Digital Personal Data Protection Act Introduction:-
- Introduced in the Lok Sabha on 03.08.2023
- Passed by the Lok Sabha on August 7 2023
- Passed by the RS on 09.08.2023 and became law as the DPDP Act, 2023
- Notified in the official gazette on 11.08.2023
- 44 provisions and a schedule of penalties
- Sec 43A of the IT Act and the rules under it will be omitted
Objective:-
The objective of the DPDP Act is to provide a comprehensive legal framework for the protection of personal data in India. It aims to regulate the collection, processing and storage of personal data by individuals, companies and the government, ensuring that individuals' privacy rights are respected and their data is handled securely. It seeks to establish mechanisms for accountability and enforcement to prevent misuse of personal data.
Application:-
- Applies to personal data collected in digital form, or in non-digital form which is digitized subsequently
- Exempted- Non-digital data, data processed for personal or domestic purposes, and data that is publicly available
- Applies outside India only where the processing relates to offering goods or services to data principals located within India.
What Is Personal Data:-
- Personal data refers to any information that relates to an identified or identifiable individual. This can include-
- Basic identity information- Name, Identification Number (such as Aadhaar, PAN, Passport etc.), DOB and similar information.
- Contact Information- Email address, Phone Number, residential address or other contact details.
- Biometric Data- Fingerprints, facial recognition data, iris scans or other biometric identifiers.
- Financial Information- Bank Account details, credit card number, income information or financial transactions.
- Health Information- Medical History, Health conditions, genetic information, or other health related data.
- Location Data- GPS Coordinates, IP address, or other data indicating the geographical location of an individual.
- Online Identifiers- Username, IP Addresses, device identifiers or other online identifiers that can be used to identify an individual online.
Personal data can be collected, processed, stored and transmitted by various entities including governments, businesses and organizations, and it is important to protect this data to ensure individuals' privacy rights are respected.
Who is affected:-
- Data Fiduciaries- These businesses define the “purpose and means” of processing (known globally as data controllers). They make decisions about users' data, deciding the need, usage and retention of that data, and are responsible and accountable for users' data under the law.
- Data Processors- These businesses process data on behalf of fiduciaries; examples include cloud and KYC service providers. Fiduciaries instruct them on what to do.
Rights of Data Principals:-
- Right to Consent- Data Principals have the right to provide or withdraw consent for the processing of their personal data.
- Right to Access- Data Principals have the right to access their personal data held by data fiduciaries.
- Right to Rectification- Data Principals have the right to request the correction of inaccurate or incomplete personal data.
- Right to Erasure- Data Principals can request the erasure of their personal data under certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected.
- Right to Data Security- Data Principals have the right to expect that their personal data is processed securely and protected against unauthorized access, disclosure or destruction.
- Right to Compensation- Data Principals may be entitled to compensation for any harm suffered as a result of a data breach or non-compliance with the provisions of the Act.
These rights empower individuals to have greater control over their personal data and ensure that their privacy is respected by entities processing their data.
Responsibilities of Data Principals:-
- Providing Accurate Information- The data principal should provide accurate and up-to-date information when providing personal data to organizations.
- Giving Consent- They have the responsibility to give informed consent for the processing of their personal data by organizations.
- Reporting Breaches- If they become aware of any unauthorized access to or disclosure of their personal data, they should promptly report it to the relevant authorities or organizations.
Consent:-
Consent plays a crucial role in ensuring that individuals have control over how their personal data is collected, processed and used.
- Informed Consent- Organizations collecting personal data must obtain informed consent from the data subjects. This means individuals should be provided with clear and understandable information about how their data will be used before giving consent.
- Purpose Limitation- Consent should be specific and tied to a particular purpose. Data controllers should not use the data for purposes beyond what was agreed upon without obtaining additional consent.
- Voluntary Consent- Consent should be freely given without any coercion or pressure. Individuals should have a genuine choice in whether to provide their consent or not.
- Withdrawal of Consent- Individuals should have the right to withdraw their consent at any time. Data controllers should make it easy for individuals to revoke their consent and stop further processing of their data. If consent is withdrawn, data processing must cease unless it is authorized by law.
- Users can access information in English or any language listed in the Eighth Schedule of the Indian Constitution.
Data Processing:-
Data processing encompasses a wide range of operations performed on personal data, including collection, recording, storage, retrieval, use, disclosure and deletion. Data processing must have a lawful basis, such as consent from the individual, necessity for the performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest, or a legitimate interest pursued by the data controller or a third party.
Processing Without Consent:-
Data processing without consent under the Digital Personal Data Protection Act is generally permitted in certain specific situations where consent is not required or where an alternative lawful basis exists. Some are as follows:-
- Contractual Obligation- Processing Personal data may be necessary for the performance of a contract.
- Legal Compliance- Data processing may be necessary for compliance with a legal obligation to which the data controller is subject. For instance, businesses may need to process personal data to fulfill tax or regulatory requirements.
- Vital Interests- Processing personal data may be necessary to protect the vital interests of the data subject or another individual. This could include processing medical data in emergency situations where obtaining consent is not feasible.
- Public Interest- Processing personal data may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. For example, government agencies may process personal data for public health or national security purposes.
- Legitimate Interests- Processing personal data may be necessary for the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Legitimate interests could include fraud prevention, network security or direct marketing.
Duties of Data Fiduciary:-
- Transparency- Data fiduciaries are required to provide clear and concise notices to individuals regarding the processing of their personal data. This includes informing individuals about the purposes for which their data is being processed, the categories of data being processed, the recipients or categories of recipients with whom the data may be shared, and their rights in relation to their data.
- Lawful basis for processing- Data fiduciaries must ensure that there is a lawful basis for processing personal data. This may include obtaining consent from individuals, fulfilling contractual obligations, complying with legal obligations, protecting vital interests, performing tasks in the public interest or pursuing legitimate interests.
- Purpose Limitation- Personal data should only be processed for specified, explicit and legitimate purposes. Data fiduciaries must ensure that personal data is not processed in a manner that is incompatible with the purposes for which it was collected.
- Data Minimization- Data fiduciaries should only collect personal data that is necessary for the purposes for which it is being processed. They should not collect excessive or irrelevant data.
- Security- Data fiduciaries must implement appropriate technical and organizational measures to ensure the security of personal data and protect it against unauthorized or unlawful processing, accidental loss, destruction or damage.
- Accountability- Data fiduciaries are accountable for complying with the principles of data protection. This may include maintaining records of processing activities, conducting data protection impact assessments where necessary and cooperating with data protection authorities.
Significant Data Fiduciaries:-
A significant data fiduciary refers to an entity that meets certain criteria set out in a digital personal data protection act, making it subject to additional obligations and regulatory oversight due to the scale, volume, sensitivity or nature of the personal data it processes.
The designation of significant data fiduciary varies depending on the specific legislation in place, but it often includes factors such as:
- Volume of Data- Entities that process a large volume of personal data may be designated as significant data fiduciaries. This could include social media platforms, e-commerce websites, or large corporations that collect and process data from a large number of individuals.
- Sensitive Data- Organizations that process sensitive personal data, such as health information, financial information, biometric data, or information related to children, may be classified as significant data fiduciaries due to the heightened risk associated with processing such data.
- Impact on Society- Entities whose data processing activities have a significant impact on society, the economy or democratic processes may be considered significant data fiduciaries. This could include platforms or organizations that play a crucial role in public discourse, elections or national security.
- Cross-Border Data Flows- Entities that engage in cross-border data transfers or operate globally may be subject to additional scrutiny and obligations as significant data fiduciaries, especially if they transfer personal data to jurisdictions with less stringent data protection laws.
Regulations typically impose additional requirements on significant data fiduciaries such as conducting data protection impact assessments, appointing a data protection officer, implementing privacy by design and default principles and adhering to stricter security and accountability measures.
Compliance for companies and business under act:-
- Develop and train personnel in a standard operating procedure
- Appoint and Cooperate with the data protection officer
- Implement a consent management mechanism
- Conduct data protection assessments
- Maintain valid contracts with data processors
- Map data interactions and identify teams and functions
- Revise interfaces to display pop-up notices
- Update privacy policies
- Review vendor arrangements
Responsibility of an organization:-
- Employee Data- Companies often collect and process personal data of employees for various purposes, such as payroll, HR Management and safety regulations. The act imposes obligations to protect this data and respect employees’ rights.
- Customer Data- Companies may collect personal data from customers for sales, marketing and after sales services. Compliance with the act ensures that customer data is handled securely and transparently, enhancing trust and reputation.
- Supply Chain- Companies interact with suppliers, distributors and partners, sharing data such as contact information and payment details. Compliance with the Act extends to ensuring that data transfers within the supply chain are lawful and secure.
Responsibility of Data Protection Officer:-
- Monitoring Compliance- Ensuring that the organization complies with data protection laws and regulations.
- Advising on Data Protection- Providing guidance and advice to the organization and its employees on data protection matters, including data handling procedures, data breaches and privacy impact assessments.
- Data Processing Oversight- Overseeing data processing activities to ensure they are carried out in accordance with the DPDPA, including data collection, storage and sharing practices.
- Handling Data Subject Requests- Managing requests from data subjects regarding their personal data, such as access requests, correction requests or requests for data deletion.
- Data Breach Management- Developing and implementing procedures for responding to data breaches, including notifying authorities and affected individuals as required by the DPDPA.
- Training and awareness- Providing training to employees on data protection principles, policies and procedures to ensure compliance throughout the organization.
- Engaging with regulatory authorities- Promoting a culture of privacy within the organization and integrating privacy considerations into the design and development of products, services and systems.
Regulation and Enforcement:-
Organizations are required to comply with the provisions of data protection laws, such as obtaining consent before processing personal data, and regulators may take enforcement action against those that do not. This can include issuing warnings, imposing fines, ordering corrective measures and even initiating legal proceedings against non-compliant organizations.
Data protection laws often authorize the imposition of fines and penalties for violations. These fines can vary widely depending on the severity of the violation, the sensitivity of the data involved and the organization's size and resources.
To download the whole Act, visit: https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf