The Digital Personal Data Protection Bill, 2023 (“Bill”), the revised iteration of the 2022 draft, was passed by the Lok Sabha on August 07, 2023 and by the Rajya Sabha on August 09, 2023. The Bill received the President of India’s assent on August 11, 2023 and was notified in the Official Gazette on the following day. The Digital Personal Data Protection Act, 2023 (“Act”) is not yet in force and will come into force only upon further notification by the Central Government. This gives body corporates a transition period to bring their privacy frameworks in line with the Act once it is enforced. Further, Indian stakeholders are awaiting the publication of the Rules under the Act, as prescribed, to gain clarity on the specific measures to be undertaken. The Act aims to protect personal data and the privacy of the citizens of India. Its main purpose is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such data for lawful purposes permitted under the law.
- Applicability – The Act applies to the processing of personal data, as defined under the Act, within the territory of India where such personal data is collected in digital form, or is collected offline and subsequently digitised. The Act also applies to the processing of personal data outside India where such processing is connected with the offering of goods or services in India.
- Notice & Consent – The Act requires data fiduciaries to furnish a detailed notice to data principals which must state the personal data to be collected and processed for a specified purpose, the mechanism available to data principals to manage their personal data, the grievance redressal mechanism, and the manner in which data principals may file a complaint with the Data Protection Board of India (“Board”). Data fiduciaries must devise a mechanism to obtain the consent of data principals through a clear affirmative action, ensuring that such consent is free, specific, informed, unconditional and unambiguous. Once consent is obtained, the personal data of a data principal may be processed only for the lawful specified purpose. The detailed notice containing all the particulars enumerated above must be furnished before or at the time of seeking consent. Data principals must be given the option to withdraw their consent at any time. As an alternative to consent, the Act permits processing for certain legitimate uses prescribed under it. Additionally, verifiable consent must be obtained from the parent or legal guardian where a data fiduciary intends to process the personal data of a child or of a person with a disability.
- Rights and duties of data principals – Data principals have the right to obtain information about the processing of their personal data, including the other data fiduciaries and data processors with whom their personal data may be shared for processing; the right to correct, modify, update and erase their personal data; the right to grievance redressal, which data fiduciaries must provide; the right to nominate another person to exercise their rights in the event of their incapacity or death; and such other rights as may be prescribed under the Act. Data principals are also bound to perform certain duties under the Act, including not impersonating any other data principal, not providing false information or suppressing material information, not registering false or frivolous complaints with data fiduciaries or the Board, and such other duties as may be prescribed.
- General duties of data fiduciaries – The Act prescribes general obligations on data fiduciaries, which include, without limitation: (i) complying with the provisions of the Act at all times and making reasonable efforts to ensure the accuracy and completeness of personal data; (ii) implementing reasonable security safeguards and organisational measures to prevent a data breach and to ensure compliance with the Act and the Rules thereunder; (iii) informing the Board and the affected data principals of a data breach in the manner prescribed; (iv) erasing personal data as soon as the specified purpose has been fulfilled and retention is no longer necessary for legal purposes; (v) ensuring that valid contracts are entered into between data fiduciaries and data processors for the processing of the personal data of data principals; (vi) establishing a grievance redressal mechanism; (vii) appointing a Data Protection Officer (in the case of significant data fiduciaries) or an equivalent person to address queries raised by data principals regarding the processing of their personal data; and (viii) where a data fiduciary processes the personal data of children or persons with disabilities, processing such data in a manner that does not cause any detrimental effect on the well-being of a child, and refraining from behavioural monitoring or tracking of children.
- Additional duties of significant data fiduciaries – The Act introduces the concept of a significant data fiduciary, being one that processes data which merits higher protection owing to its sensitive nature; unauthorised disclosure of such data would pose significant risks to the fundamental rights and freedoms of data principals. The Act imposes additional obligations on significant data fiduciaries, which include, without limitation: (i) appointment of a Data Protection Officer; (ii) appointment of an Independent Data Auditor; (iii) undertaking compliance measures, including periodic audits and periodic Data Protection Impact Assessments; and (iv) such other measures as may be prescribed.
- Processing personal data outside India – Cross-border transfers of personal data are permitted unless restricted by the Central Government. If personal data is being transferred to a country that is subsequently restricted, the data fiduciary must immediately cease the transfer, cease the processing of such personal data, and delete the personal data already transferred. The Act also clarifies that where any other existing Indian law imposes a higher degree of regulation on the transfer of personal data outside India, that law will take precedence, e.g., the requirement that payment system data be stored within the country, as mandated by the Reserve Bank of India.
- Exemptions provided in the Act – Certain provisions of the Act do not apply to the processing of personal data for the following purposes: (i) investigation and prevention of offences, including financial frauds; (ii) enforcement of claims or legal rights; (iii) processing of the personal data of data principals outside the territory of India; and (iv) processing of personal data pursuant to a scheme of merger or amalgamation. The Central Government may, by official notification, exempt certain activities from the application of the Act, including (i) processing by government entities in the interest of the security of the State, public order, or friendly relations with foreign States, and (ii) processing for research, archiving or statistical purposes. The Central Government may also, at its discretion, exempt certain data fiduciaries from specified provisions of the Act, subject to the satisfaction of certain conditions.
- Data Protection Board of India – The Act empowers the Central Government to establish the Board by notification under the Act. The Act provides for the composition of the Board, which is controlled by the Central Government. The Board is responsible for ensuring that the provisions of the Act are implemented and that data fiduciaries comply with them. The Board may also direct data fiduciaries to take corrective measures in the event of a data breach. The Board shall hear complaints made by data principals against data fiduciaries and impose penalties where warranted. Appeals against the decisions of the Board lie with the Telecom Disputes Settlement and Appellate Tribunal.
- Penalties – The Act provides for strict penalties for various contraventions, starting at INR 50 crores and extending up to INR 250 crores.
The Act marks a distinctive approach by India to safeguarding personal data and preventing data breaches. It is a crucial step in protecting personal data and addresses a longstanding need in the context of a growing number of internet users, increasing data generation, and expanding cross-border trade.