The Digital Personal Data Protection Act (DPDPA) of 2023, commonly referred to as the DPDP Act, is the data privacy legislation of India. The law balances recognition of the rights of individuals against the need to process personal data.

Ever since the famous Puttaswamy judgment recognized the right to privacy as a fundamental right, digital privacy has been a hot topic in the country. Now that the DPDP Act has received the assent of the President, India is ready to enter its digital privacy era. 

Effective date: Subject to Government notification

Official text: Digital Personal Data Protection Act, 2023

What is the Digital Personal Data Protection Act?

The Digital Personal Data Protection Act was passed in early August 2023. The act is expected to come into force in 2024 through a government notification. The law enumerates the rights and duties of data principals and the obligations of data fiduciaries, imposes penalties for data breaches, and creates a special category of data fiduciaries called significant data fiduciaries. The DPDP Act also recognizes verifiable consent for children and persons with disability.

Unlike the GDPR and other privacy laws, India's privacy law does not expressly define sensitive data. However, the central government may in the future classify personal data into different categories.

The Data Protection Board (DPB) is the enforcement authority under the DPDP Act. The act also designates the Telecom Disputes Settlement and Appellate Tribunal as the appellate authority.

Who are the important parties to DPDPA?

Data principal: A data principal is the person to whom the personal data relates. For children, their parents or legal guardians act as the data principal, and for persons with disability, it is the legal guardian. The act does not specifically define a person with a disability; it is assumed to carry the same meaning as under the People with Disability Act of 1995.

Data fiduciary: A data fiduciary is a person who controls the purpose and means of handling personal data. It can be a small business, a startup, or even a bank.

Data processor: A data processor is a person who handles/processes data for the data fiduciary.

Significant data fiduciary: A data fiduciary may be designated as a significant data fiduciary (SDF) by the central government based on several factors, such as the volume and sensitivity of the data processed or the risk to national security and electoral democracy. A significant data fiduciary has additional obligations, such as appointing a Data Protection Officer (DPO) and an independent data auditor and conducting regular impact assessments and data audits.

Who does the DPDP Act apply to?

The law applies to any person who processes digital personal data, other than for a personal or domestic purpose, if:

  • The processing of digital personal data takes place within Indian territory.
  • The processing of digital personal data takes place outside India but is connected with offering goods or services to data principals in India.

The law applies to personal data that was either collected in digital form or collected in non-digital form and digitized thereafter. It does not apply to publicly available information or to data processed for personal or domestic purposes.

A person under the DPDP Act is not just an individual or a business. The following entities are included under this category:

  • Any individual
  • Hindu Joint Family
  • Company
  • Firm
  • An association of persons, whether registered or not
  • The state, as defined under Article 12 of the Indian Constitution
  • Any other legal person not specified above

What is personal data under the DPDP Act?

Any data about an individual that can potentially be used to identify that individual is personal data. Publicly available information does not fall under the category of personal data.

The act defines personal data as "any data about an individual who is identifiable by or in relation to such data".
Citation: Sub-clause (t) of section 2

Information made publicly available by the data principal herself, or by a government agency authorized to do so, is treated as publicly available information. Information that was shared only with a specified audience, and not made public, remains personal data.

What are the duties of data fiduciaries under the DPDP Act?

Data minimization

Collect only the data required for the specific purpose. Delete data that is no longer necessary or whose consent has been withdrawn by the data principal, and take steps to have the data processor delete that personal data as well.

Purpose limitation

Data fiduciaries should limit the use of personal data to the specific purpose for which consent was obtained. They may, however, process personal data without express consent if the data principal voluntarily provided the personal data and did not indicate non-consent to its processing.

Data fiduciaries may also process personal data for several legitimate uses without separate consent: complying with the law and court orders; processing by the state or its agencies to provide benefits, subsidies, certificates, licenses, or permits, provided that the data principal previously consented or the personal data is already held in a government database; performing governmental functions; protecting the sovereignty, integrity, and security of India; maintaining public order; responding to medical emergencies and providing treatment; taking measures during epidemics; and safeguarding employers from losses.

Privacy notice

Privacy notices and requests for consent must be available in English as well as in every language listed in the Eighth Schedule of the Indian Constitution. They should be presented in a clear and accessible manner, and the privacy notice should be specific and easy to understand.

Under the DPDP Act, data fiduciaries must provide a privacy notice along with the request for consent. The notice and the request should include details regarding the:

  • categories of personal data collected
  • specific purposes for which personal data is collected
  • process for exercising the rights of data principals
  • procedure to revoke consent
  • procedure to file complaints with the Data Protection Board

Consent 

Data fiduciaries cannot process personal data without the consent of the data principal unless the processing falls under a legitimate use or is exempted by the act. Data principals can withdraw their consent at any time, and the process of withdrawing consent must be as easy and convenient as the process of giving it.

Obtain verifiable consent from the parents or legal guardians of children, and from the legal guardians of persons with disability. A child is an individual under the age of 18 years. The consent requirements are discussed in more detail in a later section.

Read in detail: Consent requirements under DPDPA

Data affecting data principals

Where personal data is likely to be used to make a decision affecting the data principal, or is going to be shared with another data fiduciary, the data fiduciary must ensure that the personal data is accurate, complete, and consistent.

Implement security measures

Data fiduciaries must implement reasonable security safeguards to prevent personal data breaches. They must also adopt technical and organizational measures to ensure compliance with the obligations and other provisions of this privacy law.

Redressal mechanisms

Data fiduciaries must implement an effective and convenient grievance redressal mechanism. Describe the procedure for exercising data principals' rights in the privacy notice and appoint a person to oversee grievances. Respond to data principals' requests within a reasonable time. Publish the contact details of the Data Protection Officer, or of any other person authorized to answer requests or concerns on the data fiduciary's behalf.

Prohibitions concerning children

Tracking, behavioral monitoring, and targeted advertising directed at children are not allowed unless the central government permits them. A child is an individual under the age of 18 years. The law also imposes a duty on data fiduciaries not to process the personal data of children in a way that is likely to cause any detrimental effect on their well-being.

Report of breaches

Data fiduciaries must report every personal data breach to the Data Protection Board as well as to each affected data principal. The intimation must be made within a reasonable time.

Other obligations

If the Government of India has issued a notification restricting the transfer of personal data to any country, businesses must abide by it. Put a contract in place with your data processors and any other third parties, define the rights and obligations of each party, and make sure that they comply with the DPDP Act. Respond to data principals' requests within a reasonable time.

What are the rights of data principals under the DPDP Act?

Chapter III of the DPDP Act enumerates the rights of the data principals.

Right to access

A data principal can obtain a summary of the personal data being processed about them, the processing activities undertaken by the data fiduciary, and any other information regarding the processing of such data. They can also request the identities of all other data fiduciaries and data processors with whom their personal data has been shared.

Right to correction

A data principal can request a data fiduciary to do the following with the personal data it has collected about them:

  • Correct any inaccuracies
  • Update their personal data
  • Complete their personal data

A data fiduciary who gets such a request must fulfill the request within a reasonable time.

Right to erasure

A data principal has the right to have their personal data erased. However, a business or data fiduciary is not obliged to erase personal data that is still necessary for the specific purpose for which it was collected or for compliance with the law.

Right to grievance redressal

Data principals are entitled to an accessible grievance redressal mechanism to resolve any issue concerning a data fiduciary's act or omission in performing its obligations or in giving effect to the data principal's rights. A data principal may approach the Data Protection Board only after the grievance has not been resolved through this mechanism.

Right to nominate

Data principals can nominate an individual to exercise their rights under this act in the event of their death or incapacity (unsoundness of mind or infirmity of body).

Right to revoke consent

A data principal can revoke their consent at any time. However, the data principal bears any consequences arising from such revocation. On revocation, the data fiduciary must stop processing the data principal's personal data and must also cause its data processors to stop processing it.

The DPDPA requires data fiduciaries to request consent from data principals before processing their personal data. Consent is not required, however, for certain legitimate uses. The request for consent must be accompanied by a privacy notice that states the categories of personal data to be processed and the purpose of processing, describes the grievance redressal mechanism, and explains how data principals can exercise their rights.

The definition of consent is broad and closely resembles the GDPR's definition, except for the word "unconditional".

For consent to be valid, the following conditions should be satisfied:

  • Consent should be free, specific, informed, and unconditional.
  • There should be a clear affirmative indication of agreement.
  • The data principal agrees to the processing of their personal data for the specified purposes.

Data fiduciaries need not obtain consent if the data principal voluntarily provides personal data without indicating non-consent. For example, consider an online recruitment platform with a form where users can upload their resume along with relevant information. If a user voluntarily fills out the form, the platform can use that data to assist them with their job search.

If consent was given before the act came into force, the data fiduciary must give the data principal a notice containing the details of the personal data collected, the purpose of collection, the rights available under the act, and the grievance redressal mechanism. The data fiduciary can continue processing the personal data until the consent is withdrawn.

The act also provides for registered consent managers and allows data principals to entrust such consent managers to act on their behalf. A consent manager provides a transparent mechanism to give, manage, review, or withdraw consent, and acts as a single point of contact for the data principal to manage their consent.

What is a personal data breach under the DPDP Act?

The DPDP Act defines a personal data breach as "any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data". Every breach must be reported, whether or not any damage was caused. Notify the affected data principals as well as the Data Protection Board promptly. The format of the breach notification has not yet been prescribed.

What is the penalty for violating the DPDP Act?

The privacy law of India determines the penalty based on factors such as the gravity of the breach and its duration, the category of personal data affected, whether the violation is repetitive, and the impact of the monetary penalty on the violator. Penalties can reach up to INR 250 crore (~ $30 million).

Unlike many other data privacy laws across the world, India's privacy law does not provide for a cure period. However, violators will be given an opportunity to be heard, in keeping with the principle of natural justice.

Nature of violation/breach | Penalty
--- | ---
Failure to implement security safeguards | Up to INR 250 crore (~ $30.213 million)
Failure to notify a breach to the board | Up to INR 200 crore (~ $24.17 million)
Non-compliance with the special provisions regarding children | Up to INR 200 crore (~ $24.17 million)
Non-compliance with the obligations of an SDF | Up to INR 150 crore (~ $18.127 million)
Non-compliance with the duties of data principals | Up to INR 10,000 (~ $120)
Violation of a voluntary undertaking, if any | Up to the extent applicable to that breach
Violation of any other provision not mentioned above | Up to INR 50 crore (~ $6 million)

Steps to DPDP Act compliance

  • Obtain valid consent before processing personal data.
  • Provide a clear privacy notice along with the request for consent.
  • Make privacy notices and consent requests available in English and the 22 other languages listed in the Eighth Schedule.
  • Limit the collection of data to what is required for the specific purpose of processing.
  • Implement reasonable security safeguards.
  • Obtain verifiable consent before processing the data of children and persons with disability.
  • Delete data within a reasonable time if the data principal revokes consent or requests deletion, or when the specific purpose is exhausted.
  • Respond to data principals' requests within a reasonable time.
  • Avoid behavioral monitoring, targeted advertising, and tracking of children.
  • Keep personal data complete, accurate, and consistent.
  • Conduct audits and impact assessments if you are categorized as a significant data fiduciary.
  • Confirm that you do not transfer personal data to countries on the negative list notified by the government.
  • Put contracts in place with your data processors.
  • Inform the DPB of any breach, regardless of its scale or the risk involved.

India DPDP Act vs EU GDPR [Infographic]

[Infographic: India DPDP Act vs EU GDPR]

FAQ on the DPDP Act

Should I report all breaches under the DPDP Act?

Yes. You must report all personal data breaches to the Data Protection Board, irrespective of their gravity or the damage caused.

Does India have a privacy law?

Yes. The Digital Personal Data Protection Act, 2023 is the data privacy law of India. The law aims to balance the rights of individuals against the need to process personal data.

What is the penalty under the DPDP Act?

Penalties can extend up to INR 250 crore and depend on several factors, such as the gravity of the violation and whether it is repetitive.

Has the DPDP Act been passed?

Yes. The DPDP Act was passed in early August 2023. It will come into force when the central government issues a notification to that effect.