The Digital Personal Data Protection Act, 2023 (DPDP Act) has recently received presidential approval and is poised to bring significant changes to India’s data privacy landscape. Here’s a concise summary of its key provisions:
Personal Data: Information identifying an individual.
Data Fiduciary: Entities responsible for processing personal data.
Data Principal: The person to whom the personal data belongs.
Data Processor: Individuals or entities processing data on behalf of Data Fiduciaries.
Processing: Automated operations on digital personal data.
Significant Data Fiduciary: Entities with extensive data processing responsibilities.
The DPDP Act applies to digital personal data processed within or outside India if it serves Indian data principals.
Exemptions exist for personal use and publicly available data.
Some exemptions apply to legal, governmental, and research activities.
Certain entities may be exempt from specific obligations based on data volume and risk assessment.
Notice and Consent:
Data Fiduciaries must inform Data Principals about data collection and processing purposes.
Consent must be free, specific, informed, unconditional, and unambiguous.
Data Principals can withdraw consent but may impact service availability.
Data Fiduciaries must prove the validity of consent.
A registered individual who helps Data Principals manage their consent.
Grounds for Data Processing:
Data processing must comply with the DPDP Act, serve a lawful purpose, and, in some cases, require consent.
Obligations of Data Fiduciaries:
Data Fiduciaries must protect personal data, implement technical and organizational measures, respond to data breaches, engage data processors via valid contracts, ensure data accuracy, erase data when necessary, provide contact information, and more.
Significant Data Fiduciaries:
Additional obligations apply to entities designated as Significant Data Fiduciaries, including appointing a Data Protection Officer, conducting data audits, and performing data protection impact assessments.
Rights of Data Principals:
Data Principals can withdraw consent, access information, request data correction or erasure, seek grievance redressal, and nominate someone to act on their behalf.
Duties of Data Principals:
Data Principals must comply with applicable laws, provide accurate information, refrain from suppressing data, and avoid false grievances.
Cross-Border Data Transfer:
Data Fiduciaries can transfer data outside India unless restricted by the Central Government.
Data Protection Board of India:
An adjudicatory body that enforces the DPDP Act, addressing data breaches and contraventions.
Appeals can be made to the Telecom Disputes Settlement and Appellate Tribunal.
Emphasis on alternative dispute resolution mechanisms and voluntary undertakings.
Monetary penalties for breaches vary depending on the nature and severity of the violation.
Factors considered include breach nature, impact, repetition, gain or loss avoidance, mitigation actions, proportionality, and likely impact of the penalty.
Consistency with Other Laws:
The DPDP Act complements existing laws and takes precedence in case of conflicts.
The DPDP Act provides comprehensive protection for personal data, emphasizing trust between Data Principals and Fiduciaries.
It introduces purpose-based data processing and monetary penalties for non-compliance.
Implementation will occur in stages through government notifications, promoting ease of doing business in India.
In essence, the DPDP Act aims to safeguard personal data in the digital age while fostering a climate of trust and compliance among entities processing such data in India.