Contributed by: Sumit Kochar, Anjali Dawar & Shivam Gera

In the ever-evolving landscape of data privacy and protection, India has taken a significant step forward with the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act). This landmark legislation is poised to reshape the way personal data is handled in the digital age, impacting businesses and individuals alike. In this article, we explore the core provisions of the DPDP Act, shedding light on its potential implications.

Background and the Scope of the DPDP Act

The DPDP Act is the culmination of extensive efforts and consultations aimed at addressing the challenges posed by the digital era. It builds upon previous drafts and public feedback, with a laser focus on digital personal data. Once fully implemented, it will supersede Section 43A of the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Key Provisions of the DPDP Act

  1. Applicability:
    • The DPDP Act exclusively applies to personal data, irrespective of its digital or non-digital origin.
    • It extends jurisdiction to digital personal data processed outside India if related to goods or services offered to Indian data principals (individuals).
    • Exceptions include personal data used for personal or domestic purposes and data made publicly available under legal obligations.
  2. Principles:
    • At its core, the DPDP Act emphasizes two essential principles: purpose limitation and collection limitation.
    • It mandates that personal data should only be processed for lawful purposes with explicit data principal consent, and data collection should be limited to what is necessary.
  3. Uniform Treatment of Personal Data:
    • In a notable departure from previous regulations, the DPDP Act treats all forms of personal data equally, eliminating sub-classifications like sensitive or critical personal data.
    • This uniform approach streamlines compliance requirements, ensuring consistency in data protection practices.
  4. Consent and Notice:
    • Consent plays a central role in data processing and must be freely given, specific, informed, unconditional, and unambiguous.
    • Data principals have the right to withdraw their consent easily, without affecting the legality of processing carried out before the withdrawal.
    • The DPDP Act mandates detailed notices to data principals, providing information about data collection, processing purposes, and instructions on exercising their rights, withdrawing consent, and filing complaints.
  5. Legitimate Uses (Processing Without Consent):
    • The DPDP Act introduces the concept of ‘legitimate uses’ in lieu of ‘deemed consent’ for specific instances where data processing without explicit consent is permissible.
    • These legitimate uses encompass various specified purposes, including responding to medical emergencies, fulfilling legal obligations, and providing services mandated by the state.
  6. Obligations of Data Fiduciaries:
    • Data fiduciaries bear the responsibility of ensuring compliance with the DPDP Act, including data processing conducted by third-party data processors.
    • They must maintain data accuracy and promptly delete personal data when consent is withdrawn or when the specified purpose no longer applies.
  7. Notification of Personal Data Breaches:
    • In the event of a personal data breach, data fiduciaries must notify the Data Protection Board (DPB) and affected data principals following prescribed procedures.
  8. Cross-Border Transfer of Personal Data:
    • The DPDP Act permits the transfer of personal data to foreign countries or territories, except those explicitly restricted by the Central Government.
    • If other laws or sectoral regulations provide higher data protection standards, those provisions take precedence.
  9. Significant Data Fiduciaries:
    • The Central Government has the authority to designate certain data fiduciaries as ‘significant,’ considering factors such as the volume and sensitivity of personal data processed, risks to data principal rights, and national security concerns.
    • Significant data fiduciaries are subject to additional compliance requirements, including the appointment of a data protection officer and an independent data auditor.
  10. Data of Children and Persons with Disabilities:
    • The DPDP Act mandates verifiable consent from a parent or lawful guardian for processing the personal data of children and individuals with disabilities.
    • It prohibits tracking or behavioral monitoring of children and processing of their data likely to harm their well-being.
    • The Act empowers the Central Government to grant exemptions for specific data processing activities involving children, subject to certain conditions.

Conclusion

The Digital Personal Data Protection Act, 2023, marks a significant milestone in India’s data protection landscape. Its comprehensive framework aims to safeguard the rights and privacy of data principals while establishing clear obligations for data fiduciaries. As this legislation is implemented and further refined through regulations, it is expected to shape the future of data privacy in India, ensuring a balance between innovation and the protection of personal data. Businesses operating in India will need to adapt swiftly to these new regulations, prioritizing data privacy and compliance to thrive in the evolving digital landscape. Stay informed and prepared as the DPDP Act, 2023, ushers in a new era of data protection in India.
