
Update: the passage of the Digital Personal Data Protection Act of 2023

September 1, 2023


On August 11, 2023, the Digital Personal Data Protection Act received presidential assent and was notified in the Gazette. India now has a dedicated legal regime for personal data protection and has moved away from the limited framework under section 43A of the IT Act. The objective of the law is to regulate the processing of digital personal data for lawful purposes while recognising individual rights.

This Act is the final version of the draft Digital Personal Data Protection Bill released in November 2022, on which we had submitted our feedback (see here). The final Act aligns with several of our suggestions, including: (a) greater flexibility in applying the protections for children’s data, (b) removing default data localisation or mirroring requirements, and (c) avoiding ‘whitelisting’ of countries.

The Act is available here. An overview of the Act is below.

Scope

  • The Act applies to personal data that is in digital form, or data that was collected non-digitally and has subsequently been digitised. It also applies to the processing of personal data outside India if that processing relates to any activity of offering goods and services in India.

  • The Act does not apply to personal data that is collected and processed for personal or domestic purposes, or that is made publicly available either directly by the individual or by any other person who does so under a legal obligation.

Key definitions

  • Personal Data: any data about an individual who is identifiable by or in relation to such data.

  • Processing: a wholly or partly automated operation or set of operations performed on digital personal data, including operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

  • Data Fiduciary: the person who decides the “purposes and means” of processing.

  • Data Processor: the person who carries out processing on behalf of the Data Fiduciary.

  • Data Principal: the individual to whom the personal data relates. In the case of children or persons with disability, the term also covers their parents or lawful guardians, respectively.

Obligations

  • The Act does not impose any direct obligations on Data Processors. Data Fiduciaries are primarily responsible for all processing undertaken by Data Processors on their behalf.

  • Personal data may be processed for lawful purposes, either on the basis of consent or for certain legitimate uses (outlined in section 7). When relying on consent, Data Fiduciaries must follow the obligations in sections 5 and 6 regarding notice and consent.

  • The Act recognises the concept of a Consent Manager that acts on behalf of Data Principals. Consent Managers will be expected to register with the Data Protection Board set up under the Act.

  • Section 7 allows processing of personal data if it was provided voluntarily by the Data Principal without express revocation of consent, for employment purposes, for medical emergencies, etc.

  • The Act also requires Data Fiduciaries to ensure, when certain conditions are met, that personal data is kept accurate and complete (accuracy principle) and is erased rather than retained.

  • Data Fiduciaries must ensure that technical and organisational measures are in place to comply with the Act, and that reasonable security safeguards are in place to prevent personal data breaches. Data Fiduciaries are also required to report breaches to the Board and to the affected individuals.

  • The processing of children’s personal data requires verifiable parental consent. The Act prohibits behavioural monitoring of children and targeted advertising directed at them. The Central Government has the power to exempt certain Data Fiduciaries from these obligations, and to notify a lower age of consent for certain Data Fiduciaries, which will then be exempt from these obligations.

  • The Central Government may notify certain Data Fiduciaries as significant. These will then have to meet additional obligations, such as appointing a Data Protection Officer, conducting Data Protection Impact Assessments and undergoing periodic audits.

Rights and duties of data principals

  • The Act gives Data Principals the right to request information about their personal data, including a summary of it, the processing activities, and all the Data Processors with whom their personal data is shared. They can also ask Data Fiduciaries to correct or delete their data, and nominate someone to act on their behalf in case of death or incapacity.

  • Data Fiduciaries must provide accessible grievance redressal mechanisms for Data Principals. The Act emphasises that Data Principals should exhaust these options before approaching the Data Protection Board (“DPB”).

  • Data Principals also have certain duties: among others, they must provide verifiably authentic information when seeking data erasure, and must not impersonate others or withhold information when applying for state documents or proofs.

Restrictions on outbound transfers

  • Section 16 empowers the Central Government to restrict transfers of personal data to specific countries, as notified. Additionally, if any other Indian law provides stronger safeguards or restrictions on transfers of personal data outside India by Data Fiduciaries, that law will take precedence.

Exemptions

  • The Central Government can exempt specific Data Fiduciaries from the Act while retaining the obligation to maintain reasonable security safeguards under section 17(1). This exemption covers, among other cases, processing the personal data of individuals outside India under a contract between an entity outside India and an entity in India, and processing for crime prevention or law enforcement.

  • The Act exempts processing carried out in the interest of state sovereignty or security by any notified state instrumentality, and processing for research or statistical purposes where no decision about an individual is involved, subject to standards prescribed in the rules.

  • The Central Government can, by notification, exempt Data Fiduciaries, including startups, from obligations such as data retention, accuracy and notice, based on the volume and nature of personal data they process. It can also exempt certain state instrumentalities from the retention, erasure and correction obligations when the personal data is not being processed to make a decision about an individual.

Data Protection Board of India and the Appellate Tribunal

  • The Act establishes the DPB as an independent body to inquire into, and impose penalties in relation to, personal data breaches reported to it, complaints from Data Principals, and references from the Central or State Governments. It will also register Consent Managers.

  • The Board will operate as a digital office and adopt techno-legal methods to ensure it is “digital by design”. It has been granted the powers of a civil court.

  • The Act designates the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) as the appellate authority. Appeals to the TDSAT must be filed within 60 days of the Board's decision.

  • The Board can opt for mediation to resolve disputes and has the authority to accept voluntary undertakings during proceedings. Acceptance of such an undertaking bars further proceedings on the matter, but if its terms are violated, the Board can impose a penalty.

Penalties and enforcement

  • The Board has the power to impose monetary penalties in case of breach, as specified in the Schedule to the Act. Section 33(2) lists the factors to be considered in determining penalty amounts.

  • The Board can ask the Central Government to issue a blocking order against an intermediary (as defined in the IT Act) if two or more penalties are in place against the intermediary and the order is in the interest of the public. This is done after giving the intermediary an opportunity to be heard.

For more information, kindly write to varun@nasscom.in or priyanshi@nasscom.in with a copy to policy@nasscom.in



