of complaints through online or digital mode.
· The Central Government has the power to determine the conditions of appointment of the members of the Board and their composition, qualifications, process of selection and various other matters.
· The Board is empowered to conduct hearings, providing a reasonable opportunity to be heard, so as to determine any non-compliance with the provisions of the Act. In the event of any non-compliance or data breach, the Board shall issue directions in writing prescribing corrective measures to remedy such data breach or mitigate the harm caused to the Data Principal.
· In addition to the above, the Board has the right to impose a penalty on the defaulting party not exceeding INR 500 crores in each instance. While determining the financial penalty to be imposed, the Board shall consider the following matters: (i) nature of the non-compliance; (ii) type of the personal data affected; (iii) repetitive nature of the non-compliance; (iv) any gain or avoidance of loss as a result of the non-compliance; (v) actions undertaken to mitigate the effects and consequences of the non-compliance, or the absence thereof; (vi) whether the financial penalty to be imposed is proportionate and effective in relation to the non-compliance; (vii) likely impact of imposing a financial penalty on the person.
· Any order passed by the Board is binding and is treated on par with an order of a Civil Court, and the Board has the powers granted to a Civil Court in India.
Appeal
· Any person aggrieved by an order passed by the Board has a right to appeal to the Appellate Tribunal within 60 (sixty) days of the passing of such order.
· The Appellate Tribunal is the Telecom Disputes Settlement and Appellate Tribunal established under the Telecom Regulatory Authority of India Act, 1997.
· All appeals made to the Appellate Tribunal must be disposed of within a period of 6 (six) months from the date on which the appeal was presented. In the event the Appellate Tribunal is unable to pass an order within the prescribed period of 6 (six) months, it shall record in writing the reasons for such delay.
· Any party aggrieved by an order of the Appellate Tribunal shall be dealt with in accordance with the provisions of Section 18 of the Telecom Regulatory Authority of India Act, 1997.
The Act has attempted to simplify the laws on data privacy and, at the same time, make them comprehensive so as to ensure adequate protection of personal data in India. The Act contains a simple framework and plain language to aid any person with a basic understanding of the law in interpreting the Act.
The Act has introduced several new concepts and broadened the usage of ‘personal data’. For instance, the Act has introduced the concept of ‘legitimate use’ in broad terms, which allows the processing of data without explicit consent in various instances. Further, along with powers to the Board to ensure protection of personal data and compliance with the law, the Act has created an additional layer of grievance redressal by setting up an Appellate Tribunal.
In our view, overall the Act is a major improvement over the erstwhile legislation in terms of protection of personal data, accountability, penalties, and corrective and preventive measures for the safety of personal data.
For further information, please feel free to reach out to us.
Krishna Venkat: [email protected]
Priyanka Multani: [email protected]