Introduction

In a significant move, the Digital Personal Data Protection Bill, 2023 has been approved by both the Lok Sabha and the Rajya Sabha, receiving final assent from the President on 11th August 2023. Now officially the Digital Personal Data Protection Act ("the Act"), this development marks a pivotal moment for safeguarding the online privacy of individuals in a data-driven world. The Act seeks to protect Personal Data (as defined below) and the privacy of the individuals whose data is collected. The Act is also set to replace Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Salient features of the Act:

No distinction between data

The Act covers all kinds of Personal Data and does not categorize it into groups such as sensitive Personal Data and other Personal Data. Earlier, under Indian law, there was a differentiation between types of data, each of which required a different system of protection. By removing these distinctions and treating every type of data under one head, the Act makes the system seamless for all data fiduciaries ("Data Fiduciary") and data processors ("Data Processor") holding and Processing (as defined below) the data of data principals or subjects ("Data Principal").

Applicability

The Act applies to the Processing of digital Personal Data within India where such data is:

  • collected online, or
  • collected offline and is digitized.

The Act will not change much for most small businesses. It will create a framework and a designated ombudsman system, but it will not apply to physical data that has not been digitized. This means that a lot of small businesses that store data in paper form will be exempt from the Act.

However, the Act will apply to any data that has been digitized, even if it is just a photo of the data. So, if a small business takes a photo of a customer's signature, that data would be covered under the Act. In essence, the Act will only apply to businesses that store data in a digital format. It is quite illogical, but if a business only uses physical paper to maintain data, they will be exempted under the Act, regardless of how much data they store.

The Act will also apply to the Processing of Personal Data outside India if it is for offering goods or services to Data Principals in India. "Personal Data" is defined as any data about an individual who is identifiable by or in relation to such data.[1] "Processing" is defined as a wholly or partially automated operation or set of operations performed on digital Personal Data. It includes collection, recording, storage, use, sharing, erasure, destruction, etc.[2]

Consent

The significant aspect of this Act is with regards to the consent for Processing of Personal Data. Section 6 of the Act states that consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with clear affirmative action. It shall be limited to such Personal Data as is necessary for specified purposes.

One significant feature of the Act is that the Data Fiduciaries obtaining the consent of Data Principals shall give Data Principals an "Opt-out" right, as opposed to international standards of "Opt-in".

Personal Data may be processed only for a lawful/legitimate purpose after obtaining the consent of the individual.[3] A notice must be given before seeking consent. The notice should contain details about the Personal Data to be collected and the purpose of Processing.[4] For ease of doing business and to make the law minimally invasive, where the Data Principal has given consent for the Processing of their Personal Data before the law comes into force, a similar notice needs to be given to the Data Principal as soon as it is reasonably practicable. Hence, previously obtained consent is also protected, unlike under counterpart laws in the rest of the world, where on the prescribed date all entities, i.e., Data Fiduciaries and Data Processors whether big or small, were reaching out to every Data Principal to obtain fresh consent. The Data Fiduciary may continue to process the Personal Data until and unless the Data Principal withdraws their consent.

The Data Principal, while giving consent for the Processing of their Personal Data, shall have the option to view the notice and consent form in English or any other language specified in the Eighth Schedule of the Indian Constitution. This will help the large portion of the population that is not familiar with the English language.

However, consent of Data Principals will not be required if the Personal Data is used for the 'legitimate purposes'[5] enumerated in the Act.

Specific safeguards for Processing children's data and provisions for parental control have also been included. For individuals below 18 years of age (as compared to the global standard of 13 years of age), consent will be provided by the parent or the legal guardian.

General obligations of the Data Fiduciary[6]

The Data Fiduciaries, determining the purpose and means of Processing, must:

  • make reasonable efforts to ensure the accuracy and completeness of data,
  • build reasonable security safeguards to prevent a data breach,
  • inform the Board (as defined below) and affected persons in the event of a breach, and
  • erase Personal Data as soon as the purpose has been met unless retention is necessary for legal purposes (storage limitation). In the case of government entities, storage limitation and the right of the Data Principal to erasure will not apply.

A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any Processing undertaken by it or on its behalf by a Data Processor.

A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process Personal Data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.

Significant Data Fiduciaries[7]

The Central Government may notify certain Data Fiduciaries as Significant Data Fiduciaries by considering certain essential factors such as:

  • volume and sensitivity of Personal Data processed,
  • risks to the rights of Data Principals,
  • potential impact on the sovereignty and integrity of India,
  • risk to electoral democracy,
  • security of the State, and
  • public order.

These Significant Data Fiduciaries will be subject to materially higher compliance obligations including appointing a data protection officer, undertaking impact assessment and compliance audit and such other requirements as may be specified from time to time.

Rights and duties of Data Principal[8]

The Act provides that the Data Principal, whose data is being processed, will have the right to obtain information about Processing, to seek correction and erasure of Personal Data, to nominate another person to exercise these rights in the event of death or incapacity, and to have access to a grievance redressal mechanism.

The Act states that Data Principals will have certain duties[9] as well. They must not register a false or frivolous complaint, furnish any false particulars, or impersonate another person in specified cases. Violation of these duties by a Data Principal will attract a penalty of up to ₹10,000.

Indian businesses are already following many of the same data protection rules as businesses in the US and Europe. So, the Act won't change much for most businesses in real terms. However, it will give Indian Data Principals the same level of protection as their American and European counterparts.

The Act will also require businesses to re-examine their privacy policies and data policies to make sure they are in line with the Act. This will mean extending protection to non-sensitive Personal Data, which was not previously covered by the law.

Now that the Act has officially been passed, Data Principals can expect to start receiving notices from all Data Fiduciaries and Data Processors about the data that is available to them and how it is being processed.

Exemptions

The rights of the Data Principal and the obligations of Data Fiduciaries (except data security) will not apply in specified cases. The State is exempt, which removes the privacy requirements for the State. Broadly, the exemptions in the Act include Processing of Personal Data by the State and its instrumentalities, as notified by the Central Government from time to time, in the interests of the sovereignty, integrity and security of the State, friendly relations with foreign states, public order, or the prevention of incitement to a related offence.

The exemptions also include Processing of Personal Data for research, archiving or statistical purposes, for startups or other notified categories of Data Fiduciaries, for enforcement of legal rights and claims, for performance of judicial or regulatory functions, for preventing, detecting, investigating, or prosecuting offences or contraventions, for Processing data of non-residents under foreign contract, for approved merger, demerger, etc. and for locating defaulters and their assets.

Companies in the technology and other intellectual property sectors can now also safeguard their trade secrets effectively, preventing instances of "corporate espionage" or unauthorized disclosure of critical or sensitive information. The Act treats accessing an employee's Personal Data for such protective purposes as implied consent from the employee, which also operates as an exemption under the Act.

The Act also substantially and unreasonably widens the scope of the exemption available to Public Information Officers ("PIOs") of State ministries and departments to reject a Right to Information ("RTI") application on the ground that the information sought 'relates to personal information'.[10]

Processing of Personal Data of children[11]

The Data Fiduciary before Processing any Personal Data of a child or a person with disability who has a lawful guardian shall obtain verifiable consent of the parent of such child or the lawful guardian.

While Processing the Personal Data of a child, the Data Fiduciary must not undertake:

  • Processing that is likely to cause any detrimental effect on the well-being of the child, and
  • tracking, behavioral monitoring, or targeted advertising.

Cross-border transfer[12]

The Act represents a subtle yet impactful change in how regulations are applied. It brings India's data protection laws in consonance with the data protection laws of other countries. It acknowledges that data Processing can occur across the border while still safeguarding the data protection rights of the Indian individuals.

The Act allows the transfer of Personal Data outside India, except to countries restricted and blacklisted by the Central Government through notification.

Data Protection Board of India[13]

The Central Government, under the Act, will set up the Data Protection Board of India ("Board"), which shall be a body corporate having the powers to direct urgent and remedial mitigation measures in the event of Personal Data breach or contravention of any section of the Act. The Act has conferred on the Board the same powers as that of a civil court for discharging its functions as per the Code of Civil Procedure, 1908.

Key functions of the Board include monitoring compliance and imposing penalties, directing Data Fiduciaries to take necessary measures in the event of a data breach, and hearing grievances made by affected persons. Board members will be appointed for two years and will be eligible for re-appointment.

Any appeal from an order of the Board shall lie before the Telecom Disputes Settlement and Appellate Tribunal ("TDSAT"), which is established under the Telecom Regulatory Authority of India Act, 1997. Any party aggrieved by an order of TDSAT can file an appeal to the Supreme Court of India.

Penalties[14]


The Act has given the Board the authority to impose penalties and fines ranging from ₹10,000 to ₹250 crores. The Board, while determining the fine amount will consider factors such as the nature, seriousness, duration of the breach, type of Personal Data affected, any gains or losses from the breach, and how the fine imposed would be a deterrent.

The Act does not impose any criminal liability or imprisonment on the person or entity responsible for a breach of Personal Data. This may, to some extent, make the law less powerful, because criminalization of a wrongful act compels everyone to adhere to the rules; when such actions are no longer considered criminal, the strength of the law may diminish. But, given the decriminalization, high monetary fines and penalties are warranted.

However, the Central Government, on the request of the Board, can still instruct the appropriate agencies to shut down the apps or services of the entity involved in the breach. This, coupled with high fines, means Data Fiduciaries could experience major business disruptions due to their repeated non-compliance with the provisions of the Act.

The penalties given in the Schedule of the Act for failing to implement reasonable security safeguards and for failing to notify the Board of a breach are stipulated as maximums, with no minimum. The actual penalty imposed could therefore be as low as ₹10,000. Also, the Central Government may amend these limits at its option and keep increasing the maximum threshold.

Unless a minimum threshold is provided, the protection seems meaningless. But given the existing laws, the limits imposed are a step in the right direction. Though the legislature could have moved in the direction of the General Data Protection Regulation ("GDPR") by linking penalties to revenue or business turnover, making the law equal in application to all Data Fiduciaries, the fixed limits do seem preposterous for smaller businesses.

In Sum

The Act marks a major step towards data privacy. It covers all kinds of data, focuses on clear consent, and sets up a Board to monitor data breach issues. However, there are still worries about possible breaches of the fundamental right to privacy due to the exemptions given for State data Processing, particularly on the basis of national security, as well as the exemptions for employers in the name of preventing corporate espionage. Such exemptions might result in the collection, Processing, and retention of more data than is genuinely necessary.

The Act still leaves certain crucial aspects unexplained, such as the specific role of a "Consent Manager" and the procedure for addressing grievances. Much of the finer details are deferred to rules that are anticipated to be introduced by the government.

Also, in a recent update, the Minister of State for Electronics and Information Technology Mr. Rajeev Chandrasekhar has said that the highly awaited and detailed rules will be notified by the government by the end of January 2024. Much of the air will be cleared once these rules come into force.

According to the list provided under Section 40(2) of the Act, around 25 rules will have to be notified by the government to give full shape to the Act and its application. But it cannot be said that this list provided under the Act is totally exhaustive. This implies that much is still on the horizon.

Furthermore, considering that each rule will be separately notified, corporates will have some leeway to navigate and ensure compliance.

Footnotes

1. Section 2(t) of the Act.

2. Section 2(x) of the Act.

3. Sections 4 and 6 of the Act.

4. Section 5 of the Act.

5. Section 7 of the Act.

6. Section 8 of the Act.

7. Section 10 of the Act.

8. Sections 11, 12, 13 and 14 of the Act.

9. Section 15 of the Act.

10. Section 44(3) of the Act.

11. Section 9 of the Act.

12. Section 16 of the Act.

13. Sections 18 and 27 of the Act.

14. Section 33 and the Schedule of the Act.
