In our increasingly connected and digitized world, data privacy has emerged as a fundamental concern and has become an integral aspect of our lives. These days we rely more on the data stored in our high-end digital phones and devices than on racking our own memories for the same. Like the two sides of a coin, the heavy reliance on digital data, VDRs and digital storage platforms has its own pros and cons.

To illustrate, being corporate attorneys, we do acquisitions and mergers day in, day out. Several kinds of due diligence precede the actual acquisition transaction. The due diligence is streamlined by the target entity by hiring a server to host and maintain its data, which is required as per the due diligence checklist sent by us, so that the folders and files in the virtual data room (hereinafter referred to as "VDR") can be arranged and indexed in the same manner. Post this point we, i.e., the Law Firm, are asked for the names of associates who should have access to the scanned documents in the VDR for completion of the documentary limited legal due diligence. The process from here is fairly simple: we email the names of the associates and their e-mail addresses, and each named associate receives an individual link to set up their own password to access the VDR and to download copies.

It is pertinent here to define 'data privacy', which refers to the protection of personal information and sensitive data from unauthorized access, use or disclosure. Now the fascinating part arises wherein we ask ourselves: what happens if there is a data theft before we even get access to the VDR? Talking in the jargon of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the "Act"), the data principal, i.e., the target entity, shall try and pin the liability on the data fiduciary, being us, the Law Firm and its associates. However, the Act lacks the spine to pin liability for data leaks on other entities who have access to the data, apart from the data fiduciaries and data processors, for which we have to go back to the liabilities of 'intermediaries' under the Information Technology Act, 2000 read with the Rules made thereunder.

Historically speaking, India has been steadfastly working towards the establishment of a robust and comprehensive data privacy law. A pivotal moment arrived in 2017 when the Hon'ble Supreme Court in the matter of K.S. Puttaswamy & Anr. v. Union of India, (2017) 10 SCC 1, unequivocally recognized privacy as a fundamental right. To quote the Hon'ble Justice Dr. D.Y. Chandrachud:

"Informational privacy was a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. The present Court commends to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. The legitimate aims of the state would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. ..."

This momentous decision spurred the government into proactive action, initiating the process of crafting comprehensive data protection legislation for the nation. In August 2017, a committee was constituted to thoroughly examine data protection issues and to recommend effective solutions while drafting a comprehensive data protection bill. This esteemed committee, chaired by the Hon'ble Supreme Court Justice B.N. Shrikrishna, worked diligently and presented its report along with the draft bill to the Ministry of Electronics and Information Technology (hereinafter referred to as "MeitY") on July 27, 2018. Subsequently, MeitY drafted several bills related to data protection, which were eventually withdrawn. However, India's endeavour towards establishing a robust data protection and privacy framework achieved its goal with the introduction of the latest Digital Personal Data Protection Act, 2023, i.e., the Act.

This Act received the assent of the President of India on August 11, 2023 and was subsequently published in the official gazette. However, the Act shall come into force in a phased manner, on such date as the Central Government may notify, from time to time. Key highlights of the Act are as below:

  1. Applicability: The Act casts a wide net when it comes to its applicability. The Act applies to the processing of 'digital personal data'[1] of 'Data Principal(s)'[2] within India, whether it is initially collected in digital form or converted into digital format from non-digital sources. Its jurisdiction extends globally, i.e., processing of digital personal data may take place outside India provided such processing is linked to offering goods or services to Data Principals within India. However, the Act comes with its own exceptions and challenges. Its ambit does not cover personal data processed by individuals for personal or domestic purposes. It also omits personal data intentionally made publicly available by a Data Principal or as mandated by Indian law. Further, the Act does not offer protection to Data Principals who, not being present within the territory of India, enter into a contract with a person outside the territory of India.

  2. Non-Classification of Personal Data: The Act introduces a groundbreaking shift in the realm of data protection by adopting an all-encompassing approach. Unlike previous regulations that categorized personal data into sensitive and non-sensitive categories or provided only limited and specified (sub)categories of data, the Act treats all personal data[3] alike. This means that every form of personal data will be subject to the same set of rules and protections. However, the Act also provides a carve-out for any stricter restriction on the transfer of any type of data under other applicable laws, rules and regulations, which prevail over the provisions of the Act.

  3. Consent: The Act emphasizes the significance of 'Consent' and establishes the following grounds for processing personal data:

    1. Consent must be free, specific, informed, unconditional, and unambiguous. It must be granted through a clear and affirmative action, signifying an agreement to process personal data of Data Principal for a specified purpose, utilizing only the necessary personal data for that purpose.
    2. Before requesting consent from the Data Principal, Data Fiduciaries[4] must furnish Data Principals with a comprehensive notice elucidating the nature of the personal data, its intended purpose, and the rights they can exercise, including consent withdrawal, use of the grievance redressal mechanism and the process for filing complaints with the Board[5]. It is worth noting that the Act does not have retrospective effect, meaning Data Fiduciaries must provide notice to those Data Principals whose consent was given before the commencement of the Act, informing them of their rights to withdraw such consent and to seek redressal of any grievance(s). However, the Act does not specify a timeline for providing such notice to Data Principals.
    3. Any part of the consent that violates the Act, its rules, or other applicable laws will be considered invalid to the extent of such violation.
    4. Requests for consent must be presented in clear and plain language, allowing access in English or any language specified in the Eighth Schedule to the Constitution of India, and such request shall also provide the contact details of the Data Protection Officer or authorized personnel.
    5. Data Principals possess the right to withdraw their consent at any time, with the same ease with which they initially provided it. However, it is important to note that the consequences of withdrawal rest with the Data Principal, and the withdrawal of consent does not affect the legality of personal data processing that has already occurred on the basis of the initial consent prior to such withdrawal.

  4. Processing of personal data for legitimate uses: The legitimate uses empower Data Fiduciaries to process personal data without explicit consent in specific cases. Such cases include instances where the Data Principal willingly shared personal information for specified purposes without objection, processing related to employment, addressing medical emergencies, fulfilling legal obligations, providing state services or benefits, along with compliance with judicial orders.

  5. General obligations of Data Fiduciaries: Data Fiduciaries are entrusted with the crucial task of adhering to the Act and its accompanying rules, regardless of any conflicting agreements or oversights by Data Principals. They have the authority to engage Data Processors through valid contracts only for processing personal data related to offering of goods or services to Data Principals. When personal data processed by Data Fiduciary is used to make a decision that affects Data Principal or is disclosed to another Data Fiduciary, Data Fiduciaries must ensure its completeness, accuracy, and consistency. In the event of personal data breach, Data Fiduciaries must promptly notify the Data Protection Board and affected Data Principals in the prescribed manner. Data Fiduciaries are obligated to erase personal data upon withdrawal of consent or when the specified purpose is no longer served, unless retention is mandated by law. Data Fiduciaries must publish the contact information of a Data Protection Officer or a representative who can address Data Principals' queries about personal data processing. Lastly, they must establish an effective mechanism for redressing Data Principals' grievances in the manner prescribed.

  6. Data of Children and Person with Disability: Prior to processing personal data of a child or a person with a disability under lawful guardianship, Data Fiduciaries must obtain verifiable consent from the parent or guardian, as prescribed. The 'consent of the parent' encompasses consent from the lawful guardian as and when applicable. Data Fiduciaries are strictly barred from engaging in any form of personal data processing that could potentially harm a child's well-being. This prohibition extends to tracking, behavioural monitoring, and any form of targeted advertising directed at children. It also empowers the Central Government to grant exemptions for Data Fiduciaries processing data of children above a certain age, with the removal of certain obligations tied to the processing of children's data in select situations.

  7. Transfer of personal data outside India: The Central Government is empowered to oversee and regulate the transfer of personal data from Data Fiduciaries to specific countries or territories outside India. A formal list of countries which will be restricted from data processing will be communicated by the Central Government. However, the Act explicitly states that if any other law provides heightened protection or imposes stricter rules on transferring personal data abroad, whether it's about specific personal data or certain Data Fiduciaries, those stricter protections will take precedence and be enforced, ensuring robust data privacy measures.

  8. Exemptions: The Act introduces essential exemptions to cater to specific situations. It inter alia excludes processing of personal data by certain instrumentalities of the State, to be notified by the Central Government, in cases related to national sovereignty, security, public order and preventing incitement to criminal offences. It also exempts data processing for research, archiving or statistical purposes, provided it does not impact specific decisions concerning Data Principals. Furthermore, the Central Government has the authority to notify certain Data Fiduciaries or classes of Data Fiduciaries, including startups, exempting them from specific provisions of the Act. The Central Government has been given the power to issue notifications, within five years from the commencement of the Act, specifying certain Data Fiduciaries or classes of Data Fiduciaries to whom provisions of the Act shall not apply for a specified period.

  9. Overriding Effect: The provisions of the Act are complementary and do not diminish the authority of any existing laws currently in effect. In situations where a provision in this Act contradicts a provision in any other prevailing law, the provision of this Act will take precedence to the extent of the conflict, ensuring a consistent legal framework.

  10. Bar on Jurisdiction: The Data Protection Board, together with the Appellate Tribunal, is vested with exclusive jurisdiction over matters falling within the purview of the Act, and no civil court has the authority to entertain suits or proceedings in respect of such matters.

Food for thought:

While we expected an all-encompassing legislation with all standpoints covered, what we got is a legislation that sits alongside the other law already in place, i.e., the Information Technology Act and the Rules made thereunder, some of which Rules are presently undergoing amendment. Rhetorically speaking, the nation still lacks one single robust legislation with all its fangs for stringent implementation of the intent of the legislature stated in the legislations in question, including the Act.

Footnotes

1. Section 2(n) of the DPDP Act defines "digital personal data" means personal data in digital form;

2. Section 2(j) of the DPDP Act defines "Data Principal" means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf;

3. Section 2(t) of the DPDP Act defines "personal data" means any data about an individual who is identifiable by or in relation to such data;

4. Section 2(i) of the DPDP Act defines "Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;

5. Section 2(c) of the DPDP Act defines "Board" means the Data Protection Board of India established by the Central Government under Section 18;
