The Digital Personal Data Protection Bill, 2023 was introduced in Lok Sabha on August 3, 2023. The Bill seeks to provide for the protection of personal data and the privacy of individuals.
Digital Personal Data Protection Act (DPDP Act), 2023
The Digital Personal Data Protection Act, 2023 was passed by both Houses of Parliament and received the President’s assent, thereby coming into force in 2023. This Act now establishes a comprehensive framework for the protection of digital personal data and upholds the privacy rights of individuals in India.
Applicability and Non-Applicability
The DPDP Act applies to the processing of digital personal data within India, where such data is:
Collected online, or
Collected offline and subsequently digitized.
It also applies to the processing of personal data outside India if it relates to the offering of goods or services within India.
Personal data is defined as any data that can identify an individual either directly or indirectly. Processing is defined as any wholly or partially automated operation performed on digital personal data, including its collection, storage, use, and sharing.
The Act does not apply to:
Non-digital data,
Data processed for personal or domestic purposes, and
Data made publicly available by the data principal or other legally obligated entities.
Consent
Personal data may be processed only for a lawful purpose with the consent of the individual, which must be obtained through a prior notice detailing the type of data collected and the processing purpose. Consent is revocable at any time.
Consent is not required for specific “legitimate uses” including:
Situations where data is voluntarily provided,
Provision of benefits or services by the government,
Medical emergencies, and
Employment-related purposes.
For minors (below 18 years), consent must be given by a parent or legal guardian.
Language
Data principals have the right to access information in English or any of the languages listed in the Eighth Schedule of the Indian Constitution.
Notice
Data fiduciaries must provide a clear notice at the time of obtaining consent, outlining the nature of the personal data, its intended purpose, the rights to withdraw consent, and the process for grievance redressal. This notice must also include details on filing complaints with the Data Protection Board of India (DPB).
Rights and Duties of Data Principals
Data principals (individuals whose data is being processed) have the right to:
Obtain information about their data processing,
Request correction or erasure of personal data,
Nominate another person to exercise their rights in the event of death or incapacity, and
Seek grievance redressal.
Data principals are expected to:
Avoid filing false or frivolous complaints, and
Refrain from furnishing incorrect information or impersonating others.
Penalties for violating these duties can reach up to Rs 10,000.
Obligations of Data Fiduciaries
Data fiduciaries (entities determining the purpose and means of data processing) must:
Ensure accuracy and completeness of data,
Establish robust security safeguards to prevent data breaches,
Notify the DPB and affected individuals in case of a breach, and
Erase personal data once its purpose is fulfilled, except where legal retention is necessary.
Government entities are exempt from storage limitation and data erasure requirements.
Significant Data Fiduciaries
Certain entities may be designated as significant data fiduciaries based on factors such as:
Volume and sensitivity of data processed,
Risk to individuals’ rights,
National security, and
Public order.
Such entities have additional obligations, including:
Appointment of a Data Protection Officer (DPO), and
Conducting Data Protection Impact Assessments (DPIA) and compliance audits.
Exemptions
The DPDP Act provides specific exemptions where the rights of data principals and obligations of data fiduciaries do not apply, such as:
Prevention and investigation of crimes, and
Enforcement of legal claims.
The government may also exempt certain processing activities in the interest of national security, public order, or for research and archival purposes.
Processing of Children's Data
When processing the data of children, data fiduciaries are prohibited from:
Engaging in activities that may harm the child’s well-being, and
Conducting tracking, behavioral monitoring, or targeted advertising.
Cross-Border Data Transfer
The Act permits cross-border transfers of personal data, except to countries restricted by the government. Localized restrictions, such as those from the Reserve Bank of India, may still apply.
Data Protection Board of India (DPB)
The DPB, established by the government, is responsible for:
Monitoring compliance and imposing penalties,
Directing data fiduciaries to take corrective measures in case of data breaches, and
Addressing grievances from affected individuals.
Blocking Authority
The central government, or any authorized officer, may block public access to a data fiduciary’s platform upon DPB’s recommendation. Blocking orders require prior notice and an opportunity for the fiduciary to be heard and must serve the public interest.
Penalties
The Act prescribes penalties up to:
Rs 200 crore for violations concerning children’s data, and
Rs 250 crore for security lapses leading to data breaches.
Rulemaking Authority
The Act grants the government broad powers to make rules, including those governing consent managers, data breach notifications, children’s data processing, and significant data fiduciary requirements.
Partner with Cyber Law Consulting for Comprehensive Privacy Solutions
Take proactive steps to secure your organization’s sensitive data and ensure compliance with the Digital Personal Data Protection Act, 2023. At Cyber Law Consulting, we specialize in privacy auditing and data protection strategies tailored to your unique needs. Let us help you strengthen privacy practices, align with regulatory requirements, and build trust with your customers. Contact us today to learn more about our customized privacy solutions.