About The Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act was passed by the President of India on 11th August, 2023.
The Act contains several provisions regarding the collection and processing of user personal data by organizations and the consent required for it. The Act also specifies several obligations of organizations in handling user data. Some rights as well as duties of a user are also mentioned. It requires the creation of the Board for supervising the implementation of the Act and for issuing penalties in case of breach. The law gives supreme power to the Central Government for making changes to the provisions of the law as and when required in respect of national interests.
The Act will apply if the personal data is collected within India in digital form or in non-digital form that is later digitalized. It can also apply to data collected outside India if it relates to services to users within India.
The Act will not be applicable if the user has made the personal data public or if there is an obligation on the user to make that personal data public.
We are using ‘User’ for the Data Principal and ‘Organization’ for the Data Fiduciary in the blog.
Request for Consent by organizations.
The Act establishes that organizations need to mandatorily obtain consent from concerned users before collecting and processing any personal data.
It requires that the organization send a request for consent to the user, and the consent request should be in clear, understandable language. The request for consent must also contain the contact of the Data Protection Officer or another authorised officer who could help the users with their rights.
Scenarios where the organization does not need consent.
However, there are a few scenarios where the organization does not require the user’s consent for processing their data, such as:
- If a user has themselves given the data to the organization for some purpose and has not notified the organization that the personal data should not be processed.
- If the State requires the data processing to be done for some situations regarding national interest, epidemic, maintaining public order, maintaining confidentiality, etc.
The consent given by the user should specifically include the agreement of processing of personal data, the purpose for processing, and the limit on personal data to be processed.
Users are allowed to use a Consent Manager who would be responsible for managing their consent regarding personal data processing by organizations.
If the question arises whether the personal data processing was carried out as per the user’s consent or not, the organization should be able to prove that the notice was given to the user for data processing and consent was received regarding the same.
Withdrawal of consent by the user
The Act makes it easier for users by requiring organizations to make revoking consent as easy as providing it. For example, while using an application, the user can select a simple Yes or No to provide consent. Similarly, if the user wants to restrict access, that process must also be simple.
After consent is withdrawn, the organization must cease processing personal data as quickly as possible and delete the stored data. However, organizations may continue the processing of data that was already in progress before consent was revoked.
For example, let’s say that an organization is using the address of a user to deliver a product. The user revokes the consent of data processing by that organization after placing the order. In this case, the organization would require the user’s address to ship the product properly.
Organizations’ data processing and storage can persist even without consent, provided this Act or another applicable law mandates it.
Notice sent by organizations for consent.
The Act specifies that organizations need to send a notice to the user while requesting their consent over data processing. The notice sent by the organization should clearly specify the purpose for which the personal data is being requested and the kind of processing intended with that personal data. The notice should also mention the rights that the user has for revoking the given consent and to whom the user can approach in case of any issue or complaint.
The Act also states that if the user has given consent for data processing before this Act came into force, then the organization should send a notice to the user with all the specified details as soon as possible.
The Central Government has the authority to make changes and request for consent if personal data is being sent to the users by any organization.
Obligations of organizations
- The Act takes further measures to secure the user data by specifying that the organization and the data processor should comply with the provisions even if the users fail to carry out their duties.
- If the organizations involve a Data Processor to process the user’s personal data, it should only be under a valid contract.
- Organizations are required to thoroughly check the accuracy and correctness of a user’s personal data before sharing it with any other organization or if the decision made on processing the personal data can affect the user.
- If there is a data breach, the organization needs to inform the Board and the associated users about the breach.
Some of the obligations for organizations mentioned in the above points would not be applicable in cases like ascertaining the financial conditions of the user who has defaulted on loan payment, etc.
Personal data protection for children
The Act also takes into consideration the personal data of children. It states that for processing the information of children (below 18) or a person with a disability, the organization must obtain the consent of the parent of the child or lawful guardian of the latter person.
Taking into account the sensitive nature of children’s data, organizations are not allowed to process such personal data that could cause harmful effects on the well-being of the child. Also, tracking, monitoring and targeted advertisements directed at children would not be allowed.
Relief on the processing of personal data of children
Central Government has been given the authority to let some organizations not be bound by the abovementioned restrictions. For this, the Central Government should specify a certain age for children above which the organization can act only if they are satisfied that the organization is safely processing data.
Significant Data Fiduciary
The Act allows the Central Government to designate some organizations as Significant Data Fiduciary considering several factors. The Significant Data Fiduciary would have some additional functions and obligations.
Data Protection Officer
The Significant Data Fiduciary should appoint a Data Protection Officer to represent itself, and the Data Protection Officer should be based in India and act as a point of contact for the grievance redressal mechanism.
Significant Data Fiduciaries are required to perform a periodic Data Protection Impact Assessment. It will include the description of users’ rights, the purpose of processing personal data, the assessment and management of risks to the rights of users and other matters which could be described later.
Rights of user
The Act provides the user certain rights to protect their privacy, some of which are:
- Users can ask the organization about the summary of their personal data and its associated processes.
- Users can ask the organization about the other organizations and data processors with whom their personal data has been shared.
- Users can nominate a different person to carry out their rights in case of the user’s death or when the user cannot access those rights themselves.
The Act also states that if the secondary organization with whom the data is shared is authorized by law in writing, then the user may not get the details of such organization.
Duties of user
The Act also imposes certain duties on the user for accessing their rights, some of which are:
- Users should be compliant with all the provisions of all the applicable laws in force at the time to exercise their rights under this Act.
- Users should not try to impersonate or hide any information provided to them by the government, for example, Aadhaar card, voting card, driving license, etc.
The Act mentions the establishment of the Data Protection Board of India by the Central Government. Some of the functions and procedures of The Board are as follows:
- The Board can inquire into any personal data breach and impose a penalty.
- The Board can investigate any person, if it has sufficient reasons for doing so in writing, to ensure whether the person has complied with the provisions of this Act.
- Any person can appeal before the Appellate Tribunal against the decision passed by the Board within sixty days from the date of receipt of the order.
The Central Government
The Central Government has the power to ask the Board or any organization to provide it with the information for the purpose of this Act, as and when required.
The Central Government holds the authority to change many of the provisions described in this Act.
Language options for notice and consent
The Act specifies that organizations should provide an option to the user to read the notice and consent request in English and other languages specified in the Eighth Schedule of the Constitution.
The Act strengthens its effectiveness by setting a maximum monetary penalty for violating the provisions, some of which are:
- Up to two hundred crore rupees if the organization fails to inform the Board and affected users about the personal data breach.
- Up to two hundred and fifty crore rupees if the organization fails to take reasonable security measures for protecting the personal data of the user.
- Up to two hundred crore rupees if the organization fails to comply with the restrictions placed on personal data processing related to children.
- Up to one hundred and fifty crore rupees if the Significant Data Fiduciary fails to follow the obligations placed on it properly.
- Up to fifty crore rupees for the breach of any other provisions of this Act.
Rules and Restrictions on Organizations
- A user’s consent to data processing by an organization will be invalid if it is inconsistent with any law in India that is in force at the time of providing consent.
- The Central Government has the authority to restrict the organizations from transferring the personal data of a user to any other country, which may be notified later.
- Transfer of personal data outside India will be restricted if a law that provides higher protection restricts it and is in effect for the time being.
- The Central Government can designate some organizations or classes of organizations, including startups, to whom some of the general obligations placed on organizations would not apply.
- Data Principal – the individual to whom the personal data relates.
- Data Fiduciary – any person who alone or in conjunction with other persons, determines the purpose and means of processing of personal data. Generally, it refers to organizations.
- Data Processor – any person who processes personal data on behalf of a Data Fiduciary.
- Consent Manager – a person registered with the Board who acts as a single point of contact to enable a Data Principal to manage its consent.
- Appellate Tribunal – the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997.
- Board – the Data Protection Board of India established by the Central Government.
- Personal data – any data about an individual identifiable by or in relation to such data.
- Processing – in relation to personal data includes operations such as collection, recording, organisation, structuring, storage, retrieval, etc.
- Significant Data Fiduciary – any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government.
- Data Protection Officer – an individual appointed by the Significant Data Fiduciary.
- State – the Government and Parliament of India and the Government and the Legislature of each of the States and all local and other authorities within the territory of India or under the control of the Government of India.