Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 was notified on the 11th August, 2023.

The Act provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

The Act protects digital personal data (that is, the data by which a person may be identified) by providing for the following:

• The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data);
• The rights and duties of Data Principals (that is, the person to whom the data relates);and
• Financial penalties for breach of rights, duties and obligations.

Applicability

Apply to

• Processing of digital personal data within the territory of India where the personal data is collected
  • in digital form; or
  • in non-digital form and digitised subsequently;
• Processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.

Not apply to

• personal data processed by an individual for any personal or domestic purpose; and
• personal data that is made or caused to be made publicly available by
  • the Data Principal to whom such personal data relates; or
  • any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

Principles followed

The Act is based on the following seven principles:

• The principle of consented, lawful and transparent use of personal data;
• The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
• The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);
• The principle of data accuracy (ensuring data is correct and updated);
• The principle of storage limitation (storing data only till it is needed for the specified purpose);
• The principle of reasonable security safeguards; and
• The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Bill and imposition of penalties for the breaches).

Rights of individuals

The Act provides for following rights to the individuals:

• The right to access information about personal data processed;
• The right to correction and erasure of data;
• The right to grievance redressal; and
• The right to nominate a person to exercise rights in case of death or incapacity.

For enforcing his/her rights, an affected Data Principal may approach the Data Fiduciary in the first instance. In case he/she is not satisfied, he/she can complain against the Data Fiduciary to the Data Protection Board in a hassle-free manner.

Obligations of data fiduciary

The Act provides for following obligations on the data fiduciary:

• To have security safeguards to prevent personal data breach;
• To intimate personal data breaches to the affected Data Principal and the Data Protection Board;
• To erase personal data when it is no longer needed for the specified purpose;
• To erase personal data upon withdrawal of consent;
• To have in place grievance redressal system and an officer to respond to queries from Data Principals; and
• To fulfill certain additional obligations in respect of Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessment to ensure higher degree of data protection.

Safeguars of personal data of children

The Act safeguards the personal data of children as follows

• Allows a Data Fiduciary to process the personal data of children only with parental consent.
• Does not permit processing which is detrimental to well-being of children or involves their tracking, behavioural monitoring or targeted advertising.

Exemptions  

The exemptions provided in the Act are as follows:

• For notified agencies, in the interest of security, sovereignty, public order, etc.;
• For research, archiving or statistical purposes;
• For startups or other notified categories of Data Fiduciaries;
• To enforce legal rights and claims;
• To perform judicial or regulatory functions;
• To prevent, detect, investigate or prosecute offences;
• To process in India personal data of non-residents under foreign contract;
• For approved merger, demerger etc.; and
• To locate defaulters and their financial assets etc.

Data Protection Board of India 

The key functions of the Board are as under:

• To give directions for remediating or mitigating data breaches;
• To inquire into data breaches and complaints and impose financial penalties;
• To refer complaints for Alternate Dispute Resolution and to accept Voluntary Undertakings from Data Fiduciaries; and
• To advise the Government to block the website, app etc. of a Data Fiduciary who is found to repeatedly breach the provisions of the Act.

Penalties

• Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (5) of section 8. - May extend to two hundred and fifty crore rupees.
• Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8. - May extend to two hundred crore rupees. 
• Breach in observance of additional obligations in relation to children under section 9. -  May extend to two hundred crore rupees. 
• Breach in observance of additional obligations of Significant Data Fiduciary under section 10. -  May extend to one hundred and fifty crore rupees. 
• Breach in observance of the duties under section 15 - May extend to ten thousand rupees.
• Breach of any term of voluntary undertaking accepted by the Board under section 32.- Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted
• Breach of any other provision of this Act or the rules made thereunder. - May extend to fifty crore rupees.

To access the complete Act, click here.

Source : Ministry of Electronics and IT