Digital Personal Data Protection Act 2023

Objective: To provide a comprehensive framework for the Protection and Processing of Personal Data. It recognizes both the rights of the individuals to protect their Personal Data and the need to process such Personal Data for lawful purposes and other related matters.

Definition of Data: Any representation of information, fact(s), concept(s), opinion(s), and instruction(s) which is capable of being communicated, interpreted, and processed by human beings or by automated means. Further, any data about an individual (Data Principal) who is identifiable by or in relation to such data has been referred to as Personal Data in the Act.

DPDP Act 2023 Key Features

The Digital Personal Data Protection Act 2023 introduces several key features designed to enhance data privacy and security. These include:

Applicability

The Bill applies to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised.
It will also apply to the processing of personal data outside India if it is for offering goods or services in India.

Consent

Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.
For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
A notice must be given before seeking consent. The notice should contain details about the personal data to be collected and the purpose of processing.
Consent may be withdrawn at any point of time.

Rights of data principal

Data principal is an individual whose data is being processed. An individual will have the right

To obtain information about processing
To seek correction and erasure of personal data
To nominate another person to exercise rights in the event of death or incapacity and
Grievance redressal

Duties of Data Principals

Data Principals must not

Register a false or frivolous complaint
Furnish any false particulars or impersonate another person in specified cases
Violation of duties will be punishable with a penalty of up to Rs 10,000.

Duties of Data Fiduciaries

Data fiduciaries are the entities that determine the purpose and means of processing. They must

Make reasonable efforts to ensure the accuracy and completeness of data.
Build reasonable security safeguards to prevent a data breach.
Inform the Data Protection Board of India and affected persons in the event of a breach.
Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes.

Transfer of Personal Data outside India

The central government will notify countries where a data fiduciary may transfer personal data.
Transfers will be subject to prescribed terms and conditions.

Exemptions

Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases. These include
prevention and investigation of offences, and
enforcement of legal rights or claims.

The central government may, by notification, exempt certain activities from the application of the Bill. These include

processing by government entities in the interest of the security of the state and public order, and
research, archiving, or statistical purposes.

Data Protection Board of India

The central government will establish the Data Protection Board of India. Main functions of the Board wll be:

monitoring compliance and imposing penalties,
directing data fiduciaries to take necessary measures in the event of a data breach, and
Grievance redressal

Penalities and Appeal

The act specifies penalties for various offences such as:

Penality of Rs 200 crore for non-fulfilment of obligations for children, and
Penality of Rs 250 crore for failure to take security measures to prevent data breaches

The decisions of the board can be appealed to Telecom Dispute Settlement and Appellate Tribunal.

Main Provisions of DPDP Act

The main provisions of the DPDP Act focus on establishing a robust legal framework for data protection:

Data Processing Guidelines: Specifies conditions under which data can be processed, including provisions for sensitive personal data.
Accountability and Transparency: Requires data fiduciaries to implement policies, maintain records, and conduct data protection impact assessments.
Penalties for Non-Compliance: Introduces significant penalties for violations, including financial fines and corrective actions.
Grievance Redressal Mechanism: Outlines procedures for individuals to address complaints regarding data processing violations.

Digital Personal Data Protection Highlights

The highlights of the Digital Personal Data Protection Act 2023 encapsulate its commitment to safeguarding personal data in the digital age:

Comprehensive Coverage: Applies to all entities processing personal data within the territory of India, as well as those outside India dealing with Indian residents’ data.
Cross-Border Data Transfer: Sets criteria for the transfer of personal data outside India, ensuring adequate levels of protection.
Child Data Protection: Introduces specific protections for personal data of children, requiring verifiable parental consent for data processing.
Data Breach Notification: Mandates timely notification to the authority and affected individuals in the event of a data breach.

Rights under DPDP Act 2023

The Digital Personal Data Protection Act 2023 empowers individuals with several rights to ensure their personal data is handled respectfully and responsibly. These rights include:

Right to Access: Individuals can request access to their personal data held by data fiduciaries to understand how and why it is processed.
Right to Correction: Enables individuals to correct inaccurate or incomplete personal data to ensure its accuracy.
Right to Erasure: Also known as the ‘right to be forgotten,’ this allows individuals to have their personal data deleted under certain conditions.
Right to Data Portability: Individuals can obtain and reuse their personal data across different services.

Individual Rights DPDP Act

Under the DPDP Act, individual rights are designed to give individuals control over their personal data. These rights include:

Right to Withdraw Consent: Individuals can withdraw consent for data processing at any time, subject to legal or contractual restrictions.
Right to Object: Individuals have the right to object to the processing of their personal data, including for direct marketing purposes.
Right to Restriction of Processing: Allows individuals to request a restriction on the processing of their personal data under specific circumstances.
Right to Information: Individuals have the right to be informed about the collection and use of their personal data in a clear, transparent manner.

Data Protection Rights India

The DPDP Act 2023 establishes comprehensive data protection rights in India, aligning with global standards for data privacy and security. These rights aim to:

Protect Privacy: Ensure personal data is processed in a manner that respects individual privacy and autonomy.
Enhance Control: Empower individuals with the ability to control how their personal data is collected, used, and shared.
Promote Transparency: Mandate data fiduciaries to be transparent about data processing activities and policies.
Ensure Accountability: Hold data fiduciaries accountable for adhering to the Act and protecting individuals’ rights.

DPDP Act 2023 Compliance

Compliance with the Digital Personal Data Protection Act 2023 is essential for businesses handling personal data within India. To comply, organizations must:

Understand the Act: Familiarize themselves with the Act’s provisions, focusing on consent, data rights, and processing requirements.
Implement Data Protection Measures: Adopt robust data security practices to protect personal data against breaches and unauthorized access.
Appoint a Data Protection Officer (DPO): Designate a DPO responsible for overseeing data protection strategies and compliance with the DPDP Act.

How to Comply with DPDP Act

Complying with the DPDP Act involves several key steps for businesses:

Conduct a Data Audit: Assess the types of personal data collected, processed, and stored to understand compliance requirements.
Update Privacy Policies: Ensure privacy policies are transparent, detailing the purpose of data collection and rights available to individuals.
Obtain Valid Consent: Collect explicit consent from individuals before processing their personal data, providing them with clear options to opt-in or opt-out.
Train Employees: Educate staff on data protection principles and the importance of compliance to prevent data breaches.

Business Obligations under DPDP Act

Businesses have specific obligations under the DPDP Act to ensure the protection of personal data:

Data Minimization: Collect only the data necessary for the purposes stated at the time of collection.
Accuracy and Retention: Keep personal data accurate and up-to-date, retaining it only for as long as necessary to fulfill the stated purpose.
Notify Data Breaches: Report any data breaches to the relevant authority and affected individuals promptly, as specified by the Act.
Ensure Data Subject Rights: Facilitate individuals’ rights regarding their personal data, including access, correction, and deletion requests.

DPDP Act 2023 Penalties

The Digital Personal Data Protection Act 2023 outlines strict penalties for non-compliance to ensure organizations take data protection seriously. Penalties include:

Financial Fines: Significant fines based on the severity of the data breach or non-compliance, potentially amounting to a percentage of the company’s annual revenue.
Legal Actions: Legal proceedings against entities or individuals responsible for violations of the Act.
Compensation to Individuals: Obligation to compensate affected individuals for any harm resulting from data breaches or misuse.

Enforcement of Digital Personal Data Protection Act

Enforcement of the Digital Personal Data Protection Act is carried out by a dedicated regulatory authority established under the Act. This authority is responsible for:

Monitoring Compliance: Regular audits and assessments to ensure organizations comply with the Act.
Investigating Breaches: Investigating reported data breaches and taking appropriate action against violators.
Raising Awareness: Conducting awareness programs to educate about data protection rights and responsibilities.

Fines under DPDP Act

Fines under the DPDP Act are designed to be a deterrent against the mishandling of personal data. The structure of fines includes:

Tiered Fines: Fines vary based on the nature and severity of the violation, with more significant penalties for more severe breaches.
Percentage of Turnover: In some cases, fines may be calculated as a percentage of the violator’s global annual turnover, making penalties substantial for larger companies.
Daily Fines: For ongoing violations, daily fines may be imposed until compliance is achieved, ensuring prompt action is taken to rectify issues.

Comparing the Digital Personal Data Protection Act 2023 (DPDP Act) with the General Data Protection Regulation (GDPR) reveals both similarities and distinctions:

Scope and Application: While the GDPR is a regulation across the European Union, the DPDP Act is specific to India, each with its territorial applicability and global reach for companies dealing with respective citizens’ data.
Consent: Both laws emphasize the importance of obtaining clear and informed consent for data processing, but the GDPR has stricter requirements for consent validity.
Data Protection Officer (DPO): The appointment of a DPO is mandatory under GDPR for certain organizations, whereas the DPDP Act also suggests appointing a data protection officer depending on the volume and sensitivity of data processed.

Digital Personal Data Protection Act Compared to International Laws

When comparing the Digital Personal Data Protection Act to international data protection laws, several key aspects stand out:

Data Subject Rights: Like many international laws, the DPDP Act grants individuals several rights over their personal data, including access, correction, and deletion, similar to rights under GDPR and the California Consumer Privacy Act (CCPA).
Data Breach Notifications: The DPDP Act aligns with global standards by requiring timely notification of data breaches, akin to GDPR and other international frameworks.
Regulatory Authority: The establishment of a regulatory authority for overseeing compliance and enforcement is a common feature in many data protection laws, including the DPDP Act.

DPDP and Global Data Protection

The DPDP Act represents India’s commitment to aligning with global data protection standards:

Harmonization with International Practices: The Act incorporates principles recognized internationally, such as data minimization, purpose limitation, and transparency, facilitating cross-border data flows with countries having stringent data protection measures.
Global Business Compliance: For multinational companies, understanding the nuances between the DPDP Act and other data protection laws like GDPR is crucial for global compliance strategies, ensuring data protection measures meet all applicable legal requirements.
Enhancing Data Protection Framework: By introducing the DPDP Act, India strengthens its legal framework for data protection, encouraging a culture of privacy and security that is in line with global practices.

Impact of DPDP Act on Businesses

The Digital Personal Data Protection Act 2023 has significant implications for businesses operating in India:

Compliance Requirements: Businesses must adhere to stringent data processing guidelines, necessitating updates to privacy policies and data handling practices.
Increased Accountability: The Act mandates accountability measures, including data protection impact assessments and the appointment of a Data Protection Officer (DPO) for certain organizations.
Financial Implications: Non-compliance with the Act can result in substantial financial penalties, making it crucial for businesses to invest in robust data protection measures.

How DPDP Act Affects Consumers

For consumers, the DPDP Act 2023 marks a pivotal shift towards greater control and security of their personal data:

Enhanced Privacy Rights: Consumers gain significant rights over their data, including the right to access, correct, and delete their personal information.
Consent Management: The Act emphasizes consent, requiring businesses to obtain clear, informed consent from consumers before collecting or processing their data.
Transparency and Trust: With businesses required to be more transparent about their data practices, consumers can expect increased trust in digital transactions and services.

DPDP Act 2023 Implications

The implications of the DPDP Act 2023 extend beyond businesses and consumers, affecting the broader digital ecosystem:

Data Protection Standards: The Act sets a new benchmark for data protection in India, aligning with global standards and enhancing India’s position in the international digital economy.
Innovation and Compliance: While the Act encourages innovation by providing a clear legal framework for data processing, it also requires businesses to incorporate privacy-by-design principles, balancing innovation with privacy.
Cross-Border Data Flows: The Act’s provisions on cross-border data transfer will influence how international data flows are managed, requiring adequacy decisions or contractual safeguards for data transferred outside India.

Significance of Digital Personal Data Protection Act 2023

The Significance of Digital Personal Data Protection Act, 2023 are given below:

The new act will replace the existing Information Technology Act, 2000, the Draft Indian Telecommunication Bill, 2022, and a Policy that addresses the governance of non-personal data.
Personal data of the user will be more safe. More freedom will be there in deciding how to transfer their personal data.
Companies and consumers will be held accountable. Provision of penality is provided if they do not follow the norms listed in the act.
There will be data sovereignty as companies will be able to store data locally. It will empower the Indian government to impose taxes on major Internet corporations.
Different entities including mobile apps, internet companies, and businesses are held responsible for the collection, storage, and processing of citizens’ data under the “Right to Privacy.”

Official Sources and Links

Source	Description	Link
The Gazette of India	Official publication of all acts passed by the Parliament of India.	Visit Site
Ministry of Electronics & Information Technology (MeitY)	Nodal agency for IT and electronics in India, providing official details on the DPDP Act.	Visit Site
Data Security Council of India (DSCI)	Premier industry body on data protection in India, offering analyses and summaries on legislation.	Visit Site
Indian Kanoon	Platform providing comprehensive legal information, documents, and interpretations.	Visit Site
Legal Information Institute of India	Provides access to a wide range of legal documents and acts.	Visit Site
Nishith Desai Associates	Law firm known for detailed legal analyses and articles.	Visit Site
Bar and Bench	Platform for legal news, analyses, and insights.	Visit Site
LiveLaw	Provides latest legal news and updates.	Visit Site
International Association of Privacy Professionals (IAPP)	Offers international comparisons and analyses on data protection laws.	Visit Site

Preparing for DPDP Act 2023

Businesses and organizations must take proactive steps to prepare for the Digital Personal Data Protection Act 2023:

Understand the Legislation: Begin with a thorough review of the DPDP Act to understand its scope, requirements, and how it applies to your operations.
Assess Current Data Practices: Conduct a data audit to identify what personal data you collect, how it’s processed, and if it complies with the new regulations.
Implement Necessary Changes: Update data collection, processing, and storage practices to ensure they align with the Act’s requirements, focusing on data minimization and security.

DPDP Act Checklist for Businesses

To ensure compliance with the DPDP Act, businesses should follow this checklist:

Privacy Policy Update: Revise your privacy policy to include detailed information on data processing activities as required by the Act.
Consent Mechanisms: Implement or update mechanisms to obtain explicit consent from individuals before collecting their data.
Data Protection Measures: Strengthen data security measures to protect against breaches and unauthorized access.
Training and Awareness: Educate employees about the DPDP Act’s requirements and their roles in ensuring compliance.

Data Protection Act Readiness

Achieving readiness for the Digital Personal Data Protection Act involves several key steps:

Gap Analysis: Compare current data protection practices against the Act’s requirements to identify gaps.
Action Plan Development: Develop a comprehensive action plan to address identified gaps, assigning responsibilities and deadlines.
Regular Monitoring and Review: Establish ongoing monitoring and review processes to ensure continuous compliance and adapt to any updates in the legislation.
Engage with Stakeholders: Communicate with all stakeholders, including employees, customers, and partners, about how you’re preparing for the DPDP Act and what changes they can expect.

Data Privacy Law in Other Countries

An overview of data privacy law in other countries includes:

European Union: In 2018, General Data Protection Regulation (GDPR) came into effect. It is a comprehensive law that was formed to imposes strict rules on the collection and processing of personal data especially by businesses and organizations.
Japan: To governs personal data Act on the Protection of Personal Information (APPI) is present. It requires consent of the user and provides for various security measures.
China: In China, the right to prevent the misuse of personal data is present underThe Personal Information Protection Law (PIPL).
Australia: Private individual data is goverend under Privacy Act.
South Africa: Individual information is protected under Protection of Personal Information Act (POPIA).

Various concerns related to the Digital Personal Data Protection Act 2023 are:

It dilutes the Right to privacy as exceptions are granted to the government and its agencies.
Amendment made to the Right to Information Act, 2005 that would prohibit sharing of detail related to personal information of government officials.
Lack the provision of Right to Portablity and Right to Forgotten.
Dilution of independence of the data protection board.
The act overrides Section 43A of the Information Technology Act, 2000. It make it compulsory for the companies to provide compensation to users in case of unauthorized use of their data.

Check this Articles: