AN OVERVIEW OF THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

CORPORATE LAW UPDATE

19th December 2023

Issue No.17/23-24


India received its first data protection statute governing the Personal Data of its citizens on 11th August 2023. The Digital Personal Data Protection Act, 2023 (“DPDP Act”) received Presidential assent and was subsequently notified in the E-Gazette, making it a one-of-a-kind legislation that recognises both the right of individuals to protect their Personal Data and the need of organisations to process such Personal Data for lawful purposes.

BACKGROUND:

The recent uptake of Digital India has transformed the lives of Indian citizens and governance in general. Digital India has also unleashed innovation and entrepreneurship in the digital space, in addition to the large global big tech platforms that have a significant presence on the internet.

Data, and Personal Data in particular, is at the core of this fast-growing digital economy and its eco-system of digital products, services and intermediation. It has become very clear over the last few years that data and Personal Data must be subject to a framework of rules setting out the dos and don’ts.

The Government, while drafting the DPDP Act, therefore considered global best practices, including a review of the Personal Data protection legislations of Singapore, Australia and the European Union and the prospective federal legislation of the United States of America.

APPLICABILITY OF THE DPDP ACT:

The DPDP Act applies to digital and digitised forms of Personal Data within the territory of India. The DPDP Act defines Personal Data as any data about an individual who is identifiable by or in relation to such data. This would cover, for example, a person’s physical identifiers, email address, phone number, Aadhaar/PAN number, residential address, IP address, etc.

Therefore, any organisation that processes the Personal Data of an individual within the territory of India must comply with the provisions of the DPDP Act. The DPDP Act also has extra-territorial jurisdiction similar to the GDPR: it applies to the processing of Personal Data outside the territory of India if such processing is in connection with any activity related to the offering of goods or services to individuals within the territory of India.

KEY TERMS UNDER THE DPDP ACT:

  1. Who is a Data Principal?

This refers to the individual to whom the Personal Data relates.

The DPDP Act clarifies that where this Personal Data belongs to a child or a person with a disability, the Data Principal shall be the lawful guardian.

  2. Who is a Data Fiduciary?

This refers to the person / organisation who, alone or in conjunction with other persons / companies, determines the purpose and means of processing of Personal Data.

The DPDP Act also specifies that the Central Government may, by notification, classify some Data Fiduciaries as Significant Data Fiduciaries on the basis of factors such as the volume and sensitivity of the Personal Data processed by them, the risk to the rights of a Data Principal, the risk to public order, etc. The Central Government will impose such additional obligations on a Significant Data Fiduciary as it may deem necessary for compliance with the provisions of the DPDP Act.

  3. Data Processor:

This refers to any person / organisation who processes Personal Data on behalf of a Data Fiduciary.

  4. Processing:

This refers to any action done to Personal Data. In a broader sense it could cover just about anything you can do with data: collection, storage, transmission, analysis, organisation, indexing, sharing, etc.

AM I A DATA FIDUCIARY OR A DATA PROCESSOR?

DATA FIDUCIARY:

You decide for what reason, in what manner, at what point of time and for how long Personal Data will be processed.

If you are an owner or an employee in the organisation who handles Personal Data, this is you.

You are to ensure the compliance of the Data Processors under your control that process the Personal Data.

Key Indicators (Data Fiduciary):

1.       You decide to collect and process Personal Data.

2.       You determine the purpose of the data processing.

3.       You decide what kind of Personal Data should be collected.

4.       You commercially benefit from processing the data.

5.       The data subjects are in some cases your own employees.

6.       You have a direct connection with the Data Principal.

7.       You are solely in charge of how the data is processed.

8.       You outsourced data to Data Processors to process the Personal Data.

DATA PROCESSOR / SUB PROCESSOR:

You are a third party that processes Personal Data on behalf of a Data Fiduciary.

If you are a person or a company that is a cloud server, acts as a middleman, is an email service provider, etc., this is you.

You make your own operational decisions but act on behalf of and under the authority of the relevant Data Fiduciary.

Key Indicators (Data Processor):

1.       You are processing Personal Data for someone else and under their instruction.

2.       You were given the Personal Data by a third party or instructed on the kind of Personal Data to collect.

3.       You cannot decide the lawful basis for which that Personal Data is collected or used.

4.       You cannot decide what the Personal Data will be used for.

5.       You cannot decide how long the Personal Data will be retained and stored.

6.       You implement decisions pertaining to Personal Data processing as part of a contract with another company.

7.       You are not interested in the overall purpose or result of the processing.

OBLIGATIONS OF DATA FIDUCIARIES

  1. A person may process the Personal Data of a Data Principal only in accordance with the provisions of the DPDP Act and for a lawful purpose for which the Data Principal has given consent, or for certain legitimate uses.
  2. Every request made to a Data Principal under section 6 of the DPDP Act for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal stating:

(i) the Personal Data and the purpose for which the same is proposed to be processed;

(ii) the manner in which the Data Principal may exercise their rights;

(iii) the manner in which the Data Principal may make a complaint to the Data Protection Board,

in such manner as may be prescribed.

  3. A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process Personal Data on its behalf only under a valid contract. Such agreements are often referred to as processing agreements.
  4. The Data Fiduciary must ensure the completeness, accuracy and consistency of Personal Data.
  5. The Data Fiduciary shall protect Personal Data in its possession or under its control (including when it is being processed by a Data Processor or another Data Fiduciary) by taking reasonable security safeguards to prevent a breach of such Personal Data.
  6. Data Fiduciaries shall implement appropriate technical and organisational measures, such as holding training workshops, to ensure effective observance of the provisions of the DPDP Act and its rules.
  7. In the event of a Personal Data breach, the Data Fiduciary shall give the Data Protection Board and each affected Data Principal intimation of such breach in such form and manner as may be prescribed.
  8. A Data Fiduciary shall (unless retention is necessary for compliance with any law for the time being in force), upon the Data Principal withdrawing their consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier:
     (a) erase the Personal Data;
     (b) cause its Data Processor to erase any such Personal Data.
  9. A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or of a person who is able to respond to any grievance on behalf of the Data Fiduciary.
  10. A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals.

RIGHTS OF A DATA PRINCIPAL

  1. Right to obtain from the Data Fiduciary a summary of the Personal Data being processed by such Data Fiduciary and the processing activities undertaken by it.
  2. Right to obtain the identities of all other Data Fiduciaries and Data Processors with whom the Personal Data has been shared by such Data Fiduciary, along with a description of the Personal Data so shared.
  3. Right to correction, completion, updating and erasure of their Personal Data.
  4. Right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager.
  5. Right to nominate, in such manner as may be prescribed, any other individual who shall, in the event of the death or incapacity of the Data Principal, exercise the rights of the Data Principal.

LIFE CYCLE OF PERSONAL DATA

A request for consent is made to the Data Principal, accompanied or preceded by a notice containing the relevant information as well as the Data Principal’s rights.

The Data Fiduciary and/or Data Processor is allowed to process the Personal Data for the specified purpose and certain legitimate uses.

In the event the Data Principal withdraws consent, processing must stop and the Personal Data must be erased immediately.

In case of a breach, the Data Protection Board and the Data Principal are notified immediately and the necessary steps are taken.

After completion of the specified purpose, the Personal Data is erased or caused to be erased.

CONCLUSION:

The IT Minister, Rajeev Chandrasekhar, has recently stated that some businesses, such as startups and MSMEs that handle people’s data, might get more time to adhere to these rules, as they may not have as much experience in handling data as bigger Data Fiduciaries do. Such businesses can therefore ask for more time to learn and follow the rules. However, companies that already comply with similar legislation such as the GDPR (the EU’s General Data Protection Regulation) should not need a long time to adapt to India’s new data protection regime.

During a global technology summit held in New Delhi recently, he also stated that the rules under the DPDP Act are ready and will be notified by the end of December or early January 2024. The rules are still to be rolled out.

It is therefore crucial that companies take proactive measures to ensure compliance with the DPDP Act in order to stay ahead of the curve.

Disclaimer: This newsletter is for general information only and not intended for any solicitation. Views expressed in this newsletter are as on date and not necessarily of V Law Partners (“VLaw”). While reasonable efforts have been taken to provide correct information, VLaw cannot and does not warrant or guarantee the accuracy of the information provided in the newsletter. Readers are advised not to rely solely on this information when making any decision.

Suggestions: If you do not wish to receive our newsletters or have any comments or suggestions for us, please write to us at – admin@vlawpartners.com