The Digital Personal Data Protection Act, 2023 was passed by both Houses and received the President’s assent on 11.08.2023. The Act provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
Data - Data has been defined as a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means. It includes data collected in digital form or in non-digital form and digitised subsequently.
Applicability - The Act
applies to the processing of digital personal data within the territory of
India where the personal data is collected in digital form or in non-digital
form and digitised subsequently. It also applies to processing of digital
personal data outside the territory of India, if such processing is in
connection with any activity related to offering of goods or services within
the territory of India.
Consent and Notice - A person may process personal data only in accordance with the provisions of this Act and for a lawful purpose for which consent has been given or for certain legitimate uses. A notice must be given before seeking consent, and it should contain details about the data being collected, the purpose of processing and the manner in which a complaint can be made. Consent may be withdrawn at any point in time. Consent will not be required for ‘legitimate uses’ including: (i) specified purpose for which data has been provided by an individual voluntarily, (ii) provision of benefit or service by the government, (iii) medical emergency, and (iv) employment. For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
Rights of Data Principal - The Data Principal means the individual to whom the personal data relates. She shall have the right to obtain a summary of the personal data which is being processed and the processing activities undertaken with respect to such personal data. She also has the right to obtain the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared. The Data Principal also has the right to correction and erasure of personal data.
Duties of Data Principal - The duties of a Data Principal are not to impersonate another person while providing her personal data for a specified purpose, not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities, and not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board.
Consent Manager - The Act also provides for the appointment of a Consent Manager, who will be a person registered
with the Board, who acts as a single point of contact to enable a Data
Principal to give, manage, review and withdraw her consent through an
accessible, transparent and interoperable platform. A Data Principal shall have
the right to have readily available means of grievance redressal provided by a
Data Fiduciary or Consent Manager in respect of any act or omission of such
Data Fiduciary or Consent Manager regarding the performance of its obligations
in relation to the personal data of such Data Principal or the exercise of her
rights under the provisions of this Act and the rules made thereunder.
Transfer of personal data outside India: The Act allows transfer of personal data outside India, except to countries restricted by the central government through notification.
State Exemptions - Personal data processing by the State has been given several exemptions under the Act. The Central Government also retains the power to exempt certain fiduciaries or classes of data fiduciaries from particular provisions, specifically including start-ups.
Data Protection Board of India: The central government will establish the Data Protection Board
of India. Functions of the Board will
include monitoring compliance and imposing penalties, directing data
fiduciaries to take necessary measures in the event of a data breach, and
hearing grievances made by affected persons.
Board members will be appointed for two years and will be eligible for
re-appointment. The central government will prescribe details such as the
number of members of the Board and the selection process. Appeals against the
decisions of the Board will lie with TDSAT.
Penalties: The Act specifies penalties in the Schedule for various offences, such as up to (i) Rs 200 crore for non-fulfilment of obligations for children, and (ii) Rs 250 crore for failure to take security measures to prevent data breaches. Penalties will be imposed by the Board after conducting an inquiry.
In the event of any conflict between a provision of the Act and a
provision of any other law for the time being in force, the provision of the
Act shall prevail to the extent of such conflict.
The Digital Personal Data Protection Act, 2023 is a welcome change in how digital data will be processed. The Act keeps a check on the limited use of data by Data Fiduciaries and highlights the importance of consent. By limiting the grounds for processing, the Act provides a safeguard to Data Principals and upholds their right to privacy. After this Act, Data Fiduciaries will have to revisit their privacy policies, terms of use and contracts to make the necessary changes. The few drawbacks of the Act are the exemptions given to the State and the creation of Boards, which may slow down the implementation of the Act. However, the strong penalty clauses will help in the prevention of data breaches, which had become common due to the lack of a comprehensive legal framework. Many details and rules of the Act are still left to be formulated by the new Data Protection Board of India, which is yet to be set up. The Act will bring in a new era of data security, privacy and accountability in India’s digital landscape.
This article has been compiled by Ayushi Misra (Senior Associate) and Arun Gupta (Managing Partner).
You can direct your queries or comments to the author at info@factumlegal.com
Disclaimer-
The contents of this article should not be construed as legal opinion. This article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. We expressly disclaim any financial or other responsibility arising due to any action taken by any person on the basis of this article.