Digital Personal Data Protection Act, 2023 (‘DPDPA’): Benefits, Challenges & Key Takeaways

 


Introduction

The Digital Personal Data Protection Act, 2023 (also known as the DPDP Act or DPDPA-2023) is a new law that aims to protect the privacy and security of the digital personal data of individuals in India. The DPDPA was passed by the Parliament of India on August 11, 2023, formally enacted by the President of India on August 15, 2023, and will come into force on January 1, 2024. It is India’s first-ever privacy Act, and it establishes a dedicated legal framework for processing digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such data for lawful purposes. The Act also creates a regulatory body called the Data Protection Board of India (DPBI), which will be responsible for enforcing the law and protecting the rights of individuals.

 

Salient Features and Key Takeaways

The DPDPA has several salient features and key takeaways that are important to know. Some of them are:

  • Definition of digital personal data: The DPDPA defines digital personal data as any information that can directly or indirectly identify an individual. It applies to the processing of such data within India, as well as outside India if it relates to offering goods or services to individuals in India.

  • Data protection principles and rights: The DPDPA establishes data protection principles, such as consent, purpose limitation, data minimisation, accuracy, storage limitation, security, and accountability. It also grants certain rights to individuals, such as access, correction, erasure, grievance redressal, and nomination of a representative.

  • Obligations of Data Fiduciaries: The DPDPA imposes obligations on Data Fiduciaries, which are persons or entities that determine the purpose and means of processing personal data. Some data fiduciaries may be classified as Significant Data Fiduciaries based on the volume or sensitivity of the data they process. They will have to comply with additional requirements, such as appointing a data protection officer, conducting data protection impact assessments, and undergoing data audits.

  • Regulatory Body and Enforcement: The DPDPA creates a regulatory body called the Data Protection Board of India (‘DPBI’), which will be responsible for enforcing the law and protecting the rights of individuals. The DPBI will have the power to issue directions, orders, codes of practice, and guidelines. It will also adjudicate complaints and impose penalties for non-compliance.

  • Penalties for non-compliance: The DPDPA provides for penalties ranging from Rs. 10 thousand to Rs. 250 crore, depending on the nature and severity of the breach. The penalties will be determined by the DPBI after giving an opportunity of hearing to the person concerned. The DPBI will consider factors such as the gravity, duration, type, and impact of the breach, as well as the actions taken to mitigate and prevent it.

  • Exemptions for certain categories: The DPDPA also provides for exemptions for certain categories of personal data processing, such as for personal or domestic purposes, for journalistic or artistic purposes, for research or statistical purposes, or for state functions related to security, public order, prevention of offences, etc.


Impact on Businesses and Organisations

The DPDPA is expected to have a significant impact on businesses and organisations that process digital personal data in India or offer goods or services to individuals in India. They will have to ensure compliance with the law and adopt appropriate measures to protect personal data. Some of the steps that they can take are:

  • Review their current data processing activities: They should review their current data processing activities and identify the types and sources of personal data they collect, store, use, share, or transfer.

  • Obtain valid consent from individuals: They should obtain valid consent from individuals before processing their personal data, unless exempted by the law. They should provide clear and transparent notice about the purpose, manner, and duration of processing.

  • Implement reasonable security safeguards: They should implement reasonable security safeguards to prevent personal data breaches and notify the DPBI and affected individuals in case of any breach.

  • Respect the rights of individuals: They should respect the rights of individuals and provide them with access to their personal data, as well as options to correct, update, or erase it.

  • Designate a data protection officer: They should designate a data protection officer if they are a significant data fiduciary and ensure that they perform their duties as per the law.

  • Conduct data protection impact assessments: They should conduct data protection impact assessments for any new or significant data processing activities that may pose a risk to individuals’ privacy or rights.

  • Undergo periodic data audits: They should undergo periodic data audits by an independent auditor approved by the DPBI and submit audit reports to the DPBI.


Benefits for Common Citizens

The DPDPA is also expected to benefit common citizens by enhancing their control over their digital personal data and protecting their privacy and rights. Some of the benefits are:

  • More choice and consent: They will have more choice and consent over how their personal data is processed by various entities.

  • More access and information: They will have more access and information about their personal data and how it is used or shared by different entities.

  • More options and remedies: They will have more options and remedies to correct, update, or erase their personal data if they wish to do so.

  • More avenues and mechanisms: They will have more avenues and mechanisms to raise grievances and complaints against any entity that violates their privacy or rights.

  • More assurance and confidence: They will have more assurance and confidence that their personal data is secure and protected by law.


Conclusions

In short, the Digital Personal Data Protection Act, 2023 is a landmark piece of legislation that aims to safeguard the personal data of citizens and promote responsible data management practices in India. It sets out data protection principles, rights, obligations, penalties, and exemptions for various categories of personal data processing. It also aligns with Indian Prime Minister Narendra Modi’s vision of creating more opportunities for young Indians while protecting their rights in the digital era.


Blog Author| Sameer Srivastava [Ex-Deputy Director, UIDAI-AADHAAR]

