India's Digital Personal Data Protection Act (DPDPA) was introduced and passed in August 2023. The stated objective of the DPDPA is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes, and for matters connected therewith or incidental thereto.
There are three broad sets of exclusions under the Act:
- Any data that has been made publicly available by the Data Principal, or by a third party that is required by law to make it publicly available. For example, the list of shareholders of a Public Limited company.
- Data processed by an individual for personal or domestic purposes. For example, background check reports obtained by an employer or landlord.
- The Central Government of India may exempt:
  - Processing by government instrumentalities for specific purposes, such as enforcing any legal rights and ascertaining financial information.
  - Processing that is necessary for research, archiving or statistical purposes, provided the data is not used to make any decision specific to a Data Principal.
  - Certain Data Fiduciaries or classes of Data Fiduciaries, including startups, from certain provisions via notification, having regard to the volume and nature of the data they process. However, the scope of these exemptions and the eligibility criteria currently remain unclear.
Much like other data protection legislation, the Act revolves around the rights of the Data Principal, defined as “an individual to whom the data relates”. The Data Principal can therefore be considered the “queen” on the data protection chessboard, around which sit the constructs of Data Fiduciary, Data Processor, Consent Manager, and Data Protection Board.
Data Fiduciaries are obligated to process personal data in accordance with the DPDPA and for a lawful purpose only. Under the legislation, lawful purpose is defined as comprising two broad concepts:
- Any purpose for which the Data Principal has given their consent.
- Certain legitimate uses as specified under Section 4(1).
Data Fiduciaries can process personal data on the basis of consent obtained from Data Principals through a notice. The Data Fiduciary must specify what personal data is being collected and for what purpose, inform Data Principals of how they may exercise their rights, provide the contact details of the data protection officer, and describe any grievance redressal mechanisms in place. It is important to note that the Data Principal must be able to withdraw consent as easily as it was given. The manner of withdrawing consent must be clearly set out and should be easy to access and exercise. This notice must be made available in English or in one of the 22 regional languages.
The role of the Consent Manager is to be accountable to the Data Principal and to act on their behalf. To ensure this, the Consent Manager has to be registered with the Data Protection Board and has to satisfy prescribed technical, operational, financial and other conditions, which are yet to be notified. Using prior legislation as guidance, it can be envisaged that the Consent Manager will play a role similar to that of an account aggregator.
The Act also grants specific rights to the Data Principal. These include:
- Right to access a summary of their data that is being processed, the processing activities being undertaken, and the identities of all Data Fiduciaries and Data Processors who have access to their data.
- Right to correction and erasure.
- Right of grievance redressal.
- Right to nominate an individual to exercise their rights in the event of their incapacity or death.
On the other hand, the Data Principal also has specific obligations under the Act. The Data Principal must:
- Comply with the provisions of all applicable laws.
- Not impersonate another person.
- Not suppress any material information.
- Only furnish such information as is verifiable and authentic while exercising the right to correction and erasure.
- Not register a false or frivolous grievance with the Data Fiduciary or the Board.
Any entity that processes digital personal data and determines the means and purpose of that processing becomes a Data Fiduciary and is required to fulfil certain obligations under the Act. The entity must ensure the completeness, accuracy and consistency of the personal data when it uses the data to make a decision affecting the Data Principal or discloses it to another Data Fiduciary. Any personal data breach must be reported to the Board and to all affected Data Principals. Data Fiduciaries are also obligated to implement technical safeguards and take reasonable security measures to ensure compliance with the provisions of the Act.
The Data Fiduciary will be obligated to:
- Ensure the completeness, consistency and accuracy of the personal data they process.
- Implement technical safeguards and take reasonable security measures.
- Publish the details of a grievance officer who can be contacted.
- Notify personal data breaches to the Board and to the affected Data Principals.
- Erase, destroy or anonymize personal data.
Higher compliance obligations for a Data Fiduciary include appointing a Data Protection Officer based in India, appointing an independent auditor to evaluate compliance, and conducting periodic audits and assessments. In the event of a data breach, the primary responsibility for compliance rests with the Data Fiduciary. Although the Act does not prescribe standards, the slide deck shared below recommends a few actions that organisations can start putting in place.
Specific Sections of the Act continue to remain ambiguous. These include the costs associated with obtaining consent from Data Principals, cross-border data transfer, the details of the Consent Manager's position, and rights against Data Processors. Multiple stakeholders continue to seek clarity, which may only be provided in the Rules that are yet to be framed by the Government.
The team at GameChanger Law Advisors drew up a few illustrations of how the DPDPA might impact SGBs in various sectors, which can also be seen in the slides.