Deciphering The Digital Personal Data Protection Act, 2023

 

(The views expressed here are not to be considered as legal opinion. You may not rely on this article as legal advice. You should reach out to me (chetana@legalcornerllp.com) so as to get legal advice specific to your business needs).

On August 11, 2023, the “Digital Personal Data Protection Act” (the “Act”) came into being as the President officially enacted it after receiving approval from both houses of the Indian Parliament. This momentous development heralds the establishment of a distinct legal framework within India. It signifies a landmark achievement, representing India’s inaugural privacy legislation designed to protect the digital personal data of its citizens. This event shines a spotlight on the introduction and significance of the Data Protection Board of India, the core elements of the Act, and the responsibilities and privileges it imparts to both participatory organizations and individuals.

 

Citizens’ Rights for Personal Data Protection 

The Act empowers the citizens of the country through the following data principal rights:

  • Right to information: Individuals will have the right to seek more information on how their data is processed, and the data fiduciary will make this information available in a clear and understandable way.
  • Right to correction and erasure: Individuals shall have the right to correct inaccurate or incomplete data and erase data that is no longer required for processing.
  • Right to nominate: Individuals can nominate any other individual to exercise these rights in the event of death or incapacity.
  • Right to grievance redressal: Individuals shall have the right to use readily available means of registering grievances with a data fiduciary.

Key Provisions of The Digital Personal Data Protection Act, 2023

Applicability: If digital personal data is processed in India and is either (i) gathered online or (ii) collected offline and converted to digital form, the Act is applicable. If processing is done to provide goods or services in India, it also applies to processing done outside of India. Any information on a person who may be identified from or in connection with that information is referred to as personal data. The term “processing” refers to any fully or partially automated action taken on digitally stored personal data. It comprises gathering, keeping, using, and sharing. 

Consent: Only with the individual’s consent and for a legal purpose may personal data be used. Before requesting consent, notice must be given. Information about the personal data to be gathered and the processing goal should be included in the notice. The ability to withdraw consent is always available. For “legitimate uses”, which include (i) the specific purpose for which data has been willingly submitted by an individual, (ii) the government’s supply of a benefit or service, (iii) a medical emergency, and (iv) employment, consent won’t be necessary. The parent or the legal guardian must give consent on behalf of minors under the age of 18. 

Rights and duties of data principal: A person whose data is being processed (the “data principal”) is entitled to the following rights: (i) information about processing; (ii) deletion of personal data; (iii) designating a substitute for themselves to exercise rights in the case of death or incapacity; and (iv) grievance redressal. Certain obligations will fall on data principals. They may not (i) file a fictitious or baseless complaint, (ii) provide any false information, or (iii) impersonate another individual in certain circumstances. Duty violations are penalized by fines of up to Rs 10,000. 

Obligations of data fiduciaries: The entity responsible for deciding the purpose and method of processing, or “data fiduciary,” is required to (i) take reasonable steps to ensure the accuracy and completeness of the data; (ii) put in place reasonable security measures to prevent a data breach; (iii) notify the Data Protection Board of India and any affected individuals in the event of a breach; and (iv) erase personal data as soon as the purpose has been satisfied and retention is no longer required for legal purposes (storage limitation). Government organizations are exempt from storage restrictions and the data principal’s right to erasure. 

Exemptions: In certain circumstances, the rights of the data principal and the duties of the data fiduciaries (aside from data security) do not apply. These consist of (i) crime prevention and investigation, and (ii) the upholding of legal rights or claims. Certain activities may be exempted by the central government from the Act’s application through notification. These consist of (i) processing by government agencies for the sake of state security and public order, and (ii) gathering information for research, archiving, or statistical purposes.

Data Protection Board of India: The Data Protection Board of India will be established by the central government. The Board’s main duties include (i) enforcing penalties for noncompliance, (ii) directing data fiduciaries to take appropriate action in the event of a data breach, and (iii) listening to grievances brought forth by impacted parties. Members of the board will be appointed for two years with the possibility of reappointment. The number of Board members and the procedure for choosing them will be specified by the central government. 

Penalties: Penalties for various offenses are outlined in the schedule to the Act, including up to (i) Rs 200 crore for failing to fulfill obligations to children and (ii) Rs 250 crore for failing to take security precautions to prevent data breaches. The Board will impose penalties following an investigation. 

Importance of The Digital Personal Data Protection Act, 2023 

The enactment of the Digital Personal Data Protection Act of 2023 in India marks a significant milestone in the realm of data privacy and protection. This legislation not only establishes a robust legal framework but also underscores the nation’s commitment to safeguarding the personal data of its citizens. With its comprehensive provisions, the Act empowers individuals by granting them certain fundamental rights in the digital landscape. 

Under this Act, citizens are endowed with crucial rights that give them control over their personal data. These rights include the right to seek information about how their data is processed, the right to rectify inaccurate or incomplete data, and the right to erase data that is no longer necessary for processing. Furthermore, individuals can nominate trusted representatives to act on their behalf in case of incapacity or demise, ensuring the continued protection of their data. The Act also facilitates the grievance redressal process, allowing individuals to voice their concerns and seek resolution through accessible means. 

Consent plays a pivotal role in data processing under this legislation. Personal data can only be processed with the individual’s explicit consent and for a lawful purpose. The Act mandates the provision of prior notice to individuals, detailing the data to be collected and the purpose of processing. Importantly, individuals have the right to withdraw their consent at any time. However, there are exceptions for legitimate uses, such as data submitted voluntarily, government services, medical emergencies, and employment, where consent may not be required. For minors under the age of 18, parental or legal guardian consent is mandatory. 

In conclusion, the Digital Personal Data Protection Act of 2023 ushers in India’s new era of data protection, compelling organizations to safeguard sensitive data with the utmost diligence. Compliance with this legislation is not only a legal obligation but also a moral imperative, as it upholds the fundamental rights of individuals in an increasingly digitized world. This Act underscores India’s commitment to data privacy and is a significant step towards ensuring the security and integrity of personal information for its citizens. 

 

We are well experienced in handling legal issues pertinent to tax filings and wealth management. Please email me at chetana@legalcornerllp.com to get a nuanced understanding of your legal issues or if you wish to set up a free consultation.