The newly enacted Digital Personal Data Protection Act, 2023 aims to protect individuals' digital personal data and to ensure compliance by data fiduciaries. The Act casts certain obligations on data principals and data fiduciaries, and provides for a penalty of up to 250 crores in case of a data breach. It requires consent-based data collection and establishes the Data Protection Board to ensure compliance with its provisions and to address grievances. The scope of the Act covers digitised personal data as well as data collected offline and subsequently converted into digitised form. Any platform processing digital personal data has to comply with certain legal requirements under the DPDP Act, 2023.
Key terminology under the Act
- Who is the data principal?
Data principal: Section 2(j) defines the data principal as the individual to whom the personal data relates. Where that individual is a child, the parent or lawful guardian of the child is the data principal. Where that individual is a person with a disability, the lawful guardian acting on their behalf is the data principal. In short, a data principal is the person whose data is being collected.
- Who is classified as a data fiduciary?
Data fiduciary: Section 2(i) defines a data fiduciary as any person who determines the purpose and means of processing personal data. In practice, data fiduciaries are the individuals, companies and government entities that determine the purpose of data processing, that is, the collection, storage or any other operation performed on personal data.
Significant data fiduciary: Under section 2(z) significant data fiduciary is defined as any data fiduciary or class of data fiduciary as may be notified by the central government under section 10 of the Act.
- Who is the data processor?
Data processor: Section 2(k) defines a data processor as any person who processes personal data on behalf of a data fiduciary.
Impact of the DPDP Act on corporations handling digital personal data
Increasingly, we deal with companies and platforms that the Act refers to as data fiduciaries. These companies and platforms offer products and services to individuals online, and to deliver them they seek our personal data and use it for that purpose. Many data fiduciaries have been collecting personal data and exploiting it for their own business models, largely without the awareness or express consent of the individuals whose data is processed, and there has been misuse and exploitation of personal data by many platforms. The DPDP Act, 2023 introduces high penalties for platforms that misuse or exploit personal data. It addresses these concerns by imposing reasonable obligations on data fiduciaries, providing a compliance framework and safeguarding the digital personal data of individuals.
Compliance framework under the DPDP Act, 2023
- Purpose and storage limitation: Data that is collected may be used only for the purpose for which it was collected. A platform therefore cannot ask you for extraneous personal data or information that is not necessary for the product or service it is delivering to you as a customer.
- Data minimisation: Data fiduciaries may collect only the minimum data required to deliver the product or service. They cannot collect data and then use it for purposes other than the one for which it was given.
- Data protection and accountability: The Act obliges platforms to retain data only for the minimum necessary duration and to protect it against breach or misuse, and it imposes a high punitive financial penalty for any breach of that obligation.
- Reporting of data breaches: A platform that collects data and finds that the data has been breached, whether wilfully or unwittingly, must report the breach to the Data Protection Board.
- Accuracy of data: The data fiduciary collecting the data must store it accurately and must not maintain it in an erroneous manner.
Role of consent:
- Consent: The Act mandates that personal data may be processed only for a lawful purpose after obtaining the consent of the individual. A notice must be given before seeking consent.
- Legitimate uses (deemed consent): Consent is not required for 'legitimate uses', including (i) a specified purpose for which the individual has voluntarily provided the data, (ii) provision of a benefit or service by the government, (iii) a medical emergency, and (iv) employment. The Act allows a data fiduciary to process the personal data of children only with parental consent.
Positive aspects of DPDP 2023 on the industry
- The act establishes the data protection board, which will provide the remedial measures for any complaints of data breach.
- The act provides a strong data protection framework, which data fiduciaries need to comply with. Such compliance in regard to data protection will ultimately boost trust in the industry.
- The act drives enterprises (data fiduciaries) to process personal data only for lawful purposes.
- The act has an extraterritorial application. The enterprises which are based outside India and serving individuals in India will also be expected to comply with the provisions of this act, ensuring compliance at a broader level.
- The act serves as a positive step in safeguarding data privacy, strengthening the trust and transparency in the industry collecting data of individuals for lawful purposes.
- The act also provides business-friendly provisions, including eliminating criminal penalties for non-compliance. It also facilitates international data transfers to friendly nations.
- The DPDP Act strikes a balance between user data protection and promoting industry growth and innovation in digital businesses.
Ensuring privacy: what does the industry need to keep in mind?
- Privacy by design.
- Legal grounds for processing personal data.
- Obtaining adequate consent.
- Implementing technical and reasonable security safeguards.
- Grievance Redressal.
- Purpose of collecting data.
- Data protection assessment.
- Privacy notice.
The Digital Personal Data Protection Act, 2023 marks a significant step towards safeguarding individuals' digital personal data and promoting responsible data practices in the industry. By establishing a robust compliance framework, imposing penalties for data breaches, and emphasising the importance of consent and accountability, the Act ensures that data fiduciaries prioritise data protection and user privacy. It balances the industry's growth and innovation with the protection of digital personal data, and it underscores the importance of privacy by design and ethical data handling. In doing so, it promotes trust, transparency and security in the digital ecosystem, benefiting both individuals and businesses.
Author: Neeraj Soni, Research Associate – Policy & Advocacy, CyberPeace