Deciphering the Digital Personal Data Protection Act (DPDPA) 2023 in India: A comprehensive guide

The Digital Personal Data Protection Bill, 2023 (the successor to the draft DPDP Bill 2022) became the Digital Personal Data Protection Act, 2023 after receiving the President's assent on 11 August 2023, when it was notified in the official Gazette of the Government of India. Together with the proposed Digital India Bill and the draft Indian Telecommunication Bill 2022, the DPDPA is intended to form the backbone of personal data governance in India.
This Act is responsible for regulating the processing of digital personal data in India, regardless of whether the data was initially collected in digital or non-digital form and later digitized.
The DPDP Act is also expected to shape India's trade negotiations with other nations, since it brings India's regime broadly in line with international data protection laws such as the European Union's General Data Protection Regulation (GDPR).
Applicability of the DPDP Act 2023
At its core, the DPDP Act has a fundamental goal of establishing a heightened level of accountability and responsibility for entities operating within India, which includes internet companies, mobile apps, and businesses engaged in collecting, storing, and processing citizens' data.
Emphasizing the importance of the "Right to Privacy," this legislation aims to ensure that these entities operate with transparency and are held accountable for their actions in handling personal data, thereby prioritizing the privacy and data protection rights of Indian citizens.

The DPDP Act's reach extends beyond India's borders: it also covers the processing of digital personal data outside India when that processing is connected with offering goods or services to Data Principals within India (Section 3).
Data fiduciary
Data Fiduciary means any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
The data fiduciary is responsible for managing and processing the data, while the data principal is the individual whose data is being collected and protected.
Obligations of a data fiduciary
- A Data Fiduciary may process a Data Principal's personal data only in accordance with this Act and for a lawful purpose, either:
- With the Data Principal's consent, or
- For certain legitimate uses listed in the Act (for example, where the Data Principal has voluntarily provided the data for a specified purpose, or to respond to a medical emergency).
- In this context, "lawful purpose" means any purpose that is not expressly forbidden by law.
- Whenever a Data Fiduciary requests consent from a Data Principal, they must provide the Data Principal with a notice that:
- Explains the personal data being collected and the purpose of its use,
- Describes how the Data Principal can exercise their rights, and
- Informs the Data Principal of the procedure for making a complaint to the Board, following the prescribed guidelines.
- A Significant Data Fiduciary must also appoint a Data Protection Officer (DPO) based in India who is responsible to its Board of Directors or similar governing body and who serves as the point of contact for the grievance redressal mechanism.
Who is a Significant Data Fiduciary?
A Significant Data Fiduciary is any Data Fiduciary, or class of Data Fiduciaries, that the Central Government notifies as such, taking into account factors such as the volume and sensitivity of the personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order.

The three main additional obligations of a Significant Data Fiduciary are:
- Appoint a Data Protection Officer (DPO) based in India who is directly answerable to the Board of Directors or a similar governing body.
- Appoint an independent data auditor to evaluate compliance with the Act.
- Conduct Data Protection Impact Assessments (DPIAs) and periodic audits.
Data Principal
Data Principal means the individual to whom the personal data relates and where such individual is:
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with a disability, including her lawful guardian, acting on her behalf.

Rights of a Data Principal
The Data Principal has the following rights:
- A Data Principal has the right to obtain the following information from a Data Fiduciary to whom they have previously given consent, by making a request in the prescribed manner:
- A summary of the personal data being processed by the Data Fiduciary and the processing activities undertaken with it.
- The identities of all other Data Fiduciaries and Data Processors with whom the Data Fiduciary has shared the personal data, along with a description of the data shared.
- Any other information related to their personal data and its processing, as may be prescribed.
- The second and third items above (Section 11(1)(b) and (c)) do not apply where the Data Fiduciary has shared personal data with another Data Fiduciary that is authorised by law to obtain it, and that other Data Fiduciary has requested the data in writing for preventing or investigating offences or cyber incidents, or for prosecuting or punishing offences.
- A Data Principal also has the right to request correction, completion, updating, or erasure of personal data for whose processing they have previously given consent, in the manner prescribed and subject to the requirements of applicable law.
- When a Data Principal requests correction, completion, or updating of their personal data, the Data Fiduciary should:
- Correct any inaccurate or misleading personal data.
- Complete any incomplete personal data.
- Update the personal data.
- A Data Principal can request the erasure of their personal data following the prescribed procedure. Upon receiving such a request, the Data Fiduciary must erase the personal data unless retaining it is necessary for the specified purpose or for compliance with applicable law.
- A Data Principal has the right to access grievance redressal mechanisms provided by a Data Fiduciary or Consent Manager for any actions or omissions related to the handling of their personal data or the exercise of their rights under this Act and its rules.
- The Data Fiduciary or Consent Manager must provide readily available means for grievance redressal regarding their obligations in relation to the Data Principal's personal data and the exercise of the Data Principal's rights under this Act and its rules.
Duties of Data Principal
The rights of a Data Principal come with a balancing set of duties. A Data Principal must:
- Comply with all applicable laws when exercising rights under this Act.
- Not impersonate another person when providing personal data for a specified purpose.
- Not suppress any material information when providing personal data for a document, unique identifier, proof of identity or proof of address issued by the State.
- Not file false or frivolous complaints with a Data Fiduciary or the Board.
- Furnish only such information as is verifiably authentic when exercising the right to correction or erasure under this Act or its rules.
What are the rules for notice under DPDPA 2023?
Under the DPDPA, "notice" refers to the Data Fiduciary's obligation to give the Data Principal clear information, at or before the time consent is requested, about the personal data to be collected and the purpose of its processing, how the Data Principal can exercise their rights, and how they can complain to the Board. Where consent was obtained before the Act came into force, the notice must be given as soon as reasonably practicable.
This notice is typically conveyed through privacy policies, consent forms, or other means to ensure that individuals are informed about the handling of their personal data, enabling them to make informed decisions about their data privacy.
Notice should be:
- Clear: Notices should be clear and easy to understand.
- Specific: Information should be itemized for clarity.
- Simple: Use plain language that is easily comprehensible.
- Language choice: the Data Principal must be able to access the notice in English or in any of the 22 languages listed in the Eighth Schedule of the Indian Constitution.
The notice should contain:
- Clarity of information: The notice accompanying a consent request should tell the Data Principal which personal data will be processed and the specific purpose for which it will be processed.
- Rights awareness: The notice should also explain how the Data Principal can exercise their rights under the DPDPA.
- Complaint procedure: Additionally, it should describe the procedure for the Data Principal to lodge a complaint with the Board.
What are the rules regarding consent under DPDPA 2023?
Consent under the DPDPA is the free, specific, informed, unconditional and unambiguous agreement of a Data Principal, signified by a clear affirmative action, to the processing of their personal data for a specified purpose, limited to the personal data necessary for that purpose. It can be withdrawn at any time, and in any dispute the Data Fiduciary bears the burden of proving that notice was given and consent obtained, so consent records must be kept.
Consent should have:
- Freedom: consent should be freely given, devoid of any coercion or pressure.
- No conditions: it should not be made conditional on anything else, such as receiving a product or service, nor extend beyond the data necessary for the stated purpose.
- Clarity: consent should be unambiguous, signified by a clear affirmative action.
- Specificity: consent should name the exact purpose for which the data is collected and processed.
- Informed decision: Data Principals should receive enough information about the intended processing to make an informed choice.
- Understandable: the consent request should be in clear and plain language, accessible in English or any Eighth Schedule language, and should include the contact details of the DPO or another person able to respond to the Data Principal's communications.
- Withdrawable: the Data Principal may withdraw consent at any time, and withdrawing must be as easy as giving it; the Data Fiduciary must then cease processing within a reasonable time, and cause its Data Processors to cease, unless processing is otherwise required by law.
What are the duties and responsibilities of a consent manager?
Consent Manager means a person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.
A Consent Manager is chosen and used by the Data Principal, not appointed by the Data Fiduciary: it acts on the Data Principal's behalf, is accountable to them, and must satisfy the registration and technical, operational and financial conditions prescribed under the Act. The practical task for a company is therefore to make sure its consent flows can interoperate with registered Consent Managers, so that consent given or withdrawn through one is honoured exactly as if it had been given or withdrawn directly.
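The consent rules above and the access, correction and erasure rights described earlier under "Rights of a Data Principal" are easier to get right when consent is stored as a first-class record rather than a checkbox. The following Python sketch is an added example written for this guide; it is not code from the Act, from any Consent Manager, or from Scrut, and the ledger class, its method names, and the sample principal `dp-1` with fields such as `invoice_no` are all assumed for illustration. It binds each consent to one purpose and to the data items named in the notice, refuses processing or sharing of anything outside a live consent, logs every recipient so an access request can list them, handles withdrawal, and honours a legal-hold exception on erasure.

```python
"""Purpose-bound consent ledger: an illustrative sketch, not the Act's or any product's code."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple


class ConsentError(Exception):
    """Processing was attempted without a live consent covering this purpose and these fields."""


@dataclass
class Consent:
    purpose: str                  # exactly one specified purpose per consent record
    fields: Set[str]              # the personal data items named in the notice that was shown
    notice_id: str                # which notice text was shown; kept so it can be proved later
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class PrincipalRecord:
    data: Dict[str, str] = field(default_factory=dict)
    consents: List[Consent] = field(default_factory=list)
    shared_with: Dict[str, Set[str]] = field(default_factory=dict)  # recipient -> fields sent
    legal_hold: Set[str] = field(default_factory=set)  # fields some law requires retaining


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, PrincipalRecord] = {}

    def _rec(self, principal_id: str) -> PrincipalRecord:
        return self._records.setdefault(principal_id, PrincipalRecord())

    def store(self, principal_id: str, data: Dict[str, str]) -> None:
        self._rec(principal_id).data.update(data)

    def set_legal_hold(self, principal_id: str, fields: Iterable[str]) -> None:
        self._rec(principal_id).legal_hold.update(fields)

    def record_consent(self, principal_id: str, purpose: str, fields: Iterable[str],
                       notice_id: str, now: Optional[datetime] = None) -> Consent:
        consent = Consent(purpose, set(fields), notice_id, now or datetime.now(timezone.utc))
        self._rec(principal_id).consents.append(consent)
        return consent

    def withdraw(self, principal_id: str, purpose: str, now: Optional[datetime] = None) -> int:
        """Close every live consent for this purpose; return how many were closed."""
        live = [c for c in self._rec(principal_id).consents
                if c.withdrawn_at is None and c.purpose == purpose]
        for c in live:
            c.withdrawn_at = now or datetime.now(timezone.utc)
        return len(live)

    def _permitted(self, principal_id: str, purpose: str) -> Set[str]:
        # Fields covered by live consents for exactly this purpose: no purpose creep.
        return {f for c in self._rec(principal_id).consents
                if c.withdrawn_at is None and c.purpose == purpose for f in c.fields}

    def can_process(self, principal_id: str, purpose: str, fields: Iterable[str]) -> bool:
        return set(fields) <= self._permitted(principal_id, purpose)

    def process(self, principal_id: str, purpose: str, fields: Iterable[str]) -> Dict[str, str]:
        """Return the requested values, refusing if any field lacks live consent for the purpose."""
        wanted = set(fields)
        missing = wanted - self._permitted(principal_id, purpose)
        if missing:
            raise ConsentError(f"no active consent for {sorted(missing)} under {purpose!r}")
        data = self._rec(principal_id).data
        return {f: data[f] for f in sorted(wanted) if f in data}

    def share(self, principal_id: str, purpose: str, recipient: str,
              fields: Iterable[str]) -> Dict[str, str]:
        """Sharing is processing plus a log of the recipient, so access requests can list it."""
        payload = self.process(principal_id, purpose, fields)
        self._rec(principal_id).shared_with.setdefault(recipient, set()).update(payload)
        return payload

    def access_summary(self, principal_id: str) -> Dict[str, object]:
        """What a Data Principal may ask for: data being processed, purposes, and recipients."""
        rec = self._rec(principal_id)
        live = [c for c in rec.consents if c.withdrawn_at is None]
        return {
            "data_under_processing": sorted({f for c in live for f in c.fields if f in rec.data}),
            "purposes": sorted({c.purpose for c in live}),
            "shared_with": {r: sorted(fs) for r, fs in rec.shared_with.items()},
        }

    def erase(self, principal_id: str) -> Tuple[List[str], List[str]]:
        """Erase everything not under legal hold; return (erased fields, retained fields)."""
        rec = self._rec(principal_id)
        retained = {f: v for f, v in rec.data.items() if f in rec.legal_hold}
        erased = sorted(set(rec.data) - set(retained))
        rec.data = retained
        return erased, sorted(retained)


if __name__ == "__main__":  # constructed sample principal, not real data
    ledger = ConsentLedger()
    ledger.store("dp-1", {"name": "A. Kumar", "address": "12 Example Rd", "invoice_no": "INV-0001"})
    ledger.set_legal_hold("dp-1", ["invoice_no"])
    ledger.record_consent("dp-1", "order_fulfilment", ["name", "address"], "notice-v1")
    print(ledger.share("dp-1", "order_fulfilment", "courier-co", ["address"]))
    print(ledger.withdraw("dp-1", "order_fulfilment"), ledger.access_summary("dp-1"), ledger.erase("dp-1"))
```

The design choice worth noting is that `process` and `share` go through the same check, so a field can never be sent to a processor or another fiduciary under a purpose the principal did not agree to, and the recipient log is written only when that check passes. Withdrawal does not delete the consent record; it closes it with a timestamp, which is what you need to answer the burden-of-proof question later. Erasure keeps only fields under an explicit legal hold and reports both lists back, so the response to the Data Principal can say what was kept and why.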

Some common questions for organizations wanting to comply with DPDP Act 2023
1. Can you transfer data across borders? Yes, by default. Instead of whitelisting the countries to which data may be transferred, the DPDPA lets the Central Government, by notification, restrict transfers to specified countries or territories. Any sectoral law that imposes a stricter limit on transfers continues to apply.
2. What should you do in case of a data breach? If a personal data breach occurs, the Data Fiduciary must notify both the Board and each affected Data Principal, in the form and manner prescribed under the rules made under the Act. The Act itself does not set a deadline for the notification; any timeline is left to the rules.
3. What are the penalties for non-compliance with the DPDPA?
The Data Protection Board of India (DPB) enforces the DPDPA: it inquires into non-compliance, imposes monetary penalties, issues directions, and may refer disputes to mediation. The DPB is appointed by the Central Government and consists of a chairperson and other members. The Schedule to the Act sets the maximum penalty per contravention: up to ₹250 crore for failing to take reasonable security safeguards to prevent a personal data breach, up to ₹200 crore for failing to notify the Board and affected Data Principals of a breach or for breaching the obligations relating to children, up to ₹150 crore for a Significant Data Fiduciary breaching its additional obligations, up to ₹50 crore for any other contravention, and up to ₹10,000 for a Data Principal breaching their duties.

Take proactive steps to ensure DPDPA compliance with Scrut. Review your data practices, update privacy policies, and train your team. Safeguard your business and customer data today.
