DPDP Act 2023
THE DIGITAL PERSONAL DATA PROTECTION (DPDP) ACT, 2023
THE DPDP ACT IS INDIA'S FIRST DATA PROTECTION ACT, AND IT ESTABLISHES A FRAMEWORK FOR THE PROCESSING OF PERSONAL DATA IN INDIA.
The Digital Personal Data Protection (DPDP) Act aims to create a framework that respects individuals' right to safeguard their personal data while acknowledging the need for lawful data processing. At a time when technology has become the defining paradigm of the 21st century, India’s ongoing Data Protection regulation underscores the nation’s focus on building a strong data privacy regime. Building strong privacy governance programs is not only a reputational and business risk requirement but is also an integral part of building a transparent and long-term sustainable organization of the future. The DPDP Act, 2023 applies to the processing of digital personal data within the territory of India collected online or collected offline and later digitized. It is also applicable to processing digital personal data outside the territory of India if it involves providing goods or services to the data principals within the territory of India.
SIGNIFICANT DATA FIDUCIARY (SDF)
The DPDP Act underlines the role of the significant data fiduciary (SDF), which the government will identify based on the volume and sensitivity of personal data processed and the associated risk. The specific obligations for an SDF include appointing a data protection officer (DPO) based in India; appointing an independent data auditor; and conducting a data protection impact assessment (DPIA).
CITIZENS’ RIGHTS
The Act will empower the citizens of the country through the following data principal rights:
1. Right to information: Individuals will have the right to seek more information on how their data is processed, and the data fiduciary will make this information available in a clear and understandable way.
2. Right to correction and erasure: Individuals shall have the right to correct inaccurate/incomplete data and erase data that is no longer required for processing.
3. Right to grievance redressal: Individuals will have the right to use readily available means of registering a grievance with a data fiduciary.
4. Right to nominate: Individuals can nominate any other individual to exercise these rights in the event of death or incapacity.
PENALTIES
At present, no timeline has been prescribed for implementing the grievance redressal and data principal rights. Another salient feature of the DPDP Act is the penalty clause. There are penalties for non-compliance with the provisions by data fiduciaries of up to INR250 crore. Some of these are:
· Breach in observance of the duties of a data principal: up to INR10,000
· Failure to notify the data protection board and affected data principals in the event of a personal data breach: up to INR200 crore
· Breach in observance of the additional obligations in relation to children: up to INR200 crore
Exclusions
In the act, non-automated personal data, offline personal data, and personal data in existence for at least 100 years have been excluded. The maximum limit of INR500 crore for penalties has been removed. At present, the provision for grievance redressal review is not included. The timeline of 72 hours within which a data breach is to be reported to the authorities is also excluded.
Sectors impacted
The act is expected to have an impact on the majority of organizational areas, including legal, IT, human resources, sales and marketing, procurement, finance, and information security, because of the type and volume of personal data that is collected, stored, processed, retained, and disposed of in India. Hence, organizations in these and related sectors must develop a strong data privacy and protection implementation program in view of the DPDP Act, 2023.
The novel concept of deemed consent, introduced in the Bill, can be significant.
The DPDP Act is a significant step forward for data protection in India. This act is a step towards showcasing India's dedication to fostering a secure and trustworthy environment for both its citizens and rm
Data Protection Law In India: Analysis Of DPDP Act, 2023 For Businesses – Part I
1. Introduction
On August 11, 2023, India notified the Digital Personal Data Protection Act, 2023 (DPDP Act), paving the way for new digital personal data processing norms. The DPDP Act primarily aims to provide statutory recognition to some aspects of informational privacy, while balancing the need to process personal data on lawful grounds. With 44 provisions and a Schedule on penalties, the DPDP Act does not have a sunrise provision and is likely to be implemented in a phased manner, through separate notifications in the Official Gazette. Upon implementation, Section 43A of the Information Technology Act and its corresponding rules, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 (SPDI Rules), will be omitted. Other applicable data processing regulations, including sectoral ones, will continue to apply, provided they do not conflict with the DPDP Act. The Act also provides for the creation of an independent regulator, the Data Protection Board of India (DPBI), which shall be responsible for implementation, inquiry, and adjudication under the DPDP Act. The provisions of the DPDP Act are focused on time-tested fundamental principles of data processing, and the detailing has been left to rule-making.
2. Who and what is covered under the DPDP Act?
The DPDP Act's application is simplified. Subject to exemptions, the DPDP Act applies to Data Fiduciaries and Data Processors processing digital personal data within India, or outside India in certain situations. Key associated concepts and analysis are below:
3. Consent as the primary basis of processing
Consent is the primary legal basis for PD processing. The DPDP Act elaborates on the qualitative and technical attributes of valid consent. Qualitative aspects of consent: it must be free, specific, informed, unconditional, and unambiguous. Technical aspect of consent: it must be a clear affirmative action by the Data Principal signifying agreement to PD processing for a specified purpose.
The DPDP Act does not elaborate further on these, and the question that arises is: what does this mean for businesses?
4. Data Processors and what is at stake?
The DPDP Act comes with a set of obligations for Data Fiduciaries, such as enabling Data Principal rights and implementing reasonable security measures, breach of which may result in steep penalties. Further, the obligation to ensure that there is no data breach also rests on the Data Fiduciary. But no specific obligation is separately called out for Data Processors. The DPDP Act states that a Data Fiduciary can engage a Data Processor for different processing activities through a valid contract. It also requires Data Fiduciaries to be accountable for the actions and omissions of Data Processors. This approach is logical and aligned with global regulatory trends, given that Data Processors process PD on behalf of Data Fiduciaries. However, conducting detailed data and infosec diligence before onboarding, executing detailed data processing agreements, and running periodic audits of the processor's ecosystem would no longer be an optional recourse. It would be imperative that Data Fiduciaries understand the managerial, technical, operational, and physical security measures used by the Data Processor. Data Processors will have to equally align with the DPDP Act, as that would form the basic eligibility criteria, and quite naturally, the stipulations for Data Fiduciaries will flow down to Data Processors through contractual covenants. Alongside, it will be important for Data Processors to evaluate the adequacy and relevance of the existing processing lifecycle, deployed security technologies, breach notification and mitigation measures (including business continuity plans), cyber and breach incident insurance coverage, the validity of existing standards and certifications, and most importantly, to set up a detailed communication strategy to set expectations and deliver on contractual mandates.
5. CONCLUSION:
While rules made under the DPDP Act will contain details, the text as-is indicates the urgency for businesses to start understanding the essence of the DPDP Act's provisions to comb through prevalent processes and policies and decide on the next steps. For many businesses such as those not processing sensitive personal data, it would mean dealing with a new set of legal requirements and hence, a longer gestation period to comply. Given that there is no identified sunrise period, it is about time that organizations start prepping. In our second post in the series, we will delve into Data Fiduciaries' obligations, rights of Data Principals, cross-border transfers, and penalties.
Footnotes
1. Section 43A requires bodies corporate processing sensitive personal information to implement and maintain reasonable security practices and procedures, and to compensate where failure results in wrongful loss or gain to any person.
2. For this, Section 44 of the DPDP Act, dealing with amendments to other laws, needs to be notified. It may also be the case that this is notified in relation to certain businesses in the first go, which will result in a phased sunset for businesses.
3. A Data Fiduciary is the person who determines the purpose and means of PD processing; it is akin to a data controller and includes joint fiduciaries.
4. A Data Processor is the person who processes PD on behalf of a Data Fiduciary.