Compliance: Digital Personal Data Protection Act, 2023
OVERVIEW OF THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
- Scope of the DPDP Act, 2023
- The DPDP Act 2023 concentrates on regulating personal data (“PD”) without establishing tiers of PD (such as sensitive PD or critical PD).
- Personal data is defined as ‘any data about an individual who is identifiable by or in relation to such data’. Moreover, ‘processing’ has been defined as ‘a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction’.
- The DPDP Act of 2023 applies to the processing of digital PD, which is defined as PD in digital form. In particular, the DPDP Act 2023 will regulate certain processing activities that occur in India. It will also govern the extraterritorial processing of digital PD if such processing is performed in connection with offering products or services to Indian data principals.
- The DPDP Act 2023 will not apply when PD is made or caused to be made publicly available on the basis of a legal obligation by the data principal or any other person – a criterion that was absent from the DPDP Bill 2022.
- Key Definitions
- “Data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;
- “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
- “Data Principal” means the individual to whom the personal data relates and where such individual is—
- a child, includes the parents or lawful guardian of such a child;
- a person with disability, includes her lawful guardian, acting on her behalf;
- “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;
- “Data Protection Officer” means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10;
- “Personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
- International Data Transfers
- The Central Government can restrict the transmission of PD by a data fiduciary to any country or territory outside India through a notification. This “blacklist” approach represents a significant departure from the DPDP Bill 2022, in which transmission was permitted only to countries designated by the Central Government.
- Notably, the DPDP Act 2023 clarifies that if any other existing Indian law regulates the transfer of PD outside India to a greater extent, then that law will continue to apply. This clarification may accommodate existing sectoral statutes containing restrictions on cross-border data transfer, such as the Reserve Bank of India’s data localisation mandate.
- Consent and Notification Obligations
- Consent remains the primary justification for processing PD. The DPDP Act 2023 specifies a strict consent standard. In other words, consent must be a free, specific, informed, unconditional, and unambiguous indication of the data principal’s wishes, given through a distinct affirmative action.
- The consent and notice requirements are as follows:
- Every consent request should be accompanied by a notice from a data fiduciary. A notice must include information on how a data principal may exercise their right to withdraw consent and their right to grievance redressal, as well as how they may submit a complaint with the Data Protection Board (“Board”), as prescribed by the Central Government. The DPDP Act 2023 introduces the requirement of providing such additional information and the central government’s prescription of formats for such notices.
- A similar notice should be provided as soon as “reasonably practicable” for processing PD for which assent was obtained before the DPDP Act 2023 took effect. The statute does not stipulate a lookback period for this exercise. The DPDP Act 2023 clarifies, however, that data fiduciaries may continue to process PD until a data principal withdraws assent.
- A notice must be given each time consent is sought, and a fresh notice must be provided where processing has previously been consented to. Allowing these notices to be received, and consents to be managed, through the framework of consent managers (which has been retained in the Act) may help mitigate some of the consent fatigue that may result from this requirement.
- Data fiduciaries can continue to process data for which consent was collected prior to enactment of the Act by providing notice in the prescribed form. In a move that will be welcomed by businesses, the Act clarifies that data fiduciaries may continue to process personal data until the data principal withdraws consent.
- Modify the user interface across services to integrate consent management tools that manage the data principal’s consent and declare the various purposes of data processing.
- Maintain a record of the details captured when consent is taken (name of the consenting entity, timestamp, version of the application, etc.).
- Legitimate Uses
- The DPDP Act 2023 reexamines the ‘deemed consent’ concept proposed by the DPDP Bill 2022. In accordance with the DPDP Act of 2023, a data fiduciary may process the PD of a data principal without their authorization for certain “legitimate uses.” These include:
- for specified purposes, when a data principal voluntarily provides their PD to a data fiduciary and has not indicated that they do not consent to the use of their PD;
- For purposes of employment or for safeguarding an employer from loss or liability. The use of the phrase “safeguarding an employer from loss or liability” is new to the DPDP Act 2023, however, it continues to relate to incidents such as corporate espionage and safeguarding proprietary rights.
- for fulfilling an existing legal obligation on a person to disclose information to the State (as defined under Article 12 of the Indian Constitution) or its instrumentalities. This is, however, subject to the processing being in accordance with information disclosure requirements under any other law in force.
- Responding to a medical health emergency involving a threat to life or immediate threat to health
- Ensuring safety or providing assistance during any disaster or breakdown of public order.
- Compliance with any legal order or judgment.
- Data principals must still be informed of the specific purpose for which their data is processed.
- Undertaking a data mapping exercise to determine the categories and purposes of processing of past, present and potential employees’ data is good practice. Businesses should then demarcate which purposes are related to employment and which purposes require consent for processing.
- Businesses should provide a readily available grievance redressal mechanism, as well as a portal allowing data principals to nominate a representative in case of their death or incapacity.
- Responsibilities of Data Fiduciaries
- A data fiduciary is primarily responsible for ensuring compliance with the law for any processing performed by it or on its behalf by a data processor. As part of this, the DPDP Act 2023 imposes certain erasure requirements on data fiduciaries. The law specifies the circumstances under which every data fiduciary must delete PD, such as when it is reasonable to presume that a specified purpose is no longer being served.
- New to the DPDP Act 2023 is the ability for the Central Government to prescribe time periods for various classes of data fiduciaries to determine when such a purpose is no longer considered to be served.
- The DPDP Act 2023 additionally imposes PD breach reporting requirements on a data fiduciary. The law broadly defines ‘PD breach’ to include any ‘unauthorised processing’ or ‘accidental disclosure’ of PD that compromises the confidentiality, integrity, or availability of PD.
- Processing Children’s PD
- The DPDP Act 2023 continues to define ‘child’ as a person who has not reached the age of majority in India, which is 18 years old.
- Before processing PD belonging to a child, or to a person with a disability who has a lawful guardian, data fiduciaries are required to obtain verifiable consent from the parent or lawful guardian. The requirement to acquire verifiable consent on behalf of a person with a disability is new to the DPDP Act 2023.
- In addition, data fiduciaries are prohibited from tracing or monitoring children’s behaviour or targeting them with advertising. They are also prohibited from processing PD that is likely to have a negative impact on the well-being of a child.
- The government may, however, exempt certain classes of data fiduciaries from the obligations regarding verifiable consent and tracking/monitoring/targeted advertising, subject to any conditions it may prescribe.
- In addition, by way of a new provision, the Central Government is empowered to notify the age above which certain data fiduciaries will be exempt from these obligations, if it is satisfied that the processing of children’s PD is conducted in a ‘verifiably secure’ manner by a data fiduciary.
- Obligations of Significant Data Fiduciaries (“SDFs”)
- The law continues to recognise an “SDF” as a special category of data fiduciary, as designated by the central government based on a number of criteria. In accordance with the law, SDFs are required to (a) conduct periodic audits, (b) conduct data protection impact assessments, and (c) appoint an independent data auditor and a data protection officer. A ‘data protection officer’ should be domiciled in India and answerable to the SDF’s Board of Directors / relevant governing body. In addition, they must serve as the point of contact for the SDF’s grievance resolution mechanism.
- Data Processor Duties
- The DPDP Act 2023 imposes no obligations explicitly on data processors. This is a departure from the DPDP Bill 2022, which required data processors to implement appropriate technical and organisational measures to comply with the law and imposed PD breach reporting requirements on them.
- However, as stated previously, a data fiduciary is required to ensure compliance with the law, including when a data processor processes data on its behalf. As part of this, data fiduciaries must ensure that data processors cease processing PD when consent is withdrawn, delete PD when a processing activity is complete, and safeguard PD in their possession or control. It is probable that data fiduciaries will contractually transfer such responsibilities to data processors.
- Further Exemptions
- For the processing of PD in BPO operations, that is, where the PD of non-Indian data principals is processed pursuant to a contract with a non-Indian party by a person located in India, exemptions have been granted from the requirements relating to the obligations of a data fiduciary, the rights of a data principal, and cross-border data transfers.
- The DPDP Act 2023 extends these exemptions to processing activities for a scheme of compromise or arrangement, merger or amalgamation of two or more companies, etc., as approved by the relevant authorities, or for determining a debtor’s financial information and assets and liabilities.
- The State and its instrumentalities have extensive exemptions from the DPDP Act 2023’s obligations, including a general exemption that may be granted to any notified instrumentality for reasons such as national security and public order.
- In addition, the Central Government may exempt certain data fiduciaries (or classes of data fiduciaries), such as startups, from certain provisions of the law. Within 5 years of the law’s enactment, it may also notify any provision(s) that will not apply to certain data fiduciaries (or classes of data fiduciaries) for a specified period.
- Rights of a Data Principal
- Key rights granted to data principals in earlier drafts of the DPDP Act 2023 (with the exception of the right to data portability) have been retained. For instance, data principals have the right to:
(a) access information about their PD processed by a data fiduciary to whom consent has been given or where consent is assumed;
(b) seek correction, completion, update, or erasure (under certain circumstances) of PD; and
(c) avail of grievance redressal within timelines to be prescribed by the Central Government, including escalation to the Board. Some of these rights may be circumscribed when processing is conducted on the basis of a ‘legitimate use’.
- Consent Managers
- The DPDP Act 2023 introduces the concept of “consent managers,” which are envisioned as a single point of contact for data principals to give, withdraw, and otherwise manage their consent via an “accessible, transparent, and interoperable” platform. A consent manager must be registered with the Board and answerable to the data principal. Consent managers may also file complaints with the Board on behalf of the data principal, and may be investigated by the Board if any of their registration conditions are breached.
- Data Protection Board
- The Board’s responsibilities include:
(a) investigating PD violations and directing urgent remedial or mitigation measures in such cases;
(b) investigating and imposing penalties in the event of a person’s noncompliance with the law; and
(c) issuing binding directives to any person for the effective discharge of its functions under the law.
However, the Board lacks the authority to enact subordinate legislation under the DPDP Act of 2023.
- The DPDP Act of 2023 contains a comprehensive appeals mechanism. Those who are dissatisfied with any order or direction issued by the Board may submit an appeal with the Telecom Disputes Settlement and Appellate Tribunal and, if necessary, the Supreme Court within specified time frames.
- Authority of the Central Government
- The DPDP Act 2023 grants the Central Government the authority to issue notifications and establish regulations. This leaves a significant portion of the law to be specified in subordinate legislation. In addition, the Central Government may direct the Board or any intermediary (as defined by the Information Technology Act of 2000) to provide any information to it for the purposes of the law.
Upon receiving a reference from the Board, the Central Government may also issue a blocking order to a government agency or intermediary to prevent a data fiduciary from offering products or services to data principals within India. Both of these Central Government authorities are new to the DPDP Act 2023.
- Voluntary Commitments & Penalties
- Any person subject to proceedings before the Board for noncompliance with the DPDP Act of 2023 may provide a voluntary undertaking to rectify the violation. Acceptance of a voluntary undertaking by the Board precludes further proceedings under the DPDP Act of 2023 regarding the contents of the voluntary undertaking. The DPDP Act 2023 now specifies that a violation of a voluntary agreement will be considered a violation of the law itself.
- In the event of noncompliance, the DPDP Act of 2023 provides for a civil penalty regime. The penalties specified in the Schedule range from INR 10,000 to INR 250 crore. These are consistent with the penalties envisioned by the DPDP Bill 2022, with the addition of a penalty for violation of a Board-accepted voluntary undertaking.
Information Technology Act Compliance
The Information Technology Act came into force in the year 2000 and was substantially amended in 2008.
- The Information Technology (Amendment) Act, 2008 covered definitions of various offences, data protection and privacy in India.
- Established a self-regulatory framework
- Mandated reasonable security practices and procedures
- Articulated the category of sensitive personal data or information
Such a policy shall be published on the website of the body corporate or of any person acting on its behalf.
- E-Contracts and Legal vetting of web content
We provide vetting of all types of agreements, and our firm has been doing the same for many banks and IT companies.
- Reasonable Security Practices & Procedures, Data Protection and Privacy
It is mandatory under the Information Technology Act to follow reasonable security practices, as follows:
A body corporate, or a person on its behalf, shall be considered to have complied with reasonable security practices and procedures if it has implemented such security practices and standards and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures.
EU General Data Protection Regulation Compliance (GDPR) and Training to Body Corporates.
What is the GDPR?
- The GDPR is a regulation enacted by the European Parliament and the Council of the European Union (EU);
- It applies to the protection of EU data subjects’ personal data, such as name, last name, phone number, passport number, social security number (or equivalent), impacting elements such as;
- It provides significant penalties for infringements, including fines of up to EUR 20 million or 4% of worldwide annual turnover (whichever is higher) for the most serious breaches;
- It grants individuals the right to compensation for violations of the GDPR;
- Data protection authorities have enhanced powers to enforce compliance with the new requirements by entities subject to the GDPR, including the power to prohibit certain data processing activities.