The Digital Personal Data Protection Act, 2023 is a significant step taken by the Indian legislature towards reinforcing the data protection and privacy regime in India. The Act intends to align Indian data protection law with the rapidly evolving approach to the processing and deployment of personal data. Further, the Act directs Data Fiduciaries across the globe to ensure greater accountability in their treatment of the personal data of Indian Data Principals.
In Part I of this Article (accessible here), we summarized (a) the key concepts introduced under the DPDP Act; (b) the modes in which personal data can be collected by the Data Fiduciaries; (c) the grounds for collection of such personal data; (d) the duties of the Data Fiduciaries; and (e) the additional obligations of the Significant Data Fiduciaries.
This part of the Article discusses (a) the rights available to the Data Principals; (b) the duties of the Data Principals; (c) the establishment of the Data Protection Board of India and its powers; and (d) the penalties prescribed for any breach of the provisions of the DPDP Act.
Rights of the Data Principals
Chapter III of the Act grants the Data Principals certain vital rights which can be exercised in relation to their digital personal data. While the Act provides for the rights available to the Data Principals, the manner in which such rights will be enforced and made available to the Data Principals will be elaborated in the rules to be notified subsequent to the Act. The rights made available to the Data Principals under the Act are:
Right to access information about personal data: The Data Principals have been provided with a right to seek certain information pertaining to their personal data from the concerned Data Fiduciary, including: (a) a summary of the personal data of the Data Principal being processed; (b) identities of all the Data Fiduciaries and Data Processors with whom the personal data of the Data Principals have been shared; and (c) other information related to the personal data of the Data Principal.
Right to correction and erasure of personal data: The Data Principals have been extended a right to seek correction, completion, updating and erasure of their personal data for which they have previously given their consent. Further, the Act imposes an explicit obligation on the Data Fiduciary to (a) correct the inaccurate personal data; (b) complete the incomplete personal data; and (c) update the personal data, upon a request raised by the Data Principal.
Right to grievance redressal: The Act provides the Data Principals with a right to have ‘readily available means’ of grievance redressal from the Data Fiduciary or the Consent Manager to protect their personal data in accordance with the provisions of the Act and to enforce their rights under the Act. In furtherance of the right to grievance redressal, the Data Principal is required to exhaust the remedy available by enforcing this right before approaching the Data Protection Board of India.
Right to nominate: The Data Principals have been provided with a right to nominate any individual who shall exercise the rights of the Data Principal in the event of death or incapacity of such Data Principal.
Duties of the Data Principals
Besides the rights provided to the Data Principals, the Act requires the Data Principals to abide by certain duties. The Data Principals are required to (a) comply with the provisions of applicable law while enforcing their rights under the Act; (b) not impersonate another person while providing personal data; (c) not suppress any material information while providing personal data; (d) not file any false grievance or complaint under the Act; and (e) furnish only such information as is verifiably authentic while exercising the right to seek correction or erasure of personal data.
Processing of personal data outside India
The Act, per se, does not restrict the transfer of personal data by a Data Fiduciary outside India. However, the Act provides the Central Government with an authority to notify any restriction which can be imposed on the transfer of personal data by a Data Fiduciary to any specific country or territory outside India.
It has been clarified in the Act that the provisions of the Act shall not restrict the applicability of any other law in force in India which may impose a higher degree of compliance requirement in relation to transfer of personal data outside India.
As an illustration, the Reserve Bank of India, vide circular DPSS.CP.OD.No 2785/06.08.005/2017-18 dated April 06, 2018, mandated all the payment system providers under the Payment and Settlement Systems Act, 2007 to store the entire payment data only in India. Thereby, nothing contained in the Act or the rules notified under the Act can permit such payment system providers to store payment data outside the territory of India.
Exemptions under the Act
Section 17 of the Act provides a list of instances wherein the applicability of the provisions of the Act is exempted. Such instances can be broadly classified as:
Exemptions from the applicability of Chapter II and Chapter III: Section 17(1) of the Act provides for a list of instances where the provisions of Chapter II, i.e., obligations of Data Fiduciaries; Chapter III, i.e., the rights of Data Principals; and Section 16, i.e., processing of personal data outside India, shall not be applicable. The list of such exemptions includes processing of personal data:
(i) for enforcing any legal right or claim;
(ii) by a court or tribunal or any other judicial/quasi-judicial body in India;
(iii) in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law in India;
(iv) for a scheme of compromise or arrangement or merger or amalgamation of two or more companies, as approved by the court or tribunal; and
(v) for ascertaining the financial information of any person who has defaulted in payment of loan or advance taken from a financial institution.
Blanket exemption: Section 17(2) provides for a list of instances wherein any provision of the Act in respect of the processing of personal data would not be applicable. The list includes processing of personal data:
(i) by any instrumentality in India as notified by the Central Government, or by the Central Government of any personal data shared by such instrumentality, for: maintaining the sovereignty and integrity of the country, security, relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence; and
(ii) for undertaking any research, archiving or statistical purposes. However, such processing shall not be used to make any decision specific to a Data Principal.
Exemption to Startups: The Central Government has been authorized to notify certain classes of Data Fiduciaries including ‘Startups’[1] to whom certain provisions of the Act shall not be applicable.
Data Protection Board of India
The Act authorizes the Central Government to establish a board for the purposes of the Act, which will be called the Data Protection Board of India (“Board”). The powers and functions of the Board include:
(i) Direct any urgent remedial or mitigation measures in the event of any data breach, and to initiate inquiry into such data breach and impose penalty;
(ii) Inquire into any complaint made by the Data Principal in respect of any breach of data by the Data Fiduciary or the Central Government or a State Government under the Act, and impose penalty accordingly;
(iii) Inquire into any complaint made by the Data Principal in respect of any breach by the Consent Manager under the Act, and impose penalty accordingly;
(iv) Inquire into any breach of any condition of registration of a Consent Manager and impose penalty;
(v) Inquire into any breach by the ‘intermediary’[2] on a reference made by the Central Government and impose penalty;
(vi) Direct any dispute to mediation, if it is of the opinion that such complaint may be resolved by mediation.
Appellate Tribunal: Under Section 29 of the Act, any person who is aggrieved by an order or direction of the Board may appeal to the Appellate Tribunal within 60 (sixty) days of receipt of such order or direction. Further, under Section 2(a) of the Act, ‘Appellate Tribunal’ is defined as the Telecom Disputes Settlement and Appellate Tribunal established under Section 14 of the Telecom Regulatory Authority of India Act, 1997.
Penalties
The Schedule to the Act, issued under Section 33(1), provides a list of the maximum penalties imposable on breach of various provisions of the Act. The penalties prescribed extend up to INR 250,00,00,000 (Indian Rupees Two Hundred and Fifty Crores) in certain instances. However, under Section 33(2) of the Act, the Board is required to take into consideration numerous factors before determining the penalty under the Act, including:
(i) The nature, gravity and duration of the breach;
(ii) The type of personal data breached;
(iii) Whether there has been some gain or avoidance of loss due to such breach;
(iv) Steps taken to mitigate such breach;
(v) Proportionality of the penalty and the impact of imposition of such penalty.
[1] Under explanation to Section 17(3) of the Act, ‘Startup’ has been defined to mean any “private limited company or a partnership firm or a limited liability partnership incorporated in India, which is eligible to be and is recognized as such in accordance with the criteria and process notified by the department to which matters relating to startups are allocated in the Central Government.”
[2] Under Section 37 of the Act, the Central Government has been authorized, upon a reference from the Board and in the interest of general public, to direct any agency of the Central Government or any intermediary to block for access by the public any information that enables a Data Fiduciary to carry on any activity relating to offering of goods or services to Data Principals within India.
It has been clarified under Section 37(3) that ‘Intermediary’ shall have the meaning assigned to it under the Information Technology Act, 2000.