This official document outlines India’s Digital Personal Data Protection Act, 2023, a comprehensive law enacted to regulate the processing of digital personal data. The Act aims to balance individual data protection rights with the necessity of processing such data for lawful purposes. It defines key terms like Data Fiduciary and Data Principal, establishes the Data Protection Board of India to oversee compliance, and details the obligations of data fiduciaries, including obtaining consent and implementing security safeguards. Crucially, the document also specifies the rights and duties of data principals, such as the right to information, correction, and grievance redressal, and outlines penalties for breaches of the Act’s provisions.
Summary
This briefing summarises the key provisions and themes of India’s Digital Personal Data Protection Act, 2023 (No. 22 of 2023), which received presidential assent on 11 August 2023. The Act aims to balance “the right of individuals to protect their personal data and the need to process such personal data for lawful purposes”.
1. Scope and Application of the Act
Digital Personal Data: The Act specifically applies to “personal data in digital form” and personal data collected in non-digital form that is subsequently digitised.
Territorial Application: It applies to processing of digital personal data within India. It also extends to processing outside India if it’s “in connection with any activity related to offering of goods or services to Data Principals within the territory of India.”
Exemptions:
Personal/Domestic Use: The Act “shall not apply to personal data processed by an individual for any personal or domestic purpose”.
Publicly Available Data: It also doesn’t apply to personal data “made or caused to be made publicly available by the Data Principal” or by “any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.” An illustration provides the example of an individual blogging their views and publicly making their personal data available on social media.
Government Exemptions: Certain provisions can be exempted for State instrumentalities in the interest of “sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence”.
Research/Archiving/Statistical Purposes: Exemptions apply if data is not used for specific decisions about a Data Principal and processed according to prescribed standards.
Startup Exemptions: The Central Government can notify certain Data Fiduciaries, including startups, for whom specific sections (e.g., notice requirements, significant data fiduciary obligations) may not apply.
Legal & Public Interest Exemptions: Processing necessary for enforcing legal rights or claims, judicial or regulatory functions, the prevention, detection or investigation of offences, or certain financial institution activities is also exempted.
2. Key Definitions and Roles
The Act establishes several critical definitions:
Data Principal: “the individual to whom the personal data relates”. For children or persons with disabilities, this includes their parents or lawful guardians.
Data Fiduciary: “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”.
Data Processor: “any person who processes personal data on behalf of a Data Fiduciary”.
Significant Data Fiduciary: A Data Fiduciary notified by the Central Government based on factors like “volume and sensitivity of personal data processed,” “risk to the rights of Data Principal,” and “potential impact on the sovereignty and integrity of India.” These fiduciaries have additional obligations.
Consent Manager: “a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform”.
Digital Personal Data: “personal data in digital form”.
Personal Data Breach: “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data”.
Processing: A “wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”.
Lawful Purpose: “any purpose which is not expressly forbidden by law.”
3. Obligations of Data Fiduciaries
Data Fiduciaries bear significant responsibilities:
Lawful Processing: Personal data can only be processed “for a lawful purpose,” either with the Data Principal’s consent or for “certain legitimate uses.”
Notice and Consent:
Requests for consent must be “accompanied or preceded by a notice” informing the Data Principal of the data to be processed, the purpose, and how to exercise their rights.
The notice and consent request must be in “clear and plain language,” with an option to access it in English or any language specified in the Eighth Schedule to the Constitution.
Consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.” An example clarifies that consent for a telemedicine app does not extend to accessing contact lists if not necessary for the service.
Invalid consent: Any part of consent infringing the Act or other laws is invalid. An example notes that waiving the right to complain to the Board is invalid.
Withdrawal of Consent: Data Principals have the right to withdraw consent “at any time, with the ease of doing so being comparable to the ease with which such consent was given.” Upon withdrawal, the Data Fiduciary must “cease and cause its Data Processors to cease processing the personal data” unless otherwise authorised by law.
Data Accuracy & Security: Data Fiduciaries must ensure the “completeness, accuracy and consistency” of personal data used for decisions affecting the Data Principal or shared with others. They must “implement appropriate technical and organisational measures to ensure effective observance” of the Act and “take reasonable security safeguards to prevent personal data breach.”
Breach Notification: In the event of a personal data breach, the Data Fiduciary must notify “the Board and each affected Data Principal”.
Data Erasure: Personal data must be erased “upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier,” unless retention is necessary for legal compliance.
Grievance Redressal: Data Fiduciaries must “establish an effective mechanism to redress the grievances of Data Principals” and publish contact information for a Data Protection Officer or other authorised person.
Accountability: Data Fiduciaries are “responsible for complying with the provisions of this Act…in respect of any processing undertaken by it or on its behalf by a Data Processor.”
Processing Children’s Data:
Requires “verifiable consent of the parent” or lawful guardian.
Prohibits processing “likely to cause any detrimental effect on the well-being of a child.”
Forbids “tracking or behavioural monitoring of children or targeted advertising directed at children.”
The Central Government may notify exemptions for certain Data Fiduciaries who ensure “verifiably safe” processing of children’s data, allowing them to be exempt from certain obligations for specific age groups.
4. Obligations of Significant Data Fiduciaries
Beyond general obligations, Significant Data Fiduciaries must:
Appoint a Data Protection Officer: This officer must be based in India, responsible to the Board of Directors, and act as the contact for grievance redressal.
Appoint an Independent Data Auditor: To evaluate compliance with the Act.
Undertake Periodic Data Protection Impact Assessments: This process involves describing Data Principals’ rights, the purpose of processing, and assessing/managing risks.
Conduct Periodic Audits.
5. Rights and Duties of Data Principals
The Act grants Data Principals several rights:
Right to Information: Data Principals can request “a summary of personal data which is being processed,” “the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared,” and other related information. This right has exceptions for law enforcement/investigation purposes.
Right to Correction and Erasure: Data Principals have the right to “correction, completion, updating and erasure of her personal data.” Erasure is granted unless retention is necessary for the specified purpose or legal compliance.
Right of Grievance Redressal: Data Principals must have “readily available means of grievance redressal” provided by the Data Fiduciary or Consent Manager. Grievances must be responded to within a prescribed period, and Data Principals must exhaust this channel before approaching the Data Protection Board.
Right to Nominate: Data Principals can nominate another individual to exercise their rights in case of their death or “incapacity” (unsoundness of mind or bodily infirmity).
The Act also outlines duties for Data Principals:
Compliance with Laws: To “comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act.”
Authenticity: Not to impersonate others, suppress material information for official documents, or register false/frivolous complaints. They must “furnish only such information as is verifiably authentic” when seeking correction or erasure.
6. Data Protection Board of India
A central feature of the Act is the establishment of the Data Protection Board of India.
Establishment: To be established by the Central Government, it will be a body corporate with perpetual succession and a common seal.
Composition: Consists of a Chairperson and other Members appointed by the Central Government. Members must possess “special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation.” At least one member must be a legal expert.
Powers and Functions:
Inquiry and Penalties: The Board can inquire into personal data breaches, breaches of Data Fiduciary or Consent Manager obligations, and impose penalties as per the Schedule. This includes breaches related to children’s data and Significant Data Fiduciary obligations.
Directions: It can issue “urgent remedial or mitigation measures” in case of a breach and other necessary directions, which persons are bound to comply with. These directions can be modified, suspended, withdrawn, or cancelled.
Digital Functioning: The Board shall function as an “independent body” and, “as far as practicable, function as a digital office, with the receipt of complaints and the allocation, hearing and pronouncement of decisions in respect of the same being digital by design”.
Civil Court Powers: For inquiries, the Board has powers equivalent to a civil court, including summoning witnesses, receiving evidence, and inspecting documents.
Voluntary Undertakings: The Board can accept voluntary undertakings from persons regarding compliance, which can bar further proceedings unless the undertaking is breached.
Penalties: If a breach is “significant,” the Board may impose monetary penalties as specified in the Schedule, taking into account factors like the “nature, gravity and duration of the breach,” “type and nature of the personal data affected,” and “repetitive nature of the breach.” Penalties range from ₹10,000 for breach of Data Principal duties to ₹250 crore for failure to take reasonable security safeguards.
7. Appeal and Dispute Resolution
Appellate Tribunal: Any person aggrieved by a Board order or direction can appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which is now designated as the Appellate Tribunal for this Act.
Timelines: Appeals must be filed within 60 days, with provision for entertaining appeals after this period if sufficient cause is shown.
Digital Functioning: The Appellate Tribunal shall also, “as far as practicable, function as a digital office” for appeals under this Act.
Mediation: The Board may direct parties to attempt dispute resolution through mediation.
8. Miscellaneous Provisions
Supremacy of the Act: “In the event of any conflict between a provision of this Act and a provision of any other law for the time being in force, the provision of this Act shall prevail to the extent of such conflict.”
Central Government Powers: The Central Government can restrict data transfer outside India, call for information from the Board or Data Fiduciaries, and issue directions to block public access to information from Data Fiduciaries that have repeatedly incurred penalties.
Good Faith Protection: Protection is granted for actions taken in good faith by the Central Government, the Board, and its members/employees.
Amendments to Other Acts: The Act amends existing legislation:
Telecom Regulatory Authority of India Act, 1997: Designates the Appellate Tribunal under this Act to also hear appeals under the Digital Personal Data Protection Act, 2023.
Information Technology Act, 2000: Section 43A (dealing with compensation for failure to protect data) is omitted, and an amendment to Section 81 clarifies that the DPDP Act prevails in cases of conflict.
Right to Information Act, 2005: Clause (j) of sub-section (1) of section 8, which dealt with “personal information” as an exemption, is substituted to state simply “information which relates to personal information.” This suggests a potential narrowing or clarification of what personal information can be exempt from RTI disclosure.