This article is co-authored by Bhuvnesh Manchanda and Sukriti Verma, pursuing a Diploma in Advanced Contract Drafting, Negotiation and Dispute Resolution from LawSikho and edited by Shashwat Kaushik.
It has been published by Rachit Garg.
“Right to privacy of any individual is essentially a natural right, which inheres in every human being by birth. Such right remains with the human being till he/she breathes last. It is indeed inseparable and inalienable from human being.”
-Supreme Court of India
The architects of the Indian Constitution had the vision of creating a foundational document in which society could find answers in times of bafflement. When individuals are in such a state, they may turn to holy books; when society is, the Constitution has guided it towards the light. The drafting committee recognised that the Constitution should adapt to the changing demands of society, and since the constitutional makers have departed, the judiciary has steadfastly preserved constitutional values.
The Digital Personal Data Protection Act, 2023 (“DPDPA” or “Act”) is the result of such judicial activism. The foundation of the Act was laid when a son overruled his father’s judgement for the sake of justice (K.S. Puttaswamy (Retd.) vs. Union of India (2018)) and the right to privacy was accepted as an intrinsic part of the right to life and personal liberty enshrined under Article 21 of the Indian Constitution. The Hon’ble Supreme Court of India in the K.S. Puttaswamy judgement said, “We commend to the Union Government the need to examine and put into place a robust regime for data protection.” Had the view of the Supreme Court been any different, the possibility of an act like the DPDPA being legislated would have been very slim, or, if it had been legislated, it could have been a tiger without claws, because no state would want to cut off its own hands by giving its citizens more rights.
However, the date of commencement of this Act is yet to be released and is subject to notification in the Official Gazette, and different provisions of the Act may come into effect on different dates. Furthermore, the rules and regulations under the Act are yet to be issued. The Act is at an early stage and is aimed at the data breaches happening across the country. It is a pioneer, considering the market it has to regulate, and one can expect many developments in the coming years.
Jurisdiction and scope of the DPDPA, 2023
According to the first part of Section 3 of the DPDPA, it applies to the whole of India where personal data is collected in digital form, or in non-digital form if that data is to be digitalised at a later stage. The applicability of the DPDPA stretches outside India as well if the data processing is in connection with any activity relating to the offering of goods or services within India.
However, the Act does not apply when personal data is processed for domestic or personal purposes or when the data is available in the public domain.
Under sub-clauses (b), (c), and (d) of Section 8, the state is free to process personal data for the reasons specified therein. Furthermore, under sub-section (2) of Section 17, the state has left itself a vaguely defined and very wide ambit to process personal data, effectively granting itself complete immunity against any kind of data processing breach under this Act. We may expect the judiciary to scrutinise these provisions of complete immunity to the state under the ambit of the DPDPA in the near future.
Cross-border data transfer
The DPDPA’s applicability also extends outside India if such processing is in connection with any activity related to the offering of goods or services to data principals within India. The cross-border transfer of data is governed under Chapter VI of the Act. The Legislature has kept it open for itself to restrict the transfer of personal data to certain territories outside India. The Legislature has also kept it open for the laws of other countries that provide a higher degree of protection or restriction of personal data, such as the General Data Protection Regulation (GDPR), to supersede the DPDPA.
Before getting into this article, we must familiarise ourselves with the definitions used in the Act for better comprehensibility, as follows:
- Personal data: means any data about an individual who is identifiable by or in relation to such data.
- Processing: In relation to personal data, it means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
- Data fiduciary: Any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
- Consent manager: A consent manager represents the data principal and takes action on their behalf when granting, managing, reviewing, and revoking consent.
- Notice: A notice shall be given by the data fiduciary for processing data to the person whose data is being processed. It should be clear, itemised, and in simple language.
- Data principal: an individual to whom the personal data relates.
- Significant data fiduciary: means any data fiduciary or class of data fiduciaries as may be notified by the Central Government on certain grounds as defined in Section 10 of the Act.
The applicability of the DPDPA has certain exemptions governed under Section 17 of the Act, classified as follows:
- When the personal data is made or caused to be made publicly available or when the law mandates the personal data to be made publicly available.
- When the processing of the data is done for the purposes of prevention, detection, investigation, or prosecution of any offence or contravention of any law.
- When the processing of personal data is done to enforce any legal right or any claim of any nature.
- When the processing of personal data for the performance of any judicial or quasi-judicial functions by any Indian court/tribunal or any other body.
- When the processing of personal data by data principals is done outside the territory of India under any contract entered into with any person outside the territory of India by any person based in the territory of India.
- When the processing of personal data is necessary for a merger/amalgamation or similar arrangement as approved by a court or any other competent authority.
- When the processing of personal data is done to ascertain the financial information, assets, and liabilities of any person who has made a default in payment due on account of a loan or advance taken from a financial institution, this shall be subject to the provisions regarding disclosure of information or data in any other law.
Compliance under the DPDPA, 2023
For starters, where personal data has already been processed before the commencement of this Act, the data fiduciary shall, within a reasonable time, give the data principal a detailed notice relating to that personal data. Processing of data by the data fiduciary after the commencement of this Act shall be preceded or accompanied by a detailed notice stating the purpose and manner of processing and the manner in which consent for processing may be withdrawn.
DPDPA vs GDPR
- Date: The GDPR came into force on 25th May 2018, whereas India came out with its own data protection law on 11th August 2023. On the face of it, India may have just begun its data protection journey, but it is not lagging far behind the EU.
- Basis: One of the major differences between the two laws is that the EU’s legislature made a law as the need arose, whereas in India the Apex Court had to take the matter into its own hands and commend the Union Government to make a law for the same.
- Scope and applicability: The GDPR governs the processing of personal data wholly or partly by automated means, or of personal data that will form part of a filing system, whereas the DPDPA governs personal data that is digital or will be digitalised.
- Penalty: The penalty under the GDPR is not a fixed amount: it can be a maximum of 20 million euros or 4% of the defaulting firm’s worldwide annual revenue from the preceding financial year (whichever is higher), whereas the DPDPA sets a fixed cap of INR 250 crores.
- Parental consent: Under the GDPR, parental consent is required to process the data of minors up to the age of 16 years, whereas under the DPDPA the consent of the parent or guardian is required up to the age of 18 years.
- Maintaining records: There is no provision in the DPDPA placing an obligation on the data fiduciary to maintain records of processing activities (ROPA).
- Reporting: The GDPR has a strict timeline of 72 hours to report data breaches to the Supervisory Authority and the possibly affected data subjects, whereas for the DPDPA the government has not yet notified any such timeline.
- Notice: Under the DPDPA, the data fiduciary is required to give notice to the data principal in any of the 22 languages given in the Eighth Schedule of the Constitution, whereas the GDPR has no such provision, as it is English-centric.
Legitimate use and limits for processing data
The Act explicitly mentions in Section 7(a) that the data fiduciary can process personal data only to the extent to which the data principal has given her consent; any processing beyond that consent is treated as processing to which she has not consented. For a crystal-clear understanding, here is an illustration from the Act:
X, an individual, electronically messages Y, a real estate broker, requesting Y to help identify suitable rented accommodation for her and sharing her personal data for this purpose. Y may process her personal data to identify and intimate to her the details of accommodation available for rent. Subsequently, X informs Y that X no longer needs help from Y. Y shall cease to process the personal data of X.
Other legitimate uses under the Act include that the data fiduciary may process data for performing the functions of the state, for any obligation under law to disclose information to the state, for compliance with any judgement/decree/order, for responding to a medical emergency (involving a threat to life or health), for taking measures to provide medical treatment during an epidemic, for taking measures to ensure safety during any disaster, and for safeguarding employers from loss or liability, including corporate espionage, maintenance of confidentiality of trade secrets, and intellectual property.
The DPDPA sets the limits and boundaries within which data fiduciaries may process personal data. For instance, consent for processing the data shall be unambiguous and specific, and it can be in English or any other language specified in the Eighth Schedule of the Constitution. Beyond consent, the data fiduciary can process the personal data of a data principal only under the “certain legitimate uses” defined under Section 7 of the Act. Otherwise, it may attract a penalty of up to INR 50 crores.
Rights of data principal
The data principal shall have the following rights:
- Right to access information: The right to obtain from the data fiduciary a summary of the data that is being processed, a list of identities of other data fiduciaries with whom such personal data has been shared, plus a description of such personal data, and any other information that may be prescribed by the legislature.
- Right to amend/withdraw data: The right to correction, completion, updating, and erasure of the personal data for which she gave consent.
- Right to grievance redressal: The right to readily available means of grievance redressal.
- Right to nominate: The right to nominate a person to exercise these rights on her behalf in the event of her incapacity.
Duties of data principal
Most of us would fall under the category of data principals under the Act. With great rights come great responsibilities, so let us get through our duties as data principals; otherwise, it may attract a penalty of INR 10,000.
- To comply with the provisions of all applicable laws while exercising rights under the provisions of this Act.
- To ensure not to impersonate another person while providing her personal data.
- To ensure not to suppress any material information while providing her personal data.
- To ensure not to register a false or frivolous grievance or complaint with a data fiduciary or the Board.
- To furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.
Significant data fiduciary
The Act has not adopted a one-size-fits-all approach to compliance. Data fiduciaries are divided into two categories:
- Data fiduciary, and
- Significant data fiduciary (SDF)
At present, the government has not defined the criteria for significant data fiduciaries, but it will soon notify the factors for determining significant data fiduciaries. However, such factors will revolve around the following:
- volume and sensitivity of personal data processed;
- risk to electoral democracy;
- risk to the rights of the data principal;
- security of the state;
- potential impact on the sovereignty and integrity of India; and
- public order.
For significant data fiduciaries, there are additional obligations.
- The SDFs are obligated to appoint a data protection officer (DPO) based in India, who shall be responsible to the governing body of the SDF under the Act. The DPO appointed by the SDF shall handle the grievance redressal mechanism under the Act.
- The SDF shall appoint an independent data auditor who shall carry out data audits and evaluate the SDF’s compliance with the Act. Moreover, periodic audits of personal data processing are to be carried out.
Grievance redressal under the DPDPA, 2023
The grievance redressal mechanism under the DPDPA is three-fold:
- The first one is via a consent manager to the Data Protection Board of India.
- The second is through the concerned data fiduciary.
- Thirdly, by approaching the Data Protection Board of India. An appeal can be filed with the Telecom Disputes Settlement and Appellate Tribunal against the order of the Board.
The Board shall follow the following steps while deciding the dispute:
- Firstly, the Board shall determine whether there exist sufficient grounds to proceed with an inquiry. If the grounds are insufficient, the Board will close the proceedings after recording its reasons for doing so.
- Upon finding sufficient grounds for inquiry, the Board shall be obligated to determine whether there has been a violation of the Act, rules, or regulations.
- Thereafter, if the Board finds a default, it shall impose a monetary penalty as necessary.
Appeal against the order of Board
An appeal against the order of the Board can be filed within 60 (sixty) days from the date of receipt of the order or direction appealed against to the Appellate Body, i.e., the TDSAT (Telecom Dispute Settlement and Appellate Tribunal). The TDSAT shall expeditiously dispose of the appeal within six months, and if unable to do so, the TDSAT shall record reasons for the same in writing. The TDSAT shall not be bound by the Civil Procedure Code (CPC), 1908, but rather by the principles of natural justice and the provisions of this Act, but it shall have the power of a civil court under the CPC, 1908.
Appeal to the Supreme Court of India
An appeal against an order (other than an interlocutory order) of the TDSAT may be filed with the Supreme Court within ninety days from the date of the decision or order appealed against. Such appeals are subject to the grounds specified in Section 100 of the Code of Civil Procedure, 1908: they must involve a substantial question of law, which may either be stated by the party in the memorandum of appeal or be formulated by the Court itself.
Online portal for public grievance redressal
Grievance redressal under the Centralised Public Grievance Redress and Monitoring System (CPGRAMS) is governed by a nodal agency, the Department of Administrative Reforms and Public Grievances. Its role is to formulate policy guidelines for citizen-centric governance and the redress of citizens’ grievances. This portal is provided by the government to help citizens effectively redress their grievances.
Loopholes in the DPDPA, 2023
Certain loopholes in the Act can lead to disruption of the data protection mechanism; some of such loopholes that need to be addressed are as follows:
- Data storage: There are no clear guidelines on how data fiduciaries may retain or store personal data, which leaves room for potential misuse or data leaks. The government should notify security standards to be adhered to while storing data, requiring that data be stored confidentially and be accessible only to persons holding a passcode.
- Storing consent: The Act lays down no procedure for storing consents, and some mechanism for doing so is needed. For example, the government is establishing a procedure for storing parental consent on the DigiLocker platform, which is expected to be implemented soon.
- Period for data retention: Sub-section (11) of Section 8 stipulates that “a data principal shall be considered as not having approached the data fiduciary for the performance of the specified purpose, in any period during which she has not initiated contact with the data fiduciary for such performance, in person or by way of communication in electronic or physical form.” This leaves ambiguity, as the term “any period” can be misinterpreted. For instance, if an individual uses an application once every year, it is unclear whether the application must collect consent afresh every year or only on the first use. This implies a need for an expiration date for consent in such cases, which may be within the powers of the Data Protection Board of India (DPBI) to clarify case by case.
- Record keeping: The Act has no provision for record keeping, unlike the GDPR, which has provisions for maintaining records of processing activities (ROPA).
- Governmental interference: The government is free to process personal data for various reasons and for an unlimited period. There is a need for an established mechanism or procedure for the state agencies to obtain personal data for prevention, detection, investigation, etc., i.e., there shall be accountability of the governmental organisations. Also, there needs to be maintenance of records of inter-departmental sharing of personal data with them.
- Public data: The Act does not state whether data fiduciaries are free to process publicly available data, nor does it provide guidelines for the use of public data. The fact that the Act does not apply to public data does not mean that one can use such data arbitrarily.
- Procedure for disclosure to another data fiduciary: If personal data has to be transferred, there is a need for establishing a procedure that shall secure the transfer of data from one data fiduciary to another to maintain the security of data during such transfer.
- Procedure for cross-border data transfer: When data travels internationally, there arises a need for a stringent protocol to be adhered to by the data fiduciaries, which is absent in the present DPDPA.
- Missing timeframes: The Act does not provide for timeframes for responding to the requests of Data Principals by the Data Fiduciaries, timeframes for resolving their concerns, timeframes for reporting data breaches, timeframes for the functions of the DPBI, etc.
- Compensation: The Act does not provide for a provision that gives a right to the data principals to claim compensation or a power to the Board to award compensation for data breaches. Also, data privacy is a matter that can affect the mental and emotional condition of an adult as well as a child. Therefore, the Act fails to provide for a provision for compensation on account of a loss of mental well-being. The Act only provides that all the sums procured by way of penalty shall form part of the Consolidated Fund of India. The procedure or ratio for distribution of this fund to the affected data principals needs to be specified by the government.
- Exceptions for start-ups: The penalty for breach of the provisions of this Act by start-ups should be different from that for other entities, rather than start-ups being omitted entirely from the application of some crucial provisions of the Act. The Legislature can set a limit on the penalty for start-ups under the Schedule.
- Missing titles for sections: The sections of the DPDPA carry no titles, whereas other Acts generally have a title for each provision.
- Compliance-based Act: The DPDPA does not have provisions regarding cyberattacks, hackers, ransomware attacks, etc. Since the Information Technology Act, 2000 governs that aspect, the DPDPA is left to be a compliance-based Act.
- Potential gaps in the regulatory framework: Apart from the gaps stated above, several other gaps need to be filled by the Legislature through rules and regulations under the Act.
Penalties under the Act can reach up to INR 250 crore for various data breaches, although the previous draft of the bill had provided for a penalty of up to INR 500 crore. Furthermore, the Act provides only for monetary penalties; there are no provisions for imprisonment.
The K.S. Puttaswamy judgement gave the citizens of India the sword of the right to privacy, and after the DPDPA came into existence, the blunt sword began to acquire its sharpness. It shall be up to the judiciary to sharpen this sword further through its orders and judgements. The sword has to be made sharper because, right now, in the case of a data breach, the most an affected person may get is a detailed notice of the breach concerned. The sword’s capabilities are limited to imposing a monetary penalty on the data breach offender by making them pay a fortune.
The sword needs to be intimidating in this field, as cases of data breaches in India were the second highest globally, according to a report by the digital security firm Gemalto. Some of the major data breaches that occurred recently include the Dominos India cyberattack (May 22nd 2021), resulting in the breach of data relating to 180 million orders; the Air India cyberattack; the State Bank of India cyberattack that exposed the personal and financial data of customers; the Aadhaar attack in early 2018, wherein anonymous sellers on WhatsApp provided unrestricted access to the Aadhaar database; and many more.
Considering these data breaches happening across the country, implementing the sword of privacy is the need of the hour, and the execution of this sword has to start immediately. Looking on the bright side of this Act, one interesting fact of DPDPA is that it acknowledges a person as ‘she’ and ‘her’. This is indeed a heart-warming gesture by the legislature.