DPDP Act 2023

THE DIGITAL PERSONAL DATA PROTECTION (DPDP) ACT, 2023

THE DPDP ACT IS INDIA'S FIRST DATA PROTECTION ACT, AND IT ESTABLISHES A FRAMEWORK FOR THE PROCESSING OF PERSONAL DATA IN INDIA.

The Digital Personal Data Protection (DPDP) Act aims to create a framework that respects individuals' right to safeguard their personal data while acknowledging the need for lawful data processing. At a time when technology has become the defining paradigm of the 21st century, India's data protection regulation underscores the nation's focus on building a strong data privacy regime. Building a strong privacy governance program is not only a reputational and business risk requirement but also an integral part of building a transparent and sustainable organization for the future. The DPDP Act, 2023 applies to the processing of digital personal data within the territory of India, whether collected online or collected offline and later digitized. It also applies to the processing of digital personal data outside the territory of India if that processing involves offering goods or services to data principals within the territory of India.

SIGNIFICANT DATA FIDUCIARY (SDF)

The DPDP Act underlines the role of the significant data fiduciary (SDF), which the government will identify based on the volume and sensitivity of the personal data processed and the associated risk. The specific obligations of an SDF include appointing a data protection officer (DPO) based in India, appointing an independent data auditor, and conducting a data protection impact assessment (DPIA).

CITIZENS' RIGHTS

The Act will empower the citizens of the country, as the data principal rights specifically allow:

1. Right to information: Individuals will have the right to seek more information on how their data is processed, and the data fiduciary must make this information available in a clear and understandable way.

2. Right to correction and erasure: Individuals shall have the right to correct inaccurate or incomplete data and to erase data that is no longer required for processing.

3. Right to grievance redressal: Individuals will have the right to use readily available means of registering a grievance with a data fiduciary.

4. Right to nominate: Individuals can nominate any other individual to exercise these rights in the event of death or incapacity.

PENALTIES

At present, no timeline has been prescribed for implementing the grievance redressal and data principal rights. Another salient feature of the DPDP Act is the penalty clause. Penalties for non-compliance with the provisions by data fiduciaries go up to INR250 crore. Some of these are:

·       Breach of a data principal's duties: up to INR10,000

·       Failure to notify the Data Protection Board and affected data principals in the event of a personal data breach: up to INR200 crore

·       Breach of the additional obligations in relation to children: up to INR200 crore

Exclusions

In the act, non-automated personal data, offline personal data, and personal data in existence for at least 100 years have been excluded. The maximum limit of INR500 crore for penalties has been removed. At present, the provision for grievance redressal review is not included. The timeline of 72 hours within which a data breach is to be reported to authorities is excluded. 

Sectors impacted

The Act is expected to have an impact on the majority of organizational areas, including legal, IT, human resources, sales and marketing, procurement, finance, and information security, because of the type and volume of personal data that is collected, stored, processed, retained, and disposed of in India. Hence, organizations in these and related sectors must develop a strong data privacy and protection implementation program in view of the DPDP Act, 2023.

The novel concept of deemed consent, introduced in the Bill, can be significant.


How DPDP Act will impact e-commerce businesses

The DPDP Act is a significant step forward for data protection in India. This act is a step towards showcasing India's dedication to fostering a secure and trustworthy environment for both its citizens and rm

Data Protection Law In India: Analysis Of DPDP Act, 2023 For Businesses – Part I

1. Introduction

On August 11, 2023, India notified the Digital Personal Data Protection Act, 2023 (DPDP Act), paving the way for new digital personal data processing norms. DPDP Act primarily aims to provide statutory recognition to some aspects of informational privacy, while balancing the need to process personal data on lawful grounds. With 44 provisions and a Schedule on penalties, the DPDP Act does not have a sunrise provision and is likely to be implemented in a phased manner, through separate notifications in the Official Gazette. Upon implementation, Section 43A of the Information Technology Act and its corresponding rules, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 (SPDI Rules) will be omitted. Other applicable data processing regulations including sectoral ones will continue to apply, provided they do not conflict with the DPDP Act. It also provides for the creation of an independent regulator - the Data Protection Board of India (DPBI), which shall be responsible for implementation, inquiry, and adjudication under the DPDP Act. Different provisions of the DPDP Act are focused on time-tested fundamental principles of data processing, and detailing has been left to rule-making.

2. Who and what is covered under the DPDP Act?

DPDP Act's application is simplified. Subject to exemptions, the DPDP Act applies to Data Fiduciaries and Data Processors processing digital personal data within, or outside India in certain situations. Key associated concepts and analysis are below:

  • Digital personal data (PD) is any structured representation of information, facts, concepts, opinions, or instructions in digital form about a natural person (Data Principal) who is identified or identifiable using such data. It includes PD that was collected in digital form, and non-digital data sets that have subsequently been digitized. Since pseudonymized data can be combined with identifiers to identify the Data Principal, it is PD and is covered under the DPDP Act. It also follows that (i) PD kept in physical forms such as filing systems, (ii) anonymized data, and (iii) non-personal data are outside the purview. Further, the DPDP Act's application does not depend on whether PD is sensitive (health, financial, biometric, etc.), although sensitivity may be a relevant consideration for the classification of Data Fiduciaries and the levying of penalties. As of today, the SPDI Rules focus on sensitive personal data processing, and thus many organizations that do not deal with sensitive data continue to process PD flexibly according to practical business needs. With the implementation of the DPDP Act, any organization processing any PD will be required to understand and comply with the DPDP Act.

  • Processing refers to fully or partially "automated" operations performed on PD and will include the entire data processing lifecycle, from collection to destruction. Automated is defined as any digital processing of data that is capable of operating automatically in response to instructions given, or otherwise. So, semi-automated processing will be covered, and only non-automated processes are excluded.

  • Territorial nexus: Where any person (natural or juristic) processes PD within India, they must comply with the DPDP Act, irrespective of whether they are present or incorporated in India, or whether PD belongs to Data Principal in India or outside. For example, if a French company processes the PD of Data Principals located in France but within India, the DPDP Act will apply to such processing. Where processing is outside India, the DPDP Act will apply, only if such processing is for offering goods or services to Data Principals within the Indian territory. The extra-territorial application does not include processing done for the sole purpose of profiling individuals.

  • Exemptions: The DPDP Act states that it shall not apply to the following cases of PD processing: (i) for personal or domestic purposes, and (ii) if PD is publicly available due to voluntary actions of the Data Principal, such as opinions on social media, or due to disclosures made under applicable law. Additionally, the Central Government (CG) has the power to notify state instrumentalities that would be exempt from the DPDP Act in the interest of certain protective grounds such as sovereignty, public order maintenance, etc.[5] CG also has the power to exempt different kinds of Data Fiduciaries from any provision of the DPDP Act for 5 years from the commencement date.[6]

3. Consent as the primary basis of processing

Consent is the primary legal basis for PD processing. DPDP Act elaborates on what are the qualitative and technical attributes of valid consent. Qualitative aspects of consent - must be free, specific, informed, unconditional, and unambiguous. The technical aspect of consent - as a clear affirmative action by the Data Principal signifying agreement to PD processing for a specified purpose.

DPDP Act does not elaborate on these and the question that arises is - what does this mean for businesses?

  • Free is likely to mean free consent as understood under the Indian Contract Act, 1872, i.e., without any coercion, undue influence, fraud, misrepresentation, or mistake. Whether consent is free or not will be determined by the facts; the burden of proof will be on the Data Fiduciary, and here it would be relevant to substantiate that all other consent requirements have been fulfilled.

  • Specific brings in the principles of purpose limitation and data minimization. Consent should be for specified purposes i.e., the identified lawful purposes with clear scope. Alongside this, the consent sought should be limited to the processing of PD, which is necessary for such a specified purpose. For example, a telemedicine app obtains Data Principal's consent to (i) process their health data for providing telemedicine services, and (ii) access their phone contact list. The Data Principal gives consent to both, and subsequently, the service provider uses a phone contact list for sending bulk marketing messages. Consent at (i) is specific and valid. Consent at (ii) is invalid, and the consequent processing will be unlawful, as there is no calling out of the lawful purpose, or the PD that is necessary for such purpose. As it stands today, most consent languages are hosted generically, and susceptible to various use cases. A whole variety of data is collected in anticipation of future uses and repurposing. With the implementation of the DPDP Act, such consent notices are likely to become invalid, and as an immediate step, businesses must start necessary internal data screening, review existing data inventory and segregation capabilities, and evaluate essential and non-essential business use cases. In essence, detailed data mapping is the need of the hour.

  • Informed stems from the transparency principle and necessitates that the Data Principal is made aware of PD processing. To this effect, the Data Fiduciary would be required to provide a notice to Data Principal before, or at the time of seeking consent. This notice should inform the Data Principal about (i) the PD that would be processed; (ii) the purpose for processing; (iii) the manner in which they can exercise the right to withdraw consent (as discussed subsequently) and redress grievances; (iv) manner in which they can complain to DPBI; (v) contact details of Data Fiduciary's authorized person acting as SPOC with Data Principal regarding their data rights. The above is a fairly limited information flow as compared to what was contemplated in the earlier proposed drafts. Nonetheless, this brings the requirement of itemized consent notice, again emphasizing the need for businesses to know their controlled and possessed data pools, sources of collection, and use cases. The learnings then would need to be built into consent notices to satisfy the DPDP Act's expectations.

  • Unconditional means that consent should not be made conditional for the supply of goods and services. A necessary corollary is the ability of the Data Principal to be able to withdraw consent. Data Fiduciaries are obligated to implement easy withdrawal mechanisms. Where consent is withdrawn, processing undertaken beforehand is not rendered invalid. However, after withdrawal, Data Fiduciaries must cause their Data Processors to cease processing, unless processing is permitted or required under the DPDP Act, or any other law. For example, let us take the case of a Data Principal who has consented to the processing of PD on an e-commerce platform for purchasing goods, and makes payment for a particular order, after which they withdraw consent. The e-commerce platform must cease processing PD but can continue to process PD for completing the placed order. In an indirect fashion, this would need policies and processes to have selective PD retention strategies and evaluate the need for using privacy enhancement tools (PETs), so that they can undertake mandatory processing activities after consent has been withdrawn, either under law or contract. Further, organizations must start augmenting or implementing consent management and consent preference architecture that would allow an individual to review, revise, and withdraw consents, and enable businesses to take quick actions where consent status changes.

  • Unambiguous would require consent language to be clear and in plain language. Existing consent languages are catch-all and verbose. Such consent forms will be a dilution of what is demanded in the DPDP Act, and it would be imperative to start evaluating this old practice. Further, the DPDP Act mandates Data Fiduciaries to provide consent mechanisms in English as well as other official languages in India.

  • Clear affirmative action is indicative of express consent. It means that the Data Principal takes deliberate and specific action to opt-in, or agree to processing. The existing practice of deemed consent due to default settings, or opt-out mechanisms would not satisfy the DPDP Act's requirement. The time for pre-ticked consent boxes is up! This technical aspect will nudge businesses to adapt to granular opt-in mechanisms (with clear banners and action items like swiping, clicks, or verbal recordings), move away from default settings, and start evaluating the need to upgrade consent collection and management processes. Apart from the above, the DPDP Act provides specific consent-related requirements for PD of children and persons with disabilities. It also recognizes consent flows through registered consent managers. DPDP Act also provides for certain legitimate use bases for the processing of PD. We will be delving into these aspects in our subsequent posts.

4. Data Processors and what is at stake?

DPDP Act comes with a bunch of obligations for Data Fiduciaries such as enabling Data Principal rights, implementing reasonable security measures, etc., breach of which may result in steep penalties. Further, the obligation to ensure that there is no data breach is also on the Data Fiduciary. But there is no specific obligation separately called out for Data Processors. DPDP Act states that a Data Fiduciary can engage Data Processor for different processing activities through a valid contract. It also requires Data Fiduciaries to be accountable for the actions and omissions of Data Processors. This approach is logical and aligned with global regulatory trends, given that Data Processors process PD on behalf of Data Fiduciaries. However, conducting detailed data and infosec diligence before onboarding, executing detailed data processing agreements, and periodic audits on the processor's ecosystem would no longer be an optional recourse. It would be imperative that Data Fiduciaries understand the managerial, technical, operational, and physical security measures used by the Data Processor. Data Processors will have to equally align with the DPDP Act, as that would form the basic eligibility criteria, and quite naturally, the stipulations for Data Fiduciaries will flow down to Data Processors through contractual covenants. Alongside, it will be important for Data Processors to evaluate the adequacy and relevancy of existing processing lifecycle, deployed security technologies, breach notification and mitigation measures including business continuity plans, cyber and breach incident insurance coverages, the validity of existing standards and certifications, and most importantly, setting up a detailed communication strategy to set expectations and deliver on contractual mandates.

5. Conclusion

While rules made under the DPDP Act will contain details, the text as-is indicates the urgency for businesses to start understanding the essence of the DPDP Act's provisions to comb through prevalent processes and policies and decide on the next steps. For many businesses such as those not processing sensitive personal data, it would mean dealing with a new set of legal requirements and hence, a longer gestation period to comply. Given that there is no identified sunrise period, it is about time that organizations start prepping. In our second post in the series, we will delve into Data Fiduciaries' obligations, rights of Data Principals, cross-border transfers, and penalties.

Footnotes

1. Section 43A requires bodies corporate processing sensitive personal information to implement and maintain reasonable security practices and procedures, and to compensate where failure results in wrongful loss or gain to any person.

2. For this, Section 44 of the DPDP Act, dealing with amendments to other laws, needs to be notified. It may also be the case that this is notified in relation to certain businesses in the first go, which will result in a phased sunset for businesses.

3. Data Fiduciary is the person who determines the purpose and means of PD processing, is akin to a data controller, and includes joint fiduciaries.

4. Data Processor is the person who processes PD on behalf of a Data Fiduciary.