A Definitive Guide to DPDP: India’s Digital Personal Data Protection Act

Harsh Sahu
CTO
March 2024 | 11 mins

India is now among the 130+ countries with a legislated and enforced act to regulate data, aiming to protect the privacy of its 1.4 billion residents.

This blog discusses the act's brief history, its various provisions, and the importance of businesses protecting their customers' sensitive and personal data to remain compliant in the dynamic data security landscape.

Businesses seeking to establish a strong presence in the Indian market must understand and apply the appropriate measures to maintain continuous compliance with these regulations.

What is India’s Digital Personal Data Protection Act?

India's new Digital Personal Data Protection Act legislates the processing of digital personal data, balancing individuals' rights to data protection and lawful data processing needs.

The Indian data privacy law was enacted on August 11th, 2023 and is likely to be in force in 2024.

Brief history about India’s DPDP Act

Let’s look at how the Indian privacy law came into being:

  • 2017: The Supreme Court of India held the Right to Privacy as a fundamental right.
  • 2018: A committee was set up by the government, under Justice B.N. Srikrishna, to design a data protection framework. A draft Personal Data Protection Bill was published for public review.
  • 2022: The draft bill was withdrawn. The Ministry of Electronics and Information Technology released the draft legislation of the data protection framework for public consultation.
  • 2023: The Digital Personal Data Protection Act was enacted.
  • 2024: Likely to be enforced.

What is the definition of personal data under Indian law?

Personal data is defined under India’s Digital Personal Data Protection Act as any data about an individual who is identifiable by or in relation to such data.

What are the grounds for processing personal data under India’s DPDP?

A person may process the personal data of a Data Principal only in compliance with this Act and for a lawful purpose:

(a) for which the Data Principal has consented; or

(b) for certain legitimate uses.

What is the scope of DPDP?

The scope of DPDP and who must comply with the act is given below:

  • The act applies to the processing of digital personal data within the territory of India, where the personal data is collected in digital form, or in non-digital form and digitised subsequently.
  • It applies to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering goods or services to Data Principals within the territory of India.

Data Principal means the individual to whom the personal data relates. Where such individual is a child, it includes the parents or lawful guardian of the child; where such individual is a person with disability, it includes her lawful guardian acting on her behalf.

What are the definitions in India’s DPDP Act?

There are several unique definitions under the latest DPDP legal framework:

Consent Manager

This refers to a person registered with the Data Protection Board of India.

Their role is to act as a single point of contact, aiding a Data Principal in granting, managing, reviewing, and withdrawing consent through a platform that is accessible, transparent, and interoperable.

Data Fiduciary

This refers to a person who, either alone or with others, determines the purpose and means of processing personal data.

Significant Data Fiduciary

The government specifically identifies these data fiduciaries based on their data volume, sensitivity, risk, and impact on national interests.

Significant Data Fiduciaries (SDFs) are subject to additional requirements, such as the appointment of an India-based Data Protection Officer (DPO).

Data Principal

This refers to the individual to whom the personal data pertains. If the individual is a child, it includes the child's parents or legal guardian.

Similarly, for a person with a disability, it includes their legal guardian acting on their behalf.

Digital Office

This refers to an office that operates through an online mechanism.

It conducts proceedings, from the receipt of an intimation, complaint, reference, direction, or appeal through to its disposal, entirely in online or digital mode.

What are the key provisions of India’s DPDP Act?

India’s first-ever privacy act largely mirrors the EU’s GDPR, adapted to India’s context.

The key provisions of DPDPA 2023 are highlighted below.

#1 Consent

  • Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.
  • A notice must be given before seeking consent. The notice should contain details about the personal data to be collected and the purpose of processing.
  • Consent may be withdrawn at any point in time.
  • Consent will not be required for ‘legitimate uses’ including:
    • (i) specified purpose for which data has been provided by an individual voluntarily,
    • (ii) provision of benefit or service by the government,
    • (iii) medical emergency, and
    • (iv) employment.
  • For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.

#2 Rights of Data Principal

Data protection laws grant certain rights to data principals.

The rights of Data Principals under the DPDP Act set out the various ways in which individuals can protect their personal data.

Right to Access

The Data Principal has the right to access their personal data from the Data Fiduciary.

This includes obtaining a summary of the processed data, information on data sharing with other fiduciaries or processors, and any additional relevant details.

However, this right does not extend to data shared legally with other fiduciaries for legal or investigative purposes.

Right to Correction and Erasure

Under the DPDP Act, the Data Principal has the right to request the correction, completion, updating, or erasure of their personal data from the Data Fiduciary.

The Fiduciary must comply with requests to amend inaccurate or incomplete data and delete personal data unless it is retained for a specific purpose or legal compliance.

Requests must be made in a prescribed manner.

Right to Grievance Redressal

The right to grievance redressal allows Data Principals to seek resolution from Data Fiduciaries or Consent Managers regarding issues related to personal data handling or rights under the Act.

Data Fiduciaries or Consent Managers must address grievances within a prescribed timeframe.

Data Principals are required to utilize this internal grievance mechanism before approaching the overseeing Board for further redressal.

Right to Nominate

The right to nominate allows Data Principals to appoint an individual who can exercise their data protection rights in cases of the Data Principal's death or incapacity.

This ensures continuity in the protection and management of the Data Principal's personal data in accordance with the Act's provisions.

#3 Duties of Data Principal

A Data Principal must:

(a) comply with all laws while exercising rights under this Act

(b) not impersonate others while providing personal data

(c) not suppress material information when providing personal data for any state-issued document or proof

(d) avoid false or frivolous complaints with a Data Fiduciary or the Board

(e) only provide verifiably authentic information when exercising the right to correction or erasure under this Act

Violation of duties will be punishable with a penalty of up to INR 10,000 or $120 USD.

#4 Obligations of Data Fiduciaries

The entity determining the purpose and means of processing (the Data Fiduciary) must:

  • Make reasonable efforts to ensure the accuracy and completeness of data
  • Build reasonable security safeguards to prevent a data breach
  • Inform the Data Protection Board of India and affected persons in the event of a breach
  • Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation)
  • In case of government entities, storage limitation and the right of the data principal to erasure will not apply

#5 Transfer of Personal Data Outside India

The act allows transfer of personal data outside India, except to countries restricted by the central government through notification.

Exemptions for Data Principal and Data Fiduciaries

Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases.

These include:

  • Prevention and investigation of offences
  • Enforcement of legal rights or claims
  • The central government may, by notification, exempt certain activities from the application of the Act. These include:
    • (i) processing by government entities in the interest of the security of the state and public order, and
    • (ii) research, archiving, or statistical purposes.

Data Protection Board of India

The central government has to establish the Data Protection Board of India.

Key functions of the Data Protection Board of India include:

  • Monitoring compliance and imposing penalties
  • Directing data fiduciaries to take necessary measures in the event of a data breach
  • Hearing grievances made by affected persons.

Board members will be appointed for two years and will be eligible for re-appointment.

The central government will prescribe details such as the number of members of the Board and the selection process.

Appeals against the decisions of the Board will lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Penalties Under India's DPDP Act

India’s first data protection law specifies penalties for various contraventions, including up to:

  • $24M USD or INR 200 crore for non-fulfilment of obligations in relation to children
  • $30M USD or INR 250 crore for failure to take reasonable security safeguards to prevent a data breach

Penalties will be imposed by the Board after conducting an inquiry.

Who is exempted from the scope of the DPDP Act?

The DPDPA data processing rules do not apply to:

  1. Personal data processed by an individual for any personal or domestic purpose
  2. Personal data that is made or caused to be made publicly available by
    • the Data Principal to whom such personal data relates; or
    • any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

Secure Data and Solve Compliance Issues of DPDP Act

Navigating the complex landscape of data protection, particularly with the implementation of the DPDPA requirements, is becoming increasingly challenging for businesses.

With India emerging as a hotspot for data breaches, it is essential for businesses to prioritize compliance with the DPDP Act.

India ranked 5th in the list of most breached countries with 5.3 million leaked accounts in 2023. These numbers underscore the urgency of robust data protection measures.

In such situations, OptIQ serves as an invaluable partner for businesses, helping you leverage state-of-the-art compliance management and data security solutions.

Businesses can ensure they are compliant with the DPDP Act and other data protection regulations, thus protecting their valuable customer data and maintaining their reputation in the market.

Frequently asked questions

1. What is the difference between GDPR and DPDP Act?

The GDPR places direct compliance obligations on data processors, also subjecting them to penalties for non-compliance. The DPDP Act does not impose obligations on data processors. Instead, the responsibility lies with the Data Fiduciaries (controllers) to ensure compliance by the processors they engage.
2. How many rights are there in GDPR and DPDP?

The GDPR outlines 8 fundamental rights for individuals regarding their personal data: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling. India's DPDP Act outlines 4 rights of the Data Principal (the individual): the right to access, the right to correction and erasure, the right to grievance redressal, and the right to nominate.

3. What are the similarities between DPDP and GDPR?

The GDPR and the DPDPA are both comprehensive data protection laws that share a number of similarities. In particular, both grant individuals a number of rights over their personal data, such as the right to access and erase their personal data and to object to its processing.
