This article is written by Adv. Komal Arora. It covers everything about the data privacy and protection laws in India. The article describes the legal framework for data privacy, its history, applicability, important concepts, etc. It also discusses the rights and obligations of data protection authorities and Data Principals, grounds for lawful processing of personal data, exemptions, penalties and other concepts connected to data privacy and protection.
Introduction
You have probably come across the expression, “Data is the new oil.” It signifies that data is a valuable asset that is being explored by businesses in order to extract huge profits. It is naturally unrefined and needs to be converted into something of value. We are now also part of the biggest digital economy, where every person is reduced to data. Data is preferred over opinions because it is more reliable and predictable: we can predict outcomes based on existing data, get insights for better business performance, make better strategies, etc. But it can be equally disastrous if the data is not handled with care. Data is indeed powerful on its own, but it needs the aid of the law to be regulated. Thus come data protection and privacy laws, and India has recently passed its much-awaited law on the subject. This article will discuss everything about the data privacy and protection laws in India.
What is meant by data protection and data privacy
There are two aspects present here: data privacy and data protection. Data privacy concerns when, how, and to what extent the personal data of a consumer can be shared and communicated to others. Personal information can be a name, address, ethnicity, phone number, marital status, etc. With the increase in internet usage over the years, there is an urgent need for data privacy regulations.
Data protection, on the other hand, is the legal safeguarding of data against any loss, damage or corruption. As data is now collected at an unprecedented rate, there is a serious issue of protecting the data collected from unauthorised access.
Evolution of data protection laws
Data privacy is not a new concept. It has been in existence since the Semayne case of 1604, where it was accepted that the house of everyone is to him as his castle and fortress. The concept of privacy evolved thereafter and was again brought to attention through an article titled “The Right to Privacy,” written by Attorney Mr. Samuel Warren and Justice Louis Brandeis, where protection of the right to privacy was recognised as the foundation of individual freedom in the modern age. Later, in 1984, privacy was recognised statutorily through the Universal Declaration of Human Rights (UDHR) by virtue of Article 12(4). Then came the Organisation for Economic Cooperation and Development (OECD) guidelines on protection of privacy and transborder flows of personal data in 1980. Countries started framing their own data privacy laws as early as Germany in the year 1970. The landmark General Data Protection Regulation (GDPR) came into effect on May 25, 2018, revolutionising data privacy and protection laws.
In the Indian context, privacy has been a matter of debate in the courts, with some judgments addressing privacy as a fundamental right and others not admitting it as a right under Article 21 of our Constitution. Finally, in 2017, the celebrated case of K.S. Puttaswamy v. Union of India (2018) pronounced the right to privacy a fundamental right safeguarded under Article 21. We already had scattered provisions in the Information Technology Act (2000), the Indian Penal Code (1860), etc. that dealt with the right to privacy, but there was no standalone, comprehensive law on the subject. Eventually, after seven years in the making and three attempts to pass the privacy legislation, India adopted a full-fledged data protection and privacy law on August 9, 2023.
Role of Justice Sri Krishna committee in data protection laws
In the year 2017, the government of India, through its Ministry of Electronics and Information Technology, appointed a committee of ten members under the chairmanship of Justice B.R. Krishna (a retired Supreme Court judge). This committee was tasked with submitting a detailed report on the introduction of a data privacy law in India. The committee finally submitted its report on the data protection framework on July 27, 2018.
- The committee recommended a clear distinction between sensitive personal data and critical personal data, with separate provisions for the collection and processing of different kinds of data. It was suggested that the term ‘personal data’ covers any kind of data that allows identification of an individual, whether directly or indirectly. Sensitive personal data, however, relates to more intimate matters such as the caste, religion and sexual orientation of a person. It was also made clear that critical personal data should be processed only in centres located within the country.
- The report suggested that there is a fiduciary relationship between the service provider and the individuals whose data is collected. So, the service provider is always under an obligation to deal with the personal data of individuals in a fair and transparent manner and also to give the individual notice of data collection at various points. Also, the service provider would be bound by the ‘purpose limitation principle’, which states that personal data should be collected only for limited, explicit and specified purposes.
- The law was suggested not to have any retrospective effect; it would be enforced prospectively, but only in a structured manner.
- The committee strongly suggested that the processing of personal data should have clear, specific and lawful purposes alone. The data should be processed only when it’s consented to by the individual. This consent may, at any time, be withdrawn by the individual.
- A special mention was made in regard to the data on children. It said there needed to be stricter provisions for protection of their data.
- It was also pointed out that there may be four situations in which non-consensual processing of data may be allowed. These are:
  - When the processing is relevant for the state in order to perform its welfare functions.
  - When it is required to comply with the law or legal orders within India.
  - When the processing is necessitated by the need to act promptly.
  - In the scenario of employment contracts.
- The committee also put forth the idea that all organisations and firms that collect personal data should mandatorily appoint data protection officers. These officers would become the main point of contact for users who have any grievance about the collection of their data by the concerned company.
- The committee also made a key recommendation of imposing higher penalties, ranging from 2-4% of the company’s worldwide turnover or fines between Rs. 5 crore and Rs. 15 crore, whichever is higher.
- Another highlight of the committee’s report was that the data protection law enacted would have jurisdiction over the processing of personal data when that data has been used, stored, disclosed, or collected anywhere in India; it doesn’t matter where the data is actually processed.
- The report also suggested the setting up of a data protection authority that would be an independent regulatory body responsible for the enforcement and implementation of the data privacy law. This body would be responsible for conducting research and spreading awareness on the issues as well. Any decision rendered by this authority could be appealed against and heard by an appellate body.
- The committee also stated that an individual has certain rights, such as the right to access their data, to correct it, to withdraw their consent, the right to object to data processing, the right to be forgotten, etc.
- As per the report of the committee, amendments would be needed in laws such as the Information Technology Act, 2000; the Census Act, 1948; the Aadhaar Act, 2016; and the Right to Information Act, 2005.
After the committee submitted its recommendations along with a draft privacy bill, the bill remained in limbo. Its first draft was made public in July 2018 and then revised in December 2019. The Bill was then referred to a joint parliamentary committee, which submitted its report two years later, in December 2021. Later, the government decided to withdraw the bill as there were too many proposed changes to be incorporated. In November 2022, the Ministry of Electronics and Information Technology released a draft bill for public consultation. Finally, in August 2023, the government introduced the Digital Personal Data Protection Bill, 2022. After much consultation and amendment, the Digital Personal Data Protection Bill of 2023 was finally passed and received the President’s assent, six years after the process began. Throughout this span of six years, there were a total of five different versions of the bill, each introducing some amendments to the proposed legislation. Let’s take a look at how the Digital Personal Data Protection Act, 2023 (referred to hereinafter as the “DPDP Act”) differs from the committee’s recommendations:
- It is claimed that the DPDP Act does little for the individuals concerned. It might be useful for government agencies and even for businesses, but not for the individuals whose data is collected and processed.
- The DPDP Act covers only digital data and not data that is stored in physical form. The committee recommended that, irrespective of the format the data is stored in, it must be protected. Section 2 states the Act’s applicability: the DPDP Act applies only in relation to the processing of digital personal data, that is, data collected in digital form or non-digital data that is subsequently digitised.
- Another weak point of the law compared to the recommendations of the committee is that the DPDP Act exempts the government from its responsibilities under the Act. A privacy law will serve its purpose only when it is equally applicable to private individuals, entities and the government. Section 17(2) of the DPDP Act exempts the government from such obligations in the interests of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or prevention of the commission of any cognizable offence, etc.
- Not only that, it also states that the Central Government has the power to exempt certain classes of Data Fiduciaries, such as startups, from the ambit of the DPDP Act.
- Moreover, on analysing Section 18 of the DPDP Act, it becomes clear that the Data Protection Board becomes a ‘captive entity’ of the government and works directly under its direction. This undermines the independence of the Board and affects its functioning.
- Section 36 of the DPDP Act gives the Central Government an upper hand and allows it to call for any information that it may require. Provisions like these may hinder the full protection of the fundamental right to privacy.
- In addition to a number of rights recommended by the committee, a right to nominate has also been added to the final Act. Section 14 states that the Data Principal has the right to nominate any individual who would, in the event of his death or incapacity, exercise his rights in accordance with this DPDP Act.
- The DPDP Act, through Section 33, states in detail about penalties. While deciding upon the penalties, the Data Protection Board may consider the nature and gravity of the breach, the type and nature of breach, repetitiveness, gains or losses from breach, etc. As per the schedule attached, these penalties may range from Rs. 10,000 to Rs. 50 crore to Rs. 200 crore.
Need for data protection and data privacy laws in India
We cannot deny anymore that we live in a digital age where everything is on our screens. From our data to our currency, from movies and songs to shopping, every domain has been digitised. In such a digitalised world, information proves to be significant. In this age of digitalisation, when everything has moved to our digital devices, our personal and non-personal information has moved with it. As a result, the perils to our data privacy have increased manifold. India is an economy that is growing rapidly, and with that growth, the importance of our sensitive data has also been recognised. The introduction of strong data privacy laws in India has recently assumed more significance after the Puttaswamy decision, which held that the right to privacy is indeed a fundamental right.
The need for data protection and privacy laws can be summarised as follows:
- Provides for protection of personal and non-personal information of people: Data privacy laws are aimed at ensuring proper protection and security of the personal and non-personal information of citizens. These laws regulate how the information is collected and processed, the grounds of consent of the individuals, penalties in case companies do not protect the data as required by the law, etc.
- Builds stronger trust and confidence: These laws are also vital as they build a stronger foundation for trust and confidence amongst people. When companies prioritise the privacy of their users’ data and use that data scrupulously, it showcases their commitment to protecting personal data, which in turn helps consumers build a better and stronger relationship with the concerned company.
- Preserves the right to privacy: As we have already mentioned, the Indian Constitution acknowledges the right to privacy of an individual as a fundamental right. This implies that every individual has a right to their own data. It allows them to decide how they want their data to be used and when they want to withdraw their consent or object to the processing of their data.
- Increased digital footprints: India has a population of more than a billion people, and it is no surprise that a significant part of the population is now connected to the internet. With the extensive use of social media such as YouTube, Instagram, TikTok, etc., people are leaving digital footprints all over the internet. If not handled correctly, this invites major data breaches in which our personal data and history may be made public.
- Lack of awareness: The sheer lack of understanding of data privacy in our nation is another reason to bring in such a law. People use the internet all the time, but they do not really understand the law behind it, and they are unable to comprehend the consequences of their actions at the time. Once such a law is in place, there will be more awareness about the importance of privacy on digital platforms, and it will be easier to educate people about their rights and obligations while they are active on digital platforms.
- Prevents data breaches, identity theft, etc.: With the increasing number of people who have joined the digitisation process, there are higher chances of offences being committed, such as fraud, identity theft, data breaches, etc. Data privacy laws play a crucial role in putting in place mechanisms that help prevent these offences.
- Promotes innovation and economic growth: A country with properly regulated data protection laws can promote a legal framework that balances the individual’s right to privacy with digital growth. As newer companies find their place, data privacy will gain the significance it deserves. More nations and companies will consider investing in our companies if our data protection framework is strong.
- Maintains children’s privacy: Children too have become more active on all digital platforms, which creates a need for special laws and provisions to ensure the protection of their data. The issues concerning their consent and their rights need special attention as they are quite different from the normal cases of data collection. A lot of games easily collect diverse personal information about kids in order for them to play, and kids are unaware of the ramifications. A proper law in place would make sure not only that such data is protected but also that there is more awareness about it.
- Data ethics: These laws serve the purpose not only of regulating data processing and collection but also of data ethics. Data ethics are the principles that ensure that data collection and processing are based on ethical standards, that data processing is fair and transparent, and that the processing is non-arbitrary and non-discriminatory.
- Rights of the individual: Data protection laws empower the individual in more than one way. They get a right to know about their data, its collection, storage and transfer, and also a right of redressal in case of any violation. They are properly compensated for any data breach. The law sets up an effective grievance redressal mechanism and makes people aware of the rights they possess in relation to their data.
- Facial recognition and surveillance: New technologies such as facial recognition and surveillance have time and again raised concerns about the privacy of people’s data. These regulations address those concerns and ensure more responsible data collection.
Data protection laws have assumed more and more significance throughout different territories of the world as more people have started engaging online. They need legislation that helps them place their trust and faith in the digital mediums. They need to know how and what data of theirs is collected, how it will be used, transferred, stored, disposed of, etc. Through these laws, they will be able to understand the privacy policies of the companies they are interacting with or purchasing products from.
In summary, data protection and privacy laws are of significance as they ensure that our data is kept safe in this digitalised world. Our data is immensely valuable and shouldn’t be misused or, in fact, used without our express consent. If any deviance happens, action would be taken in accordance with the data protection laws in place. However, if there’s no law in place, the offenders would go scot-free and our personal data would be out in the open. Moreover, the government generally possesses more of our data. Any data breach that occurs would put a lot of data in jeopardy. With these laws in place, not only private companies but also government departments and sectors would be bound by them.
Data protection and data privacy laws in India
Overview of the IT Act, 2000
The Information Technology Act came into effect in 2000 and was amended in 2008. Section 43A of the Act states that if a body corporate that possesses, deals with or handles sensitive personal data or information of an individual is negligent in ensuring reasonable security practices, and this results in wrongful loss or damage, then such body corporate is liable to pay damages. There are also the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which deal with the protection of sensitive personal data such as financial information, sexual orientation, medical records, etc. Section 72A of the IT Act provides punishment of a fine extending to Rs. 5,00,000 or imprisonment for a term extending to three years for the knowing and intentional disclosure of information, without the consent of the person concerned, in violation of the terms of a lawful contract.
Overview of the Digital Personal Data Protection Act, 2023
The DPDP Act is a recent piece of legislation for the processing of personal data in India. It was finally adopted almost six years after the Supreme Court recognised the fundamental right to privacy under Article 21. The DPDP Act is framed against the backdrop of privacy laws around the world, like the European Union’s GDPR, and thus deals with privacy and protection obligations concerning personal data. It is considered that the DPDP Act borrows some concepts directly from the GDPR and has a wide range of applicability extending outside Indian territory. While on one hand the Act imposes stringent obligations against unlawful processing of personal data, on the other hand there are significant exceptions for governmental bodies. The DPDP Act establishes a comprehensive framework for the processing of personal data and has replaced the limited provisions of the IT Act. Here are some important aspects of the DPDP Act:
- Bodies formed under the DPDP Act: The Act uses various terms which can look confusing at the outset. It is important to understand the difference between terms such as Data Processor, Data Fiduciary, Data Principal and data controller. The person whose personal data is collected is called the Data Principal. The Data Fiduciary is the body that determines the purpose and means of processing personal data; its position is equivalent to that of a data controller under the GDPR.
- Exceptions allowed under the DPDP Act: Exceptions in the interest of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order and prevention of incitement to commit offences are allowed under the DPDP Act.
- Applicability of the DPDP Act: The Act has extra-territorial application and places no restriction on international data transfers.
- Grounds for lawful processing of personal data: Consent is the primary ground for lawful processing of personal data. Data Fiduciaries can also identify certain legitimate uses for lawful processing of data.
- Data subject rights and obligations: There are rights for Data Principals, like the right to access, the right to erasure and the right to object, and there are also obligations, non-compliance with which leads to fines and punishment.
Applicability of data protection and data privacy laws in India
The DPDP Act will apply to those organisations that meet the following conditions:
- The organisation processes digital personal data that is capable of identifying the Data Principal to whom the collected data belongs.
- The data being processed is collected by the organisation in digital form.
- The organisation processes personal data within Indian territory, or the processing is done outside India but in connection with an activity offering goods or services to individuals in India.
Data protection authorities under the DPDP Act
There are various terms used under the Act, which can be confusing. So, let’s understand the meaning of these terms:
- Data Fiduciary: Defined under Section 2(i) as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
- Data Principal: Defined under Section 2(j) as the individual to whom the personal data relates and, where such individual is:
  - a child, includes the parents or lawful guardian of such child;
  - a person with a disability, includes their lawful guardian acting on their behalf.
- Data Processor: Defined under Section 2(k) as any person who processes personal data on behalf of a Data Fiduciary.
- Data Protection Officer: Defined under Section 2(l) as an individual appointed by a Significant Data Fiduciary under Section 10(2)(a).
- Consent Manager: Defined under Section 2(g) as one who enables Data Principals to give, manage and withdraw consent through an accessible, transparent and interoperable platform.
- Significant Data Fiduciary: Defined under Section 2(z) as a Data Fiduciary or class of Data Fiduciaries notified by the Central Government under Section 10 of the Act.
Innovative facts about the DPDP Act
The DPDP Act is considered to be a transformative piece of legislation, considering that protection of data and ensuring the fundamental right to privacy are sine qua non to our existence. Here are some interesting and innovative facts about the DPDP Act that make it even more relevant in today’s world:
- The DPDP Act follows the concept of being SARAL, which means it uses simple, plain language, contains illustrations for better explanation, contains no provisos and has minimal cross-referencing of provisions.
- The DPDP Act signals a shift towards individuals’ capacity and authority to control, supervise and protect their personal data.
- It also instils confidence in the security of data held by Data Fiduciaries and ensures diligent processing of data with accountability of the authorities.
- The DPDP Act focuses on consent as an important ground for lawful processing of personal data, so it places great weight on the judgement of the Data Principal.
- It also allows the Data Principal to rectify incorrect or incomplete data they have given, or even to withdraw their consent the moment they wish, without facing any consequences for it.
- The DPDP Act is notable in that it uses the word ‘she’ instead of ‘he’.
- It holds all Data Fiduciaries accountable for their actions after the Data Principal withdraws consent; the previous bills were silent on this.
What is personal data
The term personal data is defined under Section 2(t) as any data about an individual who is identifiable by or in relation to such data. Information such as the name, location, identification number, or the mental, economic, cultural, social and physical identity of a person is personal data. There is no provision detailing what is included in personal data and what is not.
Under the GDPR, Article 4 defines personal data as information that relates to an identified or identifiable natural person, directly or indirectly. The GDPR does not protect the data of non-natural persons, whereas the DPDP Act specifically provides that the term ‘person’ as defined under Section 2(s) includes a natural person, a company, a Hindu undivided family, a firm, an association of persons, the State and every juristic person. The GDPR also focuses on identifiability through data: any piece of information that may be used to identify a person falls under the purview of personal data. This may include a telephone number, credit card number, identification number, address, appearance, number plate, fingerprints, etc.
Sensitive personal data
The term sensitive personal data means any identifiable data which can be considered sensitive to a person, like racial or ethnic origin, sexual orientation, biometric data, health-related data, etc. The GDPR distinguishes between personal data and sensitive personal data, and Article 9 of the GDPR deals with the processing of sensitive personal data. In the Indian context, at present, provisions regarding the processing of sensitive personal data are missing from the DPDP Act, 2023.
The 2019 draft of the Personal Data Protection Bill, which included such provisions based on the recommendations of the Sri Krishna Committee, classified data related to sex life, sexual orientation, transgender or intersex status, caste or tribe, and religious or political belief or affiliation as sensitive personal data. Data is classified as sensitive personal data depending on factors like potential risk, expectation of confidentiality, potential to suffer significant harm, etc. When data falls under any of these factors and is considered unsafe to be revealed to the public, it is protected as sensitive personal data and is thus processed differently from ordinary personal data.
Earlier, we had provisions specifically relating to sensitive personal data in the Personal Data Protection Bill, 2019 and also in the IT (Sensitive Personal Data) Rules, 2011. Section 43A of the IT Act, 2000 also allowed compensation for negligence in the processing of sensitive personal data.
But the DPDP Act that eventually came into force surprisingly has no provision for sensitive personal data. There is no reference to the term in the whole Act: no definition, no processing guidelines and no compensation in case of any damage.
Key principles of data protection
With the unprecedented significance that data has taken on in recent times, abiding by the principles that underpin data protection and privacy has become paramount. Let’s take a quick look at the indispensable principles governing data protection laws.
Data minimization
Considered to be one of the most crucial principles, data minimisation aims to limit data collection and forms the bedrock of recent legal developments throughout the world. The purpose of the principle is to focus on the collection of the required data alone and to disallow any gathering that serves no purpose. The reason behind this is that any unnecessary data increases potential risks and might breach an individual’s privacy. Following this approach, it is important for data collectors to state the reason for their data collection too, so that data is not collected for one reason and then used for another without the valid consent of the Data Principal. This principle strengthens the trust and faith placed by people in organisations that collect their personal data.
Valid consent
Consent is undoubtedly the cornerstone of any data collection. For the collection of private data by any person to be legitimate, it must be accompanied by valid and express consent. The user can only give valid consent when they are not kept in the dark about the data collection, its usage, their rights, etc. Only once the relevant information is given to them can Data Principals offer their explicit consent for any purpose. It is for this reason that most laws now prefer opt-in clauses over opt-out clauses.
This means that every individual has the power to choose whether they wish to share their information; their inaction does not substitute for explicit consent. This promotes proper transparency between the concerned parties and allows users to make well-informed decisions about their information. This principle has been recognised in the recently enacted Indian privacy law in Section 4, to be read with Section 6, which states that consent should be a free, specific, informed, unconditional and unambiguous indication of one’s wishes.
Lawful data collection
This principle states that the purpose of data collection should be lawful and fair. Whatever the reason for data collection, it should be legitimate and not contrary to the law. For example, data collection in furtherance of contractual purposes or legal obligations is considered lawful. The collection should not result in discrimination or any harm or injury to individuals. This means not only that the purpose of collection should be lawful but also that the data collection should strictly adhere to local and global laws that may impact data collection. This principle aims to promote ethical standards and practices that must be followed for data collection and processing. It also finds a place in the Indian privacy law under Sections 4 and 7 of the DPDP Act; Section 4 explains that a lawful purpose means any purpose that is not expressly forbidden by law.
Accuracy
The collected data should also be accurate and up to date. The data controller should make an effort to ascertain that the data collected, if inaccurate, is corrected with regard to the purpose for which the data was collected. The data controller should take active measures to ensure that the information is not only correct but also complete and reliable. Any data collection can serve its true purpose only if the information is reliable and correct. This also means that the data should be verified periodically, with mechanisms in place to regularly review and update the information, and proper documentation of accuracy measures must be maintained. Section 8 of the DPDP Act states a similar principle: the Data Fiduciary should make reasonable efforts to ensure the completeness, accuracy and consistency of personal data.
Limitations on the storage of the data
This principle makes sure that the data is retained only for a limited duration and isn’t kept indefinitely. The data should be gathered, stored for the minimum time needed and later disposed of safely. The data should not be kept for longer than necessary, so once the purpose for which the data was collected is fulfilled, the data should be disposed of accordingly. When the data has reached the end of its retention period, it can be disposed of using secure methods such as data shredding, encryption or other secure methods. The principle of data retention can be seen in Section 8 of the DPDP Act as well. It states that the Data Fiduciary shall delete the retained data when the consent for the same is withdrawn or when it has served the purpose for which it was collected.
Confidentiality
Confidentiality is considered one of the most vital principles governing data protection. It states that personal data should be collected, stored and transferred in a manner that is confidential and prevents any unauthorised access. This principle doesn’t just mean that the Data Collector must be meticulous in data collection; it should also maintain the security of the storage system. Proper encryption, access controls and storage systems play a major role in maintaining confidentiality. Not only that, it also ensures that the transfer of the data is secure and protected. A similar provision can be seen in Section 8 of the DPDP Act as well, which states a number of general obligations of the Data Fiduciary, which are detailed below.
Accountability
Another principle that forms a very important facet of data protection law is the principle of governance and accountability. It refers to the obligation on the data collectors to establish a robust framework for data collection that not only outlines their responsibilities but also provides a system for grievance redressal. It mandates the appointing of data protection officers, conducting data protection assessments, and proper monitoring and auditing of the processing activities. All of these additional obligations of a data fiduciary can be seen in Section 10 of the DPDP Act, where the fiduciaries are expected to appoint data protection officers and independent data auditors, undertake data protection impact assessments, periodic audits and other measures.
To summarise, these principles of data protection and privacy in the digital age demand a more open and holistic approach. These principles are the pillars on which the laws of data protection stand strong and robust. As we delve deeper into technological advancements, relying on these principles becomes increasingly crucial.
Rights of data principals
In this digital era, our data flows quite smoothly through different channels for different purposes, even if we are not aware of it. Data privacy laws fulfil quite an essential purpose in this situation, which is safeguarding the right to privacy of individuals. The individuals are generally referred to as the data subjects. As our societies become more and more reliant on digitalisation, there is a growing need to recognize certain principles that ensure that our data is treated carefully. These laws thus have a plethora of rights accorded to individuals for better handling and processing of their personal information. These rights may differ from jurisdiction to jurisdiction. However, there are a few common rights that are provided under Chapter 3 of the DPDP Act, which include the following:
Right to information
Individuals have a right to be well informed about any collection, processing and storage of their personal data. They should know the purpose of the collection, the categories of data involved, the confirmation of the processing, a summary of the information collected or any other information such as the transfer of the data to any third parties as may be needed under the specific laws. This ensures better transparency in the data collection process, which is vital for individuals to gain trust in the companies that collect their data. Once people have this requisite information, they can exercise better control over their data.
Right to access
The individuals also have a right to access their personal data once it has been collected by the organisation. This gives them power over their acquired data and ensures that the information the organisation has collected is true and accurate. The companies that collect the personal data are obligated to give them access to their data within a reasonable time period. This right doesn’t just guarantee them a right to get all the requisite information but also a copy of it. It gives the individual crucial information such as the purpose of data collection, categories of data, the period for which it will be stored, whether it’s used for automated processing, the source of data collection, etc.
Right to rectify the information
The data subjects also have a right to correct the information if it is inaccurate or old. This right has been included in the DPDP Act under Section 12. It states that a data collector or fiduciary, as the Act provides, shall be bound to correct the incorrect or misleading personal data or complete any incomplete personal data. He is also bound to update any information that may be outdated.
Right to be forgotten
The individuals also have a right to be forgotten, where they can claim that any information that pertains to them is deleted if it’s no longer necessary, if it has fulfilled the purpose that it was collected for, or when the consent has been withdrawn. This right directly links to the principle of data minimisation, which states that less data should be collected from individuals and only that data must be collected that has a purpose to serve. This right can be seen in Section 12 of the DPDP Act. It states that if a data fiduciary receives a request from the data principal to erase personal data that’s no longer necessary for the purpose, it must be erased unless its retention is necessary for some legal purpose.
Right to data portability
The individuals have another right to request a copy of their personal data in a readable format that also allows them to transfer the data to another person. This right as well tries to uplift the rights and control of individuals over their own data so that they can facilitate the sharing of their data as per their needs and wishes.
Right to object to the processing of the data
The data subject also has the right to object to the processing of their data. If there are legitimate grounds to deny such processing, then they can object to the processing of the information. This right grants the individual ownership over their data so that they can curtail its access and limit unwanted uses of their data. This right has a similar consequence to the case where the individual withdraws his/her consent. The reasons for such an objection should accompany the objection application.
Data Protection Impact Assessment (DPIA)
The data privacy laws also provide for organisations to conduct data protection assessments for any activities that may pose a high threat to the privacy of individuals. These assessments are aimed at analysing the necessity, proportionality and compliance of the companies with the data privacy laws. By means of these assessments, companies that collect our data can take active measures to identify any data privacy risks and address those risks before they result in major breaches.
Right to lodge complaint
The individuals have a right to lodge complaints with the data protection authorities. In the DPDP Act, Section 13 grants the right of grievance redressal to individuals, where they can register their grievances with the Data Fiduciary. The DPDP Act also provides that if the data principal isn’t satisfied with the response of the data fiduciary, he may, within seven days, register a complaint with the Data Protection Board. Though the data protection laws grant individuals these rights, there are certain points that must be kept in mind while exercising these rights to reap their maximum benefits. While exercising these rights, you should act promptly, without any delay. Whenever your right arises, try exercising it as soon as possible. Sitting on a breach may create an estoppel against you.
If you communicate with your data controller or fiduciary in reference to any of these rights, then that communication must be clear, concise and intelligible. Try keeping records of every communication and engagement with them. While exercising these rights, keep proof of your identity handy, as it may be required to confirm your identity. As the world delves deeper into digitalisation, these rights serve as the bedrock of a fair, accessible and transparent data system. They protect individuals from various breaches and reinforce their faith in the collector and the system. They make individuals more vigilant about their rights and how to exercise them. These rights have been designed in such a manner that they emphasise the privacy of an individual, help maintain their autonomy and also commit to a responsible culture of data collection. These rights undoubtedly help create a delicate balance between innovation, growth and individual autonomy.
Obligations and responsibilities of data fiduciary
A Data Fiduciary is an important part of the framework. They are responsible for non-compliance with legal provisions, for failure to perform duties owed to the Data Principals, etc. Their obligations are covered under Chapter 2 of the DPDP Act and can be summarised as follows:
- A Data Fiduciary may engage or appoint a Data Processor to process the personal data on its behalf for offering goods and services to the Data Principals.
- A Data Fiduciary is under an obligation to ensure that the data is complete, accurate and consistent when it is to be used to make a decision that affects the Data Principal or is disclosed to another Data Fiduciary.
- He must carry out his duties and responsibilities, irrespective of agreement to the contrary.
- He shall adopt appropriate technical and organisational measures to make sure that there is effective observance of the provisions of this Act and its rules.
- He shall protect personal data in his possession or under his control, which also includes processing undertaken by him or on his behalf by a data processor, by taking reasonable safeguards to prevent personal data breach.
- When there is any data breach, the Data Fiduciary is under a duty to give intimation of it to the Board and the Data Principal in the manner and form prescribed under the DPDP Act.
- The Data Fiduciary shall erase personal data when the Data Principal withdraws consent or when it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, and make the Data Processor erase personal data made available by the Data Fiduciary. The exception is when retention of data is required under the law. For example: A decides to close her savings account with a bank. The bank is required by law to maintain the record of A’s identity for a term of ten years beyond the closing of the account. It is permissible to retain the data.
- The Data Fiduciary shall publish the business contact information of the Data Protection Officer or any person who is able to answer, on behalf of the Data Fiduciary, any questions raised by the Data Principal regarding the processing of personal data.
- The Data Fiduciary shall also establish a mechanism for redressing grievances of the Data Principals.
There are also some additional obligations for the Significant Data Fiduciary given under Section 10 of the DPDP Act. Significant Data Fiduciaries are notified by the Central Government on the basis of an assessment of factors such as:
- Volume and sensitivity of personal data processed
- Risks to the data principal
- Potential impact on the sovereignty and integrity of India
- Risk to electoral democracy
- Security of the state
- Public order.
The additional obligations of a significant Data Fiduciary include the following:
- He shall appoint a Data Protection Officer who:
  - shall represent the Significant Data Fiduciary under the provisions of the DPDP Act;
  - should be based in India;
  - should be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and
  - should be the point of contact for the grievance redressal mechanism under the provisions of this Act.
- He shall appoint an independent data auditor to carry out the data audit, who shall evaluate the compliance of the Significant Data Fiduciary with the Act.
- He shall undertake the following measures:
  - periodic data protection impact assessment;
  - periodic audit; and
  - such other measures as are consistent with the provisions of the DPDP Act.
Grounds for collecting data
Section 4 of the DPDP Act provides for two basic grounds for collecting personal data: consent and legitimate use.
Consent
Definition of consent
Consent as a ground is also mentioned in the GDPR and Article 4 (11) defines consent as a freely given, specific, informed and unambiguous indication of an individual’s wishes by which they signify agreement to the processing of their personal data through a statement or clear affirmative action. Section 7(1) of the DPDP Act defines consent on quite similar lines and also adds the element of a specified purpose. It means that the purpose for which personal data is processed should be specified in the notice through which consent is sought.
Notice
Section 5 of the DPDP Act provides for the requirements for a notice. It states that every request made to a Data Principal under Section 6 for consent shall also be accompanied by a notice given by the Data Fiduciary with these essentials:
- Information about the personal data and the purpose for which it is proposed to be processed,
- Manner in which the Data Principal may exercise their rights under Sections 6 and 13; and
- Manner in which the Data Principal may make a complaint to the Board, in such manner as may be prescribed.
The notice can be in electronic form, a separate document or part of the same document through which personal data is sought to be collected.
Duty of Data Fiduciary
Article 7 of the GDPR and Section 7 of the DPDP Act both provide that in case any question of consent arises in any proceedings, the Data Fiduciary will be required to prove that he has provided appropriate notice and that consent has been obtained pursuant to the notice.
Withdrawal of consent
Under Section 6(4) of the DPDP Act, Data Principals have a right to withdraw consent anytime with ease, comparable to the ease of giving consent. Further, Section 6(5) provides that the consequences of such withdrawal are to be borne by the data fiduciary. Subsection (6) states that in cases where the data principal withdraws her consent, the data fiduciary shall, within a reasonable time, cease and desist from the processing of personal data of such principal. There is also a Consent Manager who will manage the process of withdrawal of consent.
Similarly, Article 7 of the GDPR provides for withdrawal of consent, but it doesn’t specifically state that the consequences of withdrawal are to be borne by the data fiduciary. So, the DPDP Act’s approach is considered a fresh one in requiring the data fiduciary to take on responsibility for the withdrawal of consent.
Consent Manager
The DPDP Act creates an important authority called the Consent Manager, following the recommendation of the Justice Srikrishna Committee. Section 2(g) defines the term as a person registered with the Data Protection Board who is the single point of contact between the data principal and the data fiduciary for consent. His role is to enable an individual to give, manage, review and withdraw consent through a platform that is transparent, accessible and interoperable. It is not mandatory to appoint a consent manager under the Act. A data fiduciary may elect to appoint a consent manager to give, manage or withdraw consent. There is no set of obligations for consent managers; however, Section 40 provides that the Central Government has the power to make rules on it.
The Reserve Bank of India introduced Account Aggregators (AAs) in September 2021. These AAs were launched in order to facilitate the consented transfer of financial data between financial entities like banks or insurance companies. Their function is to manage the consent of the customers for the sharing of their financial data. Some commentators consider that the roles of AAs and consent managers are almost the same, except that they exist in different fields.
There are three entities in the framework for consent managers.
- Information providers: These are the original custodians of data who collect and store data of individuals.
- Information users: These are entities that require data from the Data Principals in order to provide certain services.
- Consent managers: These entities facilitate consent for the sharing of personal data.
The process begins with the Data Principal selecting an information user in order to opt for a service. The information user then sends an electronic data transfer request to the Consent Manager. Once the request is reviewed and consented to, the Consent Manager will intimate it to the information provider, who then transfers the data to the information user in encrypted form.
Legitimate use
The second ground for lawful processing of data, as given in Section 4 of the DPDP Act, is that of legitimate use. Section 7 provides details on the concept by listing out the legitimate uses of the data collected:
- Voluntary giving of data: The data can be collected for a specific purpose for which the Data Principal has voluntarily provided personal data to the Data Fiduciary, and where it is not indicated by the Data Principal that she does not consent to use of personal data. For example: When A goes to a pharmacy, he voluntarily gives his personal data while making payment for the purchase or if A contacts B, a real estate broker, to find a suitable accommodation, he shares his personal data for this purpose. It is said that A has voluntarily given personal data in such scenarios.
- State and its instrumentalities: The State and its instrumentalities can collect the data for providing benefits, services, certificates, licences, subsidies or permits in these cases:
  - if the Data Principal has previously consented to the processing of personal data by the State or its instrumentalities; or
  - if such personal data is available in digital form, or in non-digital form and digitised subsequently, from a database, register, book or other document maintained by the State or its instrumentalities.
  For example: A is a pregnant woman who enrols herself on a website to avail herself of the government’s maternity benefits scheme and thus consents to sharing her personal data. The government may process her personal data to determine if she is eligible for the benefit.
- Performance of legal obligation: Another legitimate use mentioned is when the State and its instrumentalities have to perform any function under any law for the time being in force in India, or in the interest of the sovereignty and integrity of India or the security of India.
- In accordance with disclosure provisions: Personal data can also be collected for fulfilling an obligation under any law for the time being in force on any person to disclose information to the State or its instrumentalities, subject to it being in accordance with the provisions for disclosure of information in any other law for the time being in force.
- Compliance with the court’s order: It is permissible to collect personal data to comply with a judgement, order or decree issued under any law for the time being in force in India, or any judgement or order relating to claims of a contractual or civil nature under any law for the time being in force outside India.
- Medical emergency: Personal data is permitted to be collected in cases of medical emergencies that may involve a threat to life or an immediate threat to the health of the data principal or any other individual.
- Medical treatment: Also, other than collecting personal data for the purpose of a medical emergency, it can be allowed to take measures to provide medical treatment or health services to any individual during epidemic, outbreak of disease or any other threat to public health.
- Ensuring safety: Personal data is allowed to be collected for taking measures to ensure safety, providing assistance or providing services to any individual during a period of disaster or breakdown of public order.
- Employment: The last legitimate use for collecting data is for the purpose of employment or safeguarding employers from loss or liability. For example: prevention of corporate espionage, maintenance of confidentiality of trade secrets and intellectual property, or providing benefits sought by the data principal who is an employee, etc.
Processing personal data of children
Where the Data Principal is a child, the term also includes their parents or lawful guardian; the same applies to persons with disabilities. A minor or a person with a disability cannot consent to the processing of their personal data. It is essential in such cases for the Data Fiduciary to obtain the verifiable consent of the parent or guardian under Section 9 of the DPDP Act. It also provides that a Data Fiduciary shall not undertake any processing of personal data that is likely to cause a detrimental effect on the well-being of a child. He shall also not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
Data Protection Board of India
Chapter 5 of the DPDP Act deals with the Data Protection Board of India (DPBI). Under Section 18, the Central Government establishes the DPBI. It shall be a body corporate with perpetual succession and a common seal that can contract, sue or be sued.
Composition and term of Board
The Board comprises a Chairperson and other members as notified by the Central Government. In order to be eligible, the Chairperson and other members shall be persons of ability, integrity and standing who have special knowledge or practical experience in the field of data governance, administration or implementation of laws relating to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field that, in the opinion of the Central Government, may be useful to the Board. At least one of them must be an expert in the field of law. The term of the Chairperson and other members is two years, and they are eligible for re-appointment.
Powers of the Chairperson
By virtue of Section 26, the Chairperson shall have the following powers:
- He can exercise general superintendence and give direction with respect to all administrative matters of the Board.
- He can authorise any officer of the Board to scrutinise any intimation, complaint, reference or correspondence addressed to the Board.
- He can authorise performance of any functions of the Board, conduct its proceedings by an individual member or group of members and allocate proceedings among them.
Powers and functions of the Board
Section 27 of the DPDP Act details the powers and functions of the Board, in the following manner:
- On getting intimation of any personal data breach under Section 8(6), the Board shall direct urgent remedial or mitigation measures, inquire into such personal data breach and impose penalties as provided.
- When a complaint is made by a Data Principal regarding a personal data breach or a breach by the Data Fiduciary in the observance of its obligations, or a reference is made by the Central Government or a State Government, or in compliance with a court’s orders, the Board shall inquire into such breach and impose a penalty accordingly.
- When a complaint is made by the Data Principal for breach of obligations by the Consent Manager, the Board has to inquire into such breach and impose a penalty as per the provisions of the Act.
- On getting intimation of a breach of any condition from a Consent Manager, the Board will inquire into the breach and impose a penalty.
- In case of a reference made by the Central Government regarding a breach of Section 37(2), the Board will inquire into it and impose a penalty.
It also further clarifies that for the effective discharge of its functions, the Board shall give the person concerned the opportunity of being heard and record its reasons in writing, and then it shall issue such directions as considered necessary. Such direction can be modified, suspended, withdrawn or cancelled by the Board on a representation made by such person and also impose conditions for it.
Exemptions
Section 17 of the DPDP Act deals with exemptions by stating that Chapter II (obligations of data fiduciary) shall not apply in these cases:
- The processing of personal data is necessary to enforce any legal right or claim.
- The processing of personal data is required in accordance with an order of a court or tribunal entrusted with the performance of any judicial, quasi-judicial, regulatory or supervisory function.
- The processing of personal data is done in the interests of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India.
- When the processing of personal data relates to Data Principals not within the territory of India, in accordance with a contract entered into with any person outside the territory of India by any person based in India.
- When processing is necessary for a compromise, arrangement, merger or amalgamation of two or more companies, or a reconstruction by way of demerger or otherwise of a company, or a transfer of the undertaking of one or more companies, or involving the division of one or more companies, approved by a court, tribunal or other authority competent to do so under any law for the time being in force.
- When processing is necessary for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to the provisions relating to disclosure of information.
Further, Section 17(2) provides when the provisions of this Act shall not apply, for instance:
- Processing of personal data by an instrumentality of the State as Central Government notifies in the interest of sovereignty and integrity of India, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence relating to any of these and processing by the Central Government of any personal data that such instrumentality may furnish.
- Processing of personal data necessary for research, archiving or statistical purposes, if the personal data is not to be used to make any decision specific to a Data Principal.
Important cases
Though now we recognise the right to privacy as the bedrock of our democracy, it wasn’t always the case. The Indian jurisprudence has developed a lot throughout the years. The Supreme Court of India, through a slew of landmark decisions, has allowed the organic growth and expansion of the right to privacy. Let’s take a look at the legal development of the right throughout the years:
- M.P. Sharma v. Satish Chandra (1954): It is one of the first cases in India that dealt with the right to privacy. An eight-judge bench of the highest court of the land sat down to decide upon the constitutionality of the search and seizure provisions of the Code of Criminal Procedure. The Court here did not recognise any right to privacy and held that the searches and seizures were not, in fact, violative of the right to privacy. As there is no provision in the Indian Constitution that deals with the right to privacy, it could not be violated either.
- Kharak Singh v. State of UP (1962): Another case where the Apex Court decided in relation to privacy rights. The Court examined the wide powers of police surveillance and its overarching powers in relation to privacy. Here, the Court, for the first time, was faced with issues pertaining to the right to privacy as a part of Article 21. The Court didn’t explicitly recognise any right to privacy, but J. Subba Rao stated in his dissent that the right to privacy is inherent in our Constitution. This famous dissent helped initiate the growth of the right to privacy.
- Gobind v. State of MP (1975): This is the decision where the Supreme Court was again faced with a similar question on the right to privacy. The facts of the case were such that it dealt with police surveillance by domiciliary visits. The Supreme Court recognised the significance of the right to privacy but said that it should give way to a larger state interest. It stated that the right to privacy has its own set of restrictions, such as public order, morality, national security, etc.
- In the decision of Maneka Gandhi v. Union of India (1978): The Hon’ble Court, speaking through a bench of seven judges, said that the term ‘personal liberty’ includes a variety of rights within its ambit. The rights so recognised must fulfil the triple test, that is, they must prescribe a procedure; that procedure must follow the test of fundamental rights under Article 19 and also withstand the tests of Article 14.
- Another landmark decision pertaining to the matter was that of People’s Union of Civil Liberties v. Union of India (1996). This decision, rendered in 1997, was decided in favour of the right to privacy of an individual. The case centred around telephone tapping of people without their consent and whether doing so infringed on their right to privacy. It was a PIL filed against rampant phone tapping by the CBI. The Court disallowed such phone tapping without consent, stating that privacy is an important facet of Article 21. The Court declared that such tapping amounts to a rather serious infringement of the right to privacy. In declaring the same, the Court marked an important step in the journey of protection of the right to privacy.
- Another popular case is that of R. Rajagopal v. State of Tamil Nadu (1994), where the Apex Court recognised the right to privacy of prisoners as well. More popularly known as the ‘Auto Shankar case’, it allowed the prisoner the right to publish his autobiography without any restrictions. In declaring the same, the Court emphasised the right to be left alone, even of a person in jail. This also includes an individual’s right to control the dissemination of information regarding their private life and the power to control any unwarranted intrusion into their rights.
- Mr. X v. Hospital Z (1998) was another case where the court was faced with a clash between two different fundamental rights: the right to privacy on the one hand and the right to public morality on the other. The appellant was a patient whose diseases were announced in public by the hospital. The Court recognised the right to privacy in such circumstances, stating that every person has a right to life and a healthy lifestyle under Article 21. It was mentioned that disclosure of even true private facts has the capability of breaching someone’s peace of mind and privacy.
- Another such case is that of District Registrar and Collector, Hyderabad v. Canara Bank (2004), where the Hon’ble Court ruled on the significance of the financial privacy of an individual. It stated that the right to privacy also extends to maintaining the confidentiality of bank account details and related information. This decision widened the scope of the right to privacy to cover the financial aspects of the right as well.
- The Naz Foundation v. Government of NCT of Delhi (2009) decision, given by the Delhi High Court, turned out to be a significant development on the issue of consensual homosexuality. The Court gave its verdict on the validity of Section 377 of the Indian Penal Code, 1860. The Court ruled that Article 21 also protects a person’s right to become whoever he wants and to remain himself. It said that all individuals need a place of sanctuary where they can be free from societal expectations. This decision was later overturned by the Supreme Court. However, in Navtej Singh Johar v. Union of India (2018), the Apex Court, through a five-judge Bench, unanimously struck down Section 377 of the IPC to the extent that it criminalised same-sex relations between two consenting adults. In doing so, it declared that the State can’t intrude into one’s choice of partner, personal intimacy or love. The right to privacy is a fundamental right, and the right to sexual orientation is an intrinsic part of that right.
- The case of Selvi & Ors v. State of Karnataka (2010) also serves as a crucial stepping stone in the growth of privacy as a fundamental right. The Supreme Court here made a distinction between physical and mental privacy. The Court decided that no individual should be forced to undergo tests such as narco-analysis or polygraph tests without their consent, as allowing that amounts to an intrusion into one’s personal space and liberty.
- Even though in most of these cases the courts didn’t explicitly recognise the right to privacy, the highest court of the country ruled in favour of the existence of the right in the landmark decision of K.S. Puttaswamy v. Union of India (2018). The decision, delivered in 2018 by a 9-judge bench, read the right to privacy within the ambit of Article 21, which is the right to life and liberty. In declaring that the right to privacy is intrinsic to life and personal liberty, the Court overruled the earlier decisions in MP Sharma and Kharak Singh that had held that privacy wasn’t protected under the Indian Constitution. The Bench declared the following in the decision:
- The recognition of the right to privacy in no way means amending the Constitution or granting a new freedom; it is just the interpretation of already existing provisions.
- Privacy aims to protect personal intimacies, sanctity of personal life, marriage, reproduction, sexual orientation, etc.
- Privacy also means the right to be left alone.
- A person does not surrender all rights to privacy merely by stepping into a public place. The right attaches to the person, wherever he is or goes.
- The Constitution must be interpreted liberally to allow growth and development with technological changes.
- However, even though the right to privacy is a basic right, it’s not an absolute right. Like every other fundamental right, it also has a set of reasonable restrictions imposed upon its usage.
- Privacy has both positive and negative connotations. The negative part restricts the state from doing any act that may violate an individual’s right to privacy and the positive connotation denotes the proactive duty imposed on the state to protect the right to privacy.
- The recognition of the right to privacy as a fundamental right protects the inner sphere of an individual from interference by state and non-state actors.
- The right to privacy cannot be denied merely because only a small fraction of the population is affected by a particular intrusion.
- Unique Identification Authority of India v. Central Bureau of Investigation (2014): Here the Supreme Court dealt with the question whether the UIDAI could share the biometric data it had collected with an investigating agency without the consent of the person concerned. The Court directed that the UIDAI shall not transfer any person's biometric information to any other agency without that person's written consent, and reiterated that no one should be denied a service for want of an Aadhaar number. The constitutional validity of the Aadhaar scheme itself was decided later, in the 2018 Puttaswamy (Aadhaar) judgment, which upheld the scheme while striking down or reading down several of its provisions to protect individual privacy. The decisions together show the Court trying to balance the aims of the government against an individual's privacy rights.
- The significance of the right to privacy can also be seen in Joseph Shine v. Union of India (2018), where the Supreme Court decriminalised adultery under Section 497 of the IPC. Justice Chandrachud, in his concurring opinion, observed that Section 497 had been put in place to reinforce the idea that a woman loses her autonomy and agency on marriage, her identity being subsumed by the patriarchal norms of society. He relied on the right to privacy in holding that adultery could not remain a criminal offence.
- In X v. The Principal Secretary, Health and Family Welfare Department, Govt. of NCT of Delhi & Anr. (2022), the Supreme Court upheld the reproductive autonomy of an unmarried woman. On the facts, the Bench permitted a 25-year-old woman to terminate her pregnancy, holding that her right to bodily autonomy is guaranteed by Article 21 and that the right to privacy enables a person to exercise that autonomy.
- In the case popularly known as the Hadiya marriage case, Shafin Jahan v. Asokan K.M. (2018), the Supreme Court held that an individual's right to marry a person of one's choice is part of her privacy and that the state has no role or power to interfere with it. The right to privacy was held to include the freedom to take decisions on the intimate matters of one's life.
- Internet Freedom Foundation v. Union of India (2019): Considered another landmark in the realm of privacy and digital rights, the case dealt with internet shutdowns and their impact on fundamental rights. The Supreme Court held that suspending internet services interferes with fundamental rights and is impermissible unless the suspension order satisfies the tests of necessity and proportionality.
The cases mentioned above trace the evolution of the right to privacy in the Indian context. They show how the right has adapted to changing societal concerns, technological advances and constitutional values. Initially there was outright resistance to recognising a right to privacy, since it finds no explicit mention in the Indian Constitution. Over time, however, the judiciary, speaking through different Benches, has located the right to privacy within the right to life and personal liberty under Article 21. New technological challenges will keep emerging, and these decisions will guide the response to them.
Penalties and fines for violating data protection laws
Chapter VIII of the DPDP Act deals with penalties and adjudication. Section 33 provides that if the Board, on concluding an inquiry, determines that a person has breached provisions of the Act or the rules made under it, it may impose a monetary penalty after giving the person concerned a reasonable opportunity of being heard. In deciding the amount of the monetary penalty, the Board shall consider the following factors:
- Nature, gravity and duration of the breach.
- Type and nature of the personal data affected by the breach.
- Repetitive nature of the breach.
- Whether the person, due to consequences of such breach, has gained or avoided any loss.
- Whether the person concerned took any action in order to mitigate the effect and consequences of the breach, and timeliness and effectiveness of such action.
- Whether the monetary penalty to be imposed is proportionate and effective considering the need to ensure observance of provisions and to have a deterrent effect.
- The likely impact of the monetary penalty on the person concerned.
Further, the maximum penalty for each kind of breach is specified in the Schedule to the Act, as follows:
| Subject matter | Section of the DPDP Act | Penalty |
|---|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | Section 8(5) | May extend to Rs. 250 crore |
| Failure to notify the Board and affected Data Principals of a personal data breach | Section 8(6) | May extend to Rs. 200 crore |
| Non-fulfilment of additional obligations in relation to processing of children's personal data | Section 9 | May extend to Rs. 200 crore |
| Non-fulfilment of additional obligations of a Significant Data Fiduciary | Section 10 | May extend to Rs. 150 crore |
| Breach of the duties of a Data Principal | Section 15 | May extend to Rs. 10,000 |
| Breach of any term of a voluntary undertaking accepted by the Board | Section 32 | Up to the extent applicable for the breach in respect of which the proceedings under Section 28 were instituted |
| Any other non-compliance with the Act or the rules | Every other provision | May extend to Rs. 50 crore |
Is the DPDP Act adequate in the Indian landscape
The DPDP Act, India's first dedicated data privacy legislation, took more than six years to make. It is a set of robust provisions focused on securing the right to privacy of individuals within India and is a sincere effort to construct comprehensive legislation on the subject. The Act starts with promising momentum and showcases the following key features:
- The scope of the DPDP Act is pretty wide, and it even has extra-territorial application as it is applicable when the data is processed beyond India if it relates to goods or services within India.
- It provides a comprehensive definition of personal data—that’s any data that pertains to an identifiable individual. Not only that, the Act has widened the scope of the data principal and now it also includes parents, lawful guardians of children, and persons with disabilities as well.
- The DPDP Act has a separate provision (Section 9) for processing the personal data of children. Before such processing, the Data Fiduciary must obtain the verifiable consent of the parent or lawful guardian. The Data Fiduciary shall not undertake any processing likely to cause a detrimental effect on the well-being of the child, and shall not undertake tracking, behavioural monitoring or targeted advertising directed at children.
- The DPDP Act accommodates start-ups and creates an exemption for them. This way, it recognises the issues faced by these start-ups in implementing this dynamic legislation to motivate creativity and innovation.
- The DPDP Act has separate provisions for stating the obligations imposed on the Data Fiduciaries such as implementing the provisions of this Act, implementing reasonable security measures to prevent any breach, giving of notice for consent, etc.
- The DPDP Act has granted the Data Principal a slew of rights that they can exercise in relation to their data. These rights include the right to access information, right to correct data, complete data, right to nominate and right to grievance redressal, etc.
- The Act requires consent to allow processing and collection of personal data. In case of processing of personal data in relation to a child, it calls for verifiable parental consent. This consent must be free, specific, informed, unconditional and unambiguous. This consent can later be withdrawn as well. Moreover, the Act imposes a duty on the data fiduciary to provide a detailed notice to the data principal either during or before seeking consent. This notice should explain what data is collected and for what purposes, description of their rights and grievance redressal.
- The DPDP Act also introduced the concept of consent managers. These managers are the ‘managers’ of consent and act as intermediaries for consent collection, modifications and revocation.
- The DPDP Act makes a distinction between data fiduciary and a significant data fiduciary. This distinction is based on a number of factors, such as data volume, sensitivity, risk involved, security, etc. These significant Data Fiduciaries have additional obligations, such as having to appoint data protection officers, conduct data protection impact assessments and undergo periodic compliance audits.
- The DPDP Act introduces Data Protection Boards. It sets out the framework for the constitution of the board, qualifications of the members, salary and allowances given to the members, cases where they may be disqualified, resignation by members, etc. This board has the power to take urgent remedial or mitigation measures in cases of breach of personal data, initiate inquiry in cases, impose penalties, etc. The Act declares the board to be an independent body that would function as a digital office.
- The DPDP Act further provides that where the Board is of the opinion that a complaint may be resolved by mediation, it may direct the parties to attempt resolution through a mediator whom the parties mutually agree upon.
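The consent rules above (specific, purpose-bound, notice before consent, verifiable guardian consent for children, withdrawable at any time) can be made concrete in code. The following is an added illustration, not code from the article or from any project, and the Act prescribes no such record format: the field names, purpose labels and sample principal IDs are assumptions made for the example. It stores each consent against named purposes and the data items each purpose needs, refuses child consents that lack a verified guardian or that ask for a prohibited purpose, and gates every processing step on a live consent that covers exactly the purpose and items requested.

```python
"""Purpose-bound consent ledger modelled on the DPDP Act's consent rules.

Added illustration (not the Act's text or any project's code). The record
format, purpose labels and IDs below are assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set

# Section 9(3): no tracking, behavioural monitoring or targeted advertising
# directed at children. The labels themselves are assumed for the example.
CHILD_PROHIBITED_PURPOSES = frozenset(
    {"tracking", "behavioural_monitoring", "targeted_advertising"}
)


class ConsentError(Exception):
    """Raised when a consent request does not meet the Act's conditions."""


@dataclass
class ConsentRecord:
    principal_id: str
    purposes: Dict[str, FrozenSet[str]]   # purpose -> data items it may use
    notice_version: str                   # notice shown at or before consent
    given_by: str                         # principal, or verified guardian
    given_at: datetime
    withdrawn_at: Optional[datetime] = None             # full withdrawal
    withdrawn_purposes: List[str] = field(default_factory=list)


class ConsentLedger:
    """Stores consents and answers 'may I process these items for purpose P?'."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def record_consent(self, principal_id: str, purposes: Dict[str, Set[str]],
                       notice_version: str, *, is_child: bool = False,
                       guardian_id: Optional[str] = None,
                       guardian_verified: bool = False) -> ConsentRecord:
        # Section 5: notice must precede or accompany the request for consent.
        if not notice_version:
            raise ConsentError("notice must be given at or before consent")
        # Section 6(1): consent is specific to a purpose and limited to the
        # personal data necessary for it, so every purpose names its items.
        if not purposes or any(not set(items) for items in purposes.values()):
            raise ConsentError("each purpose must list the data items it needs")
        if is_child:
            # Section 9(1): verifiable consent of a parent or lawful guardian.
            if not (guardian_id and guardian_verified):
                raise ConsentError("child data needs verified guardian consent")
            banned = CHILD_PROHIBITED_PURPOSES & set(purposes)
            if banned:  # Section 9(3): cannot be consented to at all
                raise ConsentError(f"prohibited for children: {sorted(banned)}")
            given_by = f"guardian:{guardian_id}"
        else:
            given_by = f"principal:{principal_id}"
        record = ConsentRecord(
            principal_id=principal_id,
            purposes={p: frozenset(items) for p, items in purposes.items()},
            notice_version=notice_version,
            given_by=given_by,
            given_at=datetime.now(timezone.utc),
        )
        self._records[principal_id] = record
        return record

    def withdraw(self, principal_id: str, purpose: Optional[str] = None) -> None:
        """Section 6(4): withdrawal at any time, for one purpose or for all."""
        record = self._records[principal_id]
        if purpose is None:
            record.withdrawn_at = datetime.now(timezone.utc)
        elif purpose not in record.withdrawn_purposes:
            record.withdrawn_purposes.append(purpose)

    def may_process(self, principal_id: str, purpose: str,
                    data_items: Set[str]) -> bool:
        """Gate each processing step on a live consent matching the purpose."""
        record = self._records.get(principal_id)
        if record is None or record.withdrawn_at is not None:
            return False
        if purpose in record.withdrawn_purposes or purpose not in record.purposes:
            return False
        # Only the items consented for this purpose, nothing more.
        return set(data_items) <= record.purposes[purpose]


def consent_rejected(ledger: ConsentLedger, **kwargs) -> bool:
    """True if record_consent refuses the request (keeps the demo readable)."""
    try:
        ledger.record_consent(**kwargs)
    except ConsentError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: one adult principal with a hypothetical ID.
    ledger = ConsentLedger()
    ledger.record_consent("dp-1001", {"order_fulfilment": {"name", "address"}},
                          notice_version="notice-2024-01")
    print(ledger.may_process("dp-1001", "order_fulfilment", {"name"}))    # True
    print(ledger.may_process("dp-1001", "order_fulfilment", {"phone"}))   # False
    ledger.withdraw("dp-1001", "order_fulfilment")
    print(ledger.may_process("dp-1001", "order_fulfilment", {"name"}))    # False
```

The design point is that `may_process` is the only path to personal data: processing code asks the ledger before touching each item, so a withdrawal or a purpose mismatch stops processing immediately rather than relying on downstream teams to remember the consent terms. A production system would also persist the notice text itself and an audit trail of withdrawals, which the Act expects a Data Fiduciary to be able to demonstrate.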
Criticism of DPDP Act
While the DPDP Act appears at first to be a commendable effort to acknowledge privacy and its allied rights, it still has significant gaps. It is worth taking a look at these shortcomings:
- It deals only with digital data, or non-digital data that is later digitised, and not otherwise. The Act therefore has an uneven application: it protects your right to privacy only when the data exists in digital form somewhere, not when it is held offline.
- The DPDP Act does not create categories of data such as sensitive personal data or critical personal data. These distinctions existed in earlier drafts of the Bill but were removed from the enacted law. This is a serious setback for privacy rights: the more sensitive the data, the more robust its protection should be, and the Act fails to recognise that.
- The DPDP Act has significant exemptions, and it’s not just limited to start-ups to promote innovation and growth; these exemptions also cover government and other government instrumentalities that result in unrestricted and unchecked power with the government to collect and process data.
- Another criticism of the DPDP Act is that it curtails access to information under the Right to Information Act, 2005. Section 8(1)(j) of the RTI Act exempted personal information from disclosure only where it had no relation to any public activity or interest, or would cause an unwarranted invasion of privacy, unless the larger public interest justified disclosure. The DPDP Act amends that clause to exempt all personal information from disclosure, which strikes at the root of transparency and accountability in the system.
- Though the DPDP Act provides for a separate provision for data transfer, it doesn’t do much to protect the data from breaches that may arise at the time of transfer. In reference to the cross border transfers, the Act states that the Central Government has the power to restrict it. Following this approach, not enough protection is granted to the personal data of an individual through the Act.
- Another serious concern raised about the Act is the independence of the Data Protection Board. The Act describes it as an independent body, but given the short term of appointment of its members and the role of the Central Government in appointing them and prescribing their terms of service, it is hard to accept that the Board would be truly independent.
- The success of the DPDP Act depends on people’s awareness about their rights and duties. They should be aware about the significance of their personal data, how it is collected and processed and how to redress their grievances as well. The Act is a new addition to the Indian privacy landscape and not a lot of people are aware of its existence and how it works. There is no provision in the legislation that imposes an obligation on the concerned Government or the Data Protection Board to sensitise people about their data and their rights.
The DPDP Act marks a historic step in the battle to safeguard our right to privacy. It addresses the gigantic chasm that existed before the Act. Its comprehensive provisions demonstrate a sincere attempt at addressing the growing concerns of the digital age. The Act has promising features, as discussed above. It can’t be denied that the Act also comes with a few concerns. The Act’s limitation to only digital data, lack of distinction between categories of data, and exemption of the government from its applicability raise concerns about its fairness.
Comparison of DPDPA with GDPR
The General Data Protection Regulation, more popularly referred to as the GDPR, is touted as one of the most robust data privacy legislations in existence. It is the privacy legislation of the European Union and has applied since May 25, 2018.
The GDPR and the DPDP Act are both comprehensive legislations and share quite a few similarities. The provisions that are similar in the two are as follows:
| Provisions | General Data Protection Regulation (GDPR) | Digital Personal Data Protection Act (DPDPA) |
|---|---|---|
| Personal data | Article 4(1) of the GDPR defines personal data as any information relating to an identified or identifiable natural person. | Section 2(t) of the DPDP Act defines personal data as any data about an individual who is identifiable by or in relation to such data. |
| Extent | Article 3 sets out the territorial scope. The GDPR applies to processing in the context of an establishment in the EU and, extra-territorially, to organisations outside the EU that offer goods or services to data subjects in the Union or monitor their behaviour there. It attaches to data subjects in the Union irrespective of their citizenship. | Section 3 applies the Act to digital personal data processed within India, including data collected offline and digitised later, and, extra-territorially, to processing outside India in connection with offering goods or services to Data Principals within India. It does not apply to offline personal data that is never digitised. |
| Data collection and processing | Article 5 requires personal data to be processed lawfully, fairly and transparently, and Article 6 lists the lawful bases: consent of the data subject; necessity for the performance of a contract; compliance with a legal obligation to which the controller is subject; protection of the vital interests of the data subject; performance of a task carried out in the public interest or in the exercise of official authority; and the controller's legitimate interests, where not overridden by the data subject's rights. | Section 4 permits processing only for a lawful purpose for which the Data Principal has given consent, or for certain legitimate uses. Section 5 requires a notice to the Data Principal stating what personal data is collected and for what purpose. Section 7 lists the legitimate uses for which processing is permitted without consent, among them: data voluntarily provided by the Data Principal for a specified purpose; provision by the State of a subsidy, benefit, service, licence, permit or certificate; performance of functions of the State under any law for the time being in force; compliance with a judgment, decree or order issued under any law; responding to a medical emergency; and measures to ensure safety or provide assistance during a disaster. |
| Data minimisation | Article 5(1)(c) of the GDPR codifies the data minimisation principle: personal data collected shall be adequate, relevant and limited to what is necessary in relation to the purpose of the processing. | The Act has no standalone data minimisation principle, though Section 6(1) limits consent to such personal data as is necessary for the specified purpose, and Section 8(7) requires erasure once the purpose is served or consent is withdrawn. |
| Consent | Consent is one of the lawful bases under Article 6. Article 4(11) and Article 7 require it to be freely given, specific, informed and unambiguous, expressed by a clear affirmative act, and as easy to withdraw as it was to give; Article 7(3) provides for withdrawal at any time. | Section 6 sets out the requirements of valid consent: it must be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, and limited to the personal data necessary for the specified purpose. Section 6(4) allows the Data Principal to withdraw consent at any time, with the ease of withdrawal comparable to the ease with which consent was given. |
| Rights of individuals | The GDPR gives data subjects a detailed set of rights: Article 15, access to the personal data held and how it is processed; Article 16, rectification of inaccurate or incomplete data; Article 17, erasure when the data is no longer needed for the purpose for which it was collected; Article 18, restriction of processing; Article 20, portability, that is a copy of the data in a structured, commonly used and machine-readable format; and Article 21, the right to object to processing. | Following the GDPR, the DPDP Act grants a narrower set of rights: Section 11, the right to obtain a summary of the personal data being processed and the processing activities, and the identities of the other Data Fiduciaries and Data Processors with whom it has been shared; Section 12, the right to correct, complete, update and erase personal data; Section 13, the right to grievance redressal; and Section 14, the right to nominate another individual who may exercise these rights in the event of the Data Principal's death or incapacity. |
| Assessment | Article 35 of the GDPR provides for a data protection impact assessment (DPIA). Where processing is likely to result in a high risk to the rights of individuals, the controller must carry out a DPIA. It is mandatory in particular for systematic and extensive profiling or automated decision-making, large-scale processing of special categories of data or criminal records, and systematic monitoring of a publicly accessible area. | Under Section 10 the Central Government may notify a Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary on the basis of the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, public order and any other factors it considers necessary. Only a Significant Data Fiduciary must appoint a Data Protection Officer based in India, appoint an independent data auditor, and carry out periodic DPIAs and audits. Under the Act a DPIA is a process comprising a description of the rights of Data Principals and the purpose of processing, an assessment and management of the risk to those rights, and such other matters as may be prescribed. |
| Role of data controller | Article 24 makes the controller responsible for ensuring and demonstrating compliance with the GDPR. Article 25 requires data protection by design and by default, and Article 32 requires appropriate technical and organisational measures to secure personal data. | Section 8 prescribes the general obligations of the Data Fiduciary. It is responsible for compliance irrespective of any agreement with the Data Principal; it may engage a Data Processor only under a valid contract; it must take reasonable security safeguards to prevent a personal data breach; in the event of a breach it must intimate the Board and each affected Data Principal in the prescribed form and manner; and it must erase personal data once the purpose is served or consent is withdrawn. |
| Penalties | Under Article 83, the most serious infringements attract fines of up to €20 million or 4% of total worldwide annual turnover of the preceding year, whichever is higher; a lower tier of €10 million or 2% applies to other infringements. | Under Section 33 the Data Protection Board may impose a monetary penalty after an inquiry. The amounts are fixed in the Schedule and are not linked to turnover: up to Rs. 250 crore for failing to take reasonable security safeguards, Rs. 200 crore for failing to notify a breach or for breaching the obligations relating to children's data, Rs. 150 crore for breaching Significant Data Fiduciary obligations and Rs. 50 crore for any other breach. In determining the amount the Board considers the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach is repetitive; any gain made or loss avoided; mitigation taken; whether the penalty is proportionate and effective as a deterrent; and its likely impact on the person. |
It can be safely said that both of these legislations work on similar patterns on the major vital areas such as consent, personal data, processing and collection of personal data, data protection impact assessment, penalties, etc. However, there are a few provisions that differ in both the legislations as well. These are as follows:
- The GDPR distinguishes categories of personal data, whereas the DPDP Act applies in the same way to all personal data with no categorisation. Article 9 of the GDPR governs the processing of special categories of data (such as health, biometric or genetic data and data revealing racial origin, political opinions or religious beliefs), while Article 10 governs the processing of personal data relating to criminal convictions and offences.
- As per the GDPR, a notice is required to be given to the data subject regarding the processing of their personal data. The notice requirements aren’t linked only to the consent of the individual. The details provided to the data subject in that notice are much wider in ambit. In the DPDP Act, notice must contain the requisite information that allows the person to exercise their consent.
- Unlike the GDPR, the DPDP Act (Section 15) also lists the duties of Data Principals, not just their rights. These duties include the following:
- To comply with the provisions of all applicable laws for the time being in force.
- Not to impersonate another person while providing personal data.
- To not suppress any material information while giving the personal data
- To not register a false or frivolous complaint with the data fiduciary or the Board
- To furnish the information that’s authentic
- The right to nominate, which allows a person to nominate another individual to exercise rights under the Act in case of the Data Principal's death or incapacity, has no counterpart in the GDPR.
- The GDPR (Chapter V, Articles 44 to 49) imposes stringent conditions on transfers of personal data outside the EU, such as an adequacy decision or appropriate safeguards. The DPDP Act's provisions are far lighter: Section 16 lets the Central Government, by notification, restrict transfers of personal data to countries or territories outside India, so transfers are permitted by default unless restricted. Section 17 further exempts certain processing from most of the Act, including Section 16: processing necessary to enforce a legal right or claim; processing by a court or tribunal; processing in the interests of prevention, detection, investigation or prosecution of an offence; processing necessary for a scheme of compromise, arrangement, merger or amalgamation of two or more companies; and processing to ascertain the financial information, assets and liabilities of a person who has defaulted on a loan.
- While the GDPR also applies to offline personal data, the DPDP Act protects only digital data and not offline personal data.
- Unlike the DPDP Act, the GDPR doesn’t impose a duty on the data subjects to resolve their grievances before making a complaint to the supervisory authority mentioned in the regulations.
- The DPDP Act introduces the new concept of Consent Managers. These are persons registered with the Data Protection Board of India who act as a single point of contact through which a Data Principal can give, manage, review and withdraw consent to Data Fiduciaries.
Career opportunities in data protection and data privacy
Data protection and privacy management are critical aspects of running a business, and non-compliance can lead to heavy fines, loss of business and reputational damage. Law firms and businesses across the world are therefore building teams dedicated to privacy compliance. A career in privacy law is a growing trend and, with the DPDP Act in force, opportunities in the field are expanding rapidly. A privacy career is not limited to the legal field; it extends to healthcare, technology, pharmaceuticals, media, hospitality and other sectors, since every business must comply with privacy laws. Let's take a look at the prevalent career opportunities:
Data protection officer (DPO)
Who is DPO
A Data Protection Officer (DPO) is the person responsible for ensuring that an organisation complies with data privacy laws. Under Section 10 of the DPDP Act, appointing a DPO based in India is mandatory for every Significant Data Fiduciary, and many other organisations appoint one voluntarily.
What is the role of DPO
As a DPO, your role is to fulfil the following responsibilities:
- Ensuring that data principals, data controllers and everyone else involved in the process are duly informed of their rights and responsibilities.
- They have to maintain records of all processing operations and their compliance with privacy laws.
- They also serve as the main contact for the organisation and the relevant public authorities on data protection.
- Making sure that the institution they work with complies with the law, and keeping it aware of the consequences of non-compliance.
- Their role also includes making training plans, framing guidelines for employees and promoting a culture of data protection and compliance.
How to become DPO
To become a DPO, you must fulfil these requirements:
- Obtain a degree in a relevant field; remember that law, information technology or computer science are all acceptable degrees.
- It is crucial to get a deep understanding of privacy laws in India as well as GDPR.
- Get a certification in data protection, such as Certified Information Privacy Professional (CIPP) or Certified Data Protection Officer (CDPO). Please note that the certification or course requirements may change with the job.
- After completing the certificate course, you are eligible to start looking for jobs in companies that require a DPO.
- Some companies require a few years of experience in the field of data protection and security compliance, so it is recommended to get experience in the role.
Pay scale of a DPO
As a DPO, you may earn approximately Rs. 30,000 per month. Please note that this figure is just an average estimate and may vary according to the job description.
Privacy lawyer
Who is a privacy lawyer
A privacy lawyer is a professional who advises on compliance with privacy laws and regulations and may be engaged by Data Principals in case of a data breach.
What is the role of a privacy lawyer
A privacy lawyer ensures compliance with privacy laws and advises on best practices and policies for collecting, storing, using and sharing personal data. They also guide individuals towards remedies in unfortunate cases of data breaches and represent the best interests of their clients in court. They draft data privacy, compliance and protection agreements as well.
How to become a privacy lawyer
To become a privacy lawyer, you must acquire the following qualifications:
- Complete your law degree from any institution duly recognised by the Bar Council of India.
- It is mandatory for the candidate to clear the All India Bar exam and enrol with the Bar Council of your state.
- To become a privacy lawyer, you should be familiar with privacy laws, threats, principles, etc. Many jobs require a certain number of years of experience or a course dedicated to data privacy.
- It is recommended to take part in a certificate course, or privacy impact assessments, reviewing privacy policies, etc., which offers practical exposure to the field. Also, networking and taking guidance from experienced privacy professionals can increase your credibility.
Pay scale of a privacy lawyer
As a privacy lawyer, you may earn approximately Rs. 35,000 per month. Please note that this figure is just an average estimate and may vary according to the job description.
Chief privacy officer
Who is chief privacy officer
A chief privacy officer (CPO) is a senior-most executive who is responsible for developing, managing and implementing data privacy compliance regulations in order to protect data from unauthorised access.
What is the role of chief privacy officer
A CPO is the central decision making authority in any privacy related decisions. Their role is to increase the organisation’s data security measures and monitor and process the data to comply with legal requirements.
How to become chief privacy officer
To become a CPO, you must fulfil these requirements:
- To become a CPO, you can have a bachelor’s degree in computer science, IT law, or cybersecurity.
- You may also obtain a Master’s degree in data privacy and cybersecurity, as it will add to your knowledge and skills.
- Get a certification in data protection, such as Certified Information Privacy Professional (CIPP) or Certified Data Protection Officer (CDPO). Please note that the certification or course requirements may change with the job.
- Working as a CPO is a high level profession and requires expertise and skills that can be developed through working in the field and gaining practical insights.
Pay scale of a Chief Privacy Officer
As a CPO, you may earn approximately Rs. 35,000 per month. Please note that this figure is just an average estimate and may vary according to the job description.
Privacy managers
Who is a privacy manager
A privacy manager is someone who manages personal data and its privacy concerns within the company. The role of a privacy manager is in high demand.
What is the role of a privacy manager
As a privacy manager, your responsibilities include the following:
- Conducting comprehensive reviews of the company's existing privacy policies and assessing their compliance with applicable laws and practices.
- Developing data privacy policies and conducting data privacy audits.
- Managing Data Principal rights requests, such as requests for access, correction and erasure of personal data.
- Conducting employee training and awareness courses in the company.
How to become a privacy manager
To become a privacy manager, you must fulfil these requirements:
- To become a data privacy manager, you should have a bachelor's degree in computer science, IT law or cybersecurity; a master's degree in data privacy and cybersecurity is preferable.
- Professional certifications like CIPP, CIPT, etc. are also preferable.
- Generally, the companies require certain years of experience in data privacy management and a strong understanding of global data privacy regulations.
Pay scale of a privacy manager
As a privacy manager, you may earn approximately Rs. 40,000- 50,000 per month. Please note that this figure is just an average estimate and may vary according to the job description.
Privacy analysts
Who is a privacy analyst
A privacy analyst is someone who manages the legal risks surrounding critical and sensitive information and assesses business operations against privacy requirements. The role of a privacy analyst is in high demand.
What is the role of a privacy analyst
A privacy analyst helps ensure compliance: testing privacy controls with the team, working with stakeholders on remediation, and supporting the company's privacy projects. They work with managers and directors to schedule compliance audits and to test the organisation's processes against updated privacy regulations.
How to become a privacy analyst
To become a privacy analyst, you must fulfil these requirements:
- Obtain a degree in a relevant field; law, information technology and computer science are all acceptable.
- It is crucial to gain a deep understanding of privacy laws in India as well as the GDPR.
- Privacy compliance experience, or professional experience in a privacy-related field, is also required, as the job demands that expertise.
- Understanding privacy tools and technology, data platforms, etc. is also required.
Pay scale of a privacy analyst
As a privacy analyst, you may earn approximately Rs. 40,000- 50,000 per month. Please note that this figure is just an average estimate and may vary according to the job description.
Conclusion
In conclusion, the data privacy and protection laws in India reflect the global landscape of the emerging supremacy of data in a digitally advanced age. The DPDP Act is a step forward: it protects personal data, gives Data Principals greater autonomy over their data and establishes accountability for Data Fiduciaries. The Act emphasises key principles such as data minimisation, accuracy, accountability and purpose limitation, and introduces the rights of Data Principals. It keeps a check on the performance of the obligations of Data Fiduciaries and imposes penalties for non-compliance with its provisions. In its entirety, the DPDP Act serves the purposes for which it was made, but it is not immune from criticism. The provisions on sensitive personal data, present in the earlier bills, were dropped when the bill became an Act. Many argue that the Act is ambiguous on how consent is collected and how data is processed, and that it creates wide exemptions for the government, so that it is, in effect, a missed opportunity. It remains to be seen whether the Act will strike the right balance between these achievements and criticisms and uphold the Supreme Court's judgement on privacy.
Frequently Asked Questions (FAQs)
What are different laws governing data protection and privacy in India?
Before the DPDP Act, data protection was governed mainly by the Information Technology Act, 2000, in particular Section 43A (compensation for failure to protect sensitive personal data), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules) framed under it. The Digital Personal Data Protection Act, 2023 (DPDP Act) is now the primary legislation on data protection and privacy; note that the earlier framework continues to apply until the corresponding provisions of the DPDP Act are brought into force by notification.
What is the decision of KS Puttaswamy judgement vis-a-vis privacy?
In the landmark case of K.S. Puttaswamy v. Union of India (2017), a nine-judge bench of the Supreme Court held that the right to privacy is a fundamental right under Article 21 and Part III of the Constitution. Before the judgement, privacy protection in Indian law was limited; with privacy recognised as a fundamental right, the DPDP Act was framed to protect and safeguard it.
When was the DPDP Act enforced?
The Act received Presidential assent and was published in the Gazette on August 11, 2023. Assent is not the same as enforcement: under Section 1(2), its provisions come into force on such dates as the Central Government appoints by notification, and different dates may be appointed for different provisions.
What kind of information is protected under the law?
The law protects 'personal data', defined in Section 2(t) of the Act as any data about an individual who is identifiable by or in relation to such data. Personal data may include details like name, address, age, contact number, etc. The Act does not define or separately regulate 'sensitive personal data', unlike the SPDI Rules, 2011 and the earlier bills.
Who is required to comply with the provisions of the DPDP Act?
Section 3 of the DPDP Act states that it applies only to digital personal data and not to personal data held purely offline. It applies to processing within India and also to processing outside India if it is in connection with any activity related to offering goods or services to Data Principals within India. The Act applies to an organisation that meets the following conditions:
- The organisation processes digital personal data that is capable of identifying the Data Principal to whom the data belongs.
- The personal data is collected in digital form, or is collected in non-digital form and digitised subsequently.
- The processing takes place within Indian territory, or takes place outside India but in connection with an activity offering goods or services to Data Principals in India.
In what circumstances does the DPDPA not apply?
Section 3 of the DPDP Act states that it does not apply in the following circumstances:
- When personal data is processed by an individual for any personal or domestic purpose.
- When personal data is made, or caused to be made, publicly available by the Data Principal to whom it relates, or by any other person who is under a legal obligation to make it publicly available.
What are the key principles provided under the Act?
The DPDP Act is based on the following key principles:
- Principle of consent for lawful and transparent use of personal data.
- Principle of data minimization.
- Principle of limiting data usage to the purpose for which it was collected.
- Principle of data accuracy.
- Principle allowing data storage only till the time it’s necessary.
- Principle of accountability.
- Principle of securing data from any breach.
What is the difference between a data fiduciary and a data processor under the Act?
A Data Fiduciary is defined under Section 2(i) as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. A Data Processor is defined under Section 2(k) as any person who processes personal data on behalf of a Data Fiduciary. It is important to understand that it is the Data Fiduciary who is responsible for complying with the Act, irrespective of any agreement with or processing by a Data Processor; these obligations are set out in Chapter II of the Act under the heading "Obligations of Data Fiduciary".
What rights do Data Principals have as provided under the Act?
Chapter III of the Act provides the rights of Data Principals, namely:
- Right to access information about the personal data being processed, the processing activities and the identities of the Data Fiduciaries and Data Processors with whom it has been shared (Section 11).
- Right to correction, completion, updating and erasure of personal data (Section 12).
- Right of grievance redressal, with the Data Fiduciary or Consent Manager first and then the Data Protection Board (Section 13).
- Right to nominate another individual to exercise these rights in the event of death or incapacity (Section 14).
In addition, a Data Principal may withdraw consent at any time under Section 6(4). Rights to data portability and to object to processing, which appeared in earlier drafts, do not feature in the Act as passed.
Does the Act apply to foreign companies operating in India?
Yes, the Act has extra-territorial jurisdiction, which means that it applies to foreign companies offering goods and services to Indian Data Principals.
What are the provisions of the consent manager?
Section 2(g) of the Act defines a Consent Manager as a person registered with the Data Protection Board of India who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform. Its role is therefore to mediate consent between the Data Principal and Data Fiduciaries. The Act does not oblige a Data Fiduciary to use a Consent Manager; it is an option available to Data Principals.
What are the penalties for non compliance under the Act?
Chapter VIII of the Act deals with penalties and adjudication. Section 33 provides that the Board may impose a monetary penalty after concluding an inquiry into a breach of the provisions of the Act and after giving the person concerned a reasonable opportunity of being heard. The amounts are set out in the Schedule to the Act; the highest category, failure to take reasonable security safeguards to prevent a personal data breach, carries a penalty of up to Rs. 250 crore, and failure to notify the Board and affected Data Principals of a breach carries up to Rs. 200 crore.
What kinds of transactions are exempt from the purview of law?
Section 17 of the Act provides exemptions in situations such as:
- The processing of personal data is necessary to enforce any legal right or claim.
- The processing of personal data is required in accordance with court’s or tribunal’s order entrusted with performance of any judicial or quasi-judicial function.
- The processing of personal data is done in the interests of prevention, detection, investigation or prosecution of any offence or contravention of any law for time being in force in India.
- When processing personal data relates to Data Principals not within the territory of India in accordance with a contract entered into with any person outside the territory of India by any person based in India.
- When processing is necessary for a compromise, arrangement, merger or amalgamation of two or more companies.
- When processing is necessary for the purpose of ascertaining the financial information, assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to the provisions relating to disclosure of information.
Section 17 also empowers the Central Government to exempt, by notification, specified instrumentalities of the State from the Act in the interests of sovereignty, security of the State, public order and related grounds (Section 17(2)), and to exempt certain classes of Data Fiduciaries, including startups, from some of the Act's obligations (Section 17(3)). These are the exemptions most often criticised as being too wide.