Overview of Digital Personal Data Protection Act, 2023

Introduction

The Digital Personal Data Protection Act, 2023 (the “Act”) will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It will also apply to such processing outside India if it is for offering goods or services in India. Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such as the voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.

Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met. The Act grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal. The Central Government may exempt government agencies from the application of the provisions of the Act in the interest of specified grounds such as security of the state, public order, and prevention of offences. The Central Government established the Data Protection Board of India to adjudicate non-compliance with the provisions of the Act.

Key Issues 

Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary. This may violate the fundamental right to privacy. The Act does not regulate risks of harm arising from the processing of personal data.  

Moreover, the Act does not grant the right to data portability and the right to be forgotten to the data principal. The Act allows the transfer of personal data outside India, except to countries notified by the Central Government. This mechanism may not ensure adequate evaluation of data protection standards in the countries where the transfer of personal data is allowed.

The members of the Data Protection Board of India will be appointed for two years and will be eligible for re-appointment. The short term, with scope for re-appointment, may affect the independent functioning of the Board.

PART A: HIGHLIGHTS OF THE ACT

Personal data is information that relates to an identified or identifiable individual.  Businesses as well as government entities process personal data for delivery of goods and services.  Processing of personal data allows understanding the preferences of individuals, which may be useful for customisation, targeted advertising, and developing recommendations.   Processing of personal data may also aid law enforcement.  Unchecked processing may have adverse implications for the privacy of individuals, which has been recognised as a fundamental right. It may subject individuals to harm such as financial loss, loss of reputation, and profiling.

Key Features 

  • Applicability: The Act applies to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised.  It will also apply to the processing of personal data outside India if it is for offering goods or services in India.  Personal data is defined as any data about an individual who is identifiable by or in relation to such data.  
  • Data Protection Board of India: The Central Government will establish the Data Protection Board of India. Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons.
  • Penalties: The schedule of the Act specifies penalties for various offences such as: (i) up to Rs 200 crore for non-fulfillment of obligations for children, and (ii) up to Rs 250 crore for failure to take security measures to prevent data breaches. 

PART B: ANALYSIS OF THE ACT

Exemptions to the State may have adverse implications for privacy

Personal data processing by the State has been given several exemptions under the Act.  As per Article 12 of the Constitution, the State includes (i) Central Government, (ii) State Government, (iii) Local Bodies, and (iv) Authorities and companies set up by the government.  There may be certain issues with such exemptions.

Whether overriding consent for purposes such as benefits, subsidies, licenses, and certificates is appropriate

The Act overrides the consent of an individual where the state processes personal data for the provision of benefit, service, license, permit, or certificate. It specifically allows the use of data processed for one of these purposes for another. It also allows the use of personal data already available with the State for any of these purposes. Hence, it removes purpose limitation, which is one of the key principles for the protection of privacy. Purpose limitation means data should be collected for specific purposes, and should be used only for that purpose.

Key difference

The Act does not cover offline personal data and non-automated processing whereas the previous act was only processing personal data. The Act binds officers to report to the Data Protection Board of India in case of any data breach. According to the Act, the Central Government is exempted from any notification which shall be issued from time to time, as may be required.

How can we help?

By offering the following services, our team can help organizations comply with the Act:

  • Our team can assist by undertaking a comprehensive analysis of the organization’s data privacy standards. This evaluation will assist in identifying the areas where the organisation needs to make improvements in order to adhere to the rules.
  • Our team of professionals can assist in creating a thorough privacy policy that complies with the Act’s standards. This policy will ensure accountability and openness.
  • Our team can assist in setting up solid consent management systems, which includes putting in place procedures that allow people to quickly withdraw their consent if they so wish.
  • Our professionals can assist in developing a data breach response plan. This plan will detail the actions to be taken to lessen the effects of a breach, notify those who might be impacted, and adhere to legal requirements.
