The relevance of data in driving the economic, social and political forces of the digitally driven world is well understood and established. With the high digital exposure of data and its growing value, it has become vulnerable to the risks associated with its unauthorized use and manipulation.
Data collected and processed digitally in India was primarily regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Personal Data Rules, 2011”) notified under the Information Technology Act, 2000. The Personal Data Rules, 2011 were drafted with limited foreseeability of the importance of protecting personal data available digitally, the extent of breach and misuse of such data, and the impact of such breach/misuse.
However, the limitations of that law in regulating and governing the evolving landscape of data privacy have been widely recognized, and over time numerous endeavors have been made to revamp the laws pertaining to the protection of digital data. A broad timeline of the evolution of the data protection laws in India is provided below:
The Parliament of India took a remarkable step towards strengthening the data protection and privacy regime and passed the Digital Personal Data Protection Bill, 2023 on August 09, 2023. The Digital Personal Data Protection Act, 2023 (“DPDP Act”/ “Act”) is a far more comprehensive legal framework governing the collection, processing and usage of digital data in India, and can be juxtaposed with the evolved jurisprudence across the world. The salient provisions of the DPDP Act are discussed below[1]:
Key definitions
The DPDP Act introduces the concepts of (a) Data Fiduciaries[2], the ones who control the personal data and the purpose of processing such data; (b) Data Principals[3], the ones whose personal data is being processed; and (c) Data Processors[4], the ones who process personal data on behalf of the Data Fiduciary, which are similar to the concepts under the General Data Protection Regulations of the European Union.
Further, the DPDP Act comprehensively defines “processing” of personal data to mean any wholly or partly automated operations performed on the digital personal data, including “collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.”[5]
Applicability
The provisions of the DPDP Act are applicable to the processing of personal data within India when such personal data is either collected in a digital form or is collected in non-digital form and is digitized subsequently. Further, the provisions of DPDP Act are also applicable to any processing of digital personal data outside the territory of India, when the processing is done in relation to goods or services being offered to the Data Principals in India.
Exclusion: It has been elucidated in the Act that the provisions and the compliance requirements are not applicable to (a) any digital personal data collected for domestic purposes; or (b) any digital data which is made publicly available by the Data Principal.
Consent from the data principal
The DPDP Act requires the Data Fiduciaries to seek “free, specific, informed, unconditional and unambiguous” consent from the Data Principal for processing of the personal data. Further, the Act clarifies that the consent cannot be a deemed consent and shall be obtained by way of an affirmative action by the Data Principal.
Notice: Under Section 5 of the DPDP Act, every request for consent is required to be supported by a notice from the Data Fiduciary. Such notice shall provide (a) the purpose for which the data is proposed to be processed; (b) the manner in which the consent can be withdrawn; and (c) the manner in which a complaint can be made to the Data Protection Board of India. Also, taking into account the wide access to the internet and the high exposure of the personal data of the vernacular-language-speaking population, the Act requires the Data Fiduciaries to make the notices available in English or in any language specified in the Eighth Schedule of the Constitution, at the request of the Data Principals.
Withdrawal of consent: The Data Principals have been provided with a right to manage, review and withdraw their consent extended for the processing of their personal data. The Data Principal may review, manage or withdraw their consent through a consent manager[6], who shall be accountable to the Data Principal.
Grounds for processing of personal data
Elementary conditions: The primary condition for processing of personal data is that such processing should be in accordance with the provisions of the Act. Moreover, such processing should be for a ‘lawful purpose’, which has been clarified to mean “any purpose which is not expressly forbidden by law”[7].
Sequential conditions: Besides the elementary conditions, the processing of personal data should satisfy one of the following conditions: (a) the consent of the Data Principal has been obtained in accordance with the Act; or (b) the personal data is being processed for certain ‘legitimate uses’. Section 7 of the DPDP Act provides a list of uses which are considered ‘legitimate uses’, which includes (but is not limited to):
(i) For any subsidy, benefit, certificate, license or permit to be issued by the government;
(ii) For performance of any function of the government under any law in India or in the interest of sovereignty, integrity or security of India;
(iii) For responding to any medical emergency or for any medical treatment;
(iv) For complying with any order or decree of the courts; and
(v) For safeguarding the employer from any loss or liability.
General compliances for Data Fiduciaries
Section 8 of the DPDP Act provides for a list of general compliances to be undertaken and observed by the Data Fiduciary. Such general compliances include:
(i) Valid contract with the Data Processor: For engaging with a Data Processor, the Data Fiduciary is required to enter into a valid contract with such Data Processor. Further, the Data Fiduciary shall have the onus to ensure that the Data Processor erases any personal data made available by the Data Fiduciary, in compliance with the Act.
(ii) Data breach: The Data Fiduciary is required to undertake reasonable security safeguards to prevent any data breach. However, if there is any breach of personal data, then the Data Fiduciary is required to intimate the Data Protection Board of India of the same.
(iii) Grievance redressal: The Data Fiduciary is required to establish an effective mechanism to redress the grievances of the Data Principals. The Act further provides the Data Principals with a right to grievance redressal, which is discussed in the Part II of this article.
(iv) Processing of personal data of children: The Data Fiduciary is required to obtain the verifiable consent of the parent or a lawful guardian before processing any personal data of a child[8] or a person with disability. The Data Fiduciary is restricted from processing any personal data where (a) such processing may be detrimental to the child’s well-being; or (b) such processing is undertaken for tracking or behavioral monitoring of, or targeted advertising directed at, children.
Significant Data Fiduciaries and their obligations
The Central Government has been provided with the authority to classify certain Data Fiduciaries as ‘Significant Data Fiduciaries’ based on certain factors, including the volume and sensitivity of the personal data processed, the risks to the rights of the Data Principals, the impact on the sovereignty and integrity of the country, and the risk to electoral democracy, security and public order.
Additional obligations: Apart from the general obligations, the Significant Data Fiduciaries shall be required to undertake the following additional compliances:
(i) Appointment of a Data Protection Officer;
(ii) Appointment of an independent data auditor; and
(iii) Undertaking of periodic data audit and data protection impact assessment.
[1] The DPDP Act, 2023 is composed of nine chapters. This article is Part I of the two-part article titled ‘An Overview of the Digital Personal Data Protection Act, 2023’. Part I is primarily focused on Chapters I and II of the DPDP Act, 2023.
[2] Section 2(i) of the DPDP Act defines ‘Data Fiduciary’ to mean “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.”
[3] Section 2(j) of the DPDP Act defines ‘Data Principal’ to mean “the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; and (ii) a person with disability, includes her lawful guardian, acting on her behalf.”
[4] Section 2(k) of the DPDP Act defines ‘Data Processor’ to mean “any person who processes personal data on behalf of a Data Fiduciary.”
[5] Section 2(x) of the DPDP Act.
[6] Section 2(g) of the DPDP Act defines ‘Consent Manager’ to mean “a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.”
[7] Section 4(2) of the DPDP Act.
[8] Under Section 2(f) of the DPDP Act, a ‘Child’ has been defined to mean “an individual who has not completed the age of eighteen years.”