Digital Personal Data Protection Act, 2023 (DPDP Act) came into effect on August 11, 2023. The Act, focused on digital personal data, has replaced Section 43A (Compensation to be paid by a body corporate for its failure to protect data) of the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 (SPDI Rules).
The DPDP Act offers clarity on how user data can be used by corporations, ensuring a procedural framework for companies (including startups) on how they must attain and utilize users’ personal data and consent. The Act comes as an effort from the government, to make industries and sectors respect user’s rights and control over their digital data.
The Act promises to bring forward a regulatory framework in a phased manner, but there are bigger questions regarding this concise Act. How does this bill help curb the misuse of individuals’ data by online platforms? And, how do companies prepare themselves to ensure compliance with the said provisions? Here’s a breakdown:
DPDP Act 2023 comes as a new avatar for processing “digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.”
The act includes a set of Data Privacy Principles that organizations must comply with while collecting, storing, and processing personal data. The principles run alongside fair and lawful data processing, data minimization, purpose and storage limitation, accuracy and accountability, security and confidentiality, etc.
It also includes a provision for the importance of obtaining Meaningful Consent from individuals before collecting or processing personal data. This helps them with greater control over their personal data by enabling them to access, modify, or delete data held by organizations.
The Act tackles Cross-border Data Transfers by imposing restrictions on transferring personal data to countries that do not have adequate data protection laws (A notification is yet to be released for the list of countries). However, it allows the use of standard contractual clauses, binding corporate rules, or other approved mechanisms for the lawful transfer of such data.
The DPDP Act 2023 aptly syncs with the saying, “Rome wasn’t built in a day.” The Act comes as a result of a decade-old process and legislative history. Before delving deeper, the businesses that process personal data (“Data Fiduciaries”) need to understand the kind of data they hold before complying with the provisions of the Act. The obligations of Data Fiduciaries are provided under Section 4 of the DPDP Act.
For the purpose of the above, preparation of a data inventory should be the most viable approach. Companies must start conducting a comprehensive Data Inventory exercise. Points to consider here, include the extent and nature of data held, the nature of consent taken at the time of its collection, the rights of the person whose data is being taken, the manner of securing the data, and the relevance of the data.
The next step should be to correlate this data with consent and contact details of the person (“Data Principal”) whose data is being taken for the purpose of this Act.
Thereafter, the company must prepare a systematic consent framework based on the processing practices mentioned in this new Act. The data of users who have remained inactive for a defined period must also be taken into consideration so that they can create a data retention policy. Even in the case of valid consent, an itemized notice should be provided to those whose data continues to be stored or processed for the purpose of the DPDA Act. It is pertinent to note here that the notice has a “retrospective effect”.
This means that for personal data collected even before the Act was rolled out as a bill, Data Fiduciaries shall provide an itemized notice to the Data Principal, describing the nature of personal data and the purpose of processing it in a reasonable time. Please note that the request for consent must be placed in plain and clear language with the contact details of the DPO.
Here, an individual will have the right to withdraw their consent under Section 7 (4) of the DPDP Act. However, the Act additionally qualifies such right by providing consequences of withdrawal, which will be borne by the concerned individual.
The companies must also re-architect their key business processes and implement technological measures to ensure the continued use of data. It can be concluded that these data-related measures must come into play whilst finding a balance between the legal and procedural requirements of the Act.
Interestingly, the DPDP Act also expects organizations to appoint a Data Protection Officer (DPO). The procedure to appoint a DPO is given in Section 10 (2). The concerned person will oversee compliance with data protection regulations and manage data breach incidents. The DPO will act as a contact for the grievance redress mechanism. The process of appointing a DPO is mentioned under Section 10 (2) of the DPDP Act.
The Act also includes the term “consent manager”, assigned to enable an individual to “give, manage, review, and withdraw consent through an accessible, transparent and interoperable platform [Section 7(6)]. A consent manager will act on behalf of the Data Principal, and is required to register with the Data Protection Board of India (DPBI).
Section 33 (1) of the DPDP Act contributes to the Enforcement and Penalties, which empowers the regulatory authority (Data Protection Board of India) to enforce compliance through audits, sanctions, and investigations. However, while determining the monetary penalty for breach, the section provides the following parameters, as mentioned in the Act:
“The nature, gravity, and duration of the breach. The type and nature of the personal data affected by the breach. The repetitive nature of the breach.
Whether the person, as a result of the breach, has realized a gain or avoided any loss. Whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action.
Whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and the likely impact of the imposition of the monetary penalty on the person.”
The Miscellaneous section of the DPDP Act provides for a breach of provisions of the DPDP Act, 2023, a breach in observing the obligations of the Data Fiduciary. This section also provides that no suit, prosecution, or other legal proceedings shall lie against the Central Government, the Board, its Chairperson, or any member, employee, or officer, for anything done or intended to be done in good faith” under the provisions of this Act or the rules made in this Act.
The Schedule attached to this Act reads as under:
S. No | Breach of provisions of this Act or rules made thereunder | Penalty |
1 | A breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent a personal data breach under sub section (5) of section 8 (General obligations of Data Fiduciary) This sub-section means Data Fiduciary is obligated to protect personal data by taking reasonable security safeguards |
May extend to two hundred and fifty crore rupees |
2 | A breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8 This sub-section talks about the intimation of a breach of data to the Board and affected Data Principal |
May extend to two hundred crore rupees. |
3 | Breach in observance of additional obligations in relation to children under section 9 Section 9 requires companies to publish the business contact information of the DPO, and in his absence, a person answerable on behalf of the Data Fiduciary. |
May extend to two hundred crore rupees |
4 | A breach in observance of additional obligations of Significant Data Fiduciary under Section 10. Section 10 gives power to the Central Govt. to identify significant Data Fiduciary who will appoint the DPO, keeping in mind various parameters enshrined under this provision. |
May extend to one hundred and fifty crore rupees. |
5 | Breach in observance of the duties under Section 15 This section talks about the Obligations of the Data Principal |
May extend to ten thousand rupees. |
6 | Breach of any term of voluntary undertaking accepted by the Board under Section 32 This section allows the implementation of Section 28 and the Board can voluntarily undertake the matter |
Up to the extent applicable for the breach in respect of which the proceedings under Section 28 (Powers and Duties of the Board) were instituted. |
7 | Breach of any other provision of this Act or the rules made thereunder | May extend to fifty crore rupees |
Data is an important space. Considering the stringent penalties and a robust legal framework provided under this act, it’s time that organizations gear up to meet the requirements of this act. Interestingly, the Act also offers exemptions to startups to ensure that they have the space to innovate without “undue burden”.