The Digital Personal Data Protection (DPDP) Act, 2023 is the first cross-sectoral law in India on personal data protection. The Act was under consideration for over 5 years. It aims to protect personal data adequately while striking a balance between an individual’s right to privacy and the need to process personal data for legitimate purposes. The Act is based on the Digital Personal Data Protection Bill withdrawn in November 2022. It also outlines the responsibilities of Significant Data Fiduciaries (SDFs). The Ministry of Electronics and Information Technology (MeitY) states that the Digital India Act (DIA), which will supersede the current IT Rules, will soon supplement the DPDPA. This article covers everything you need to know about the Digital Personal Data Protection (DPDP) Act, 2023, including the background of the law, potential problems with it, and the variables that will affect data protection laws in India in the coming years.
The Personal Data Protection Bill was introduced in December 2019 in response to the historic 2017 ruling of the Supreme Court in Justice K.S. Puttaswamy and Anr. v. Union of India and Ors., which held that the right to privacy is an essential component of the fundamental right to life under the Constitution of India. The proposed law established a preventive framework by placing requirements on organizations that gather personal data, such as obtaining consent, giving notice, securely storing accurate data, using it only for specified purposes, erasing data, and giving individuals the ability to access, delete, and transfer their data.
Additionally, it established a new organization known as “consent managers” to gather and offer consent on behalf of individuals.
The earlier IT Act, 2000 fell short of addressing newer complexities such as cyberstalking and SIM boxing. In SIM boxing, international calls are diverted over the internet to a device called a SIM box, which routes the connections back into the network as local calls using hundreds of low-cost or even unpaid SIM cards, often obtained with forged identities. The Act was crafted two decades ago, when there were only 5.5 million internet users; with nearly 850 million users today, the Act was ill-equipped to handle the current state of the internet.
A thorough, cross-sectoral framework for data protection was proposed in the 2019 bill, with some firms and entities being excluded from notice and consent obligations in specific situations. Additionally, it gave the government the authority to regulate non-personal data by imposing rules on commercial organizations about how and when to disclose particular data. The General Data Protection Regulation (GDPR) of the European Union served as the foundation for the 2018 bill submitted by the Srikrishna Committee, which recommended data protection standards. Because of its wide scope, the bill had far-reaching consequences. The DPDP Act, proposed in November 2022, takes a new approach to data protection regulation.
Key Features of the Digital Personal Data Protection (DPDP) Act, 2023
The DPDP Act of 2023 is a less ambitious measure than the 2019 bill. It offers fewer consumer safeguards and imposes fewer requirements on corporations. On the one hand, the regulatory framework is more straightforward; on the other, it gives the central government unrestrained discretionary authority in some situations.
Some important definitions in Section 2 of the Act are:
“(a) “Appellate Tribunal” means the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997;
(g) “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;
(i) “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
(j) “Data Principal” means the individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with a disability, including her lawful guardian, acting on her behalf;
(z) “Significant Data Fiduciary” means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10”
Applicability to Non-residents
The Act applies to both people and businesses that collect the data of Indian citizens. Section 3 of the Act sets out when it applies and when it does not. This is significant because it also applies to non-citizens living in India whose data is processed outside the country “in connection with any activity related to the offering of goods or services”. This can have repercussions if, for instance, a U.S. citizen residing in India purchases digital goods or services while in India from a company based outside India.
Purposes of Data Collection and Processing
The Act permits the processing of personal data for any legitimate purpose. Under Section 4, the party handling the data may process it either with the consent of the Data Principal or for certain “legitimate uses”; in either case, Data Fiduciaries may use and process data only for legitimate purposes.
Sections 5 and 6 emphasize the importance of obtaining consent when processing data. Consent must be freely given, informed, unambiguous, and expressed through clear affirmative action. The information collected must be limited to what is necessary for the intended purpose, and Data Principals must receive a clear notice setting out all of these criteria. Additionally, they must be informed about the grievance redress procedure and their rights. If consent is used as the legal basis for data processing, people can withdraw it at any time.
Section 7 of the Act defines several legitimate uses for personal data. These include:
a) cases where an individual has voluntarily provided their data for a specific purpose;
b) instances where a government department or agency provides any type of subsidy, benefit, service, licence, certificate, or permit to an individual, provided that the individual has already agreed to receive a similar service from the government (this may pose a potential problem, as it allows different government agencies to access personal data stored elsewhere);
c) use of personal data to ensure security or sovereignty;
d) disclosure of personal data to meet a legal requirement to provide information to the government;
e) disclosure of personal data in compliance with court orders, decrees, or judgments;
f) disclosure of personal data in cases of medical emergencies, threats to life or health, epidemics, or public health; and
g) disclosure of personal data in situations of natural disasters or the breakdown of public order.
Obligations on Data Fiduciaries
The Act defines Data Fiduciaries as entities responsible for collecting, storing, and processing digital personal data. Sections 8, 9 and 10 of the Act outline the obligations that Data Fiduciaries have to follow. These include:
a) maintaining security safeguards;
b) ensuring the completeness, accuracy, and consistency of personal data;
c) reporting data breaches to the Data Protection Board of India (DPB) in the prescribed manner;
d) erasing data upon withdrawal of consent or the expiry of the specified purpose;
e) appointing a data protection officer and establishing grievance redress mechanisms; and
f) obtaining the consent of the parent or guardian in the case of children or minors (those under eighteen years of age) under Section 9.
The law prohibits processing that may have a detrimental effect on children and forbids tracking, behavioural monitoring, and targeted advertising directed at them.
Although the Act contains broad obligations, it lacks the detailed provisions of the earlier bill. The substantive requirements have been reduced, and Significant Data Fiduciaries (SDFs) are designated based on the volume and sensitivity of the data they process and the risks to sovereignty, integrity, electoral democracy, security, and public order. SDFs must appoint a data protection officer and conduct data protection impact assessments.
Rights of Users/Consumers of Data-Related Products and Services
Chapter 3, which consists of sections 11 to 15, outlines the obligations of data fiduciaries. These obligations include maintaining the security of personal data, ensuring its accuracy and consistency, reporting any data breaches, erasing data when required, appointing a data protection officer, and obtaining consent from parents or guardians. The chapter also explains the rights of consumers. The law prohibits the processing of data that is likely to harm a child and allows the government to prescribe exemptions for specific purposes.
Moderation of Data Localization Requirements
The Act, specifically in Chapter 4 (Sections 16 and 17), grants the government the legal power to notify and regulate data flows to certain countries in the interest of national security. This does not affect sector-specific regulators, such as the Reserve Bank of India, which may still enforce their own localization rules.
Exemptions From Obligations Under the Laws
Section 17 of the Act exempts data fiduciaries from the consent and notice requirements in certain cases. These include the processing of personal data by courts or tribunals, the enforcement of legal rights, and the processing of non-Indian residents’ data within India. Additionally, certain entities and purposes are not covered by the Act’s provisions at all, such as the maintenance of state sovereignty and public order. The government also has the power to exempt certain data fiduciaries, including startups, from certain provisions. However, a problematic provision allows the government to declare exemptions for five years without any guidance on which categories of entities qualify or on what grounds.
New Regulatory Structure for Regulating Data Privacy
The Indian government introduced a new regulatory institution, the Data Protection Board (DPB), under Sections 18 to 28 of the Act. The Board is responsible for preventing data breaches, conducting inquiries, and issuing penalties under the respective provisions of the Act. The government will appoint the Board members and prescribe their terms and conditions. The DPB has the power to impose monetary penalties and may accept voluntary undertakings from data fiduciaries as settlements. Under Section 37 of the Act, the government can also block public access to information provided by data fiduciaries that offer goods or services in India.
Highlights of the Digital Personal Data Protection (DPDP) Act
India’s Digital Personal Data Protection Act (DPDP Act), 2023 is the country’s first law aimed at safeguarding personal data. The law mandates obtaining consent before processing personal data and grants consumers the right to access, correct, update, and erase their data. It also requires businesses to give notice of data collection and processing and mandates security safeguards for children’s data. The DPB is responsible for handling complaints and issuing penalties. The Act aims to establish minimal standards of conduct and compliance among data-collecting businesses.
However, certain provisions in the Act could undermine its protections. The exceptions to consent favour the state, placing state imperatives on a different pedestal from those of private entities. For instance, Section 7(b) allows the government to sidestep consent requirements when a beneficiary of a government service has consented to receive other benefits from the state. This could make access to personal data easier, but it also creates the potential for the government to aggregate databases.
Section 17(1)(c) exempts investigative, prosecutorial, and national security purposes from the notice and consent requirements, but Section 17(2)(a) provides a blanket exemption for any government agency. This creates a separate category of activity beyond data privacy requirements, which is problematic because the state is not subject to as many constraints as a private entity. The government’s discretionary rule-making powers could also undermine the protections provided in the law. For example, Section 17(5) could give sunrise industries or startups some time to comply with the law, but it provides no guidance on how long these exemptions can last.
Under Sections 9(1) to 9(3), the government has the authority to exempt businesses from the requirements applicable to processing children’s data. However, the provision lacks clear guidelines and does not specify the grounds for exemption, making it prone to misuse.
The Act has been criticized for its lack of guidance and for potentially violating the Indian Constitution. It reduces rights and obligations, such as data portability and the right to be forgotten, and it excludes criminal offences, imposing only monetary penalties directed by the DPB. Moreover, the Act eliminates the role of an independent regulator, limiting the DPB’s powers to addressing data breaches and issuing compliance directions. The Indian government’s evolving stance on data protection law reflects its growing recognition of its importance to the economy.
The Act, which was in effect for four years, has faced numerous design and implementation issues. The early bills of 2017 and 2018 were motivated by the Supreme Court’s declaration of privacy as a fundamental right and its then-upcoming ruling on the constitutionality of India’s biometric ID project, Aadhaar. The Supreme Court upheld Aadhaar’s use for certain purposes, resolving potential constitutional law issues. A more pragmatic version of the law was drafted after deliberations, but state functions have consistently been exempted from data protection requirements. The 2019 bill allowed the central government to exempt national security agencies as well as other government uses of data that do not relate to security.
Looking Ahead to the Data Protection Law in Operation
The DPDP Act grants significant rule-making powers to the central government, including over:
- the manner in which consumer notices are given,
- how consent managers function,
- how businesses must inform consumers and the DPB about data breaches,
- how parental consent is sought for processing children’s data,
- how consumers exercise their rights against data fiduciaries,
- the appointment of DPB members,
- data impact assessments, and the procedure for hearing appeals from the DPB.
The DPDP Act permits greater experimentation and innovation in the technology sector but also reserves significant rule-making powers for the government. The drafters of the law must consider whether it is a first step towards establishing an independent regulator, as the lack of prior regulatory experience in data protection may require greater political input. Decisions made by the DPB in data privacy inquiries will shape jurisprudence and guide businesses in implementing and complying with the law.
The DPDP Act will significantly affect India’s technology markets and data-related policies in the coming years. The central government will incorporate best practices in administrative law and decision-making through procedural rules. The development of data protection regulations will be influenced by the call for sovereign control over Indian data and data businesses, with concerns over sovereignty and security shaping the final law. Section 37 of the DPDP Act allows the central government to block access to information communicated by data fiduciaries. The changing landscape of laws regulating social media companies, IT services, and businesses will also affect data protection regulation. In 2021, the Indian government issued guidelines for social media intermediaries that required, among other measures, the tracing of originators of content on over-the-top (OTT) messaging platforms; these guidelines are currently being challenged in the courts. The increasing adoption of localization by other regulators may render the liberal provisions of the DPDP Act moot.
The DPDP Act is a legal framework for personal data protection that has been in place for five years. However, it may not be enough to ensure complete data privacy. The evolution of the law reflects the government’s changing stance on privacy. While the current version of the law imposes lighter obligations and is therefore more beneficial to Indian businesses, it may not always protect privacy interests in certain situations. The effectiveness of the law will depend on the government’s willingness and ability to uphold individual privacy rights.
This article is written and submitted by Riya Sood during her course of internship at B&B Associates LLP. Riya is a 3rd year LLB student at Panjab University.