The author, Vivek Goswami, is GM-Legal at the National Skill Development Corporation (NSDC); he was assisted by Ankita Makan, Legal Intern at NSDC.

“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution…” -Supreme Court

INTRODUCTION

The Digital Personal Data Protection Act, 2023 (DPDP) is a law that aims to regulate and protect the collection, use, storage and sharing of personal information of individuals held in digital form. The Act also applies where data is collected in non-digital form and subsequently digitised. With the rise of technology and the internet, personal data is more vulnerable than ever before. The Act comes at a time when cybercrime and data breaches are on the rise and there is growing public concern about the use of personal data by companies and the government. The Act provides guidelines for how data should be collected, stored and processed so that this is done securely and with the explicit consent of the individual. The Act is essential in safeguarding individuals' privacy and preventing data breaches, which could have devastating consequences for individuals and businesses alike.
 

THE JOURNEY

K.S. PUTTASWAMY V/S UNION OF INDIA

In the year 2015, Justice K.S. Puttaswamy, a retired judge of the Hon'ble High Court of Karnataka, filed a petition before the Hon'ble Supreme Court of India challenging the constitutional validity of the Aadhaar Card Scheme for infringing the privacy of the individual. A 9-Judge bench of the Hon'ble Supreme Court, vide Judgement dated 24.08.2017, unanimously recognised the right to privacy as a fundamental right under Article 21 of the Constitution of India.

The bench also recognised the need for legislation protecting individuals' privacy, and hence the Srikrishna Committee, chaired by Justice B.N. Srikrishna, was constituted in 2017. The committee presented the draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology (MeitY), which was further amended into the draft Personal Data Protection Bill, 2019.

When the draft bill was presented before the Joint Parliamentary Committee (JPC) for its inputs, it was further amended and a new draft, the Personal Data Protection Bill, 2021, was recommended in the form of a report. On August 03, 2023, the Digital Personal Data Protection Bill, 2023 was introduced in the Lok Sabha. The bill was passed by the Lok Sabha on August 07, 2023 and by the Rajya Sabha on August 07, 2023.

The bill received the President's assent on August 11, 2023 and was thereafter published in the Official Gazette.

Prior to the DPDP Act, 2023, digital data was governed by the Sensitive Personal Data or Information (SPDI) Rules, that is, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 issued by MeitY.

Section 43-A, which was inserted by the Information Technology (Amendment) Act, 2008 and provided for compensation for negligence in implementing and maintaining the SPDI Rules, stands omitted by Clause 44 (2) (a) of the DPDP Act, 2023.

DEFINITIONS

PERSONAL DATA

The DPDP Act defines personal data as any information that can identify a person, such as their name, address, phone number, email address, bank account details, medical records or social media profiles.

DATA PRINCIPAL

The DPDP Act defines a data principal as any natural person who can be identified by data. In the case of a child, it includes the parents and guardians, and in the case of a person with disability, it includes the lawful guardian.

DATA FIDUCIARY

The DPDP Act defines a data fiduciary as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.

SIGNIFICANT DATA FIDUCIARY

The DPDP Act defines a significant data fiduciary as any data fiduciary that has been notified as such on the basis of an assessment conducted on certain parameters, which include the volume and sensitivity of the personal data processed; the risk posed to the rights of data principals; and the potential impact on the security of the state, public order, and the sovereignty and integrity of India.

DATA PROTECTION OFFICER

The DPDP Act mandates significant data fiduciaries to appoint a data protection officer, who shall be responsible for conducting data protection impact assessments and implementing appropriate security measures to protect personal data. The data protection officer ensures compliance with the Act and handles data protection related inquiries and complaints.

CONSENT MANAGER

A consent manager is a tool used by websites and online platforms to obtain user consent for the collection, processing and sharing of their personal data.

KEY FEATURES

JURISDICTION AND SCOPE

The DPDP Act applies not only to the processing of digital personal data within India but also to any data processing outside India if the data pertains to a Data Principal within India. The DPDP Act applies to all organisations, whether based in India or not, that collect and process the personal data of Indian residents. The DPDP Act further empowers the Central Government to restrict the transfer of personal data outside India for processing.

The DPDP Act applies to all organisations that process personal data, including government agencies, businesses and non-profit organisations.

CONSENT OF DATA PRINCIPAL

One of the key features of the DPDP Act is the requirement for a data fiduciary to obtain explicit consent from the data principal before collecting, using and sharing their personal data. The Act also requires the data fiduciary to inform the data principal of the purposes for which their data is being collected and to give them the option to opt out of such collection or use. Such consent should be free, unambiguous, unconditional and clear. The data fiduciary may process the data until the consent is withdrawn by the data principal. Subsequent to the withdrawal, the data fiduciary is required to delete all the personal data of that data principal.

Therefore, while obtaining the consent of a data principal, a data fiduciary must obtain consent by way of a notice that states the following information:

a) The personal data to be collected and the purpose for which it would be processed.
b) The manner in which the data principal may exercise the rights conferred upon them under the provisions of the Act.
c) The manner in which the data principal may file a complaint before the Data Protection Board in the case of any infringement.

The Act exempts the following from its application:

a) Personal data processed by an individual for any personal or domestic purpose;
b) Personal data that is made, or caused to be made, publicly available by the data principal or by any other person who is under an obligation to make such personal data publicly available.

LEGITIMATE PURPOSES FOR PROCESSING OF PERSONAL DATA

The DPDP Act specifies certain legitimate purposes for which data may be processed without obtaining consent from the data principal, which are as follows:

a) Voluntary submission of personal data by the data principal for a specific use.
b) Performance of any function by the State, or of an obligation under law.
c) Compliance with any judgement, decree or order of a court.
d) Any medical emergency involving a threat to the life or health of the data principal.
e) During a disaster or breakdown of public order.
f) For employment purposes and for safeguarding the employer from loss or liability.
g) Providing medical services during an epidemic, outbreak of disease or any other threat to public health.

RIGHTS OF DATA PRINCIPAL

The DPDP Act confers the following rights on the Data Principal:

a) RIGHT TO ACCESS INFORMATION ABOUT PERSONAL DATA: The data principal may obtain a summary of the personal data being processed by the data fiduciary, the processing activities for which the data fiduciary uses that data, and the identities of the other data fiduciaries with whom the data is shared.
b) RIGHT TO CORRECTION AND ERASURE OF PERSONAL DATA: The data principal may require the data fiduciary to erase, complete, update or remove their personal data, even if they had previously given consent for the processing of such data.
c) RIGHT OF GRIEVANCE REDRESSAL: In case of any grievance, the data principal shall have immediate access to a readily available grievance redressal mechanism or consent manager provided by the data fiduciary. It is important to note that the data principal can file a complaint with the Board only after exhausting this right.
d) RIGHT TO NOMINATE: The data principal may nominate a person who may exercise the data principal's rights with respect to their personal data in the event of death, unsoundness of mind or infirmity of body.

DUTIES OF DATA PRINCIPAL

The DPDP Act assigns the following duties to the Data Principal:

a) To comply with all the provisions of the Act applicable to them.
b) To ensure that they do not impersonate another person while providing personal data.
c) To ensure that they do not suppress any material fact while sharing their personal information.
d) To ensure that they do not register any false or frivolous complaint before the Board.
 

OBLIGATIONS OF DATA FIDUCIARY

The DPDP Act assigns the following obligations to the Data Fiduciary:

a) ENGAGEMENT OF DATA PROCESSOR: The data fiduciary may engage a data processor to process personal data on its behalf only after entering into a valid contract. General penalty for non-compliance: up to Fifty Crore Rupees.
b) ENSURING COMPLETENESS, ACCURACY AND CONSISTENCY OF DATA: Where personal data is used to decide matters affecting the data principal or is to be shared with another data fiduciary, it is the duty of the data fiduciary to ensure the accuracy, completeness and consistency of that data. General penalty for non-compliance: up to Fifty Crore Rupees.
c) IMPLEMENTATION OF APPROPRIATE MEASURES: The data fiduciary shall implement the technical and organisational measures necessary to ensure observance of the Act. General penalty for non-compliance: up to Fifty Crore Rupees.
d) REASONABLE SAFEGUARDS: To prevent any data breach, the data fiduciary shall implement reasonable safeguards for the protection of the personal data held by it, or by a data processor on its behalf. Penalty for non-compliance: up to Two Hundred and Fifty Crore Rupees.
e) INTIMATION OF DATA BREACH: The data fiduciary shall ensure that the Board and the affected data principals are intimated in the event of a data breach. Penalty for non-compliance: up to Two Hundred and Fifty Crore Rupees.
f) ERASURE OF PERSONAL DATA: The data fiduciary shall erase the personal data of the data principal upon withdrawal of consent, or as soon as the specified purpose for which the data was provided is no longer being served, and shall require its data processor to do the same. General penalty for non-compliance: up to Fifty Crore Rupees.
g) PUBLISHING CONTACT INFORMATION OF THE PERSON RESPONSIBLE FOR COMMUNICATIONS WITH THE DATA PRINCIPAL: The data fiduciary is required to publish the business contact information of the data protection officer (if applicable), or of the person appointed by it to address the queries raised by data principals. General penalty for non-compliance: up to Fifty Crore Rupees.
h) GRIEVANCE REDRESSAL: The data fiduciary is responsible for constituting a readily available grievance redressal mechanism to address the grievances of data principals. General penalty for non-compliance: up to Fifty Crore Rupees.
 

OBLIGATIONS OF SIGNIFICANT DATA FIDUCIARY

The DPDP Act assigns the following obligations to a Significant Data Fiduciary:

a) Appoint an India-based data protection officer, who shall represent the significant data fiduciary under the Act.
b) Appoint an independent data auditor, who will conduct a data audit periodically and evaluate compliance with the provisions of the Act.
c) Conduct a periodic Data Protection Impact Assessment.

Penalty for non-compliance with any of the above conditions: up to Two Hundred and Fifty Crore Rupees.

SPECIAL PROVISION FOR THE PROTECTION OF CHILDREN

Children are assumed to be more vulnerable to crime; hence, to protect children and provide them with a safe and secure environment that promotes growth and development, the Act requires the data fiduciary to obtain the consent of the parent of a child, or of the lawful guardian of a person with disability, before processing any personal data relating to a child (a person below the age of 18). Data fiduciaries are not allowed to process any such data about a child in a way that may have a detrimental effect on the child's well-being.

GRIEVANCE REDRESSAL

ESTABLISHMENT OF THE DATA PROTECTION BOARD OF INDIA

The DPDP Act empowers the Central Government to appoint a Data Protection Board, which shall function independently as a body corporate having a common seal and perpetual succession, with the power to sue and be sued and to hold, acquire and dispose of property in its own name. The chairperson and members of the Board shall be appointed by the Central Government, shall be persons possessing special knowledge or practical experience in fields such as data governance, dispute resolution and consumer protection, and shall hold office for a term of two years.

POWERS OF THE BOARD

The DPDP Act confers on the Board various powers and functions, such as:

a) Directing urgent remedial or mitigation measures in the case of a personal data breach.
b) Referring any dispute to be resolved by mediation.
c) Enquiring into personal data breaches and imposing penalties.

While conducting its enquiries, the Board shall possess all the powers of a civil court under the Code of Civil Procedure and shall follow the principles of natural justice.

It is to be noted that all penalties imposed by the Board are to be credited to the Consolidated Fund of India.

TDSAT—THE APPELLATE BODY

The appellate authority for the purposes of the DPDP Act is the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), established under section 14 of the Telecom Regulatory Authority of India Act, 1997.

Any person aggrieved by an order of the Board may file an appeal with the Appellate Tribunal within sixty days of receipt of the order.

The Appellate Tribunal has been conferred with the powers of a civil court for the purposes of this Act. It may pass such order as it deems fit in respect of the order appealed against, and shall send a copy of its order to the Board and to the other parties to the appeal.

CONCLUSION

The Digital Personal Data Protection Act, 2023 is a positive step taken by the Indian Government toward protecting the personal data of individuals available online and ensuring that personal data held by businesses is appropriately safeguarded to prevent data breaches.

The Act will evolve in phases. More clarity will come once the Central Government releases the Rules under the Act.

Vivek Goswami and Ankita Makan