
Perspective on data privacy laws in India – The Digital Personal Data Protection Act, 2023

Written by: Niveditha KS, Sr Consultant, Legal Counsel, Head of Regulatory, India, Dell Technologies

Data privacy has emerged as a critical concern globally in an era defined by digital transformation. India’s evolving digital economy recognised this need for comprehensive legislation safeguarding personal data. The culmination of this endeavour, over the last seven years and after multiple iterations, is the Digital Personal Data Protection Act, 2023 (DPDP Act), a significant milestone in India’s journey towards ensuring data privacy rights for its citizens.

Evolution of the privacy legal framework in India: India did not have a specific privacy law on personal data protection, and the use of personal data has been governed by the provisions of the Information Technology Act 2000. Other laws, such as the Indian Penal Code 1860, touch upon various other aspects of an individual’s right to privacy. India’s approach to data privacy underwent a transformative phase with the recognition of privacy as a fundamental right by the Supreme Court in the case of K.S. Puttaswamy v. Union of India (2017) 10 SCC 1. This paved the way for the enactment of the DPDP Act after years of deliberation and iterations by the Government. The Act aims to address the void left by previous laws and aligns India with international standards, particularly drawing parallels with the European Union’s General Data Protection Regulation (GDPR).

An elucidation of a few key highlights of the DPDP Act:

  • Innovative feature: The DPDP Act is concise and simple in language. The contents of the Act have been described using illustrations that make the meaning clear and reduce ambiguity. 
  • Definition of personal data *: The DPDP Act has provided for a broad definition of ‘personal data,’ which includes “data” of an individual who is identifiable by or about such data. The DPDP Act covers only digital data and hence, all forms of data in a digital form, which are identifiable to an individual are protected under the DPDP Act. 
  • Non-applicability of DPDP Act to certain forms of personal data: DPDP Act provides clarity on certain forms of personal data to which it does not apply; namely personal data that is processed by an individual for any personal or domestic purpose; and personal data that is made or caused to be publicly available — by the individual to whom the personal data relates or any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available. 
  • Illustration where DPDP Act is not applicable (as illustrated in the DPDP Act) – X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of the DPDP Act shall not apply.**
  • The DPDP Act has defined the roles, obligations, and rights of the ‘data principal’ (data owner/individuals), the ‘data fiduciary’ (a person who, alone or in conjunction with other persons, controls the purpose or means of processing the data) and the ‘data processor’ (a person who processes data on behalf of a data fiduciary). A ‘person’ is defined as a company, an individual etc.
  • Consent of, and notice to, the data principal are mandatory requirements for a company before the collation of personal data. Among other requirements, such consent needs to be free, specific, informed, unconditional, and unambiguous. Withdrawal of consent by the data principal is possible.
  • Data processing by third parties is allowed only under valid contracts.

Key provisions and commonalities with other jurisdictional law: The DPDP Act encompasses various provisions aimed at protecting digital personal data, including stringent penalties for non-compliance and rights for data subjects to access, correct, and delete their personal information. Notably, the DPDP Act shares commonalities with GDPR, such as the obligations to obtain explicit consent; provide privacy notices; notify data breaches; honour the data privacy rights of an individual, which include the right to access, correct, delete, redress, and opt out; enter contracts with processors; and limit retention of personal data to the extent required.

Challenges for multinational companies: While the DPDP Act harmonizes India’s data protection norms with global standards, multinational companies operating in the country may need to review their current ways of working under the new regime. This applies especially to the personal data of employees, customers, suppliers, vendors etc., so as to honour their right to access, update and erase their personal data as and when required. There is a provision in the DPDP Act on the “significant data fiduciary”, which defines a set of parameters with a detailed realm of compliances. The DPDP Act has not defined the entities that fall under this category. The awaited Rules or subsequent Central Government notifications will provide the required clarity.

Challenges for local companies and organisations: Local companies and organizations that may not be well acquainted with the GDPR or other privacy laws must familiarize themselves with the new privacy law of India. They would be required to adhere to and implement its provisions, have mechanisms in place to record explicit consent of data individuals, have a privacy policy and statement, incorporate a grievance redressal mechanism for privacy complaints etc.

Protection of children’s data: A significant feature of the DPDP Act is its emphasis on safeguarding children’s personal data, reflecting a commitment to protect vulnerable groups. The DPDP Act lays down guidelines for data fiduciaries on the processing of children’s personal data. “Children” are defined as minors who are under 18 years of age. Data fiduciaries are forbidden to engage in any form of processing of children’s data that is “likely to cause any detrimental effect on the well-being of the child”. Hence, there is an obligation on the data fiduciary to ensure appropriate handling and mitigate risks associated with the use of children’s digital personal data trail.

Penalties: Violations of the DPDP Act attract a penalty ranging from a minimum of INR 10,000 (approx. $125) up to INR 250 Crores (approx. $30 Mn), depending on the nature of the breach.

Ethical responsibility: Beyond legal compliance, the DPDP Act highlights ethical principles such as transparency, fairness, and accountability in data processing activities. By laying down responsible data management practices, the Act fosters trust between organizations and individuals, which is essential for a data-driven economy to sustain.

Legal compliance and ethical considerations: Striking a balance between legal requirements and ethical considerations is crucial in implementing the DPDP Act effectively. While the law provides a regulatory framework, the ethical principles of an organisation act as a guide and compass in upholding individual rights and reinforce trust in its data handling practices.

The DPDP Act heralds a new era of data privacy law in India by safeguarding individual privacy rights in an increasingly digital and data-driven world. It attempts to bridge the gap between legal compliance and ethical responsibilities. By aligning with global standards while attempting to address unique challenges, the DPDP Act aims to provide confidence among citizens and businesses. This fosters a culture of responsible data management and ensures the protection of digital personal data. The effectiveness shall depend on robust enforcement and active compliance by organizations.

**Source: Digital Personal Data Protection Act 2023, Digital Personal Data Protection Act 2023.pdf (meity.gov.in)

About the Expert

Niveditha KS is Sr Consultant, Legal Counsel, Head of Regulatory, India, Dell Technologies

DISCLAIMER: This article represents the views of the author and not the company the author is associated with. The article’s content is for information and reading purposes only and is not meant as legal advice.
