Are you collecting personal data in digital form? Then the recently passed Digital Personal Data Protection Act, 2023 will definitely matter to you.
After much debate and controversy, The Digital Personal Data Protection Bill, 2023, which was introduced in Lok Sabha on August 3, 2023, was passed by the Lok Sabha on August 7, 2023 and later on unanimously by Rajya Sabha on August 9, 2023. The Bill received presidential assent on August 11, 2023.
However, the Act is not yet notified and hence, not yet in force. This Act for the first time uses feminine gender to literally mean female includes male.
The Act brings in few definitions, the understanding of which are important to analyze the scope and impact of the Act.
Applicability of the Act
The Act has extra territoriality as it is applicable for Data processed within or outside India.
In India: If the personal data is collected in digital form or in non-digital form and digitized later on.
Outside India: If the digital personal data is processed outside India for offering the goods and services to persons (Data Principal) in India. (Person for brevity shall mean the Data Principal).
The pertinent concern of the industry is whether data can be transferred to other jurisdictions? The answer is Yes. The Act permits extraterritorial processing and transfer of Personal Data, except to such countries restricted by Central Government through notification.
The Act specifically excludes from its ambit (a) personal data processed by an individual for any personal or domestic purpose and (b) personal data made publicly available by the person (Data Principal) or by any person under law.
Hence, the Act does not apply if a friend collects your address for his/her personal use, or to those personal information which you may have publicly shared on social media. The Act shall not apply in the event, the personal data is collected outside India but processed inside India for offering the goods and services to persons outside India.
Consent is crucial.
One of the most important rights and its corollary obligation under the Act is Consent. It is the obligation of the Data Fiduciary as well as the right of the Person (Data Principal). The consent has to be free, specific, informed, unconditional, and unambiguous with a clear affirmative action. Vague terms, implied consents, blanket or broad consent, pre-ticked check box etc., used in certain websites and privacy policies, henceforth shall not be deemed to be a proper “consent” in compliance with this Act.
Personal Data collected before the commencement of the Act
The Act makes a distinction between the personal data collected before the Act and after the Act.
In the event the data is collected before the Act, then as per Section 5 (2) of the Act, the Data Fiduciary shall, as far as reasonably practical give notice to the person informing the (i) purpose, (ii) the manner in which the rights may be exercised and (iii) manner in which the complaint can be made. Further, Section 5 (2) (b) of the Act enables the Data Fiduciary to continue to process the personal data unless the consent is withdrawn. The notice as per Section 5 (2) of the Act is nothing but the consent of the Person.
However, Section 5 (2) (b) seems to be in conflict with Section 5 (7) of the Act which mandates that the personal data should be erased by the Data Fiduciary- if the consent is revoked or, if it can be reasonably assumed that the purpose for which the personal data is collected is no longer served, whichever is earlier. Hence, as per Section 5 (7) even if the consent is not revoked but the purpose for which the data was collected in not served, then it is the obligation of the Data Fiduciary to delete the personal data collected however, if such personal data is collected before the commencement of the Act, the question is whether the Data Fiduciary can continue to process the data even if the purpose is not served. The Central Government would be required to make clarity on the same.
The Data Fiduciary ought to state the purpose for which the data is to be collected and the Person has the right to receive notice of such purpose and further has the right to revoke the consent.
The Act specifies that the consent taken should always be connected with the specified purpose for which the personal data is collected. Once, the purpose is accomplished or it can be reasonably assumed that the purpose is no longer served, the personal data has to be deleted. This condition has serious impact on the personal data collected as many originations though their mobile App/website collect data such as photos, contact list, microphone, SMS etc. The Act through illustration(s) make it clear that in case of permission or consent given by a person to access and collect any data which might not be required for the specific purpose, then such permission/consent shall be invalid and hence, such data ought to be deleted. It is in this context, it needs to be seen as to whether Section 5 (2) (b) of the Act would come to the rescue of the Data Fiduciary if the personal data was collected before the commencement of the Act and such consent is not withdrawn. Further, it also needs to be seen how the industry is going to adapt and implement the mandate.
Request for Consent
The Act specifies that the request for consent has to be provided by the Data Fiduciary in clear and plain language in English and/or in any languages as specified in the 8th Schedule of the Constitution. The manner in which such request may be sent by the Data Fiduciary is not specified however, from the illustrations it can be reasonably assumed that an email, web page, mobile app notification etc., would suffice.
Revocation of Consent
The consent given by the person can be accessed by such person and can be revoked any time. It is to be noted that the consent granted is not absolute and is limited for the specific purpose for which it is collected.
If the data is processed based on the consent and a question arises in that regard, then it shall be the obligation of the Data Fiduciary to prove that (i) notice was provided to the person and (ii) consent was given by the person. Precisely, the burden of proof is on the Data Fiduciary.
Consent Manager and Data Protection Officer
The Act introduces a third person called Consent Manager. The Consent Manager has to be registered with the Data Protection Board of India who shall act as single point of contact for the Person and shall be accountable to the Person. The role of the Consent Manager is to enable and assist the Person to give, manage review and withdraw the consent. Interestingly, big organisations would be required to create a post of a Consent Manager to specifically manage the consent of the Person.
If the Data Fiduciary is classified as Significant Data Fiduciary, then it is required to appoint a Data Protection Officer (DPO) who shall represent such Significant Data Fiduciary and shall be the point of contact for the grievance redressal mechanism. The details of such DPO has to be published by Data Fiduciary.
Rights and Duties
Chapter III Section 11 to 15 of the Act specifies the rights and duties of the Person.
Violation of any of the above stated duties would warrant penalty as specified in the Act.
Processing of Data
Data Processor: The Data Fiduciary can appoint under a valid contract, a Data Processor for processing the personal data on its behalf.
The Data Fiduciary may process the personal data
Section 7 (i) of the Act is an enabling provision in favour of the Employer. It enables an employer to process personal data for the purpose of employment or to safeguard the employer from any loss or liability, like corporate espionage, trade secrets, intellectual property, classified information, benefit sought an employee etc.
The Act mandates the Data Fiduciary to implement appropriate technical and organisational measures and reasonable security safeguards to prevent breach of personal data. It is expected that the Central Government may prescribe such technical, organisational measures and reasonable security safeguards. In the event of any data breach, the timeline required for the Data Fiduciary to notify the Data Protection Board of India is not yet notified.
Stringent provisions for processing personal data of children
Any person below the age of 18 is a ‘child’ as per the Act unlike other jurisdictions where the age prescribed is thirteen.
Before processing the personal data of a child, the Data Fiduciary has to obtain verifiable consent of the parent or guardian and if the processing of personal data of the child is likely to have any detrimental effect on the well-being of the child, then Data Fiduciary cannot process such data.
Don’t Track: Another important provision protecting children, is that the Data Fiduciary is prohibited from tracking behavior monitoring or targeted advertising. However, the Central Government can exempt certain Data Fiduciary on being satisfied that such Data Fiduciary has ensured the processing in a verifiably safe manner.
Establishment of Data Protection Board of India:
Central Government shall establish a Data Protection Board of India (Board) with such powers and functions including (i) directing urgent remedial/mitigating measures in case of any breach of Personal Data (ii) inquiring into such breach and (iii) imposing penalties as per the Act. The Board will act as a civil court having original jurisdiction and any other civil court will be barred under Section 39 to entertain any Suit or proceeding in respect of any matter for which the Board is empowered to adjudicate upon under the Act. The appeals against the decisions of the Board shall be made to Telecommunications Dispute Settlement and Appellate Tribunal (TDSAT) established under the Telecom Regulatory Authority of India Act, 1997 (TRAI Act).
Overriding Effect of Act:
Another important aspect to be noted is that in the event of any conflict of any of the provisions of this Act with other Act, the provisions of DPDP Act will prevail.
The quantum of penalty prescribed by the Act is considerable compared to other statues in India. Notably even if a person does not comply with her/his duties, such person is subject to penalty.
A quick glance at the penalties prescribed by the Act.
Nature of Breach
Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach
Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach
Non-compliance of obligations in relation to children
Breach in observance of the duties
The DPDP Act comes after much debate and deliberations. On comparison of the Act with GDPR, unlike the GDPR where the focus is on personal data of residents/citizens, the DPDP Act focus on where the data is collected and where the goods and services are offered. The impact of the Act can be assessed only after the rules are notified and public awareness is created. Few provisions would definitely warrant the test of time.
For more details write to firstname.lastname@example.org