India’s journey towards robust data protection and privacy regulation reached a significant milestone with the enactment of the Digital Personal Data Protection Act 2023 (DPDP). This transformative legislation, approved by the President and published on August 11, 2023, marks a crucial moment in India’s digital evolution. The DPDP Act is designed to safeguard digital personal data, whether collected online or offline and later digitized. In this article, we explore the DPDP Act, its key provisions, objectives, and its implications for businesses in India’s evolving digital landscape.
To understand the significance of the DPDP Act, it’s essential to consider India’s path towards safeguarding personal data. This journey gained momentum following the landmark case of K.S. Puttaswamy v. Union of India, where the Supreme Court unanimously declared the Right to Privacy a Fundamental Right. This set the stage for national data protection and privacy laws. While previous data protection bills faced obstacles, the DPDP Act achieved a breakthrough in July 2023, swiftly progressing through Parliament, marking a historic moment.
1. What kind of Data is protected?
The primary goal of the DPDP Act is to protect all forms of digital personal data. The Act defines personal data as “any data about an individual who is identifiable by or in relation to such data”. It covers personal data gathered through digital or online platforms as well as personal data initially collected offline and later converted into digital form. The Act also aims to regulate data collected in India but processed outside the country.
2. Consent Defined
Data fiduciaries are obliged to seek the consent of data principals for the collection and processing of their personal data, yet there are specific circumstances where this requirement may not apply. These exceptions pertain to instances classified as “legitimate use,” which encompass scenarios involving government actions, medical emergencies, or matters related to employment. In such cases, obtaining explicit consent may not be mandated under the provisions of the Act.
“Data Principal” means the individual to whom the personal data relates; in simpler terms, a data principal is the owner of the personal data.
a. Rights of DP
The DPDP Act confers significant rights upon data principals concerning the handling of their personal data:
Right to Inquire: Data principals have the right to inquire about how their data has been processed, offering them transparency and insight into the utilization of their personal information.
Right to Withdraw Consent: Data principals possess the authority to revoke their consent at any given moment, providing them with control over the use of their data.
Right to Data Correction: Data principals have the prerogative to request corrections and amendments to the data they have provided, ensuring its accuracy and relevance.
Nomination of Representatives: In cases of incapacity or unfortunate circumstances like death, data principals can nominate a trusted individual to manage their data, safeguarding their interests.
Grievance Redressal: Data principals have the right to seek redressal if their data is mishandled or processed inappropriately, ensuring that their concerns are addressed and rectified in accordance with the law.
b. Duties of DP
The DPDP Act delineates specific duties for data principals as follows:
Truthful Complaints: Data principals are expected not to file unfounded or frivolous complaints in matters concerning personal data.
Veracity of Information: It is imperative that data principals refrain from providing false information or assuming another person’s identity in any context. Failure to adhere to these responsibilities may result in penalties of up to Rs. 10,000.
A data fiduciary is defined as “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”. In simple terms, anyone collecting personal data falls under the category of a ‘data fiduciary’ within the context of the DPDP Act. The duties outlined are as follows:
Ensure data security: The Act requires data fiduciaries to take reasonable security safeguards to protect the personal data they hold. Data fiduciaries must promptly notify the Data Protection Board of India of any data breach.
Adherence to storage limitation: Data fiduciaries must erase collected personal data once the purpose for which it was collected has been served. Note that this principle does not apply to government institutions.
The DPDP Act paves the way for the establishment of a pivotal authority known as the Data Protection Board of India. This board assumes a crucial role in the adjudication and enforcement of the DPDP Act across the nation.
Foremost among its powers is the authority to block access to intermediaries that violate the provisions laid out in the DPDP Act. This signifies a significant step towards holding intermediaries accountable for their actions in the digital realm.
Despite its status as a landmark piece of legislation, the DPDP Act is not without drawbacks. The regulation has given rise to several noteworthy concerns, which we explore in greater detail below:
1. Expansive Government Power: While the Act acknowledges legitimate reasons for the government to access certain data for public interest purposes, critics argue that it should incorporate stronger safeguards to prevent potential misuse or overreach of government powers in collecting and processing personal data.
2. Weak notice provision: The DPDP Act’s notice provision is criticized for lacking transparency. Data fiduciaries are not required to inform users about data sharing with third parties, leaving individuals unaware of how their data is used and potentially undermining privacy.
The Digital Personal Data Protection Act (DPDP) will affect companies across sectors. Its impact will likely differ from business to business depending on size, industry, and existing data protection practices, but here is a general overview:
Resource Intensity: DPDP compliance demands ongoing efforts in terms of data protection and cybersecurity. Companies must allocate resources for staff training, audits, and assessments, diverting attention and resources from other critical business activities.
Data Audit and Mapping: Companies will need to conduct comprehensive data audits to identify the types of personal data they collect, process, and store. This can be a resource-intensive process, but it is essential for compliance.
Supply Chain Implications: Businesses will need to assess their relationships with vendors and suppliers who handle personal data on their behalf. Ensuring that these partners also comply with DPDP is essential to avoid liability.
Impact on Startups: Startups, which often rely on collecting and processing user data for business growth, may face hurdles in complying with DPDP due to limited resources.
Legal Preparedness: Companies may need to review and possibly revise their contracts, terms of service, and privacy policies to align with DPDP requirements, which can involve legal costs.
Compliance Costs: Companies will incur substantial costs to comply with DPDP. These include employee training, legal document revisions, website and policy adaptations, audits, and data mapping.
The Digital Personal Data Protection Act of 2023 in India is a significant step forward in terms of data protection and privacy regulations. Furthermore, the DPDP Act holds significant implications for the business landscape. Companies will grapple with the intricacies of compliance, encompassing financial burdens and operational adjustments. Nonetheless, embracing rigorous data protection measures can bestow a competitive advantage by cultivating customer trust and ensuring alignment with global standards. The challenge lies in striking a harmonious balance as businesses evolve within the ever-changing data protection landscape.