As organisations move more of their operations online, monitoring digital activity and complying with cyber laws have become essential.
The Digital Personal Data Protection Act, first introduced as a bill in 2019, is an important piece of legislation that protects people’s right to privacy. Its goal is to regulate how personal data is collected, stored, processed, and transferred online. The DPDP Bill underwent 81 revisions after it was introduced before being enacted in its current form.
With a fundamental emphasis on privacy and security, the DPDP Act sets out a comprehensive framework for addressing the challenges that data processing poses in the digital era. The principal provisions of the DPDP Act, 2023 are as follows:
Definitions in the DPDP Act bear resemblance to concepts found in the EU’s GDPR framework, yet there are nuances in terminologies.
a) Data fiduciary
This entity, independently or collaboratively, determines the purpose and methods of processing personal data (akin to a data controller). The government can designate certain data fiduciaries as ‘significant data fiduciaries’ (SDFs). Criteria for this classification include the nature of processing (like volume and sensitivity of data) and broader societal concerns (such as impact on India’s sovereignty, electoral democracy, security, and public order). SDFs have heightened compliance obligations.
b) Data principal
Individuals whose personal data is collected and processed (similar to data subjects under the GDPR).
c) Data processor
An entity that processes digital personal data on behalf of a data fiduciary.
d) Consent manager
Registered with the Data Protection Board, a consent manager serves as a single point of contact for data principals, enabling them to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
Applicability
The DPDP Act applies to all personal data processed within India, whether it was collected online or collected offline and subsequently digitised. It also extends to the processing of digital personal data outside India where that processing relates to offering goods or services to individuals within Indian territory.
Personal data breach
A personal data breach is any unauthorised processing of personal data, or any unintended disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises its confidentiality, integrity, or availability.
Establishment of a Data Protection Board
The Data Protection Board, functioning as a neutral adjudicatory body, will address privacy-related grievances and disputes among the parties concerned. As an independent regulator, it has the authority to determine instances of non-compliance with the Act and to impose appropriate penalties.
The appointment of the Data Protection Board’s chairperson and members will be overseen by the central government, which is expected to ensure a transparent and fair selection process. An appellate body will also be established so that affected parties can challenge the Board’s decisions.
This appellate function may be assigned to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which would then adjudicate data protection disputes and hear appeals against the Data Protection Board’s rulings.
Consent From Each Individual To Use Data And Data Principal Rights
Under the new rules, personal data may be used and processed only with the explicit consent of the individual, except in cases relating to national security or law and order, where alternative legal grounds may apply.
As to data principal rights, individuals retain the rights to access information about their data, to have it corrected or erased, and to have grievances redressed. They may also nominate another person to exercise these rights on their behalf in the event of incapacity or death. However, the timeline for implementing grievance redressal and data principal rights has not yet been specified.
Additional responsibilities of SDFs
Significant data fiduciaries (SDFs), designated on the basis of the volume and sensitivity of the data they handle, carry additional obligations under the DPDP Act. Each SDF must appoint a Data Protection Officer (DPO) responsible for addressing the queries and concerns raised by data principals, the individuals whose data is collected and processed.
Regarding cross-border transfers, the DPDP Act allows data fiduciaries to transfer personal data for processing to any country or territory outside India. However, the central government retains the authority to restrict transfers to specified countries or territories by notification.
Such restrictions will be formulated after evaluating the relevant factors and setting the terms and conditions needed to ensure that data protection standards are preserved when data is processed abroad.
Voluntary Commitment
The Data Protection Board may accept a voluntary undertaking from any data fiduciary, at any stage of complaint proceedings, to comply with the DPDP Act’s requirements. Such an undertaking may commit the party to take, or refrain from taking, specific actions. If it deems necessary, the Board may also modify the terms of the undertaking.
The undertaking acts as a legal safeguard: no proceedings may be brought in respect of its subject matter unless the data fiduciary fails to comply with its terms. Non-compliance with those terms is treated as a breach of the DPDP Act, for which the Board may impose penalties. The Board may also choose to make the undertaking public.
Penalties for Non-Compliance
Data fiduciaries that fail to comply with the Act’s provisions face penalties of up to INR 2.5 billion. The penalty ceilings for specific violations are:
a) Up to INR 10,000 for a data principal’s breach of their duties under the Act.
b) Up to INR 2.5 billion for failing to implement reasonable security safeguards to prevent personal data breaches.
c) Up to INR 2 billion for failing to notify the Data Protection Board and affected data principals of a personal data breach.
d) Up to INR 2 billion for contravening the additional obligations concerning children’s data.
e) Up to INR 1.5 billion for failing to comply with significant data fiduciary obligations.
f) Up to INR 500 million for violating any other provision of the DPDP Act, 2023 or the rules made under it.
Alternative Disclosure Procedure
This mechanism allows a complaint between two parties to be resolved through mediation rather than formal adjudication.
Contradiction with Current Laws
The provisions of the DPDP Act are intended to complement, not override, existing laws. Where a provision of this Act conflicts with another law in force, however, the provision of this Act prevails to the extent of that inconsistency.