The Digital Personal Data Protection Act, 2023: A New Era for Data Privacy in India

The Digital Personal Data Protection Act, 2023 (DPDPA) marks a significant milestone in India’s legal framework for safeguarding personal data in the digital age. After several iterations, the final Act received Presidential assent on August 11, 2023, and is set to come into force in 2024. This blog post will delve into the key aspects of this new law, its implications, and what it means for individuals and organizations in India.

Understanding the DPDPA

The DPDPA aims to provide a comprehensive framework for processing digital personal data in a lawful manner, balancing the rights of individuals to protect their data with the need for organizations to process data for legitimate purposes. The Act emphasizes accountability, transparency, data minimization, fairness, accuracy, and lawful processing of personal data. Notably, the DPDPA uses “she/her” pronouns to refer to Data Principals, reflecting a new level of gender sensitivity in Indian law.

Core Elements of the DPDPA

  1. Data Principals: The Act recognizes the rights of individuals (Data Principals) over their personal data, including the right to give, manage, review, and withdraw consent.

  2. Data Fiduciaries: These are organizations that determine the purpose and means of processing personal data. They have specific obligations to comply with the Act.

  3. Data Processors: These are entities that process data on behalf of Data Fiduciaries.

  4. Significant Data Fiduciaries (SDF): A special category of Data Fiduciaries, notified by the government, that have additional compliance requirements based on their scale and impact.

  5. Consent Manager: A registered entity that facilitates the management of data principals’ consent.

  6. Data Protection Board (DPB): The enforcement authority under the DPDPA, responsible for overseeing compliance and addressing grievances.

  7. Telecom Disputes Settlement and Appellate Tribunal (TDSAT): The appellate authority under the DPDPA.

What is Personal Data?

The DPDPA defines personal data as “any data about an individual who is identifiable by or in relation to such data.” This covers a broad range of information that can directly or indirectly identify a person.

What is a Personal Data Breach?

A personal data breach is defined as “any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.” All breaches, regardless of whether they cause damage, must be reported to both the Data Principals and the Data Protection Board.

Penalties for Violations Under the DPDPA

The Act imposes significant penalties for violations, depending on the nature and severity of the breach. Some of the penalties include:

  • Failure to implement security safeguards: Up to ₹250 crores

  • Failure to notify a breach: Up to ₹200 crores

  • Non-compliance with special provisions regarding children: Up to ₹200 crores

  • Non-compliance with obligations by SDFs: Up to ₹150 crores

  • Non-compliance with obligations by Data Principals: Up to ₹10,000

  • Violation of voluntary undertaking: Up to the extent applicable to the breach

  • Violation of other provisions: Up to ₹50 crores

Notably, the DPDPA does not specify a “cure period,” but it does ensure that violators have a chance to be heard, adhering to the principles of natural justice.

Steps to DPDPA Compliance

Organizations must take proactive steps to comply with the DPDPA. Some of the key requirements include:

  1. Obtain Valid Consent: Secure verifiable consent from individuals before processing their personal data. Consent must be free, specific, informed, unconditional and unambiguous.

  2. Provide Clear Privacy Notice: Provide a clear privacy notice along with the request for consent, and ensure that it is accessible in English and any of the 22 other languages in the Eighth Schedule.

  3. Limit Data Collection: Collect only the data that is necessary for the specific purpose of processing.

  4. Implement Security Safeguards: Put in place appropriate security measures to protect personal data from breaches.

  5. Consent for Children and Persons with Disabilities: Obtain verifiable consent from parents or lawful guardians before processing the data of children and persons with disabilities.

  6. Data Deletion: Delete data within a reasonable time after the data principal revokes consent, requests deletion, or when the purpose of processing is fulfilled.

  7. Respond to Data Principals: Respond to data principal requests within a reasonable time.

  8. Avoid Behavioral Monitoring: Avoid behavioral monitoring, targeted advertising, and tracking of children.

  9. Data Accuracy: Ensure the personal data is complete, accurate, and consistent.

  10. Audits and Assessments: Conduct audits and impact assessments if categorized as a Significant Data Fiduciary.

  11. Data Transfer Restrictions: Do not transfer data to countries on the negative list as notified by the government.

  12. Contractual Agreements: Establish a contractual relationship with all data processors.

  13. Breach Notification: Inform the DPB of any data breach regardless of the risk involved.

Key Highlights of the DPDPA

  • Focus on Data Principals: The Act focuses on empowering individuals by giving them control over their data.

  • Emphasis on Consent: Processing of personal data requires explicit consent, with the ability to withdraw consent at any time.

  • Penalties for Non-Compliance: The Act imposes significant financial penalties for violations, encouraging organizations to prioritize data protection.

  • Data Protection Board: The DPB is the key enforcement authority, overseeing compliance and addressing grievances.

  • Gender-Sensitive Language: The use of “she/her” to refer to Data Principals reflects a commitment to gender equality.

  • No definition of sensitive data: Unlike other data protection laws, this one does not define sensitive data.

Conclusion

The Digital Personal Data Protection Act, 2023, is landmark legislation that will significantly change how organizations collect, process, and protect personal data in India. It aims to create a balanced framework that prioritizes both individual rights and the legitimate needs of data processing. Understanding the key provisions and compliance requirements of this Act is crucial for all stakeholders.
