La Meer Inc.


Highlights of the Bill

  • The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.  It will also apply to such processing outside India, if it is for offering goods or services in India.
  • Personal data may be processed only for a lawful purpose upon consent of an individual.  Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
  • Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
  • The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
  • The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
  • The central government will establish the Data Protection Board of India to adjudicate on non-compliance with the provisions of the Bill.

Source: https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023


Which organizations does DPDP Act apply to?

The DPDP Act lays out a comprehensive framework for safeguarding digital personal data. It applies to organizations that:

  • Process digital personal data within India, whether the data is collected in digital form or collected in non-digital form and later digitised, or
  • Process digital personal data outside India, where the processing is connected with offering goods or services to Data Principals in India.

Not every piece of personal data is covered, however. The Act does not apply to personal data that is:

  • Processed by an individual for personal or domestic purposes, or
  • Made publicly available by the Data Principal, or by another person who is under an obligation under Indian law to make it publicly available.

DPDP Act’s key terms and definitions

The DPDP Act uses its own terminology rather than that of other data protection laws such as the GDPR: the Data Fiduciary corresponds to the GDPR's controller, the Data Principal to the data subject, and the Data Processor to the processor. Learning the key terms of the DPDP Act is vital to understanding the new law.

Personal data

Any data about an individual who is identifiable by or in relation to such data

Digital personal data

Personal data in digital form

Data Fiduciary

Any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data

Data Principal

The individual to whom the personal data relates and where such individual is:

  • a child, includes the parents or lawful guardian of such a child; or
  • a person with disability, includes her lawful guardian, acting on her behalf

Data Processor

Any person who processes personal data on behalf of a Data Fiduciary

Processing of personal data

A wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction

Source: https://blog.usecure.io/digital-personal-data-protection-act-of-india-dpdp

What are the important aspects that organizations should pay attention to?

Data Protection and Security

Data Fiduciaries are responsible for protecting the personal data in their possession or under their control, including implementing reasonable security safeguards to prevent a personal data breach. In the event of a breach, they must notify the Data Protection Board of India and each affected Data Principal.

Consent

Personal data may be processed only for a lawful purpose, either on the basis of the Data Principal's consent, which must be free, specific, informed, unconditional and unambiguous and signified by a clear affirmative action, or for the legitimate uses defined in the Act.

Notification

Data Fiduciaries must provide detailed notices to Data Principals about what data is being collected, for what purpose, and how they can exercise their rights or make complaints.

Language and Clarity 

Requests for consent must be in clear and plain language, and Data Principals must be given the option to access the request and the accompanying notice in English or in any language specified in the Eighth Schedule to the Constitution.

Withdrawal of Consent

Data Principals can withdraw their consent at any time, and Data Fiduciaries must cease processing data once consent is withdrawn, unless required by law.

Data Erasure 

Personal data must be erased when the Data Principal withdraws consent or as soon as it is reasonable to assume that the purpose for which it was collected is no longer being served, unless retention is necessary for compliance with a law in force.

Special Cases 

Extra care must be taken when processing the data of children or persons with disabilities, including obtaining verifiable consent from their parents or guardians.

Significant Data Fiduciaries 

Certain fiduciaries may be notified as “Significant Data Fiduciaries” based on criteria such as the volume and sensitivity of the personal data they process. They carry extra obligations, including appointing a Data Protection Officer based in India and an independent data auditor, and carrying out periodic Data Protection Impact Assessments and audits.

Accountability 

Data Fiduciaries must establish grievance redressal mechanisms and are accountable for any data processing activities, even those carried out by third-party Data Processors on their behalf. 

Key Features 

Applicability:  The Bill applies to the processing of digital personal data within India where such data is:

(i) Collected online, or
(ii) Collected offline and is digitised.

It will also apply to the processing of personal data outside India if it is for offering goods or services in India.

Personal data is defined as any data about an individual who is identifiable by or in relation to such data.  Processing has been defined as a wholly or partly automated operation or set of operations performed on digital personal data.  It includes collection, storage, use, and sharing.

Consent:  Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.  A notice must be given before seeking consent.  The notice should contain details about the personal data to be collected and the purpose of processing.  Consent may be withdrawn at any point in time.

Consent will not be required for ‘legitimate uses’ including:

(i) Specified purpose for which data has been provided by an individual voluntarily
(ii) Provision of benefit or service by the government
(iii) Medical emergency, and
(iv) Employment.

For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.

Rights and duties of data principal:  An individual whose data is being processed (data principal) will have the right to:

(i) Obtain information about processing
(ii) Seek correction and erasure of personal data
(iii) Nominate another person to exercise rights in the event of death or incapacity, and
(iv) Grievance redressal.

Data principals will have certain duties.  They must not:

(i) Register a false or frivolous complaint, and
(ii) Furnish any false particulars or impersonate another person in specified cases.

Violation of duties will be punishable with a penalty of up to Rs 10,000.

Obligations of data fiduciaries:  The entity determining the purpose and means of processing (data fiduciary) must:

(i) Make reasonable efforts to ensure the accuracy and completeness of data
(ii) Build reasonable security safeguards to prevent a data breach
(iii) Inform the Data Protection Board of India and affected persons in the event of a breach
(iv) Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation).

In case of government entities, storage limitation and the right of the data principal to erasure will not apply.

Transfer of personal data outside India:  The Bill allows transfer of personal data outside India, except to countries restricted by the central government through notification.

Exemptions:  Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases.  These include:

(i) Prevention and investigation of offences
(ii) Enforcement of legal rights or claims.

The central government may, by notification, exempt certain activities from the application of the Bill.  These include:

(i) Processing by government entities in the interest of the security of the state and public order, and
(ii) Research, archiving, or statistical purposes.

Data Protection Board of India: The central government will establish the Data Protection Board of India.  Key functions of the Board include:

(i) Monitoring compliance and imposing penalties
(ii) Directing data fiduciaries to take necessary measures in the event of a data breach, and
(iii) Hearing grievances made by affected persons.

Board members will be appointed for two years and will be eligible for re-appointment.  The central government will prescribe details such as the number of members of the Board and the selection process.  Appeals against the decisions of the Board will lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Penalties: The schedule to the Bill specifies penalties for various contraventions, such as up to:

(i) Rs 200 crore for non-fulfilment of obligations in relation to children
(ii) Rs 250 crore for failure to take reasonable security safeguards to prevent a personal data breach.

Penalties will be imposed by the Board after conducting an inquiry.