
INDIA: DIGITAL PERSONAL DATA PROTECTION ACT, 2023
SCOPE AND APPLICATION
INTRODUCTION
India officially enacted the Act on August 11, 2023, the culmination of the fifth version of the proposed personal data protection legislation. The Act closely aligns with the draft Bill published by the Ministry of Electronics and Information Technology on November 18, 2022, titled Digital Personal Data Protection Bill, 2022, which underwent public consultations. Upon full enforcement, the Act will supersede Section 43A of the Information Technology Act, 2000 (IT Act), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).
The Act is designed to be implemented gradually, with the Central Government bringing its provisions into force in stages and issuing rules under the Act over time.
SCOPE
The Act aims to establish a framework for the lawful processing of digital personal data, prioritizing the protection of individuals' rights related to their data. It introduces the concept of a fiduciary relationship between data subjects (individuals to whom the data pertains) and data controllers (entities determining the purpose and method of data processing), labeling them as data principals and data fiduciaries, respectively.
The DPDP Act traces its origin to the 2017 landmark decision of the Supreme Court of India in Justice KS Puttaswamy & Ors v Union of India & Ors.[1] This ruling recognized the right to privacy as an integral component of the right to life and personal liberty under Article 21 of the Constitution of India, establishing it as a fundamental right. The court underscored the necessity for the government to enact a comprehensive personal data protection law to safeguard individuals' privacy rights.

APPLICATION
No Sub-Categories of Personal Data: The Act specifically addresses digital personal data and does not encompass non-personal data. It pertains to the processing of 'personal data,' whether collected digitally or initially in physical form and later digitized. The definition of personal data includes all identifiable information about an individual but does not introduce sub-categories like sensitive personal data or critical personal data. This is a departure from the previous data protection regime under the IT Act and SPDI Rules, which recognized sensitive personal data and imposed additional compliance measures for it.
Extraterritorial Applicability: The Act extends its reach beyond the borders of India to the processing of digital personal data abroad where it is connected with offering goods or services to data principals within India. Compliance with the Act is required even if the data fiduciary operates from outside India while engaging with data principals in the country. Notably, the Act does not require systematic or habitual engagement, meaning even occasional collection and processing of data from Indian data principals by foreign businesses may trigger compliance.
Exclusions: The Act excludes the processing of anonymised data, personal data processing by individuals for personal or domestic purposes, and the processing of personal data made publicly available by the data principal or by any other person under a legal obligation.
Exemptions for the State and Certain Data Fiduciaries: State instrumentalities, subject to government notifications considering factors like sovereignty and integrity, security, and public order, are exempt from the Act.
Additionally, the government holds the authority to grant exemptions to specific classes of data fiduciaries, including startups, from certain notice, accuracy, and erasure requirements.
CONSENT AND LEGITIMATE USES
Basis for Processing Personal Data
The processing of a data principal's personal data must strictly adhere to the Act's provisions and be founded on either:
Consent: The data principal's explicit agreement to the processing of their personal data for a lawful purpose.
Legitimate Uses: Specific grounds recognized under the Act that allow the processing of personal data without requiring the explicit consent of the data principal.
In essence, while the Act places significant emphasis on obtaining the data principal's consent for processing their personal data, it also outlines particular legitimate reasons that justify processing without explicit consent.
Consent Guidelines under the Act: Ensuring Precision and Compliance
When relying on consent as the foundation for processing personal data, it is imperative to meet specific criteria as outlined by the Act. The consent must be:
Free and Unambiguous: Given voluntarily without coercion, as a clear and unequivocal expression of agreement.
Specific and Informed: Clearly and precisely articulating the purpose for which personal data will be processed, with the data principal having full awareness of it.
Unconditional and Affirmative: Without any conditions that compromise its validity, and requiring an active, affirmative action from the data principal.
Limited and Necessary: Restricted to the personal data essential for the specified purpose, emphasizing data minimization.
Consent Communication: Clarity and Transparency
When seeking consent, data fiduciaries must accompany or precede it with a clear and straightforward 'notice' to the data principal. This notice, presented in plain language, should encompass:
Categories of Personal Data: Clearly delineate the types of personal data undergoing processing.
Purpose of Processing: Explicitly state the intended purpose for which personal data is being processed.
Withdrawal Process: Outline the procedure for data principals to exercise their right to withdraw consent and seek grievance redressal.
Complaint Filing Process: Specify the process for data principals to file a complaint with the Data Protection Board of India.
To ensure accessibility, data principals should be provided the option to access the notice content in English or any language specified in the 8th Schedule to the Constitution of India.
For consents obtained before the Act's commencement, data fiduciaries are obligated to furnish a similar notice promptly. Processing can continue until the data principal withdraws consent, safeguarding consents obtained before the Act's enforcement. The Act prioritizes transparency and empowerment in data processing practices.
Empowering Data Principals: Withdrawal of Consent
Data fiduciaries must afford data principals the unequivocal right to withdraw their consent for personal data processing at any time. The withdrawal process should mirror the ease of granting consent, ensuring a straightforward experience for the data principal.
Upon withdrawal, the data fiduciary, and its data processor, if applicable, must promptly cease processing the data principal's personal data.
Exceptions include situations where retention is mandated by legal obligations.
Special Considerations for Children and Persons with Disabilities
For data principals below 18 years of age or persons with disabilities, the data fiduciary must secure verifiable consent from the parent or legal guardian for personal data processing.
The specific process for obtaining such verifiable consent is expected to be outlined in rules notified by the Government of India.
Legitimate Uses: Balancing Privacy and Utility
The Act introduces 'legitimate uses' as a foundation for processing personal data without explicit consent in certain defined scenarios. These include:
Voluntary Sharing: Processing personal data voluntarily shared by the data principal without objection.
Employment-Related Processing: For employment-related purposes, ensuring employer protection from loss or liability.
Medical Emergencies: Responding to medical emergencies that warrant personal data processing.
Legal Compliance: Processing necessary for law enforcement, state-provided services, compliance with judgments, and more.
This nuanced approach balances privacy protection and the practical necessities of data processing, underscoring the Act's commitment to responsible and ethical data handling practices.