Decoding the Digital Personal Data Protection Act 2023

The DPDPA received presidential assent and was published in the official gazette on 11 August 2023, less than a week after it was passed by the lower house of Parliament, marking a watershed moment for data privacy in India. The enactment of the DPDPA is a culmination of India's ongoing efforts to enact a data protection regime starting from 2017, after the Justice KS Puttaswamy vs Union of India judgment identified privacy as a fundamental right in India.

While the DPDPA has been enacted, it has not come into effect yet. Although the DPDPA does not stipulate a transition period, it grants the Union government the discretion to notify different dates for the enactment of different provisions thereby adopting a phased approach to implementation. Until the DPDPA is brought into force, the existing laws pertaining to data privacy i.e., the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and the applicable provisions of the Information Technology Act, 2000 (IT Act) will continue to apply.

Here is an overview of the key provisions of the DPDPA and its implications on businesses looking to develop and implement comprehensive privacy compliance programmes in India.

Scope and Applicability
Scope

The DPDPA defines personal data as any data about an individual who is identifiable by or in relation to such data. This means that non-personal data (such as anonymised data) will not be regulated by the DPDPA.

Further, the DPDPA only applies to the processing of digital personal data which is personal data either collected in digital form or collected using other traditional non-electronic methods and digitized subsequently. This means that data of any nature in analogue form remains outside the scope of the DPDPA.

Exemptions

The DPDPA does not apply to personal data which is processed for personal or domestic use, or that is made publicly available either by the data principal to whom such information relates or by a third party where required by law.

Additionally, the DPDPA does not apply to the processing of personal data for research, archiving, or statistical purposes subject to such data not being used to make decisions specific to a data principal and being carried out in line with the standards that may be prescribed by the Union government.

The Union government has the power to exempt a) certain government instrumentalities for certain specific purposes including in the interest of the sovereignty and integrity of India, security of the state, and maintaining public order; and b) certain data fiduciaries, including start-ups from the applicability of specific provisions.

Territorial applicability

The DPDPA applies to all processing of digital personal data within India. It also applies to the processing of such data outside of India if the processing is in relation to any activity related to the offering of goods and services to data principals in India.

Notably, the definition of data principals is broad and contains no restrictions based either on residence or citizenship. This means that the processing of digital personal data of a foreigner residing in India will be covered by the provisions of the DPDPA.

Grounds for Processing Personal Data

Under the DPDPA, data fiduciaries may process personal data only for a lawful purpose, and only if the data principal has provided consent or if the processing falls within a legitimate use of such data.

Notice

In order to obtain consent, the data fiduciary must provide a notice to the data principal either prior to or at the time of collection of personal data. Such notice must state the data being collected and the purpose of collection, rights of a data principal, and grievance redressal measures.

Consent

The DPDPA requires consent to be:

  1. Free, specific, informed, unconditional, and unambiguous;
  2. Provided through a clear affirmative action signifying an agreement; and
  3. Limited to personal data necessary for the specified purpose.

This signifies that, similar to the GDPR, the DPDPA imposes a purpose limitation on collected data, i.e., the data may only be used for the specified purpose for which it was collected, and separate consent must be obtained to process the data for a new purpose.

Legitimate uses

In addition to consent, the DPDPA classifies other lawful grounds for processing personal data as a legitimate use. This includes data shared during a medical emergency, or for providing medical treatments or health services, disaster relief, or for compliance with a legal order.

The state has been granted broad powers in respect of processing personal data for carrying out any function required by law, including for providing benefits or subsidies, and in the interest of sovereignty and integrity of the country.

Legacy data

The DPDPA seeks to address the issue of regulation of data collected prior to its enactment (legacy data). In respect of such legacy data, the data fiduciary is required to provide a notice to the data principal in the same manner set forth above. A data fiduciary may continue processing legacy data until the data principal withdraws consent in respect of such data.

Employment purposes

Employers generally collect vast amounts of personal data such as Aadhaar number, PAN details, and bank account details in the course of employment. A data fiduciary may process data for employment purposes, or to protect employers from loss or liability – without the need to obtain specific consent.

Voluntary sharing

A data fiduciary may also process personal data that is shared by a data principal voluntarily (presumably, without the need to obtain consent) and without any indication of objection to such processing, subject to purpose limitation. An example of such sharing enumerated in the DPDPA is where one provides their phone number to acknowledge receipt of payment at a store.

Obligation of Data Fiduciary
Grievance redressal

The DPDPA requires a data fiduciary to establish a grievance redressal mechanism; however, it does not specify any time period within which to respond to and resolve such grievances, thus leaving it open to rule-making. It specifies that the data protection board (Board) may only be approached by a data principal after exhausting the remedy available through a data fiduciary's grievance redressal mechanism.

Accountability

A data fiduciary is principally accountable for compliance with the DPDPA and any rules made thereunder, both for itself and for any data processors it engages (who have no direct responsibility under the DPDPA), including the implementation of technical and organisational measures and security safeguards, and ensuring the completeness, accuracy, and consistency of data.

Data retention

Unless otherwise required by law, a data fiduciary must delete personal data as soon as the purpose for which it was collected is served, or upon withdrawal of consent by the data principal.

Notice of breach

In case of a data breach, a data fiduciary must notify the Board and each data principal affected by such breach. The specifications of such notice – including the time period and content – will be set out in the rules.

Significant data fiduciaries

The Central government has the power to designate significant data fiduciaries, which have additional obligations including carrying out periodic data protection impact assessments, audits, and any other measures set out in the implementing rules.

Rights and duties of data principals

A data principal has the right to access the personal data being processed by the data fiduciary, the identities of all data fiduciaries and processors with whom the personal data is being shared, and any other information as may be prescribed by the rules. A data principal must be allowed to correct, erase, or update the personal data she provides, and has the right to withdraw consent at any time. In such a case, the data fiduciary must ensure that the process to withdraw consent is as straightforward as that of giving consent. A data principal may exercise these rights through a consent manager, who must be accountable to the data principal.

Notably, the rights available to data principals under the DPDPA seem to be rather narrow – it does not allow the data principal to object to processing based on grounds other than consent. In fact, it imposes duties on the data principal which include ensuring compliance with the Act, not registering false complaints, and only furnishing authentic information. Failure to comply with such duties may result in a fine of up to Rs10,000.

Special Categories of Data

The DPDPA creates significant obligations in connection with processing personal data of children or persons with disabilities. A data fiduciary is required to obtain verifiable consent from a parent or lawful guardian prior to processing such data.

It also prohibits data fiduciaries from engaging in processing of personal data to undertake tracking, behavioural monitoring, or for the provision of targeted advertisements to children.

Cross-border transfers

At present, the DPDPA does not restrict cross-border transfer of personal data except to such countries that the Union government may notify through implementing rules. However, it does not prevent any other law from prescribing a higher threshold of data protection, such as the data localisation requirements in relation to payments data imposed by the Reserve Bank of India (RBI).

Penalties

The DPDPA prescribes varying amounts of penalties based on the contravention under the Act. A data fiduciary may be fined up to Rs250 crore for failure to implement security safeguards, and up to Rs200 crore for failure to provide notice of a data breach or to comply with the requirements for processing children's data. Significant data fiduciaries may be fined up to Rs150 crore for failure to meet the additional obligations imposed on them, and a penalty of up to Rs50 crore has been prescribed for a breach of any other provision of the DPDPA or any rule issued under it.

The DPDPA also sets out general parameters that may be considered in determining the quantum of a penalty, such as the nature, gravity and duration of the contravention, the types of personal data affected, the implications of the contravention, and the mitigating measures adopted by the contravening party.

About Ardent Privacy

Ardent's mission is to help enterprises implement meaningful security and privacy programs aligned to their business mission, building trust and protecting data assets. Ardent's technology "TurtleShield" is a holistic software platform that empowers enterprise security, legal, and data teams to implement and manage data privacy within their organizations, with rapid data asset visibility and actions to enable privacy compliance, govern AI risk, deliver meaningful data protection, and reduce the cost of compliance and data breaches. Our unique and patented ML/AI-powered technology helps to discover, identify, inventory, map, observe and minimize personal, sensitive and business-critical data at scale with an oil-drilling approach, saving cost and reducing complexity.