This article is written by Adv. Priyanka. This article covers a detailed analysis of the Digital Personal Data Protection Act, 2023 which includes key features, highlights, principles on which this Act is based, and all the provisions of the Act with relevant examples. Further, an exhaustive differentiation between various drafts of the Digital Protection Bills is explained.

Introduction

Let’s go back to the time when there was no online shopping or food applications and every time you had to visit the malls or the grocery shops to buy what you needed! It feels like a hassle now, in today’s world! But by the end of the 20^th century, when the wave of globalisation and liberalisation started globally, the markets started shifting from physical to virtual platforms. And now you even get a pen delivered to your doorstep!

All these services acquire our personal data by making us accept their terms and conditions or ‘cookies’.Cookies are bits of data that are sent to and from a browser to identify a certain user. These terms and conditions or cookies are so lengthy and technical that most people skip reading them. Starting from online shopping to net banking, from commuting from one place to another to watching online shows and movies everything takes some personal information of an individual. Have you ever thought that between taking a service and paying for it, the virtual service provider also gets the personal data of an individual which can be misused and this misuse can not only affect the individual but also the whole country. These applications collecting the personal data of individuals can impact their right to privacy.

“As it is aptly said that ‘data’ is the new oil, so it is very important to secure and manage the large volumes of data that are being processed in the country daily. After the covid 19 pandemic, not only the business and corporate world but also the state itself shifted to digital databases to securely work in these changing times. A country’s progress and individual’s rights can be balanced by implementing rules and regulations governing the conflicting interests and deciding the extent and nature of the use of digital personal data of an individual which an enterprise or the state can do. Due to the huge multifaceted impact of digital shifting and high-risk factors along with growing dependence on artificial intelligence technologies, the government passed the Digital Personal Data Protection Act (‘DPDPA’), 2023  which addresses all the concerns related to digital personal data privacy.

Data Protection landscape before the Digital Personal Data Protection Act (DPDPA), 2023 

Before the passing of the DPDPA, 2023 in India there were various other acts, rules, bills, cases, and drafts that dealt with the privacy of the personal data of individuals.

The first law that was enacted to secure the digital information of individuals was Information Technology Act, 2000. Later in the year 2011, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 came into force to secure the sensitive personal data or information of individuals. Further, the Ministry of Electronic and Information Technology codified Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 to balance the privacy rights in the interest of national security and public order.

In the case of Karmanya Singh Sareen and Anr vs. Union of India and Ors. (2016), WhatsApp’s 2016 privacy policy to permit WhatsApp to share data with Facebook was challenged before the Delhi High Court, wherein the High Court upheld WhatsApp’s policy and directed them to delete the data of the users who have opted out from this service.

In the case of Justice K S Puttaswamy (Retd.), and Anr. vs. Union of India,(2012), the 9 judges’ bench of the Supreme Court of India declared that the right to privacy is a fundamental right of the person under Article 21 of the Constitution of India. Following this, the B.N. Shrikrishna committee was formed to report on the concerns regarding the digitalization of personal data and propose solutions. The Draft Personal Data Protection Bill, 2018 was drafted by the committee which was presented before the lower house of the Parliament. Later in the year 2019, the draft Bill of 2018 was referred to the joint parliamentary committee for examination and was for public comments.

Now, after 5 years of extensive submissions, discussions, recommendations, consultations, customizations, and deliberation, a final draft of the Digital Personal Data Protection Bill, 2023, which after approval from the cabinet, was finally ready to be presented before the houses of the parliament and finally got passed in the lower house. 

A brief timeline of the Data Protection law in India is reproduced below for ready reference-

Journey of the Data Protection law in India	Year/ Bill/Act Name
First draft of the Bill(submitted by the committee formed under the chairmanship of Justice Srikrishna)	Personal Digital Protection Bill, 2018 (PDP Act)
PDP Act introduced in parliament and referred to Joint Parliamentary Committee (JPC)	December 2019
Report by JPC	December 2021
New version of Data Protection Act	December 2021 The Data Protection Bill, 2021
Draft of Data Protection Bill, 2021 withdrawn	August 2022
Bill replaced (Draft released by Ministry of Electronics and Information Technology)	Digital Personal Data Protection Bill, 2023 (“DPDP Bill, 2023”)
DPDP Bill, 2023 tabled before Parliament	3 August 2023
DPDP Bill, 2023 passed by the Lower House of Parliament	7 August 2023
DPDP Bill, 2023 passed by the Upper House of Parliament	9 August 2023
DPDP Bill, 2023 presidential assent and became law of the land	Digital Personal Data Protection Act, 2023(passed on 11 August, 2023)

Overview of Digital Personal Data Protection Act (DPDPA), 2023

The Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “DPDP Act” or “Act”) is an elaborative effort of the Indian legislature to protect the privacy of an individual in today’s world where an individual’s personal data is floated digitally for innumerable reasons. 

The main idea of the DPDP Act of India comes from the data privacy regulation of the European Union, which is known as the General Data Protection Regulation, but rather than being prescriptive and extensive, it is a concise and comprehensive draft that incorporates most of the concerns surrounding the data protection regime in India. The current draft proposed is a very pragmatic and thoughtful step taken to establish the data protection regime in India by keeping in mind the rights and concerns of the people of India along with the globalization goals of the Indian economy.

When we read this DPDP Act, we get to see how the legislature has been successful in implementing the balance between data sovereignty and economic growth through globalization. Another major aspect covered by this proposed legislation is the extent of the use of personal data obtained by any business or entity. The Act aims at circumscribing the use of personal digital data collected to limit it within the parameters of legal boundaries. Further, the Act also gives the control to the individual, whose data is collected, to consent, access, and edit their data and make corrections. This results in building the people’s trust in this digital regime and makes them feel secure and empowered. 

Key difference between drafts of various Data Protection Bills

Basis	The Digital Personal Data Protection Bill, 2023	The Personal Data Protection Bill, 2019	The Draft Data Protection Bill, 2018
Scope and Applicability	Does not cover offline personal data and non-automated processing	Covers anonymised personal data	Processing of personal data by government and private entities and entities incorporated overseas.
Transfer of personal data outside India	The Central Government may restrict the transfer of personal data through notification.	Some of the sensitive personal data may be transferred only if explicit consent is provided.	The personal data may be transferred to certain permitted countries or countries under contract with the authorities. This can only be done if consent is provided.
Data Breach reporting	All the personal data breach should be intimated to the Data Protection Board of India and also the affected Data Principal (as hereinafter defined in the course of this article).	Same as the Data Protection Bill of 2018.	All the personal data breach should be intimated to the Data Protection Board of India. The affected Data Fiduciary will only be informed if the Board decides.
Exemptions	Granted by the Central Government through notification. There is no safeguard or procedure for exemption specified.	Granted by the Central Government through order. Exemptions may be granted to some agencies wherein processing is necessary or it is subject to certain procedures.	The Exemption may be granted where processing is authorised by law and as per the procedure established by law.
Right to be forgotten(The individuals have right to limit the disclosure of their personal data on the internet)	Not provided	Provided	Provided
Harm from the processing of personal data	Not provided	Similar to the Draft Data Protection Bill, 2018	This harm includes monetary loss, loss of reputation, and identity theft. Data Fiduciaries need to take measures to mitigate the risk of harm and Data Principal has the right to seek compensation in case of harm caused.
Right to Data Portability	Not provided	Provided	Provided
Regulator	The Data Protection Board of India	The Data Protection Board of India and the Appellate Tribunal	The Data Protection Board of India and the Appellate Tribunal

Objectives of Digital Personal Data Protection Act (DPDPA), 2023 

This DPDP Act, apart from being concise in length, is also written in very simple words and has further simplified by exemplifying the provisions through illustrations. 

One of the unique features of this Act is that for the first time legislation uses the word ‘she’ instead of ‘he’ in the law-making in India. This acknowledgment of women in legislation points toward steps taken by the legislature toward gender equality in law-making. 

The DPDP Act is also free of any provisos. This further reduces the complexity of this proposed legislation. The parties referred to in this Act are ‘Data Principal’ and ‘Data Fiduciary’. The objectives of the DPDP Act are:

• to govern the processing of personal data on the digital platform in India whether obtained online or offline;
• to provide for the protection of digital personal data;
• to lay down grounds for processing personal data;
• to make provisions that will harmonise the ever-evolving digital infrastructure and technological advancement in India with the core fundamental right of privacy of its individuals;
• to place general and in certain cases special obligations on entities that process personal data;
• to confer rights in respect of their personal data on individuals;
• to provide for the duties of the individual while exercising their rights and providing their personal data for certain purposes;
• To lay down a digital design compliance framework for easy and faster implementation of the proposed Act;
• to regulate digital technology by ascertaining the accountability of  AI-driven applications and platforms while handling personal digital data;
• to enable parties in dispute to attempt for mediation;
• to provide for monetary penalties for non-compliance of the provisions of the Act; and
• to enable voluntary undertaking for faster resolution and rectification of lapses.

Highlights of Digital Personal Data Protection Act (DPDPA), 2023

The following are the highlights of the Act:

1. It covers digital personal data.
2. Data Fiduciary or a class of Data Fiduciary including startups are exempted from the provisions of this Act. The power to exempt is with the Central Government who shall inform it through notification.
3. For onboarding a Data Processor (as defined hereinafter) a valid contract is mandatory.
4. Cross-border transfers are valid. However, certain transfers are restricted by the Central Government.
5. The Act excludes personal data that is made publicly available by the Data Principal.
6. Situations labelled as deemed consent in the previous Act have been permitted as ‘certain legitimate uses’.
7. No criminal liability for non-compliance with the provisions of the Act.
8. The personal data of children cannot be used for tracking, behavioral monitoring, or targeted advertising.
9. Introduction of Significant Data Fiduciaries who shall appoint a Data Protection Officer to conduct periodic data protection impact assessments.
10. The privacy notice should be in English or any other language that is specified in the Eighth schedule of the Indian Constitution.
11. The right to nominate for Data Principal has been added.
12. The key stakeholders of this Act are:

1. Data Principal 
2. Data Fiduciary
3. Significant Data Fiduciary
4. Data Processors
5. Consent Manager

Key features of Digital Personal Data Protection Act (DPDPA), 2023

The key features of the DPDP Act, 2023 are as follows:

1. Applicability of the Act: The provisions of this Act will apply to the processing of digital personal data within the territory of India where such data is collected either in the digital form or non-digital form and is digitised. Further, the Act shall also apply to the processing of digital personal data outside the territory of India. In simple words, the DPDP Act also applies to non-citizens living in India. It does not apply to the processing of personal data for domestic or personal purposes by individuals and personal data made publicly available.
2. Consent: The Act allows personal data to be processed only after the consent of the individual is given or for ‘legitimate use (lawful use of the personal data)’. Further, the consent needs to be given only for lawful purpose. Along with the consent the personal data and the purpose for which the consent is given needs to be proposed. The consent given must be ‘free, informed, specific and unconditional’.

Example: A, an individual opens a share trading account using the mobile app or website of C, a share trading website. For completing the Know-Your-Customer formalities A chooses to process her personal data by C through live video-based verification. C shall give a notice to A that will give a detailed explanation of the personal data and the purpose of its processing.

3. Exemptions: The right of the Data Principal and obligations of the Data Fiduciary shall not apply when the processing of data is:

1. for enforcement of any legal right or claim;
2. by the court or tribunal or any other body in India entrusted with the performance of judicial or quasi-judicial or supervisory function;
3. for prevention, investigation, detection, or prosecution of any offence;
4. not within the territories of India;
5. essential for a scheme of compromise, arrangement, or merger, or amalgamation of two or more companies or undertakings;
6. for ascertainment of financial information and assets and liabilities of a person who has defaulted payment due to loans or advances from financial institutions. 

Further, the exemptions also include the processing of personal data:

1. in the interest of the sovereignty and integrity of India, friendly relations with foreign states, state security, and public order; and
2.  for research, archiving, or statistical purposes.

4. Personal data transfer to outside India: One of the features of this Act is that it allows the transfer of personal data outside India, but not to the countries restricted by the central government through notifications issued in this regard.
5. Rights and duties of Data Principal: The Act gives certain rights to the Data Principal which include the right to:

1. access information about personal data;
2. correct and erase personal data;
3. grievance redressal; and 
4. nominate another individual to exercise rights in case of death or incapacity of the Data Principal. 

The duties of the Data Principal include:

1. complying with the provisions of all the laws;
2. ensuring no impersonation of another person while providing her personal data;
3. ensuring no suppression of material information;
4. not registering any false complaint or grievance; and
5. furnishing authentic information. 
6. Data Protection Board of India (DPBI): There shall be a DPBI consisting of a chairperson and other members as appointed by the Central Government. The tenure of the chairperson and other members will be two years and they are eligible for re-appointment. The main function of the board will be to:

(i) direct any urgent or mitigation measure in case of a personal data breach;

(ii) impose penalties;

(iii) monitor compliances; and 

(iv) hear grievances made by the affected persons.

7. Penalties: There are penalties for various offences specified in the schedule of the Act. Some of the penalties include a penalty extending to 150 crore for a breach in observance of duties specified under Section 15.

Principles on which Digital Personal Data Protection Act (DPDPA), 2023 is based

The following are the principles on which the DPDP Act is based:

Principle of consent

This principle denotes how the data must be collected from the individuals. Every data collected must be through lawful means and should follow fair procedure. This fair and transparent procedure means that the concerned individuals must be informed about the nature, purpose, and use of the personal data collected from them. After being informed it is also mandatory that the individuals give their consent to the collection and use of their personal data.

Principle of purpose limitation 

This principle denotes that once consented personal data is collected, the use of it must be restricted to the purpose for which it was collected and the purpose for which consent is received from the individual. Any deviation from the consented purpose is prohibited in the proposed legislation. While obtaining the consent of the individual, the data fiduciary must make sure to comprehensively inform the purpose of such personal data collection to the individual.

Principle of data minimization

This principle speaks of the proportionality between the purpose of the data and the personal data collected in that context. It must be ensured that the personal data collected is not more than the specific purpose for which it is collected. There should not be extra personal data collected in the veil of serving a specific purpose.

Principle of personal data accuracy

The next principle is about updating the personal data collected. The Act allows for certain reasonable measures that can be taken to ensure the accuracy and correctness of the personal data collected from the individual. Also, it is expected that the Data Fiduciary takes reasonable measures to update the personal data collected to its utmost accuracy. This principle is incorporated to ensure the accuracy of the personal data at every level for achieving the specific purpose for which it was collected.

Principle of storage limitation

This principle adheres to the rule against perpetuity. The time period of storage of the personal data must be directly proportional to the specific purpose for which it is collected. Once the said purpose is accomplished, the data must be removed from the access of the Data Fiduciary. The duration of personal data storage should not be perpetual by default. It must be limited to the reasonable time required for the fulfilment of the specific purpose for which it was collected.

Principle of data safeguard with reasonable measures 

Once the Data Fiduciary has acquired the trust and consent of the individual to receive her personal data for a specific purpose, they must ensure that such personal data is secured and it must not be breached, shared, processed, or accessed for any purpose other than the ones which are authorized. This principle gives the outline for protection against any of the unauthorized uses of the personal data collected other than the uses for which the consent was obtained.

Principle of accountability 

One of the most important principles on which any protective law is based is the one of accountability. Any preventive or protective laws decide the accountability of the wrong done or committed. The DPDP Act determines the accountability of the data fiduciary who has collected the personal data of the individual after obtaining her trust and consent. Once the data is collected, any further use, accessibility, sharing, or any other type of processing of such data will be the responsibility of the person in charge of such data. The redressal, penalties, etc. for the breach of the provisions and the trust of the individual are all available in the provisions of this proposed legislation. 

Key terminologies in Digital Personal Data Protection Act (DPDPA), 2023

The definitions are explained in Section 2 of the DPDP Act. There are a total of 28 legal terms defined in the Act. The definition clause is an attempt to give the direction in which the legislators want the interpretation of the terms used in the Act. The definitions are alphabetically arranged and the reference of where to find the exact definition of the mentioned terms. 

The term ‘Appellate Tribunal’ is defined under clause (a) means the Telecom Regulatory Authority of India Act, 1997 under section 14 which establishes the ‘Telecom Disputes Settlement and Appellate Tribunal’.

Clause (b) defines the term ‘automated’ by a very inclusive definition using the terms ‘any digital process’ and ‘instructions are given or otherwise’. It explains that any automatic digital process which is processing data on any given instructions or its own will be termed as ‘automated’. 

Clause (c) is not so much of a definition clause but rather just a clarification clause stating that wherever this Act uses the term ‘Board’ it means the Data Protection Board of India established under section 18 of the DPDP Act by the Union Government. 

Clauses (d), (e), and (f) are more or less referral or clarification clauses. They deal with the terms ‘certain legitimate uses’, ‘chairperson’, and ‘child’. The term ‘certain legitimate uses’ is referred to in section 7 of the DPDP Act, 2023. ‘Chairperson’ is clarified to be construed as the ‘Chairperson of the Board’ and for the question of ‘which board’, refer to clause (c). Lastly, the term ‘child’ is defined as any person who has not attained the age of eighteen years. This is a very generalized blanket, especially concerning the subject that this Act is dealing with i.e. digital privacy and personal data protection. 

The next definition in the row is ‘Consent Manager’ under clause (g). It is defined as a sole intermediary platform that enables the Data Principal to give and access her consent to review, supervise, or recant it at any stage. This transparent medium enables the trust of the Data Principal in the Data Fiduciary and ensures fair and authentic accessibility and processing of the digital data collected.

The term ‘Data’ is defined under clause (h) as any kind of communicable representation that can be communicated, processed, understood, and explained by any individual or artificial intelligence. 

The person determining the objective of collection of personal data and the methods and extent of processing the same is known as a ‘Data Fiduciary’ as defined under clause (i). The definition also states that it can be a single person or several persons who can act as a Data Fiduciary. 

Clause (j) gives an inclusive definition and defines ‘Data Principal’ as any individual whose personal data is collected. It further elaborates that the lawful guardian of a child including parents and the lawful guardian of the disabled person will also come under the term ‘Data Principal’. 

Clause (k) defines the term ‘Data Processor’ as whenever any person processes the personal data of the Data Principal, on behalf of the Data Fiduciary, then that person will be known as a Data Processor.

Clause (l) gives a referral definition to the term ‘Data Protection Officer’. It says that whoever is appointed by the Significant Data Fiduciary under section 10(2)(a) will be a Data Protection Officer. 

Clause (m) defines ‘Digital Office’ as an online mechanism where all the related redressal proceedings from the filing of complaints, appeals, etc. to their disposal are conducted. As stated all of these proceedings are conducted online or digitally. Then, clause (n) defines ‘digital personal data’ as any personal data in digital form. Unlike the earlier regulation, there is no further bifurcation of digital personal data based on its sensitivity in this current DPDP Act.

The next two clauses (o) and (p) define the terms ‘gain’ and ‘loss’. These definitions are just explanatory and not exhaustive. It says that any gain or loss in property or services or opportunity of legitimate remuneration or any financial advantage will be ‘gain’ or ‘loss’ under this Act. 

Clause (q) gives an inclusive definition of the term ‘member’ which is member of the Board including the Chairperson. 

Clause (r) defines ‘notification’ which includes the terms ‘notify’ and ‘notified’ and should be published in the Official Gazette. 

The term ‘person’ is defined under clause (s) in an inclusive definition including any individual, a Hindu Undivided Family, a company, a firm, an association of persons, a body of individuals, whether or not incorporated, the State, and every other artificial juristic person.

‘Personal Data’ is defined in clause (t) as any data that can identify or relate to an individual. 

Clause (u) defines ‘personal data breach’ as the unauthorised processing of personal data or accidental disclosure, sharing, use, or alternation of personal data which leads to compromising its confidentiality, integrity, or availability. 

‘Prescribed’ as defined under clause (v) means any rules that are prescribed under this Act.

Any action taken by the board under this Act is termed a ‘proceeding’ [clause (w)].

The term ‘processing’ is described exhaustively under clause (x). It is related to the processing of personal data and means either wholly or partly automated operations performed on personal data. The personal data in which it should be processed should be digital. Operation includes recording, collection, storing, indexing, organisation, structuring, adapting, retrieving, using, aligning or combining, sharing, disseminating or making available, erasure, restriction, or destruction.

One of the most unique features of this Act is the use of the term ‘she’ which is defined under clause (y).  The term she refers to any individual irrespective of gender.

Clause (z) defines ‘Significant Data Fiduciary’ as any Data Fiduciary or class of Data Fiduciaries. These data fiduciaries or class of data fiduciaries are notified by the Central Government under Section 10 of the Act.

‘Specified Purpose’ as defined under Section (za) means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal. This is done in accordance with the provision of the Act and its rules.

Lastly the term ‘state’ has been defined under clause (zb). Don’t we all remember this term is defined in the Indian Constitution Article 12? It means the same over here.

Rights of Data Principal

The rights of the Data Principal are mentioned in Chapter III of the Act. A Data Principal has four rights under the Act which are as follows:

Right to access information about personal data (Section 11)

The Data Principal has the right to obtain-

1. a summary of the personal data being processed by the Data Fiduciary;
2. the identities of all the data fiduciaries and the data processors to whom the personal data is shared along with the detailed description of the personal data shared; and 
3. any other information related to the personal data from the Data Fiduciary.

But if the Data Fiduciary shared the personal data with any other Data Fiduciary who by law is authorised to obtain the personal data, and the personal data is being shared for carrying out prevention, detection, investigation of cyber incidents or prosecution or punishment of offences, the rights which are mentioned in (b) and (c) shall not apply.

Right to correction and erasure of personal data (Section 12)

If the Data Principal wants she can get her personal data –

• corrected, if there is any inaccurate or misleading personal data;
• updated;
• complete, if the personal data is incomplete; and
• erased (unless retention is necessary for compliance with the law or specified purpose)

The Data Principal needs to request the Data Fiduciary to get this done and once the Data Fiduciary receives the request he is obliged to do it in accordance with the law.

Right of grievance redressal (Section 13)

In case of any grievance, the Data Principal has the right to register a grievance with the grievance redressal mechanisms provided by the Data Fiduciary or the Consent Manager who shall respond to the grievance within the prescribed period notified by the Central Government. Further, the Data Principal must exhaust the redressal opportunity as provided in the section before approaching the Data Protection Board. 

Right to nominate (Section 14)

How can the personal data of a Data Principal be handled after his death or incapacity? Under this section, the Data Principal has the right to nominate any other individual who shall exercise the right of the Data Principal as per the provisions of the rules specified.

Duties of Data Principal

The DPDP Act (Section 15) specifies five Duties that the Data Principal shall perform:

1. Compliance – The Data Principal shall comply with the provisions of all the applicable laws while exercising the rights under the provisions of the Act.
2. No impersonation: The Data Principal must not impersonate another person at the time of providing her personal data.
3. Full Disclosure-  A complete disclosure of the personal data should be provided by the Data Principal. No suppression of any material information must be done. All the documents, proof of identity, or proof of address should be accurately presented.
4. No false or frivolous grievance- The Data Principal should not register any false or frivolous complaint or grievance with the Data Fiduciary or Consent Manager or the Data Protection Board.
5. Authentic information-  Only verifiable authentic information must be provided by the Data Principal while exercising the right to correction or erasure.

Obligations as a Data Fiduciary under the Digital Personal Data Protection Act (DPDPA), 2023

Before knowing the obligations of a Data Fiduciary, let us understand who is a Data Fiduciary. A person who either alone or with some other person decides for what purpose and for what means the personal data is processed. 

The obligations of Data Fiduciary are outlined under Chapter II of the Act. There are two grounds under which the personal data of a Data Principal can be processed:

1. When the Data Principal has given her consent; or
2. When it is used for certain legitimate use.

Moreover, a Data Fiduciary can process the personal data of a Data Principal only for lawful purposes.

Explaining more about the Data Principal, if the Data Principal is a child, it will include their legal guardian or parents. If the Data Principal is a person who has a disability, it will include a legal guardian who will act on their behalf.

Notice to the Data Principal

Any request for consent made to the Data Principal should be accompanied by a notice from the Data Fiduciary specifying the purpose of processing personal data, the manner in which she may exercise her rights, and the complaint mechanism. If this consent is given before the date of commencement of the DPDP Act, the Data Fiduciary is obliged to give notice to the Data Principal specifying the purpose of processing personal data, the manner in which she may exercise her rights, and the complaint mechanism thereof. Further an option will be given to the Data Principal to access the contents of the notice in English or any language specified in the Eighth schedule of the Indian Constitution.

The personal data of the person shall be processed until the Data Principal withdraws her consent.

Consent by the Data Principal

The consent that is given by the Data Principal should be freely given, specific, informed, unconditional, and unambiguous. The consent must indicate an agreement to the processing of personal data for the specified purpose and be limited only to the specified purposes. If any part of the consent violates the Act’s provision it will be considered invalid. The consent presented to the Data Principal should be clear and in plain language. It should also provide the details of a Data Protection Officer, where applicable, or any other person authorised by the Data Fiduciary to respond to a communication from the Data Principal.

Data Principals have the right to withdraw their consent at any time and the consequences of such withdrawal will be borne by the Data Principal. For example, A, an individual orders clothes from the website of B, an e-commerce service provider. A before placing an order consents to process her personal data by B for supplying her order. If A withdraws her consent, B can stop A from placing further orders from her website but can’t stop the processing of the supply of goods already ordered. 

In case of withdrawal of consent, the Data Fiduciary is obliged to cease processing the personal data of the Data Principal within a reasonable time unless such processing is done without her consent or as authorized by this Act or rules or any other applicable Indian laws.

The Data Principal can give, manage, review, or withdraw consent from the Data Fiduciary through a Consent Manager (registered with the Board), who will be accountable to the Data Principal. The Consent Manager acts on behalf of the Data Principal.

If any question is raised against any processing of personal data of the Data Principal, the Data Fiduciary has to prove that the notice was given by her to the Data Principal according to the provisions of the Act.

Certain legitimate uses

Section 7 of the Act states that the processing of personal data of the Data Principal by the Data Fiduciary must be done only for the following purposes:-

1. When the Data Principal has voluntarily provided her personal data to the Data Fiduciary. 

Example: A, an individual goes to a superstore B, to buy groceries. A voluntarily provides B with her personal data and requests B to send the Bill to her mobile phone through a message. B can only process the personal data of A for the purpose of sending the bill.

2. For the state or any of its instrumentality for subsidy, benefits, service, certificate, license, or permit to be provided or issued to the Data Principal. This can be done only in case she has previously consented to process her personal data or such personal data is available in digital form or non-digital form and digitized from the state or any of its instrumentality maintained books, registers, database, or any other document;
3. For the performance by the state or any of its instrumentality for any function under Indian law or in the interest of the sovereignty and integrity of India;
4. For the fulfilment of any obligations on any person to disclose any information to the state or any of its instrumentality;
5. For compliance of decree or judgment or order issued;
6. For compliance with any judgment or order related to claims of a contractual or civil nature being in force outside India;
7. For responding to a medical emergency that involves a threat to the life or immediate threat to the Data Principal or any other individual;
8. For providing medical treatment or health services to an individual during any outbreak of disease, epidemic, or any other threat to health of the public;
9. For taking steps to ensure the safety of or providing assistance to any individual during a disaster or breakdown of public order;
10. For the purpose of employment or safeguarding the employer from loss or liability like maintaining confidentiality of intellectual property or trade secret etc.

General obligations of Data Fiduciary

Apart from the above-mentioned obligations, there are some general obligations of Data Fiduciary outlined in Section 8 of the Act. These are as follows:

1. To adhere to the provisions of this Act and the rules while processing personal data.
2. To engage, appoint, or involve a Data Processor in processing the personal data on its behalf for activities relating to the offering of goods or services to the Data Principal.
3. To ensure data accuracy, completeness, and consistency.
4. To implement technical and organisational measures.
5. To protect personal data in its control or possession.
6. To inform the Board and affected Data Principal about the breach in personal data.
7. On withdrawal of consent by the Data Principal erase the personal data and cause its Data Processor to erase the personal data that was made available to them.
8. Publish the contact information of the Data Processor Officer.
9. Establish an effective redressal grievance mechanism for the Data Principal.

Processing of personal data of children

If the personal data of a child or personal disability is being processed, the Data Fiduciary should obtain verifiable consent from their parent or lawful guardian. The personal data will not be processed if it is likely to harm the well-being of a child. Further, no tracking or behavioural monitoring of children or targeted advertising directed at children will be done.

Additional obligations of Significant Data Fiduciary

Before knowing their obligation let us quickly know about Significant Data Fiduciary. Significant Data Fiduciaries are any Data Fiduciaries or class of Data Fiduciaries that the Central Government notifies. 

• The Significant Data Fiduciary appoints a Data Protection Officer who represents them, is based in India, is responsible to the Board of Directors or similarly governing body of the Significant Data Fiduciary, and is a point of contact for grievance redressal mechanism.
• An independent auditor is also appointed by the Significant Data Fiduciary, who carries out data audits and ensures compliance with the provisions of the Act.
• Periodic data protection impact assessment shall be conducted by the Significant Data Fiduciary. This assessment comprises of description of the rights of the Data Principal and the purpose of processing their personal data, and other matters regarding this process of assessment.
• Periodic audit shall be undertaken by the Significant Data Fiduciary.
• Other such acts/measures shall be done by the Significant Data Fiduciary as consistent with the provisions of the Act.

Provisions of Digital Personal Data Protection Act (DPDPA), 2023

Exemptions

The following exemptions have been provided under Section 17 of the DPDP Act, 2023:

General exemptions

The provision of Obligation of Data Fiduciary [except Section 8 (1) wherein it is provided that the Data Fiduciary shall irrespective of any agreement carry out the duties under this Act, and (5) wherein it is provided that Data Fiduciary shall protect personal data in its possession by taking reasonable security safeguards to prevent personal data breach], provisions of rights and duties of Data Principal, and Section 16 ( Processing of personal data outside India) shall not apply where the personal data –

1. is processed to enforce any legal right or claim;
2. is processed by any court or tribunal for the performance of any judicial, quasi-judicial, or supervisory function;
3. is processed to prevent, detect, investigate, or prosecute any offence;
4. of the Data Principals is not within the territory of India and is processed under any contract entered with any person outside the territory of India;
5. is processed for a scheme of compromise, amalgamation, arrangement, or merger of two or more companies.
6. is processed for ascertaining the financial information and assets and liabilities of any person who defaulted in payment of a loan or advances borrowed from the financial institution.

Exemptions from the Central Government and States

Further, the provisions of the Act shall not apply to the processing of personal data-

1. by any notified agency in the interest of the sovereignty and integrity of India, friendly relations with the foreign state, security of the state, maintenance of public order, etc;
2. for research, archiving, or statistical purposes; and
3. for startups or any other notified Data Fiduciaries or class of Data Fiduciaries by the Central Government.

Data Protection Board of India

The DPDP Act, 2023 establishes a Data Protection Board of India (referred to as ‘Board’) which shall function as an independent body and also try to function as a digital office of the Board. The Board shall try to adopt techno legal measures provided in the Act. The main aim of establishing this Board was to ensure compliance with the provisions enumerated in the Act. The composition of the Board and its establishment is determined by the Central Government.

Composition and qualifications for the Board

The Board shall comprise a Chairperson and other such members who shall be appointed by the Central Government. If necessary for the efficient discharge of function as per the Act, the Board with prior approval of the Central Government can appoint other officers and employees. Section 25 of the Act mentions that the members, chairperson, officers, and employees of the Board shall be public servants as per Section 21 of the Indian Penal Code.

Further, the persons appointed shall be persons of ability, integrity, and having knowledge of data governance, administration, digital economy, information technology, dispute resolution, and other fields that the Central Government deems useful in this regard. At least one of the members of the Board shall be a law expert.

Salary, allowances, and tenure

The salary and allowances of the service shall be prescribed by the Central Government. The tenure of the chairperson and other members shall be two years who are also eligible for re-appointment.

Disqualifications of the Board members

The chairpersons and the members shall be disqualified for appointment and continuation if any of them-

1. has been adjudged as insolvent;
2. has become incapable (physically or mentally) of acting as a member;
3. has been convicted of an offence, which in the opinion of the Central Government involves moral turpitude;
4. has abused the position held; or
5. has developed financial or other interests which shall affect the functions to be performed being such a member.

However, the chairperson or member of the Board shall not be removed from the office unless they have been given the opportunity of being heard.

Resignation of members 

If the chairperson or any other member of the Board wants to resign, she can do so by giving a notice in writing to the Central Government. But this doesn’t mean the resignation will be effective from the date of notice. It will be effective only when-

1. the Central Government permits her to relieve office; or
2. on expiry of a period of three months from the date of receipt of the notice; or
3. a successor enters her office; or
4. her term has expired from the office,

whichever is earliest.

Now the next question that arises here is how will the vacancy be filled. In case of resignation, removal, or death of the chairperson or any member of the Board, it will be filled by a fresh appointment in accordance with the provisions of the Act.

The Act clearly states that if the chairperson or any other member vacates, she shall not be allowed to accept any employment for one year from their last day of working and they also need to disclose to the Central Government about any acceptance of employment with any Data Fiduciary against whom proceedings were initiated by or before such chairperson or any other member.

Proceedings of Board

As per Section 23 of the Act, for holding and undertaking transactions of business at its meeting and authenticating its orders, directions, and instruments the procedure as prescribed in the Act shall be followed. Further, no act or any proceedings will be invalid because of –

1. vacancy or any defect in the constitution of the Board;
2. defect in the appointment of a person acting as the chairperson or other members of the Board;
3. irregularity in the procedure of the Board, not affecting the merits of the case.

Powers of the Chairperson

The DPDP Act, 2023 enumerates certain powers that the chairperson of the Board can exercise, like:

1. general superintendence;
2. giving instructions for all administrative matters of the Board;
3. authorising any officer of the Board to scrutinise any complaint, reference, intimation, or correspondence addressed to the Board;
4. authorising any power of any of the functions of the Board and conduct of its proceedings; and
5. allocating proceedings amongst the members of the Board.

Powers and functions of the Board

As per Section 27 of the Act, the following are the powers and functions of the Board:

1. In case of any personal data breach, inquire about it, direct any urgent remedial or mitigation measures, and impose penalties as specified under the Act. The intimation of the personal data breach should be given by the Data Fiduciary;
2. To inquire into a complaint made by a Data Principal for a personal data breach or a breach in observance by a Data Fiduciary of its obligation with respect to the personal data or rights under the Act or on the reference made by the Central Government or State Government to the Board or in compliance with the directions of any court and impose penalties;
3. To inquire into a breach by the Consent Manager of its obligation and impose penalties. The complaint must be made by the Data Principal; and
4. Inquiring for breach of any condition of registration of a Consent Manager and imposing penalties.

The directions shall be given by the Board only after giving the concerned person an opportunity of being heard and record the reasons in writing. The concerned person is bound to comply with the directions issued. The Board also has the power to cancel, modify, withdraw, or suspend its directions.

Procedure to be followed by the Board

The procedure that the Board needs to follow when they receive any intimation or complaint of reference or directions is listed under Section 28 of the DPDP Act, 2023. The Board shall have similar powers as are vested in a civil court under the Code of Civil Procedure,1908 (CPC). The powers vested in a civil court under the CPC are-

1. summoning and enforcing the attendance of any persona and examining her on oath;
2. receiving evidence of affidavit requiring the discovery and production of documents;
3. inspecting any data, document, book, register, books of accounts, or any other documents; and
4. such other matters as may be prescribed.

The procedure to be followed by the Board after receiving any intimation or complaint of reference is as under-

1. Analyze and determine whether there are sufficient grounds to proceed with an inquiry.
2. If there are no sufficient grounds, the proceedings will be closed and the reason will be recorded in writing.
3. If there are sufficient grounds, the reason will be recorded and the Board shall inquire into the matters. The Board to ascertain if the person is complying with or has complied with the provisions of the act.
4. During the inquiry, the Board or its officers cannot prevent access to any premises or take custody of any equipment/items that can affect the day-to-day functioning of the person. 
5. In case the Board needs the assistance of any police officer or any other officer of the Central Government or a State Government, such officer shall comply with the Board.
6. While the inquiry is in process, the Board can issue an interim order after giving the person an opportunity to be heard. The Board needs to record the reasons in writing for issuing an interim order.
7. When the inquiry is completed and a chance of being heard is given to the person, the Board can close the proceedings. The reasons for closing the proceedings must be recorded in writing.
8. If the Board finds that the complaint is false and frivolous, it may issue a warning or impose costs to the complainant. This can be done at any stage after the receipt of the complaint.

Appeal to Appellate Tribunal

If any person is aggrieved by the direction or order of the Board, the option of appeal before the Appellate Tribunal (herein referred to as ‘Tribunal’) is always open for her. However, the appeal should be made within 60 days from the date of receipt of the order or direction and shall be made in such form and manner as prescribed. The appeal shall be accompanied by fees. Once the appeal is received the Tribunal shall give the parties an opportunity of being heard and pass orders that may be to modify, confirm, or set aside the appealed order. Once the order is passed, a copy of the order shall be sent to the Board and the parties of the appeal. Every endeavour shall be made by the Tribunal to deal with the appeal within 6 (six) months from the date on which the appeal was presented to it. If within six months the appeal is not disposed of, the Tribunal shall record the reasons in writing for not disposing of the appeal within time. The order which is passed by the Tribunal shall be executable as a decree of civil court and the Tribunal shall have the power of a civil court.

The provision of Section 18 of the Telecom Regulatory Authority of India Act,1997 shall apply if an appeal is filed against the order of the Tribunal.

What will happen if a person is not able to file a complaint within 60 days? In that case, the Tribunal may hear the appeal if it is satisfied that there is sufficient cause for not filing the appeal within 60 days.

At any stage of the proceeding in the Tribunal, the Board may accept a voluntary undertaking from any person which may include an undertaking to take such action within the time determined by the Board or refrain from taking such action or publicising such undertaking. If the person fails to adhere to the voluntary undertaking terms it shall constitute a breach of the provisions of the Act and after giving the opportunity of being heard the Board shall impose penalties accordingly.

Alternate Dispute Resolution

There can be cases when the Board may direct the parties to solve the complaint by mediation and appoint a mediator by mutual consent.

Penalties

Before imposing any monetary penalty on any party, the Board shall give her an opportunity to be heard. 

Parties on whom penalties may be imposed

The Board may impose penalties on the following parties and in case of the following circumstances:

1. Consent Manager– In case of a breach in observance of its obligations with the Data Principal’s personal data or any condition of registration of consent manager.
2. An intermediary– In case of breach of its obligation for blocking the access to information when directed by the Central Government to do so.
3. Data Fiduciary– In case of a breach of personal data or a breach in observance of its obligations with the personal data or in exercising Data Principal’s rights.

The question now is – How is the monetary penalty determined? 

The Board shall determine-

1. the nature, gravity, and duration of the breach;
2. the type and nature of the personal data that is affected by the breach;
3. repetitive nature of the breach;
4. if any gain is realised or loss is incurred to the person due to breach;
5. if any actions were taken to mitigate the effects and consequences of the breach by the person;
6. the timeliness and effectiveness of the actions taken by the person to mitigate the effects and consequences of the breach;
7. if the monetary penalty imposed is proportionate and effective; and
8. the impact of the imposition of the breach on the person.

The penalties prescribed in the Schedule of the Act are as follows:

S.no	Breach of provisions of the Act	Penalty
1	Section 8(5) – Breach in taking reasonable security safeguards to prevent personal data breach by the Data Fiduciary	May extend to  Rs. 250 crores
2	Section 8(6) – Breach in giving the Board or affected Data Principal notice of a personal data breach	May extend to  Rs. 200 crores
3	Section 10 – Breach in observance of additional obligations w.r.t children	May extend to  Rs. 200 crores
4	Section 10 – Breach in observance of additional obligations of Significant Data Fiduciary	May extend to  Rs. 150 crores
5	Section 15 – Breach in observance of the duties of the Data Principal	May extend to  Rs. 10,000
6	Section 32 – Breach of any term of voluntary undertaking accepted by the Board	Up to the extent of the breach in respect of which the proceedings under Section 28 were instituted.
7	Breach of any other provision of this Act	May extend to  Rs. 50 crores

The sums realised by way of penalties shall be credited to the Consolidated Fund of India. (Section 34)

Protection of action taken in good faith

Anything that is done or is supposed to be done in good faith by the Central Government, the Board, its chairperson, and any Member, officer, or employee will not be held liable. No suit, legal proceedings, or prosecutions shall lie against them. (Section 35)

Power of Central Government

The Central Government shall have the following powers for the purpose of this Act-

1. To call for information from the Board and any Data Fiduciary or intermediary. (Section 36)
2. To issue directions to any agency of the Central Government or any intermediary to block access by the public or cause to be blocked for access by the public. These directions shall be recorded in writing. (Section 37)
3. To make rules which are consistent with the provisions of the Act. (Section 40)
4. To amend the Schedule by notification. (Section 42)
5. To make provisions that are not inconsistent with the provisions of the Act. (Section 43)

Consistency with other laws

All the provisions of this Act will not be derogatory of any other law which is in force. Further, if the provisions of this Act conflict with any other law, the provisions of this Act shall prevail. (Section 38)

Bar of jurisdiction

The suit or proceeding which the Board is empowered under the provision of this Act shall be entertained by the civil court. Further, no injunctions shall be granted by any other court or authority. (Section 39)

Challenges and concerns related to Digital Personal Data Protection Act (DPDPA), 2023

There are several concerns and challenges related to the DPDP Act, 2023:

Sharing of personal data

1. The consent of the individual can be carried forward by giving a notice. However, that notice is vague and it does not provide any information about what and when will the Data Fiduciary be allowed to keep that data. This raises a concern about whether the trust on which the personal data is shared with the Data Fiduciary can be breached and whether personal information can be corruptly processed.
2. Another major concern of this Act is regarding the use of voluntary sharing of personal data. If an individual is sharing her personal information on any AI application or any digital platform then she has no protection under this proposed legislation. The application may use or share such personal data in any way and there is no accountability for such usage or processing of these voluntarily shared personal data. This concern also extends to anonymous personal data which is also kept outside the scope and purview of this Act.
3. Another issue raised is that while acquiring the consent of an individual to process her personal data for a specific purpose it is not mandatory to mention that the personal data will be shared if it is required to achieve the said purpose. The Data Fiduciary will not be accountable for not sharing information about the transfer of personal data as long as it is for the specified purpose. Mass surveillance is also not actioned in this Act. The union government can easily withhold personal data for an unspecified period which poses a great threat to the privacy rights of an individual.

Cross-border transfer of data

Another concern of this Act is the protection in case of cross-border transfer of data. There is a provision in the Act that states that the Central Government may restrict the transfer of data across countries through a notification, however, there are no clear restrictions mentioned in the Act for transfer of personal data to other countries. This creates a question of whether there is an adequate mechanism for protection in case of cross-border transfer of data.

Ascertainment of children

The persons of age below 18 years are categorized as children and parental consent has been made mandatory for acquiring any of their personal data. Now, there is no clear provision as to how will the Data Fiduciary ascertain that a particular individual is a ‘child’ under this proposed legislation. The Act is very narrow and vague in this aspect. Further, the Act states that the processing will not be done by the Data Fiduciary if it is detrimental to the well-being of the child, but the Act does not define detrimental effect. 

Privacy risks

1. The accountability of the Data Fiduciary is parallel to the ‘reasonable security safeguards’ that they have taken to prevent any kind of breach of the personal data that they have collected. How and on what parameters will this reasonableness be tested is not provided anywhere in this Act. This points out another vagueness of this proposed legislation which will directly affect the privacy of the individual.

Ambiguous Central Government powers

1. The vagueness of the Act concerning the unprecedented powers of the Central Government is of great concern. Most of the provisions use the words ‘as may be prescribed’ without any limitations or clarity of the extent of such prescription that gives unrestricted power to the union government to make rules on data protection and processing. This may hamper the privacy of the individual. Further, without the parliamentary process such delegated legislation can exceed the scope of its parent legislation.
2. Then the words ‘larger public interest’ are used to restrict the use of the information but it does not restrict the government’s power to withhold the information and surpass the Right to Information Act. This weakens the authority of the Act.

Tenure and authority of the Data Protection Board of India

1. The members of the Data Protection Board of India are appointed for only 2 years, however, they are eligible for re-appointment. The concern here is that this short appointment of 2 years may affect the independent functioning of the Board.
2. The most viable concern is regarding the authority of the Board which is set up for grievance redressal. All the powers and functions of the Board along with the very appointment of its members are in the hands of the Central government which raised the question of the conflict of interest, authority, and independence of the Board to address the concerns raised against the government or government bodies. If the judge, jury, and executioner is the government itself, indirectly through a Board then the hope of people that this legislation will safeguard their Right to Privacy will be in great danger and confusion. If that is the case then such a redressal mechanism is just a show of justice with the real intention of keeping the power in the union government’s hands only.

Recommendation for enhancing the comprehensiveness of Digital Personal Data Protection Act (DPDPA), 2023

Here are some recommendations/suggestions to overcome the challenges and concerns related to the DPDP Act, 2023:

1. There should be clear limitations and parameters set while using the phrase ‘as may be prescribed’ to avoid ambiguity.
2. A detailed clause/provision must be there specifying the data to be retained, the purpose, and the duration. This will ensure transparency.
3. The Act should incorporate provisions/clauses for the protection of personal data shared on AI platforms or any digital platform.
4. A provision should be added making it mandatory for the data fiduciaries to inform the individuals about the transfer of their personal data (if it is necessary for a specified purpose). It will ensure accountability.
5. There should be a refinement of the ‘Large Public Interest’ term. It should be defined and the scope of this should be limited to prevent any misuse.
6. Regarding the ascertainment of children’s age, there should be a provision that mentions how the Data Fiduciary ascertains the age for the purpose of this Act.
7. The tenure of the Data Protection Board members should be extended to ensure stability and independence. 
8. A provision for allowing public opinion on some decisions of the Data Protection Board should be incorporated. By doing so, there will be a broader perspective and would enhance the democratic nature of the decision-making.
9. There should be an enhanced redressal mechanism. This can be done by appointing an independent body to handle the grievances against the government bodies. This will result in an unbiased adjudication.
10. Incorporate robust restrictions and guidelines for cross-border transfer of data. It should also specify under what circumstances the transfer of data may be restricted by the Central Government.

Conclusion

The Indian Digital Personal Data Protection Act, 2023 is a unique combination and compilation of the currently existing legislations on data protection around the world. India has learned and taken guidance from data protection regimes like the USA, China, Australia, etc. Though the basic structure of the Act is taken from General Data Protection Regulation, there are some key differences in the Act like wide powers to the Central Government, limited ground for processing, no right to data portability, no strict requirements for data localization, and no provision for special categories of personal data. Through this Act, the legislature has aimed to safeguard the personal data of the individual and has addressed the privacy of individuals and cross-border transfer of personal data. The drafting of this Act is intended to strike a balance between Indian law relating to data privacy and foreign laws on international trade, especially data-driven businesses.

However, the Act still is required to be more refined and detailed in certain aspects which are discussed above and we can expect the evolution of this law according to the changing scenarios of the society through amendments undertaken in future.

Frequently Asked Questions (FAQs)

Is the Digital Personal Data Protection Act, 2023 in force?

The Bill has been passed by both Houses of Parliament and also received the assent of the President of India, however, it is not in force yet. The Act and its provisions will come into force when the Central Government will issue a notification in the Official Gazette.

If the data of Indian Citizens is processed outside India will the provisions of the act apply?

Yes, the provision of the act will apply if the data of Indian citizens is processed outside India.

How to know whether any organisation is covered by the DPDP Act?

If any organisation collects and processes the personal data of any individual like name, Aadhar, PAN card, passport, etc., they will be covered under this Act.

Are there any criminal penalties for non-compliance with the provisions of this Act?

No, there are no criminal penalties for non-compliance with the provisions of the Act.

What is Data Protection Impact Assessment? I own an organisation, do I need to undertake a  Data Protection Impact Assessment?

Data Protection Impact Assessment needs to be conducted by all the Significant Data Fiduciaries. Under this assessment, the organisation needs to assess the manner and the purpose of processing the personal data, the related harm, the measures for mitigating the harm, and any other matter relating to the processing of personal data.

If your organisation is a Significant Data Fiduciary only then it needs to undertake a Data Protection Impact Assessment.

Are startups exempted from the DPDP Act?

No, startups are not exempted from the Act. Certain startups are exempted based on the volume and nature of the personal data that is processed.

Who is a child for the purpose of data processing?

An individual who has not completed the age of eighteen years is considered a child for the purpose of data processing under this Act.

What type of data does the Digital Personal Data Protection Act apply to?

The Act will apply to digital personal data and non-digitised personal data which is intended to be digitised.

Who is a ‘Consent Manager’?

A person who is accountable to the Data Principals and acts on their behalf to manage their consent is known as a ‘Consent Manager’. These consent managers need to be registered with the Data Protection Board of India.

What is the Data Protection Board?

It is an independent body that conducts inquiries, responds to data breaches, issues interim orders, determines non-compliance, and imposes penalties.

Is cross-border personal data transfer permitted?

Yes, it is permitted. However, certain transfers are restricted by the Board.

I am a Data Principal, can I withdraw my consent?

Yes, you being a Data Principal can withdraw your consent.

I have accidentally sent an email that comprised of the personal data of a third party to one of my customers, should I notify the affected Data Principal and the Data Protection Board of India?

Yes, you need to notify the affected Data Principal and the Data Protection Board of India in this case. This will be a case of a Personal Data breach which includes accidental disclosure of personal data that comprises the confidentiality, integrity, or availability of personal data.

What is the right available with the Data Principal in the event of a data breach?

The Data Principal has the right to inform the Board in the event of a data breach.

References

• https://www.meity.gov.in/content/digital-personal-data-protection-act-2023
• https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023
• https://prsindia.org/files/bills_acts/bills_parliament/2023/Digital%20Personal%20Data%20Protection%20Bill,%202023.pdf
• https://www.lexology.com/library/detail.aspx?g=1f9a998a-d150-420b-9544-79eb47ecf0c4
• https://www.mondaq.com/india/data-protection/1376950/faqs-on-the-indian-digital-personal-data-protection-act-2023#:~:text=There%20are%20no%20restrictions%20on,the%20data%20can%20be%20transferred.
• https://www.dentonslinklegal.com/en/insights/articles/2023/august/18/faqs-on-the-digital-personal-data-protection-act-2023
• https://www.nishithdesai.com/NewsDetails/10703
• https://www.twobirds.com/en/insights/2023/global/decrypting-indias-new-data-protection-law-key-insights-and-lessons-learned
• https://carnegieindia.org/2023/10/03/understanding-india-s-new-data-protection-law-pub-90624
• https://www2.deloitte.com/in/en/pages/tax/articles/Digital-Personal-Data-Protection-Bill-2023.html