The Digital Personal Data Protection Act 2023

Deepak Jha
Nov 29, 2023

The DPDP Act in India is a step forward in the reformation of data privacy laws in the country. India’s relatively young median age of 29 is an indicator of the need for proper data privacy laws to be in place, considering the bulk of personal data being generated. The DPDP Act would help enable businesses to innovate and grow while simultaneously safeguarding the data privacy rights of Indian individuals.

The Act defines ‘personal data’ as “any data about an individual who is identifiable by or in relation to such data”.

Businesses or data fiduciaries would be accountable for maintaining the accuracy of data, keeping it secure, and deleting the data once its purpose has been served.

The Act grants individuals certain rights, which include the right to seek information about their data and to request deletion or correction of their data. The central government of India may allow government agencies to supersede these clauses in case of a threat to the security of the state or public order, or for the prevention of offenses.

Key Features of the Digital Personal Data Protection Act would be:

Data Protection Board of India (DPBI):

The central government will also be responsible for establishing a Data Protection Board of India to arbitrate non-adherence to the Act. The main functions of the Board will include:

  • Ensuring the compliance of businesses/organizations with the Act
  • Establishing protocols to be followed in case of a data breach
  • Hearing grievances made by affected people (from a data breach)
  • Members of the board would be appointed for two years with eligibility for re-appointment.
  • Functioning as an independent body

Applicability:

The Digital Personal Data Protection Act will apply to the processing of digital personal data in India. It would extend to data that is collected and stored online, or collected offline and then digitized. The Act would also apply to the processing of personal data outside of India if the services or goods offered are based in India.

Consent:

The Act treats the consent requirement as an integral part of its functioning, but consent may not be required in specific licit cases where the personal information has been voluntarily shared by the individual, or where it is processed by the state for permits, licenses, etc.

  • A notice must be given before seeking consent
  • Consent may be withdrawn at any point in time
  • Consent will not be required for licit purposes for which data might be provided voluntarily
  • Personal data may only be processed or stored after obtaining the consent of the individual, for legitimate purposes only

Rights and Duties of Data Principal:

An individual whose data is being processed (the data principal) will have the right to:

  • Obtain information about its processing
  • Seek correction, alteration, or erasure of personal data
  • Seek grievance redressal by addressing grievances to a designated contact

Obligations of Data Fiduciaries:

Businesses must:

  • Make adequate efforts to ensure the accuracy of the data stored
  • Build reasonable security safeguards to prevent data breaches
  • Inform the DPBI and affected persons in case of a breach
  • Erase the personal data as soon as the purpose has been met and retention isn’t required for legal purposes

Transfer of Personal Data Outside of India:

The Act allows the transfer of personal data outside of India, except in countries restricted by the central government.

Penalties:

Here are the specific penalties that will be imposed by the DPBI after an inquiry:

  • Penalties of up to INR 200 crore for non-fulfilment of obligations regarding children
  • Penalties of up to INR 250 crore for failure to take security measures to prevent breaches

Notably, exemptions from the consent requirement for the State in matters of national security may lead to the processing and collection of data beyond what is needed. This may violate the fundamental right to privacy of Indian individuals. The Act does not control potential risks arising from the processing of personal data. Neither the rights of individuals nor the obligations imposed on businesses will apply in exceptional cases such as the processing of personal data for the prevention, investigation, and prosecution of offences, where consent could also be overridden.

Another significant shortcoming could be the Act’s lack of provisions for data portability and the right to be forgotten. However, it allows the transfer of personal data outside of India, excluding countries restricted by the central government.

The DPDP Act has a long way to go in terms of the provisions it could create for Indian citizens and their data privacy, but this is a progressive step in this direction.

Deepak Jha

Product Manager - Talks about Data Security and Privacy