Know what the Digital Personal Data Protection Act, 2023 (the “Act”) entails for you as a consumer or a business concern?  

      I.   At the outset, it is pertinent to note that the Act is strategically devised to balance the rights of individuals with the use of ‘personal data’ for lawful purposes. We are all aware that digital transactions have revolutionized the way business is conducted, and that the collection of personal data as part and parcel of the provision of services by business concerns is inevitable.

 Firstly, it is essential to delineate what constitutes ‘data’ and ‘personal data’. The terms ‘data’ and ‘personal data’ have been defined in the Act as under:

(i)      “data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;

(ii)    “personal data” means any data about an individual who is identifiable by or in relation to such data;

From a bare perusal of the definition of data, one can understand that any information, fact or concept would constitute ‘data’. It is therefore crucial to highlight what constitutes a breach.

What other terms does one need to be aware of in the Act?

(i)       “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;

(ii)      “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;

(iii)      “Data Principal” means the individual to whom the personal data relates and where such individual is. 

   II.      When can you attribute a breach of your personal data to another party?

According to Section 2(u) of the Act, unauthorized processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, which leads to a compromise of the confidentiality, integrity or availability of personal data, amounts to a personal data breach.

 III.         Applicability

The Act extends to the digital processing of personal data within the territory of India where the personal data is collected in digital form, or collected in non-digital form and digitized subsequently. It is to be noted that the Act also applies to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India.

The Act shall not apply in the below-mentioned scenarios:

(i) personal data processed by an individual for any personal or domestic purpose; and

(ii) personal data that is made or caused to be made publicly available by—

(A) the Data Principal to whom such personal data relates; or

(B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

So, if you make your personal data publicly available on social media while blogging, the provisions of the Act shall not apply in such cases.

 IV.     Value of ‘consent’ and ‘notice’: Section 4 provides that a person may process personal data in accordance with the provisions of the Act and for a lawful purpose, where consent has been given or for a legitimate use. The entity processing the personal data is required to give notice to the person whose data is processed. Such a notice shall contain details such as the purpose of processing and the manner in which the person whose data is processed may make a complaint. The consent given by a Data Principal as per Section 6 of the Act is supposed to be free, specific, informed, unconditional and unambiguous with a clear affirmative action, which shall include signing of an agreement to the processing of the personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. The Act confers the right to withdraw the ‘consent’ at any time. As per Section 9 of the Act, if data of a child or a person with disability is being processed.

Consent Manager: the Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. The Consent Manager shall be accountable to the Data Principal.

 So, at the time of opening a bank account or registering on an online shopping platform, when you share your personal information, the bank or platform gives you notice about the extent to which that personal information will be processed.

Legitimate use of personal data: Section 7 of the Act lists the instances in which the processing of data is permitted:

a.     Where data is voluntarily provided by the Data Principal.

b.     For the State or any of its instrumentalities to provide or issue to the Data Principal a subsidy, benefit, service, certificate, licence or permit, where consent is available or such data is available in digital form from a database, register or book maintained by the State.

c.     For the performance by the State or any of its instrumentalities of any function under law, or in the interest of the sovereignty and integrity of India or the security of the State.

d.     For compliance with a decree, judgment or order issued as per law.

e.     For responding to a medical emergency involving a threat to the life or an immediate threat to the health of the Data Principal or any other individual.

f.      To provide medical services during an epidemic.

g.     To provide safety and assistance during disasters.

h.     For the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.

 VI.  What is your duty as a ‘Data Fiduciary’, and what are the additional obligations of a ‘Significant Data Fiduciary’?

a.     A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.

b.     The Data Fiduciary is responsible for the completeness, accuracy and consistency of the personal data.

c.     Protection of personal data.

d.     Apprise about a data breach, if any.

e.     The Central Government also has the power to notify any class of Data Fiduciaries as a Significant Data Fiduciary (“SDF”) on the basis of an assessment of factors such as the volume and sensitivity of the data processed, risk to the rights of the Data Principal, impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State and public order. The SDF shall also appoint a data protection officer, who shall be responsible to the Board of Directors of the SDF and be the contact person for grievance redressal. The SDF is also obligated to appoint an independent data auditor to carry out a data audit, who shall evaluate the compliance of the SDF with the provisions of this Act.

Right to know to what extent your data is being processed and right to get it erased?

a.    As per Section 11 of the Act, a Data Principal shall have the right to obtain, from the Data Fiduciary to whom consent is being given, a summary of the personal data being processed, the processing activities, and the identities of all other Data Fiduciaries and Data Processors with whom personal data is being shared.

b.    As per Section 12 of the Act, a Data Principal has the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent.

VIII. Data Protection Board of India (DPBI) and its role: the DPBI, established in accordance with the Act, is the first step in the procedure of recourse for complaints with respect to a data breach.

a.  Upon a complaint made by a Data Principal in respect of a personal data breach, or a breach in observance by a Data Fiduciary of its obligations in relation to her personal data or the exercise of her rights under the provisions of the Act, or on a reference made to it by the Central Government or a State Government, or in compliance with the directions of any court, the Board has been given the power to inquire into such breach and impose a penalty as provided in this Act.

b.   Upon a complaint made by a Data Principal in respect of a breach in observance by a Consent Manager of its obligations in relation to her personal data, the Board has the power to inquire into such breach and impose a penalty as provided in this Act.

c.   In case of breach of any condition of registration of a Consent Manager, the Board has the power to inquire into such breach and impose a penalty as provided in this Act. The DPBI also has the power to impose penalties depending upon the nature, gravity and duration of the breach, the type and nature of the personal data affected by the breach, the repetitive nature of the breach, whether a person has gained or lost as a result of the breach, whether a person took any action to mitigate the breach, the likely impact of imposition of a monetary penalty, etc.

 IX.  Aggrieved by the decision of the Board: An appeal lies to the “Appellate Tribunal”, which means the Telecom Disputes Settlement and Appellate Tribunal established under Section 14 of the Telecom Regulatory Authority of India Act, 1997.

a.  An appeal may be filed by the aggrieved person within 60 days, and the appeal shall be dealt with as expeditiously as possible, with an attempt made to dispose of it within 6 (six) months. An order passed by the Appellate Tribunal under this Act shall be executable by it as a decree of a civil court, and for this purpose, the Appellate Tribunal shall have all the powers of a civil court.

     Cumulatively, the Act provides a comprehensive legal framework for the protection of the rights of individuals whose personal data is being processed, and for the entities responsible for the processing of such personal data. Although the legislation has been enacted, the Government is yet to notify the effective date of its enforcement. As a matter of abundant caution, entities processing personal data have already started complying with the intricacies of the Act.
