India's Digital Personal Data Protection Act, 2023 ("DPDP Act")
(Notified and Effective from 11th August, 2023)

Guardians of Data: Navigating Responsibilities under the DPDP Act for Business Entities

Compiled by: CS Dr IP Shilpi Thapar
Shilpi Thapar & Associates
Practising Company Secretaries, Ahmedabad
www.shilpithapar.com
September 2023
All rights reserved @ 2023
Imprint: Independently published
COMPLIMENTARY COPY - Not intended for Sale

Disclaimer: Every effort has been made to avoid errors or omissions in this publication. In spite of this, errors may creep in. Any mistake, error or discrepancy noted may be brought to our notice and will be taken care of in our next edition. It is further notified that the author or her firm will not be responsible for any damage or loss of any kind, of any manner, arising therefrom. Readers are advised to cross-check all the facts, law and contents of this publication with the original government notifications and publications. This publication is released for educational and informational purposes only and should not be construed as legal advice or as advertisement/solicitation. No part of this publication may be reproduced or copied in any manner without the author's prior written permission.
About the Author

CS Dr IP Shilpi Thapar is a Fellow member of The Institute of Company Secretaries of India (ICSI), a Registered Insolvency Professional (IBBI), an Associate Member of the Institute of Chartered Secretaries and Administrators of England and Wales (ICSA), a Law Graduate, Qualified for the Certificated Independent, holds a certificate course in "PSYCHOLOGY" from Yale University, USA (Ivy League), is a Certified Mediator and Arbitrator (IIAM), was adjudged a "Certified Corporate Director" by The World Council for Corporate Governance and was awarded the highest honour "Doctor of Excellence - Honoris Causa" by the Confederation of International Accreditation Commission, Global, in cooperation with KEISS International University, South Korea. She has almost 21 years of experience.

M/s. Shilpi Thapar and Associates ("STA"), founded by CS Shilpi Thapar, is an ICSI-registered Practising Company Secretary firm of more than 18 years' standing, with its head office at Ahmedabad and associates at Vapi, Delhi and Mumbai, rendering services in the areas of:
- Corporate Laws, with specialization in Corporate Governance issues including effective board processes,
- Insolvency & Bankruptcy,
- Legal drafting of agreements,
- Corporate Restructuring,
- Alternate Dispute Resolution, including Negotiation, Mediation and Arbitration, etc.
Corporate Governance vs. Compliance

Corporate governance refers to a framework of procedures, policies, and rules that is used to determine the overall performance and direction of the company. Senior executives and board members use this management approach to direct and control an organization. This framework is used because it ensures that directives, instructions, and strategies are carried out effectively. On the other hand, compliance is a term used to describe the process through which businesses show that they have adhered to the requirements in contracts, regulations, policies, and laws.

Corporate governance is intended to increase accountability and to facilitate prudent management, and it is focused on how the organization will perform in the long run. Another key difference is that corporate governance originates from internal sources, while compliance comes from external ones. It is important to separate governance and compliance. Although they are designed to protect against the same risks, they are different. While corporate governance determines what the company's attitude towards business practices and risk will be, compliance ensures that this attitude stays within the bounds of the law.

Even after being fully COMPLIANT, your organization is having CORPORATE GOVERNANCE issues if:
1. Weak Board supervision and a dysfunctional structure of the Board of Directors lead to suboptimal decision making.
2. Ineffective Board processes and meetings lead to poor communication among board members, resulting in missed opportunities and conflicts.
3. An ineffective approach to drafting agendas and minutes of meetings leaves board members with insufficient information for taking informed decisions and actions.
4. Board members and senior management lack training on their roles and responsibilities, corporate governance best practices and industry-specific knowledge.
5. Board and Committee Meetings are ineffective because they are not conducted in sync with the regulatory provisions.
6. Inadequate succession planning leads to leadership gaps and instability.
7. There is no evaluation of the Board and Senior Management, i.e. CEO/CFO.
8. Ethical and compliance issues in the company result in conflicts of interest and violations of Companies and Securities Laws, leading to grave penalties and legal consequences.
9. There is no crisis management: the board is unable to respond to a crisis, resulting in financial downturns, legal issues and reputational damage.
10. Data privacy concerns under the Digital Personal Data Protection Act, 2023 are not adequately addressed.
11. Internal controls and risk management are lacking.

We act as a Board Strategist and provide customised, effective and balanced solutions and strategies for all of the above issues to reputed Companies, resulting in effective corporate governance that enables the board of directors to take informed decisions and actions.

If you have a question in mind, please contact us at:
Shilpi Thapar & Associates
Company Secretaries
407B, Pinnacle Business Park, Prahladnagar Corporate Road, Ahmedabad-380052.
Contact details: 079-4004 7878
Email: [email protected], [email protected]
Visit us: www.shilpithapar.com
Author's Message:

"In the digital age, privacy and security are not a trade-off; they're two sides of the same coin." - Satya Nadella, CEO, Microsoft.

Data is the lifeblood of the modern economy and the currency of the digital world. It is widely acknowledged as the new oil and the new gold. The World Economic Forum (WEF) declared that big data is an asset class like gold or oil. It is becoming a new economic "Asset Class", a valuable resource for the 21st century that will touch all aspects of society.

In our increasingly digital and interconnected world, the term "data" has become a fundamental currency. Data fuels the engines of technology, driving everything from personalized advertisements to medical research breakthroughs. However, with this immense power comes an equally significant responsibility: the protection of data. Data protection, in its essence, is the practice of safeguarding information from unauthorized access, use, disclosure, alteration, or destruction. It is a critical aspect of our modern lives, touching virtually every facet of our existence, from personal privacy to business operations and national security.

In our rapidly digitizing world, personal data has emerged as one of the most valuable and vulnerable assets of the modern age. From the moment we log into our favourite apps, make online purchases, or even use our smartphones, we leave a trail of digital footprints—bits and bytes of information that collectively constitute our personal data. Personal data protection is the practice of safeguarding these digital footprints, ensuring that our personal information remains confidential, secure, and under our control. It is a fundamental concept that strikes at the heart of privacy, trust, and ethical data handling in our interconnected society.

In an age of constant digital interaction and data sharing, personal data protection has never been more relevant. It is about balancing the benefits of technology and data-driven services with the preservation of individual rights, freedoms, and privacy. Across the globe, landmark legislation like the General Data Protection Regulation (GDPR) in the European Union and the Digital Personal Data Protection Act (DPDP Act) in India is setting new standards for personal data protection. These laws empower individuals with greater control over their data through consent, impose stringent data security requirements on organizations, and establish hefty fines for non-compliance.

As we delve deeper into the world of digital personal data protection in India, this guide explores the key principles, regulations, technologies, and best practices that underpin this vital field, providing insights into how individuals, organizations, and societies can navigate the challenges and opportunities presented by the data-driven era.
I am pleased to present this concise guide for Employers, Professionals, Corporate Directors and all business entities on India's most significant law, The Digital Personal Data Protection Act, 2023 (DPDP Act).

Happy Learning!

CS Dr IP Shilpi Thapar
Practising Company Secretary
Certified Arbitrator & Mediator
Ahmedabad || 10.09.2023
CONTENTS

S. No.  Particulars                                                                              Page Nos.
1.      Introduction                                                                             1-3
2.      Applicability of DPDP Act, 2023 in India                                                 4
3.      History of Personal Data Protection Laws in India                                        5-7
4.      International Practices for Personal Data Protection                                     8-10
5.      Requirements of the Digital Personal Data Protection Act, 2023 (DPDP Act) in India       11-13
6.      30 significant FAQs on legal framework and provisions of DPDP Act, 2023                  14-36
7.      Suggested Compliances and Implementation for Organisations as per DPDP Act, 2023         37-41
1. Introduction

Data protection is a complex and multifaceted field, encompassing topics like cyber security, data governance, ethical data use, and the balance between individual rights and societal benefits. In this digital age, where data flows like a river, understanding and practising personal data protection is not just a matter of legal requirement and compliance but an ethical imperative that shapes our digital future, and also a social responsibility. It is about harnessing the power of data while respecting the dignity and autonomy of every individual.

The DPDP Act, 2023, recently introduced and made effective in India from 11th August, 2023, represents a significant step in ensuring the privacy and data protection rights of Indian citizens while also creating a conducive environment for responsible data-driven innovation and economic growth. It reflects India's commitment to protecting the personal data of its citizens.

Currently, the Information Technology Act, 2000 prevailing in India does little to protect individuals against such harms. The transfer of personal data (defined as sensitive personal data or information) is governed by the SPD Rules under the IT Act. With the DPDP Act, 2023 in effect, corresponding amendments are required in the IT Act, the RTI Act and the Consumer Protection Act for harmonisation.
Key elements typically included in a Digital Personal Data Protection Act, 2023 (DPDP) encompass:

1. Definition of Personal Data: Clear definitions of what constitutes personal data and sensitive personal data. This defines the scope of the law's application.
2. Data Subject Rights: Outlining the rights of individuals whose data is being processed, including rights to access, rectify, and delete their data.
3. Data Processing Principles: Establishing principles for the lawful and fair processing of personal data, such as data minimization, purpose limitation, and accuracy.
4. Consent: Regulations regarding obtaining informed and explicit consent from individuals before collecting and processing their data.
5. Data Security: Mandating data security measures to protect personal data from unauthorized access, breaches, and cyberattacks.
6. Data Transfers: Rules for the international transfer of personal data to countries or organizations outside the jurisdiction.
7. Data Breach Notification: Requirements for organizations to report data breaches to authorities and affected individuals within specified timeframes.
8. Data Protection Impact Assessments (DPIAs): Procedures for conducting assessments of data processing activities that may pose a high risk to individuals' privacy.
9. Data Protection Officers (DPOs): Designation of data protection officers within organizations to oversee compliance with data protection laws.
10. Penalties and Enforcement: Imposing fines and penalties for non-compliance with data protection regulations and assigning authorities responsible for enforcement.
11. Regulatory Authorities: Establishment of regulatory bodies or data protection authorities to oversee and enforce compliance with the law.
12. Data Localization: Provisions related to storing certain categories of data within the country's borders.
2. Applicability of DPDP Act in India

In our view, the Act will be applicable to ALL business entities (as employers are custodians of employee personal data), educational institutions, utility companies, financial institutions, service providers (i.e. CA, CS, CWA, Advocates, Doctors), the real estate sector, the aviation and transportation sector, hospitals, the hospitality and tourism sector, online subscriptions, entities providing AMC services, and e-commerce companies.

In many jurisdictions, data protection laws aim to safeguard the personal data of individuals, which can include employees' data held by their employers. Employers are typically considered data controllers or data processors, and as such they are required to comply with the data protection laws relevant to their jurisdiction. Employers are likely to be covered by the DPDP Act if it includes provisions related to the collection, processing, storage, and management of personal data in an employment context. This might involve employee records, payroll information, contact details, and any other personal data collected and processed during the course of employment.

To ensure compliance, employers need to familiarize themselves with the specifics of the DPDP Act, understand their obligations, and implement the necessary policies and procedures to protect the personal data of their employees. It is advisable to consult professionals/legal experts dealing with digital data protection laws.
3. History of Personal Data Protection Laws in India

The history of personal data protection in India has been shaped by various developments and milestones. Below is a brief overview:

1. Pre-Independence Era: India did not have specific data protection laws during its colonial period. However, privacy was recognized as a fundamental right under the Indian Constitution, which was adopted in 1950.
2. Aadhaar Act, 2016: The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016 was a significant development. It established the legal framework for the collection and use of biometric and demographic data for the Aadhaar identification system. It also included provisions related to data protection.
3. Right to Privacy as a Fundamental Right: In August 2017, the Supreme Court of India, in the landmark case of Justice K.S. Puttaswamy (Retd.) vs. Union of India, recognized the right to privacy as a fundamental right under the Indian Constitution. This judgment laid the foundation for stronger data protection laws. The right to privacy is enshrined as a fundamental right under Article 21 of the Indian Constitution, which guarantees the right to life and personal liberty. The Supreme Court of India, in the Puttaswamy case, affirmed that the right to privacy is intrinsic to the dignity and freedom of an individual.
4. Justice BN Srikrishna Committee Report: In 2017, the Government of India formed a committee headed by Justice B.N. Srikrishna to draft a comprehensive data protection law. The committee submitted its report, titled "A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians", in 2018, which served as a basis for the PDPB.
5. Introduction of the Personal Data Protection Bill (PDPB): The PDPB was introduced in the Lok Sabha (the lower house of India's Parliament) in December 2019. The bill aimed to regulate the processing of personal data in India, establish the Data Protection Authority of India (DPAI), and outline principles for data protection.
6. Parliamentary Consideration: The PDPB went through parliamentary discussions and reviews. It was referred to a Joint Parliamentary Committee for examination and report.
7. After several consultations and iterations, the Hon'ble Minister of Electronics and Information introduced the highly anticipated draft Digital Personal Data Protection Bill, 2023 ("DPDP Bill") in both houses of Parliament, i.e. the Lok Sabha on 7th August, 2023 and the Rajya Sabha on 9th August, 2023.
8. The Digital Personal Data Protection Act (DPDP Act), 2023 was passed by Parliament, received the President's assent on August 11, 2023 and became effective from 11th August, 2023. It is a significant step toward protecting the privacy of Indian citizens in the digital age.
9. The Digital Personal Data Protection Act, 2023 (the "DPDP Act" or "Act") was published in the official gazette pursuant to a notification dated August 11, 2023.
10. Provisions of the DPDP Act, 2023 will likely be notified in phases, potentially starting with the constitution of the DPDP Board.
11. Implementation timelines will possibly differ for certain classes of data fiduciaries handling large volumes of data as compared to smaller companies and start-ups. As per media reports, MeitY intends to start this process with Big Tech companies.
4. International Practices for Personal Data Protection

Digital personal data protection laws vary by country and region, and they are designed to safeguard individuals' personal data in digital form. Here are some notable data protection laws and sources of information:

1. General Data Protection Regulation (GDPR) - European Union: GDPR is one of the most comprehensive data protection laws globally, applicable to EU member states and any organization processing data of EU residents. Source: European Commission's GDPR webpage (https://ec.europa.eu/info/law/law-topic/data-protection_en)
2. California Consumer Privacy Act (CCPA) - United States: CCPA provides data protection rights to California residents and imposes obligations on businesses collecting their data. Source: California Attorney General's CCPA website (https://oag.ca.gov/privacy/ccpa)
3. Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada: PIPEDA governs the collection, use, and disclosure of personal information by private-sector organizations in Canada. Source: Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/)
4. Personal Data Protection Act (PDPA) - Singapore: PDPA regulates the collection, use, and disclosure of personal data in Singapore and sets out data protection obligations for organizations. Source: Personal Data Protection Commission Singapore (https://www.pdpc.gov.sg/)
5. Data Protection Act 2018 - United Kingdom: This UK legislation incorporates GDPR principles into national law post-Brexit and adds some specific provisions. Source: Information Commissioner's Office (ICO) - UK (https://ico.org.uk/)
6. Data Privacy Law (RA 10173) - Philippines: RA 10173 is the primary data protection law in the Philippines, governing the processing of personal data. Source: National Privacy Commission - Philippines (https://privacy.gov.ph/)
7. The Privacy Act 2020 - New Zealand: The Privacy Act 2020 regulates how personal information is handled in New Zealand, including the collection, use, and disclosure of personal data. Source: Office of the Privacy Commissioner - New Zealand (https://privacy.org.nz/)
8. Brazilian General Data Protection Law (LGPD) - Brazil: LGPD is Brazil's data protection law, inspired by GDPR, and it governs the processing of personal data in Brazil. Source: National Data Protection Authority - Brazil (https://www.gov.br/anpd/en)
9. Digital Personal Data Protection Act, 2023 (DPDP) - India: The DPDP is a proposed data protection law in India, aimed at regulating personal data processing. Source: Ministry of Electronics and Information Technology - India (https://meity.gov.in/)

The effectiveness of digital personal data protection laws can vary depending on the specific needs, legal frameworks, and enforcement mechanisms of each country. Personal data protection laws generally share the following key features:
• Explicit and informed consent for personal data processing.
• Strict data breach notification requirements.
• Robust data subject rights, including the right to access, rectify, and erase personal data.
• Stringent security and privacy-by-design requirements.
• Cross-border data transfer mechanisms and standard contractual clauses.
• Substantial fines for non-compliance.
5. Why is the Digital Personal Data Protection Act, 2023 required in India?

The World Economic Forum (WEF) declared that personal data is becoming a new economic "Asset Class", a valuable resource for the 21st century that will touch all aspects of society. As per reports, India houses about 17% of the world's population and is likely to contribute 1/5th of the world's data, so it was imperative for the government to develop a balanced ecosystem and enforce legislation that protects privacy and provides security to Indian citizens against dangers to informational privacy originating from state and non-state actors, and that serves the common good by developing trust between individuals, government and the private sector.

The right to privacy in India is recognized as a fundamental right, and it has been upheld by the Indian judiciary as a part of the right to life and personal liberty guaranteed by Article 21 of the Indian Constitution. Taking this fundamental right into consideration, the DPDP Act, 2023 was enacted. Here are some key reasons why strict enforcement of the DPDP Act, 2023 is required, and the significant advantages of enforcing it:

1. Protecting Privacy Rights: The DPDP Act is essential for safeguarding the privacy rights of Indian citizens. It establishes legal protections and rights for individuals concerning how their personal data is collected, processed, and used by organizations.
2. Alignment with International Standards: In an increasingly interconnected world, having a data protection law that aligns with international standards is crucial. The DPDP Act aims to bring India's data protection regulations in line with global norms, facilitating international data transfers and trade.
3. Global Data Economy Participation: India is a participant in the global data economy. A robust data protection framework fosters trust and confidence in India's digital ecosystem, promoting cross-border data flows, trade, and investments.
4. Preventing Data Misuse: The DPDP Act seeks to prevent the misuse of personal data, such as unauthorized data sharing, identity theft, and fraud. It sets rules and restrictions on how organizations can process and use personal information, enhancing data security and integrity.
5. Empowering Individuals: The Act empowers individuals by giving them greater control over their personal data. It grants individuals rights, such as the right to access their data, request corrections, and even request its deletion (the "right to be forgotten").
6. Data Security and Accountability: The DPDP Act promotes data security practices within organizations. It mandates measures like encryption, access controls, and data breach notification, reducing the risk of data breaches and cyber-attacks. It also holds organizations accountable for their data handling practices.
7. Trust in Digital Services: A clear legal framework for data protection builds trust between individuals and organizations. When people have confidence that their data will be handled responsibly and securely, they are more likely to engage with digital services and share their information.
8. Supporting Digital Innovation: The DPDP Act can support digital innovation and entrepreneurship by providing clear rules and guidelines. Organizations can develop new technologies and services with confidence, knowing they are operating within a legal framework.
9. Data Localization Considerations: The Act may include provisions related to data localization, which can require certain categories of sensitive personal data to be stored within India's borders. This can enhance data sovereignty and security.
10. Constitutional Recognition: The right to privacy is a fundamental right under the Indian Constitution. The DPDP Act aligns with this constitutional protection and reinforces the importance of individual privacy.
6. 30 Significant FAQs on the Legal Framework and Provisions of the Digital Personal Data Protection Act, 2023 ("DPDP")

1. What is the Digital Personal Data Protection Act (DPDP Act), 2023?
The DPDP Act, 2023 is a significant piece of legislation in India aimed at regulating the processing of personal data in the country. It is designed to provide individuals with greater control over their personal data, ensuring that their data is shared only with their consent, and to establish rules for organizations handling such data.

2. What are the key objectives of the DPDP Act, 2023?
The DPDP Act, 2023 seeks to protect the privacy of individuals by regulating the collection, storage, processing, and transfer of their personal data. It aims to establish principles for data protection, data subject rights, and mechanisms for enforcement and compliance.

3. On which principles is the DPDP Act, 2023 based?
It is based on 7 principles:
a. The principle of consented, lawful and transparent use of personal data;
b. The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining the consent of the Data Principal);
c. The principle of data minimization (collection of only as much personal data as is necessary to serve the specified purpose);
d. The principle of data accuracy (ensuring data is correct and updated);
e. The principle of storage limitation (storing data only till it is needed for the specified purpose);
f. The principle of reasonable security safeguards; and
g. The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Bill, and imposition of penalties for the breaches).

4. Which Acts were regulating data protection in India before this?
The Information Technology (IT) Act, 2000 was regulating data protection in India before the enactment of the DPDP Act, 2023.

5. What is the applicability of the DPDP Act, 2023?
It applies only to the processing of digital personal data within the territory of India, whether collected in digital form or collected in non-digital form and digitized subsequently.

6. Does it apply to digital personal data processed outside India?
It applies to the processing of digital personal data outside the territory of India if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India.
7. To whom does the DPDP Act, 2023 not apply?
It does not apply to:
a. Personal data processed by an individual for any personal or domestic purpose; and
b. Personal data that is made or caused to be made publicly available by the Data Principal to whom such personal data relates, or by any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
Illustration: A, an individual, while blogging her views, has publicly made available her personal data on social media. In such a case, the provisions of this Act shall not apply.

8. How does the DPDP Act, 2023 define Personal Data?
Personal data means any data about an individual who is identifiable by or in relation to such data, such as information on name, address, e-mail address, personal identification number, Aadhaar or passport registration number, photo, fingerprints, diagnostics, or biological material.
Further, as per the World Economic Forum, personal data is defined as data (and metadata) created by and about people, encompassing:
a. Volunteered data: created and explicitly shared by individuals, e.g., social network profiles.
b. Observed data: captured by recording the actions of individuals, e.g., location data when using cell phones.
c. Inferred data: data about individuals based on analysis of volunteered or observed information, e.g., credit scores.

9. Who are the key parties as per the DPDP Act, 2023?
a. "Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. Here "person" includes:
   - An individual;
   - A Hindu undivided family;
   - A company;
   - A firm;
   - An association of persons or a body of individuals, whether incorporated or not;
   - The State; and
   - Every artificial juristic person not falling within any of the preceding sub-clauses.
b. "Data Principal" means the individual to whom the personal data relates and, where such individual is:
   i. a child, includes the parents or lawful guardian of such a child;
   ii. a person with disability, includes her lawful guardian, acting on her behalf.
c. "Data Processor" means any person who processes personal data on behalf of a Data Fiduciary.
d. "Data Protection Officer" means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10.
e. "Consent Manager" means a person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
f. "Significant Data Fiduciary" means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10 of the DPDP Act, 2023.

10. How does the DPDP Act, 2023 define Consent?
The concept of consent in data protection laws and regulations generally refers to the voluntary and informed agreement given by an individual (data subject) for the collection, processing, and use of their personal data by an organization or entity. Consent is a fundamental element of data protection, and it typically includes the following key aspects:
a. Voluntary Agreement: Consent must be given freely, without coercion or pressure. Individuals should have a genuine choice to provide or withhold their consent.
b. Informed: Individuals must be informed about the purpose for which their data will be processed, who will process it, and any other relevant information. This ensures that individuals understand what they are consenting to.
c. Clear and Unambiguous: Consent should be expressed clearly and unambiguously. It should not be inferred from silence or inaction.
d. Revocable: Individuals have the right to withdraw their consent at any time, and this withdrawal should be as easy as giving consent.
e. Specific and Granular: Consent should be sought for specific processing activities. Organizations should not bundle multiple purposes into a single consent request.
f. Age and Capacity: Data protection laws often specify the age at which an individual can provide valid consent, and they may require additional safeguards for obtaining consent from minors.
g. Records of Consent: Organizations are usually required to maintain records of consent to demonstrate compliance with data protection regulations.

11. How does the DPDP Act, 2023 define Child?
"Child" means an individual who has not completed the age of eighteen years.

12. What are the grounds for processing Personal Data by a Data Fiduciary?
A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,—
a. for which the Data Principal has given her consent; or
b. for certain legitimate uses.
For the purposes of this section, the expression "lawful purpose" means any purpose which is not expressly forbidden by law.
13. What is the obligation of the Data Fiduciary before processing personal data of a Data Principal, and how should consent be obtained?
Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her of:
(i) the personal data and the purpose for which it is proposed to be processed;
(ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and
(iii) the manner in which she may make a complaint to the Board, in such manner as may be prescribed.
The notice should provide the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to communications from the Data Principal for the purpose of exercising her rights under the Act.
Illustration: A, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening a bank account, A opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with a notice to A describing the personal data and the purpose of its processing.
14. Can organisations process personal data collected before the DPDP Act, 2023 came into effect?
Yes. Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of the Act:
"The Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her, ––
a. the personal data and the purpose for which the same has been processed;
b. the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and
c. the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed.
The Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent."
Illustration: "A, an individual, gave her consent to the processing of her personal data for an online shopping app or website operated by Y, an e-commerce service provider, before the commencement of this Act. Upon commencement of the Act, Y shall, as soon as practicable, give through email, in-app notification or other effective method, information to A, describing the personal data and the purpose of its processing."
15. In which languages must the Data Fiduciary give the Data Principal the option to access the contents of the notice?
The Data Fiduciary shall give the Data Principal the option to access the contents of the notice in English or in any of the 22 languages specified in the Eighth Schedule to the Constitution.

16. What are the key requirements for consent given by a Data Principal?
The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous, with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for that purpose. Here "specified purpose" means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the Act and the rules made thereunder.
Illustration: A, an individual, downloads Y, a telemedicine app. Y requests the consent of A for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and A signifies her consent to both. Since the phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.
17. Is there any timeline within which consent must be obtained by the Data Fiduciary from the Data Principal?
The Act prescribes no fixed timeline. What it fixes is sequence: the notice under section 5 must accompany or precede the request for consent, and processing on the basis of consent cannot begin until that consent has been given. For data already being processed on consent obtained before the Act commenced, the Data Fiduciary must give the notice as soon as it is reasonably practicable (see Q14).

18. Is consent invalid if any part of it infringes the provisions of the Act or the rules framed thereunder?
Any part of consent referred to in sub-section (1) of section 6 which constitutes an infringement of the Act, the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement.
Illustration: A, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives to Y her consent for (i) the processing of her personal data by Y for the purpose of issuing the policy, and (ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of the consent, relating to waiver of her right to file a complaint, shall be invalid.

19. Can a Data Principal withdraw her consent at any time?
Yes. Where consent given by the Data Principal is the basis of processing of personal data, she has the right to withdraw it at any time, with the ease of doing so being comparable to the ease with which the consent was given. The consequences of the withdrawal shall be borne by the Data Principal, and the withdrawal shall not affect the legality of processing carried out on the basis of consent before its withdrawal.
Illustration: A, an individual, is the user of an online shopping app or website operated by Y, an e-commerce service provider. A consents to the processing of her personal data by Y for the purpose of fulfilling her supply order and places an order for supply of a good while making payment for the same. If A withdraws her consent, Y may stop enabling A to use the app or website for placing orders, but may not stop the processing for supply of the goods already ordered and paid for by A.

20. Can a Data Fiduciary retain a Data Principal's personal data once the specified purpose for which consent was given has been fulfilled?
Not on the strength of that consent. If a Data Principal withdraws her consent to the processing of personal data, the Data Fiduciary shall, within a reasonable time, cease, and cause its Data Processors to cease, processing the personal data of that Data Principal, unless such processing without her consent is required or authorised under the Act, the rules made thereunder or any other law for the time being in force in India. Retention after the purpose is served is governed by the erasure obligation in section 8(7), set out in Q23 below: the data must be erased as soon as it is reasonable to assume the specified purpose is no longer being served, unless retention is necessary for compliance with law.

21. What are the legitimate uses for which a Data Fiduciary may process personal data of a Data Principal?
"Legitimate uses" are the grounds, listed in section 7, on which personal data may be processed without consent. They are:
1. For the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.
2. For the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where:
• she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or
• such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data.
3. For the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India, or in the interest of sovereignty and integrity of India or security of the State.
4. For fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force.
5. For compliance with any judgment, decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India.
6. For responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual.
7. For taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health.
8. For taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order. Explanation: for the purposes of this clause, "disaster" has the same meaning as in clause (d) of section 2 of the Disaster Management Act, 2005.
9. For the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, or provision of any service or benefit sought by a Data Principal who is an employee.
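The consent rules in Q16 to Q21 translate directly into data a Data Fiduciary's systems must keep: a per-purpose record of what was consented to, a timestamp for withdrawal, and an explicit basis for any processing that does not rest on consent. The following Python sketch is an added example, not code from the Act or from this booklet. It implements a minimal consent ledger that limits each consent to the data necessary for its purpose (the telemedicine illustration), refuses terms that are not a processing purpose at all (the waiver illustration), treats withdrawal as a single call whose timestamp leaves earlier processing lawful, and requires a named section 7 ground for processing without consent. The purpose-to-data map, the class names and the clause labels used for the section 7 grounds are this example's own assumptions; the Act prescribes no such data structure.

```python
"""Consent ledger for a Data Fiduciary under the DPDP Act, 2023 (added example,
not part of the Act or this booklet). It models purpose-specific consent limited
to the data necessary for the purpose (section 6(1)), refusal of terms that are
not a processing purpose such as a waiver of the right to complain (6(2)),
timestamped withdrawal so that earlier processing stays lawful (6(4) to 6(6)),
and a named section 7 legitimate use as the non-consent basis. The purpose-to-data
map and the clause labels are this example's assumptions, not the Act's."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Section 7 grounds, labelled by clause for illustration (assumed labels).
LEGITIMATE_USES = frozenset({
    "7(a) voluntarily_provided", "7(b) state_benefit", "7(c) state_function",
    "7(d) legal_disclosure_obligation", "7(e) court_order",
    "7(f) medical_emergency", "7(g) epidemic", "7(h) disaster", "7(i) employment",
})


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str            # the "specified purpose" named in the section 5 notice
    data_items: frozenset   # only the data necessary for that purpose
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, at: datetime) -> bool:
        # Covers processing from the time consent is given until it is withdrawn;
        # a later withdrawal does not make earlier processing unlawful (6(5)).
        return self.given_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


class ConsentLedger:
    def __init__(self, necessary_data: dict):
        # purpose -> data the fiduciary has documented as necessary for it (assumed map).
        self.necessary = {p: frozenset(i) for p, i in necessary_data.items()}
        self.records = {}  # (principal_id, purpose) -> ConsentRecord

    def record_consent(self, principal_id: str, requested: dict, now: datetime):
        """Record consent purpose by purpose. `requested` maps purpose -> items agreed.
        Returns (accepted, dropped, rejected): data covered per purpose, items dropped
        as unnecessary for the purpose, and terms that are no processing purpose at all."""
        accepted, dropped, rejected = {}, {}, []
        for purpose, items in requested.items():
            if purpose not in self.necessary:
                rejected.append(purpose)          # e.g. a waiver: invalid, section 6(2)
                continue
            items = frozenset(items)
            covered = items & self.necessary[purpose]
            if items - covered:
                dropped[purpose] = items - covered
            self.records[(principal_id, purpose)] = ConsentRecord(principal_id, purpose, covered, now)
            accepted[purpose] = covered
        return accepted, dropped, rejected

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> bool:
        """One call, as easy as the one call that gave consent (section 6(4))."""
        rec = self.records.get((principal_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now
        return True

    def may_process(self, principal_id, purpose, item, at, legitimate_use=None):
        """Return (allowed, basis) for processing `item` for `purpose` at time `at`."""
        if legitimate_use is not None:
            if legitimate_use not in LEGITIMATE_USES:
                raise ValueError(f"not a section 7 ground: {legitimate_use}")
            return True, legitimate_use
        rec = self.records.get((principal_id, purpose))
        if rec is not None and item in rec.data_items and rec.active_at(at):
            return True, f"consent for '{purpose}'"
        return False, "no consent in force and no legitimate use named"

    def must_cease(self, principal_id: str, now: datetime) -> list:
        """Purposes whose consent is withdrawn: stop processing, and make processors stop,
        within a reasonable time unless another law requires it (section 6(6))."""
        return sorted(p for (pid, p), r in self.records.items()
                      if pid == principal_id and r.withdrawn_at is not None and r.withdrawn_at <= now)


def demo() -> dict:
    """The telemedicine illustration from section 6(1), followed by a withdrawal."""
    t0, t_use, t_wd = (datetime(2023, 9, d, tzinfo=timezone.utc) for d in (1, 10, 15))
    ledger = ConsentLedger({"telemedicine": {"name", "phone", "medical_history"}})
    accepted, dropped, rejected = ledger.record_consent("A", {   # constructed request
        "telemedicine": {"name", "phone", "medical_history", "contact_list"},
        "waive_right_to_complain": set()}, t0)
    before = ledger.may_process("A", "telemedicine", "phone", t_use)[0]
    contacts = ledger.may_process("A", "telemedicine", "contact_list", t_use)[0]
    ledger.withdraw("A", "telemedicine", t_wd)
    still_lawful = ledger.may_process("A", "telemedicine", "phone", t_use)[0]
    after = ledger.may_process("A", "telemedicine", "phone", t_wd)[0]
    emergency = ledger.may_process("A", "telemedicine", "medical_history", t_wd,
                                   legitimate_use="7(f) medical_emergency")[0]
    return {"accepted": accepted, "dropped": dropped, "rejected": rejected,
            "before": before, "contacts": contacts, "still_lawful": still_lawful,
            "after": after, "emergency": emergency, "cease": ledger.must_cease("A", t_wd)}
```

Two design points matter in practice. Keeping consent keyed by purpose, rather than as one flag per user, is what makes the telemedicine narrowing and the insurance waiver enforceable in code instead of in policy text. And recording the withdrawal time, rather than deleting the record, is what lets the fiduciary show that processing before the withdrawal was lawful while still producing the list of purposes on which it and its processors must now stop.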
22. What must a Data Fiduciary keep in mind when processing personal data of children or of persons with disability?
(1) The Data Fiduciary shall, before processing any personal data of a child or of a person with disability who has a lawful guardian, obtain verifiable consent of the parent of such child or of the lawful guardian, as the case may be, in such manner as may be prescribed. Explanation: for the purpose of this sub-section, "consent of the parent" includes the consent of the lawful guardian, wherever applicable.
(2) A Data Fiduciary shall not undertake such processing of personal data as is likely to cause any detrimental effect on the well-being of a child.
(3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children, or targeted advertising directed at children.
The Central Government may, by notification, exempt prescribed classes of Data Fiduciaries, for prescribed purposes and subject to conditions, from these restrictions. It may also, if satisfied that a Data Fiduciary processes children's personal data in a verifiably safe manner, notify an age above which that Data Fiduciary is exempt from (a) the requirement of verifiable parental or guardian consent and (b) the prohibition on tracking, behavioural monitoring and targeted advertising directed at children.
23. What are the key responsibilities of a Data Fiduciary?
(1) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under the Act, be responsible for complying with the provisions of the Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.
(2) A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering goods or services to Data Principals only under a valid contract.
(3) Where personal data processed by a Data Fiduciary is likely to be (a) used to make a decision that affects the Data Principal, or (b) disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency.
(4) A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of the Act and the rules made thereunder.
(5) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.
(6) In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of the breach in such form and manner as may be prescribed.
(7) A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force, (a) erase personal data upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and (b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary to that Data Processor for processing.
Illustrations:
1. A, an individual, registers herself on an online marketplace operated by Y, an e-commerce service provider. A gives her consent to Y for the processing of her personal data for selling her used car. The online marketplace helps conclude the sale. Y shall no longer retain her personal data.
2. A, an individual, decides to close her savings account with Y, a bank. Y is required by law applicable to banks to maintain the record of the identity of its clients for a period of ten years beyond closing of accounts. Since retention is necessary for compliance with law, Y shall retain A's personal data for the said period.
(8) A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or of a person who is able to answer on behalf of the Data Fiduciary the questions, if any, raised by the Data Principal about the processing of her personal data.
(9) A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals.

24. What are the rights and duties of a Data Principal?
Rights of the Data Principal:
1. Right to access information about her personal data.
2. Right to correction and erasure of personal data.
3. Right of grievance redressal.
4. Right to nominate.
Duties of the Data Principal:
1. To comply with the provisions of all applicable laws for the time being in force while exercising rights under the Act;
2. Not to impersonate another person while providing her personal data for a specified purpose;
3. Not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
4. Not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and
5. To furnish only such information as is verifiably authentic while exercising the right to correction or erasure under the provisions of the Act or the rules made thereunder.

25. Under what circumstances is a Data Fiduciary deemed to have the consent of the Data Principal to process her data?
Note: the term "deemed consent" and the eight circumstances below come from the Digital Personal Data Protection Bill, 2022 (the draft released for consultation). The enacted Act does not use the term; it replaces this list with the narrower "legitimate uses" in section 7, reproduced in Q21 above. In particular, ground 8 of the draft (public interest, fraud prevention, mergers, debt recovery and any "fair and reasonable purpose") has no counterpart in the Act, and processing on any of the retained grounds is governed by the wording of section 7, not by this list. The draft listed:
1. Personal data is given voluntarily.
2. To perform any function under any Act which is for the benefit of the Data Principal, or for issuance of any certificate, licence or permit.
3. To comply with a judgment or order issued under any Act.
4. Medical emergencies.
5. For taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health.
6. For ensuring safety of, or assistance or services to, any individual during a disaster or breakdown of public order, or pursuant to a notification of the Central or State Government in the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States or maintenance of public order.
7. Employment purposes, including prevention of corporate espionage and protection of trade secrets, confidentiality and intellectual property.
8. Public interest, including fraud prevention and detection, mergers and acquisitions or corporate restructuring under applicable Acts, debt recovery, or any fair and reasonable purpose as may be prescribed.
26. Who is a Significant Data Fiduciary, and on what criteria will the Government notify one?
"Significant Data Fiduciary" means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10 of the Act. They are notified on the basis of an assessment of the following factors:
1. the volume and sensitivity of personal data processed;
2. risk to the rights of Data Principals;
3. potential impact on the sovereignty and integrity of India;
4. risk to electoral democracy;
5. security of the State; and
6. public order.

27. Where a Data Fiduciary is negligent, does the Act provide compensation to the Data Principal?
No. The Act defines the terms "gain" and "loss" (used by the Board in determining the amount of a penalty), but contains no provision for compensation to the Data Principal for a personal data breach caused by the negligence of a Data Fiduciary.

28. What are the key features of the Data Protection Board of India (DPBI)?
The Board is the adjudicating authority under the Act. It is a body corporate by the name aforesaid, having perpetual succession and a common seal, with power, subject to the provisions of the Act, to acquire, hold and dispose of property, both movable and immovable, and to contract, and it may by that name sue or be sued. Its headquarters shall be at such place as the Central Government may notify. It consists of a Chairperson and such number of other Members as the Central Government may notify, all appointed by the Central Government.
Its functions under the Act are: on intimation of a personal data breach, to direct any urgent remedial or mitigation measures, inquire into the breach and impose penalty; on a complaint by a Data Principal, or a reference by the Central or State Government, to inquire into breaches of obligations or of the conditions of registration of a Consent Manager and impose penalty; and to issue directions for the effective discharge of these functions. Two points are often misstated: Data Protection Impact Assessments are an obligation placed on Significant Data Fiduciaries under section 10, not a function of the Board; and the power to make rules under the Act rests with the Central Government, not the Board.

29. What are the provisions for appeal and adjudication under the DPDP Act, 2023?
The "Appellate Tribunal" under the Act is the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997. An appeal must be filed within sixty days from the date of receipt of the Board's order; the Tribunal may entertain an appeal after that period if satisfied there was sufficient cause for the delay.
The Appellate Tribunal must deal with appeals as expeditiously as possible and endeavour to dispose of them within six months of filing; where that is not possible, it records in writing its reasons for not disposing of the appeal within that period. An order passed by the Appellate Tribunal under the Act is executable by it as a decree of a civil court, and for this purpose the Appellate Tribunal has all the powers of a civil court. Where an appeal is filed against an order of the Appellate Tribunal, section 18 of the Telecom Regulatory Authority of India Act, 1997 applies (a further appeal lies to the Supreme Court).
• If the Board is of the opinion that a complaint may be resolved by mediation, it may direct the parties to attempt resolution through a mediator mutually agreed upon by them, or as provided under any law for the time being in force in India.
• The Board may accept a voluntary undertaking in respect of any matter related to observance of the provisions of the Act from any person at any stage of a proceeding under section 28 of the Act.
• All sums realised by way of penalties imposed by the Board under the Act are credited to the Consolidated Fund of India.

30. What are the penalties that can be imposed under the DPDP Act, 2023?
Penalties are imposed for breach of the provisions of the Act or the rules made thereunder; the maximum prescribed penalty is Rs 250 crore for a default by a Data Fiduciary. The Schedule is as follows:
1. Breach of the Data Fiduciary's obligation to take reasonable security safeguards to prevent personal data breach (sub-section (5) of section 8): may extend to Rs 250 crore.
2. Breach of the obligation to give the Board or an affected Data Principal notice of a personal data breach (sub-section (6) of section 8): may extend to Rs 200 crore.
3. Breach of the additional obligations in relation to children (section 9): may extend to Rs 200 crore.
4. Breach of the additional obligations of a Significant Data Fiduciary (section 10): may extend to Rs 150 crore.
5. Breach of the duties of a Data Principal (section 15): may extend to Rs 10,000.
6. Breach of any term of a voluntary undertaking accepted by the Board (section 32): up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted.
7. Breach of any other provision of the Act or the rules made thereunder: may extend to Rs 50 crore.
7. Suggested Compliances and Implementation for Organisations under the DPDP Act, 2023:
A. For all types of organisations (firms, companies, associations, trusts, etc.):
Protecting digital personal data is crucial for safeguarding individuals' privacy, complying with data protection law and maintaining the trust of customers and clients. The following steps and best practices help organisations of every type protect digital personal data:
1. Understand the applicable law: familiarise the organisation with the provisions of the DPDP Act, 2023 and ensure compliance with them.
2. Data inventory and classification: identify and classify all personal data within the organisation. Determine the types of data collected, where it is stored, who has access to it and how it is processed.
3. Data minimisation: collect and retain only the data necessary for the organisation's legitimate purposes. Avoid collecting excessive or irrelevant data.
4. Consent and transparency: obtain explicit and informed consent from individuals before collecting and processing their personal data. Be transparent about how data will be used and provide clear privacy notices.
5. Data security: implement robust security measures, including encryption, access controls, firewalls, intrusion detection systems and regular security audits. Ensure that data is protected both in transit and at rest.
6. Employee training and awareness: train employees on data protection policies and best practices. Employees should be aware of their responsibilities and the importance of data security.
7. Access control: restrict access to personal data to authorised personnel only. Implement role-based access controls so that employees have access only to the data necessary for their roles.
8. Data encryption: encrypt sensitive data using strong, current encryption algorithms to protect it from unauthorised access.
9. Regular software updates and patch management: keep all software, including operating systems and applications, up to date with the latest security patches to protect against known vulnerabilities.