Digital Personal Data Protection – Act to action
By Akshat Pande, on September 4, 2023
POSTED IN Data Privacy/ Technology,
A CXO checklist of the provisions
– The Digital Personal Data Protection Act, 2023 (“Act”) shall apply to:
(i) Processing of digital personal data (“DPD”) within India, where the DPD is collected in digital form or in non-digital form and digitised subsequently; and
(ii) Processing of DPD outside India, if such processing is in connection with any activity related to offering goods or services to the Data Principal (“DP”) within India.
– Non-Applicability of the Act:
(i) If the DPD is processed by an individual for personal or domestic purposes; and
(ii) Publicly available DPD, where such data is made public by DP itself or by any other person pursuant to an obligation under law.
II. AMENDMENTS BROUGHT IN OTHER LAWS AND CONSISTENCY WITH OTHER LAWS
– In case of conflict with any other existing law, the provisions of the Act shall prevail.
– Following are certain corresponding changes in other laws within India:
Section 14 (c) of the Telecom Regulatory Authority of India Act, 1997 Appellate Tribunal under the Digital Personal Data Protection Act, 2023 has been added in Section 14 (c)
Section 43A of the Information Technology Act, 2000 Section 43A has been omitted as it provided for compensation for failure to protect sensitive personal data or information
Section 8 of the Right to Information Act, 2005 Information which relates to personal information has been added to list of exemptions from disclosure
III. POWERS OF GOVERNMENT
– Constitution of the Data Protection Board of India (“Board”): The Central Government may require the Data Protection Board of India (“Board”), any Data Fiduciary (“DF”) or any intermediary to furnish such information as it may require for the administration of the Act.
– Penalties and restrictions: In the event the Board has imposed penalty on a DF in more than two instances or if the Board advises the Central Government that it is expedient to block public access to any information generated or transmitted or used by a DF that carries on business of selling goods or services in India to a DP, the Central Government may block such access after giving opportunity of being heard and recording reasons in writing.
– Power to make rules: The Central Government has the powers to make rules under this Act inter alia on matters listed below:
(i) standards for processing the personal data;
(ii) form and manner of intimation of personal data breach;
(iii) manner of publishing the business contact information;
(iv) manner of obtaining verifiable consent;
(v) matters comprising the process of Data Protection Impact Assessment;
(vi) manner in which a DP shall make a request to the DF
(vii) manner in which request be made to the DF for erasure of personal data;
(viii) manner of accountability and the obligations of the Consent Manager;
(ix) processing of data under Section 7(b) of the Act viz., for the state to provide subsidy, benefit, service, certificate, licence or permit;
(x) categorisation of the classes of DF, etc.
IV. IMPORTANT DEFINITIONS/ENTITIES UNDER THE ACT
Child An individual who under 18 years of age.
Consent Manager – A person registered with the Board
– acting as a single point of contact
– enabling a DP to change, give or withdraw consent
Data Fiduciary A Person who determines the purpose and means of processing personal data
Data Principal – An individual
– to whom personal data relates
– or acting for a child or disabled as a lawful guardian
Data Processor Person who processes data on behalf of the DF
Data Protection Officer
– An individual
– appointed by a notified DF
– based in India
– being responsible to the Board of Directors of such DF
– being the point of contact for the grievance redressal
V. OBLIGATIONS OF THE DATA FIDUCIARY
– The DF has inter alia following obligations under the Act:
(i) Processing of personal data for which the DP has given consent or there is deemed consent or for certain legitimate uses as per the Act;
(ii) Take reasonable steps to ensure the accuracy and completeness of the data;
(iii) Ensuring adequate and reasonable security safeguards to prevent a data breach;
(iv) Informing the Board and any affected individual in the event of a breach;
(v) Erasure of personal data upon fulfilment of the purpose and retention being no longer required (“Storage Limitations”). It is pertinent to note that governmental organisations are not required to comply with Storage Limitations.
VI. RIGHTS AND DUTIES OF DATA PRINCIPALM
– The DP has inter alia following rights under the Act:
(i) Right to access information: The DP has the right to seek information regarding personal data, including description of actions taken while processing and the DF’s which have processed personal data;
(ii) Right to seek correction and erasure of personal data: The DF is obligated to follow the instructions of the DP and rectify any incorrect data or complete the incomplete database;
(iii) Right of grievance redressal: The DP has the right to raise a complaint with the DF or the Consent Manager and also has the right to approach the Board if she is dissatisfied with the DF’s response; and
(iv) Right to nominate: In the event of death or incapacity of the DP, she has the right to nominate any other person to exercise her rights.
– The DP has inter alia following duties under the Act:
(i) Not to impersonate another individual while providing her personal data;
(ii) Not to supress any material information;
(iii) not to register a false or frivolous grievance or complaint; and
(iv) to furnish only verifiably authentic information while exercising the right to correction or erasure.
VII. PROCESSING OF DATA OUTSIDE INDIA
– Subject to the provisions of the Act, extraterritorial processing and transfer of personal data except to such nations as restricted by the Central Government through notification is allowed.
VIII. CONSTITUTION AND POWERS OF THE BOARD
– The Board shall consist of a chairperson and other members, appointed for a term of two years and eligible for retirement.
– The Board shall operate and observe the proceedings by digital means, adopting techno-legal measures as prescribed under the Act.
– The key functions of the Board are inter alia as follows:
(i) Direct necessary remedial and mitigation measures in the event of a breach of personal data;
(ii) Hear complaints or grievances raised by the DP; and
(iii) Inquire into such personal data breach and impose penalty as per the Act.
– The Board shall have powers of a civil court as per the provisions of the Civil Procedure Code, 1908, in order to conduct any enquires etc.
IX. APPEALS, DISPUTE RESOLUTION, PENALTIES AND ADJUDICATION
– No civil court shall have jurisdiction to entertain any suit or proceeding in respect of any matter for which the Board is empowered under the Act.