Sensitive personal data

This article was written by Atharv Deotarse, pursuing the Diploma in Intellectual Property, Media, and Entertainment Laws from LawSikho, and edited by Koushik Chittella.

Introduction

To access services on digital platforms, everyone shares their personal data with organisations. In this technology-driven world, personal data has become a precious commodity, and protecting it is more critical than ever. India enacted the Digital Personal Data Protection Act in 2023, intending to provide a comprehensive framework for the protection of personal data. The Digital Personal Data Protection Act sets standards for handling your data, ensuring safety and transparency. Under the DPDPA, organisations are accountable for implementing strong security measures to protect personal data from misuse and breaches. In this article, key provisions such as data collection and processing, data security measures, cross-border data transfer, accountability and compliance, etc. are discussed in detail.

“Data” under the DPDPA, 2023

Before delving into data collection and processing, we should understand what personal data is. Section 2(h) of the Act describes “data” as a representation of facts, information, opinions, concepts, or instructions in a manner suitable for interpretation, communication, or processing by human beings or by automated means. In simple words, personal data is information from which an individual is identifiable. Unlike other privacy laws, this Act does not provide any list of examples of personal data. Remember that data can be collected in any form and later digitalised; the Act still applies to it.


Data collection and processing

To comply with the provisions of this Act, data fiduciaries (organisations) require the explicit consent of data principals (users) before collecting and processing data. The consent request from organisations to their users must be accompanied by a notice that informs users about:

  1. What kind of personal data is being collected, clearly specifying the purpose of data processing. For instance, e-commerce platforms collect data from users to manage transactions, recommend products to users, and enhance the shopping experience of users.
  2. How users can exercise their rights under the Act.
  3. How users can file complaints with the Data Protection Board of India (DPIB).

The consent request should be available in all 22 languages in the Eighth Schedule of the Constitution and written in a way that is easy to understand. The consent must be free, unconditional, unambiguous, and informed. Users also have the right to revoke their consent. Organisations must collect only the data that is required and delete data that is no longer necessary or whose consent has been withdrawn by the user. The right to use the collected data of users is limited to the purpose for which consent was obtained. However, organisations can process data without express consent where users provide data voluntarily, for example when providing data to obtain customer support or in other similar situations.

There is one exception to these limitations: organisations can use data to comply with laws and court orders. They can also use your data to perform government functions, to protect the integrity, sovereignty, and security of India, to maintain public order, to take measures during epidemics, and to safeguard employees from losses.

Rights of the data principal (individual’s or user’s rights)

A data principal under the Act is an individual whose data is being processed. Where the data of a child is processed, the term includes the child’s parent or lawful guardian, and where the data of a person with a disability is processed, it includes the lawful guardian acting on that person’s behalf. There are 5 major rights of the data principal under this Act:

  1. Right to access: They can obtain information about the activities of data fiduciaries (organisations), the personal data being processed, and the processing itself. Data principals also have the right to obtain information about all data fiduciaries and data processors with whom the data is shared.
  2. Right to correction: They have the right to have their personal data corrected and updated. Upon request, data fiduciaries must correct any inaccuracies and update or complete the personal data.
  3. Right to erasure: They have the right to have their personal data deleted, including data processed by any third-party data processor or data fiduciary. However, a data fiduciary or organisation is not obligated to delete such data if it is required for fulfilling the specific purpose for which it was collected or for legal compliance.
  4. Grievance redressal: They can submit grievances to data fiduciaries asking them to resolve any issues regarding an act or omission concerning the data fiduciary’s obligations or the enforcement of the data principal’s rights.
  5. Right to nominate: This right is one that no other data privacy legislation provides to individuals. Under this Act, a data principal has the right to nominate a person to exercise his/her data privacy rights in the event of the data principal’s death or his/her becoming of unsound mind or incompetent.

Apart from these rights, the data principal can also revoke the consent provided. The data principal is responsible for the consequences arising from such revocation. In the event of revocation of consent, the fiduciary shall stop the use or processing of that data principal’s data.

Data Security Measures

One of the key obligations of a data fiduciary under the DPDPA is to implement security measures to protect data from breaches and misuse. The data fiduciary is also responsible for incorporating technical and organisational measures to comply with this privacy law. If the data fiduciary fails to take security measures to prevent a data breach, a heavy monetary penalty will be imposed on it (Rs. 250 crore). The penalty will only be imposed after an inquiry conducted by the Data Protection Board.

In the event of a data breach, the data fiduciary must immediately report it to the Data Protection Board of India and to the affected persons within the timeframe specified in this Act. Organisations must promptly notify the affected individuals about the data breach. This notification must describe the complete nature of the data breach, the data compromised, and the measures taken. Transparency between individuals and organisations is necessary during a data breach, so that individuals understand the consequences of the breach and take the necessary precautions. Affected individuals are required to engage with the data fiduciary’s grievance redressal mechanism before presenting the matter to the Data Protection Board.

Data Protection Officer (DPO)

One of the major obligations of a data fiduciary under this Act is to appoint a DPO to comply with the provisions of this Act. A DPO is appointed to handle grievances under the Act and must be based in India. The DPO of a significant data fiduciary is also responsible for reporting to its board of directors or similar governing body. The DPO is further responsible for ensuring that data protection practices are in place, as well as conducting regular audits and assessments. But the question is, are all data fiduciaries required to appoint a Data Protection Officer? The answer is no! Only the data fiduciaries that fall under the category of significant data fiduciaries are obligated to appoint a DPO.

The central government determines the class of significant data fiduciaries on the basis of the factors listed in Section 10(1) of the Act. Section 10 considers the volume and sensitivity of personal data processed, risks to individuals’ rights, potential impacts on India’s sovereignty and integrity, threats to electoral democracy, state security, and public order.

Let us understand the difference between a significant data fiduciary and a data fiduciary by an example. Facebook (Meta) is a significant data fiduciary because it collects and processes the data of millions of Indian users. The data consists of users’ private messages, images, browsing history, etc., which is sensitive information. They process this data to target ads to users. A breach of this data would cause huge losses. That is why Facebook is obligated to appoint a Data Protection Officer. Say another company provides a food delivery service in a local area and has ten thousand active users. The amount of data they collect is not vast: they collect names, addresses, phone numbers, and emails and process them for the purpose of delivery. So this company would not be classified as a significant data fiduciary and would not be required to appoint a Data Protection Officer.

Cross-Border data transfer

Cross-border data transfer is essential for international trade and the distribution of goods and services. The initial draft of this Act of 2023 allowed cross-border data transfer under Section 16 to the territories and countries permitted by the Central Government. Such data transfers must comply with the provisions of this Act, such as serving a lawful purpose and being based on valid grounds under Section 7 of the Act.

Remember that the government has the authority to restrict the transfer of data to certain countries or territories. The government will issue a notification with the specified list of countries or territories to which data transfer is not permitted. Data fiduciaries and significant data fiduciaries have to stay updated with these notifications and avoid data transfers to restricted countries and territories. This restriction on cross-border transfer does not override any existing laws in India that might impose a higher degree of personal data protection.

Accountability and compliance

A significant data fiduciary is obligated to appoint an independent auditor under the DPDPA, 2023. The auditor’s role is to evaluate the significant data fiduciary’s processing to determine whether it is complying with the Act’s provisions or not. Additionally, significant data fiduciaries shall undertake a periodic data protection impact assessment for assessing and managing risks to data principals’ rights. Here is a compliance checklist:

Step 1: Audit team. Form an audit team experienced in data privacy, legal, and technical domains to plan, execute, and report on audit findings.
Step 2: Define audit scope. Clearly state the audit’s scope, including data processing operations, systems, and departments to be reviewed.
Step 3: Gather documentation. Collect relevant documentation related to data processing practices, such as privacy policies, data flow maps, data retention policies, vendor contracts, etc.
Step 4: Risk assessment. Conduct a risk assessment to identify potential data security concerns, considering the types of personal data collected, storage methods, processing objectives, and potential data breaches.
Step 5: Evaluate compliance with DPDPA principles. Ensure compliance with DPDPA principles: purpose limitation, data minimisation, data accuracy, storage limitation, integrity and confidentiality, and individual rights.
Step 6: Identify gaps and remediate. Identify gaps or flaws in data processing methods and create a remediation strategy to ensure compliance.
Step 7: Document audit findings and recommendations. Prepare a detailed audit report with methodology, findings, recommendations, and a remedial plan. Share the report with top management and key stakeholders.
Step 8: Implement the remediation plan. Implement the remedial plan, including policy revisions, training initiatives, technology changes, or organisational reorganisation.
Step 9: Conduct periodic reviews. Establish a schedule for periodic assessments to ensure ongoing compliance with the DPDPA and adapt to changing data privacy rules.

Steps for compliance

To comply with the Act, here are the steps that data fiduciaries and significant data fiduciaries can follow:

  • Always secure proper consent before processing personal data.
  • Provide a clear privacy notice whenever requesting consent.
  • Make privacy notices and consent requests available in English and all 22 languages listed in the Eighth Schedule.
  • Limit data collection strictly to what is necessary for the specific purpose.
  • Implement robust security measures to safeguard personal data.
  • Obtain verifiable consent for processing data of children and individuals with disabilities.
  • Delete personal data promptly if consent is revoked or the purpose is fulfilled.
  • Respond to data principals’ requests in a timely manner.
  • Avoid tracking, targeted ads, and behavioural monitoring of children.
  • Ensure personal data is accurate, complete, and consistent.
  • Conduct audits and impact assessments if identified as significant data fiduciaries.
  • Refrain from selling personal data to countries listed on the government’s negative list.
  • Maintain contractual relationships with data processors.
  • Inform the Data Protection Board of India of any breaches, regardless of the level of risk.

Penalties for Non-Compliance

Chapter V of the Act establishes the Data Protection Board of India (DPIB), the entity responsible for imposing penalties. Penalties under this Act are up to INR 250 crores (27.6 million) or 4% of global turnover.

Penalties as per the schedule in the Act:

  • For a personal data breach, penalties up to Rs. 250 crores.
  • For violations concerning the additional obligations relating to children, penalties up to INR 200 crores.
  • For infractions of significant data fiduciary duties, fines up to INR 150 crores.
  • For non-compliance with Section 15 obligations, penalties up to INR 10 thousand. For other breaches, fines up to INR 50 crores.

Conclusion

The provisions of this Act are designed to ensure the privacy and security of personal data. Organisations and companies must comply with these provisions to build trust with their users and avoid penalties. By appointing a DPO, implementing strong data protection practices, and maintaining transparency, organisations can comply with the DPDPA.
