Digital Personal Data Protection Act 2023: Comprehensive Guide, Compliance And Penalties

Introduction:

In an age where information flows ceaselessly, safeguarding personal data has become paramount.The Digital Personal Data Protection Bill of 2023 (now Digital Personal Data Protection Act of 2023 is hereinafter referred to as “DPDP Act”), presented in Lok Sabha on August 3, 2023, by the Minister of Electronics & Information Technology, successfully passed the legislative process, by obtaining Presidential assent on 11th August 2023. 

Notably, previous iterations of Personal Data Protection Bills in 2019 and 2022, marked by numerous amendments and concerns such as data localisation, transparency, and compliance issues, were withdrawn by the Central Government.

The main objective of this Act is to establish a comprehensive framework for safeguarding and managing Personal Data as defined within the legislation. The said Act will apply to processing of digital personal data within the territory of India where the personal data is collected (i) in digital form; or (ii) in non-digital form and digitised subsequently. It will also apply to processing to digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods and services within the territory of India.[1]

Before dwelling into the much-asked question “What Compliances do businesses now have to comply with after the bill has been passed?” let us try understanding some basic terminologies for a better understanding of compliances.

Who is a Data Principal (DP)?

A customer, Sarah, signs up for an online shopping website ‘ShopSmart’ to buy a smartphone. Sarah is the Data Principal because she is the owner of her personal data, such as her name, email address, and purchase history. To provide personalised product recommendations, the website asks for her consent to use her browsing history. Sarah provides written authorisation for this specific purpose. Once Sarah revokes her consent ‘ShopSmart’ will have to stop using her data in that manner.[2]

Who is a Data Fiduciary?

            In the example mentioned above, the online shopping website i.e., ‘ShopSmart’, is the Data Fiduciary. They collect customer data, including names, addresses, and purchase preferences. Such data is also taken careby a Consent Manager, where customers can grant, manage, and withdraw consent for various data uses. The government evaluates ShopSmart’s operations and determines that they are handling a significant amount of sensitive data. Consequently, ‘ShopSmart’ is declared a Significant Data Fiduciary and must adhere to additional regulations.[3]

Who is a Data Processor?

A small marketing agency, “AdPro,” works with an e-commerce company (Data Fiduciary) to analyse customer data for targeted advertising campaigns. In this context, AdPro acts as a Data Processor. They process the data on behalf of the e-commerce company to help create personalised ads. While the terms “Data Fiduciary” and “Data Processor” may sometimes be used interchangeably, in this case, AdPro’s role is clearly defined as a processor of data provided by the e-commerce company.[4]

What is the Data Protection Board of India (DPBI)?

The Data Protection Board of India (DPBI) as established by the Central Government will oversee data protection matters. Suppose a government department collects personal information from citizens for tax purposes. DPBI ensures that this data is protected and not misused. If a citizen believes their data privacy has been breached by a government agency, they can file a complaint with DPBI. Appeals against DPBI decisions can be made to the High Court within 60 days of the board’s order, ensuring a fair and accountable process for data protection. Suo-Motu Cognisance by the High Court allows it to take action if it comes to the knowledge of the Court there’s any breach of personal data. Additionally, the DPDP Act restricts civil courts from interfering in matters governed by the Act to maintain consistency and prevent misuse of data-related legal proceedings.[5]

Compliances to be followed:

In an era characterised by pervasive data collection and processing, businesses hold a reservoir of personal information. Bringing businesses under this Act is paramount to establishing a robust compliance framework. It ensures that businesses adhere to stringent data protection standards, fostering trust among consumers. 

By imposing obligations on data handling, transparency, and accountability, the Act not only shields individuals from potential privacy infringements but also bolsters the overall integrity of digital commerce, promoting responsible data practices for a secure and ethical digital future.

Some of those business compliances are: 

  1. Notice Mechanism.
    1. Data Fiduciary must inform people about how they intend to use the Data Principal’s personal information/data.[6]For example: An e-commerce website must clearly state in its terms and conditions how it will use customer data, such as for order processing and marketing.
    2.  Individuals must willingly and knowingly agree to such data usage. For example: When users sign up for a social media platform, they must actively agree to the platform's privacy policy and data usage terms by clicking “I agree”.
    3. Once consent is given for a specific purpose, it cannot be used for anything else. For example, if a person agrees to share their email for a newsletter, it can’t be used for marketing calls or if a fitness app collects data for creating workout plans, it cannot use that data to target users with unrelated advertisements.
  2. Designation of Consent Manager.
    1. Consent Managers are registered with the DPBI and will be a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.[7]For example: The Consent Manager maintains a record of a user’s consent choices and can raise concerns if a service violates those choices.
    2. File complaints if needed and maintain records of when and why consent was given. For example: A Consent Manager keeps records of when a user agreed to share their location data with a ride-sharing app and can file a complaint if the app shares that data without permission.
  3. Roles of Fiduciaries and Processors.
    1. Businesses must distinguish between data fiduciaries (those who decide how data is used) and processors (those who do the actual data processing).[8] Example: A cloud storage company (data fiduciary) stores customer data, while a third-party analytics tool (data processor) processes the data to provide insights.
    2. Ensure both comply with the DPDP Act through clear data protection agreements. Likewise, the data fiduciary and processor sign a clear agreement outlining how data will be handled, ensuring both comply with data protection laws.
  4. Data Access and Portability.
    1. Allow individuals to access their own data and request copies of it.[9] Forexample: A social networking site allows users to download a copy of their profile data, including posts, photos, and messages.
    2. Provide a means for individuals to transfer their data to other service providers. For example: An email service enables users to easily transfer their email contacts to another email provider.
  5. Data Security Measures.[10]
    1. Businesses must use strong security measures like encryption and access controls to protect personal data. For example: A financial institution uses encryption to protect customer account information during online transactions.
    2. Regular security assessments are needed to prevent data breaches. For example: A healthcare provider conducts regular security assessments to identify vulnerabilities in its patient record system.
  6. Data Breach Notification.
    1. The Data Fiduciary will have to notify regulatory authorities and affected individuals promptly in case of a data breach[11]. For example: A retail company promptly informs affected customers and the data protection authority if a breach exposes customer credit card information.
    2. Take necessary actions to mitigate the impact of the breach. For example: In response to a data breach, a software company takes immediate steps to secure its systems and minimise potential damage.
  7. Data Privacy Evaluation.
    1. Create uniform privacy rules for your organisation to ensure consistency in data handling. For example: A multinational corporation establishes consistent data privacy guidelines across all its subsidiaries to ensure uniform data handling practices.
  8. Children’s Data Protection.
    1. Obtain parental consent before processing children’s data.[12]For example: An online gaming platform obtains parental consent before allowing children under 18 to create accounts. The technicality’s of how it will be implemented is still to be understood. 
    2. A Data Fiduciary is prohibited from engaging in tracking or behavioral monitoring of children or conducting targeted advertising aimed at children. For example: An advertising platform should avoid targeting ads to users identified as children under the age of 18.
  9. Compliance with Significant Data Fiduciary Designation.[13]
    1. The government can label certain businesses like a large online marketplace as a Significant Data Fiduciary due to the vast amount of sensitive customer data it handles based on data sensitivity and risks. 
    2. Such businesses must appoint a Data Protection Officer and Independent Data Auditors and perform Data Protection Impact Assessments (DPIA). For example: In response to the designation, the marketplace appoints a Data Protection Officer and conducts a Data Protection Impact Assessment to ensure compliance.
  10. Data Protection Officers (DPOs).
    1. Appoint a Data Protection Officer responsible for ensuring compliance with the law.[14] For example: Let’s assume that XYZ Corporation is an e-commerce giant, and designates one of its senior executives, John, as the Data Protection Officer (DPO). John will now be responsible for ensuring that XYZ Corporation complies with the DPDP Act. He ensures that customer data is handled securely and in accordance with the law. John also serves as a point of contact for data-related inquiries and concerns from both customers and regulatory authorities.
    2. Ensure DPOs have the necessary expertise and resources. The DPO should receive adequate training and should have access to cybersecurity resources to fulfill their role effectively.
  11. Data Protection Impact Assessments (DPIAs).[15]
    1. Conduct DPIAs for high-risk data processing activities. For example: A tech startup conducts privacy impact assessments to identify and address privacy risks in its new app. 
    2. Evaluate and mitigate privacy risks associated with such activities. For example: A healthcare provider conducts a DPIA before implementing a new patient records system to identify and mitigate potential privacy risks.
  12. Data Mapping and Audit.[16]
    1. Identify all instances where personal data is collected, managed, or transferred. Example: A software company conducts a thorough data mapping exercise to identify all instances where customer data is collected and stored.
    2. Regular data audits can reveal areas of non-compliance and improve data protection.
  13. Cross-Border Data Transfer and Extra-Territorial Applicability.[17]
    1. Data Fiduciaries must comply with rules for transferring data across borders. Example: An IT services company transfers customer data to a server located in another country and ensures it complies with both Indian and foreign data protection regulations.
    2. The Central Government can restrict the transfer of personal data by a Data Fiduciary to specific foreign countries or regions, through official notifications. For example, if concerns arise about data security, the Central Government may restrict a company from sending personal data to a particular foreign nation until adequate safeguards are in place.
    3. If other laws are stricter than the DPDP Act, then they take precedence. For example, if the Reserve Bank of India mandates data localisation, it overrides the DPDP Act.
  14. Data Retention and Deletion.[18]
    1. Establish data retention policies and delete data when it is no longer needed for the specified purpose. For Example: An online travel agency deletes customer booking data once the trip is completed and retains it only for a limited time for legal purposes.
    2. Comply with requests from individuals for data erasure. For Example: A social media platform allows users to delete their entire account and associated data upon request, as per the right to be forgotten.

What can be a Future Timeline for Businesses that may be helpful for structuring their Data Processing Policies:

It can broadly be divided into three phases:

  1. Three to six months:
  2. Conduct a Data Privacy Assessment to assess the present privacy posture and requirements.
  3. Create a data privacy framework to help your organisation’s data privacy program.
  4. Create a Data Privacy Organization to oversee the initiative.
  5. Data Exploration, categorisation, and Mapping exercise to locate and classify Personal Data touch points, structured and unstructured data throughout the environment.
  6. Create an inventory of assets that process personal information, as well as a comprehensive list of suppliers / third parties used for various reasons / delivering services.
  7. Six to twelve months:
    • Create/update pertinent policies and supporting practices to clarify the purpose and uniform approach to privacy and protection.
    • To determine the possible risk exposure, conduct Data Privacy Impact Assessments (DPIAs) for the high-risk in-scope business operations and apps.
    • Create systems for managing consent, protecting data principal rights, and reporting breaches.
  8. Twelve to Twenty-four months:
    • Use private technology enablers to handle your data governance chores automatically and to cut down on human labor.
    • Carry out outside certifications to show adherence to the Privacy Information Management System

The Schedule to the Digital Personal Data Protection, Act 2023, provides for penalties for non-compliance, and those are majorly:

  1. The Data Protection Board has the authority to impose fines of up to Rupees 250 crore on Data Fiduciaries for failing to follow their duty to take reasonable security precautions to avoid the compromise of personal data.
  2. Even a breach in failing to notify the Board or the Principal of the impacted data can attract a fine of upto Rupees 200 crore.  
  3. Data Principal Penalty: A breach in the performance of the obligations of Data Principal Non-Compliance would result in a fine of Rupees 10,000. 
  4. Breach of additional responsibilities with respect to children will result in a penalty of Rupees 200 crore.
  5. A breach in the performance of a significant data fiduciary’s additional obligations and noncompliance will result in a penalty of Rupees 150 crore.
  6. Breach of any other provision of this Act or the rules issued thereunder is punishable by a fine of Rupees 50 crore.

[1]As per Section 3 of the Digital Personal Data Protection Act 2023.

[2] As per Section 2(j) of Digital Personal Data Protection Act 2023, the Data Principal is the owner of the data. DP may be people or organizations whose data has to be protected. To generate and process the data, the DP must provide written authorization stating the intended use in detail. The consent may be revoked at any time, or its usage may be restricted, by DP.

[3] As per Section 2(i) of Digital Personal Data Protection Act 2023, the Data Fiduciary is an organization that gathers, stores, and shares data. In addition, a data fiduciary serves as a ‘Consent Manager’ who provides a platform that is publicly available and interoperable for DPs to grant, manage, evaluate, and withdraw consent. Any Data Fiduciary or group of Data Fiduciaries may be declared Significant Data Fiduciaries by the Central Government based on an evaluation of appropriate facts when they become operationally valuable.  

[4] As per Section 2(k)of Digital Personal Data Protection Act 2023, the Data Processor isa entity that manages data processing on behalf of a data fiduciary. In some small businesses, the terms “data fiduciary” and “data processor” may also be used interchangeably.

[5] As per Section 2(c)of Digital Personal Data Protection Act 2023, the Data Protection Board of India (DPBI) is to prevent breaches of personal data, it is essential for the government to both identify and protect any personal information it possesses or controls.

[6]Section 5 of the Digital Personal Data Protection Act 2023.

[7]Section 6 of the Digital Personal Data Protection Act 2023.

[8]Section 8 of the Digital Personal Data Protection Act 2023.

[9]Ibid.

[10]Section 8(4) Section 10of the Digital Personal Data Protection Act 2023.

[11]Section 8(6) of the Digital Personal Data Protection Act 2023.

[12]Section 9 of the Digital Personal Data Protection Act 2023.

[13]Section 10(1) of the Digital Personal Data Protection Act 2023.

[14]Section 10(2)(a) of the Digital Personal Data Protection Act 2023.

[15]Section 10(2)(c) of the Digital Personal Data Protection Act 2023.

[16]Ibid.

[17]Section 16 and 17 of the Digital Personal Data Protection Act 2023.

[18]Section 12 of the Digital Personal Data Protection Act 2023.

profile-image

Krrishan Singhania

Guest Author As a seasoned professional with comprehensive experience covering more than 20 years, Mr Krrishan Singhania has provided legal expertise in the areas of commerce, arbitration, shipping, oil and gas, power and aviation laws to national and international clients around the globe. As an expert in this field, he regularly presents lectures on Indian law and regulations in international conferences and fora.

Also Read

Stay in the know with our newsletter