Legal Chronicle

September 2023

UJA | Legal Chronicle

Index

Dear Reader, 

The Legal Department at UJA is delighted to impart certain legal knowledge as construed under Legal Chronicle to keep the readers aware of the recent updates and developments that revolve around various aspects of the law. Our ultimate goal is to enable our readers to develop a sense of familiarity with the complexities of Indian as well as International Law.

With our proven expertise and knowledge, the Chronicle shall uncover the intricacies of various branches of law like International Law, Labour Law, Intellectual Property, Alternative Dispute Resolution, Business, and Corporate laws.

In this edition of Legal Chronicle, we have analyzed the important legal developments that extensively highlight distinct aspects of law and profoundly make arrangements to discuss the importance of Digital Personal Data Protection Act, 2023.

We hope that this edition creates a sense of enthusiasm for our readers and successfully delivers the plethora of legal knowledge as intended. In case you have any feedback or need us to include any information to make this issue more informative, please feel free to write to us at legal@uja.in

Introduction

On August 3, 2023, the Digital Personal Data Protection Bill of 2023 was introduced, and received approval from both the Lower and Upper Houses of Parliament on August 7 and August 9, 2023, respectively. Following the Presidential assent and official gazette notification, this bill officially became law  on August 11, 2023 .

Until now, the use of personal data was regulated under the Information Technology (IT) Act, 2000.

Scope

  • Information that can directly or indirectly identify an individual.
  • Data collected online, or (ii) collected offline and is digitized.
  • Processing of personal data outside India if it is for offering goods or services in India.

The Act does not cover personal data processed by individuals for personal or domestic purposes or publicly available data.

Important Definitions

a. Personal Data

Means any data about an individual who is identifiable by or in relation to such data.

b. Consent Manager

means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.

c. Data Fiduciary

means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. 

d. Data Principal

Means the individual to whom the personal data relates to.

d. Data Protection Officer ( DPO )

Means an individual appointed by a significant data fiduciary to undertake activities assigned within the Act

UJA | Legal Chronicle

Rights and Duties of Data Principal

Rights of Data Principal

a. Right to Access Information

Data Principals maintain the right to access clear and easily understandable information about how their data is being processed. This also includes a right to obtain information about the identity of data processors and Data Fiduciaries with whom personal data was shared. 

b. Right to seek correction and erasure of Personal Data

Data Fiduciaries are under an obligation to act upon the specific requests as received from the Data Principals which include (i) Correcting/updating inaccurate or misleading data, (ii) Correcting incomplete data (iii) Erasing the personal data unless it is mandated by law. 

c. Right to Nominate

The data principal has the right to other individuals to exercise the provided rights in the event of death or incapacity of the Data Principal. 

d. Right to Grievance Redressal

Data  Principals are offered accessible grievance redressal mechanisms through Data Fiduciaries or consent managers, ensuring timely responses within specified time limits. Data Principals should use these mechanisms before escalating issues to higher authorities to encourage efficient dispute resolution. If unsatisfied with the redressal mechanism, Data Principals can approach the Data Protection Board. 

Data Fiduciaries also have the option to challenge Board decisions at the Telecom Dispute Settlement and Appellate Tribunal (TDSAT) within 60 days, fostering accountability and resolution.

Duties of Data Principal:

  • Adhere to all current applicable laws while exercising rights under the Act.
  •  Avoid impersonating another individual while submitting personal data for a specific purpose.
  • Refrain from withholding any essential information while providing personal data for any State-issued document, unique identifier, proof of identity, or proof of address.
  • Abstain from lodging false or frivolous grievances or complaints with a Data Fiduciary orthe Board.
  • Provide only authenticated information when exercising the right to correction or erasure-under the Act or its related regulations.
Violation of the Data Principal’s duties is punishable with a penalty of up to Rs 10,000.
UJA | Legal Chronicle September -2023

General Obligations and Responsibilities of Data Fiduciary

The most important obligation of a Data Fiduciary is to make reasonable efforts to ensure the accuracy and completeness of data and to build reasonable security safeguards to prevent a data breach. The obligations and Responsibilities of the Data Fiduciary are outlined below: 

a. Compliance with the provisions of the Digital Data Protection Act

A Data Fiduciary shall be responsible for complying with the provisions of the legislation and the rules made there under in respect of any processing undertaken by it or on its behalf by a Data Processor.

b. Data Processing

A Data Fiduciary may engage, appoint, use, or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering goods or services to Data Principals only under a valid contract.

c. Ensuring Accuracy of Data

In cases where personal data processed by a Data Fiduciary is likely to be used to make a decision that affects the Data Principal or is to be disclosed to another Data Fiduciary, The Data Fiduciary processing such personal data shall ensure its completeness, accuracy, and consistency.

d. Safeguard Data

A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach. The Data Fiduciary shall implement appropriate technical and organizational measures to ensure the safety of data. 

e. Notifying a Data breach

In the event there is a personal data breach, the Data Fiduciary shall give the Board and each affected party, intimation of such breach in such form and manner as may be prescribed.

f. Erasure of Data

The Data Fiduciary shall erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes.

UJA | Legal Chronicle - Data Fiduciary-
g. Publish Necessary Information

A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who can answer on behalf of the Data Fiduciary for any questions raised about the data processing. Further, the Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals.

h. Significant Data Fiduciaries

The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, based on an assessment of relevant factors as it may determine. These Significant Data Fiduciaries shall be required and be responsible for complying with additional obligations, which include appointing a Data Protection Officer, who shall represent the Significant Data Fiduciary.

i. Data Auditor

The Significant Data Fiduciary shall appoint an independent data auditor to carry out the data audit, who shall evaluate the compliance of the Significant Data Fiduciary as prescribed.

j. Periodic Assessment

The Significant Data Fiduciary shall undertake periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing personal data, assessment and management of the risk to the rights of the Data Principals.

UJA | Legal Chronicle - Data Fiduciary

Cross-Border Data Transfer

The act allows cross-border data transfer under which the Data Fiduciaries can transfer Personal Data to countries outside India provided that such transfer to a specific country is restricted by the Government of India. Additionally, the other applicable laws in relation to the cross-border transfer shall maintain their applicability in the subject matter.

Processing of Personal Data of Children

In the case of processing the personal data of children or of a person with a disability, the data fiduciary has to ensure that verifiable consent is obtained from the legal guardian or the parent of the child as the case may be. Data fiduciaries are prohibited from processing the personal data of children for tracking, targeted advertising, or behavioural monitoring. Any processing that is detrimental to the well-being of children is abstained by the act. The legislation also grants authority to the government to decide a lower limit age for the applicability of data in cases where verifiable safe processing is put through by the Data Fiduciary.

Exemptions

There are certain activities that are exempted from the obligations of crossborder data transfer, Obligations of Data Fiduciaries, and Data Principal’s Rights. These activities are laid down under the act for:

  • Processing of personal data for enforcing legal rights or claims.
  • Processing of personal data by a judicial or quasi-judicial body for the performance of any judicial or regulatory duty.
  • Processing of personal data for prevention, detection, investigation, or prosecution of an offence.
  • Processing of personal data as a result of a contract with a foreign entity that involves the personal data of Data Principals outside of India.
  • Processing of personal data necessary for any Merger and Acquisition or any reconstruction of an organization undertaken and approved by the judicial body.
  • Processing of personal data for debt ascertainment and enforcement.
UJA | Legal Chronicle - Exemptions

Penalties

In the event there has been a breach of the provisions of the rules, the Board constituted under the provisions of this act, may impose monetary penalty for breach.

No.

Nature of Breach

Penalty

1

Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent a personal data breach.

Penalty may extend to two hundred and fifty (250) crore rupees.

2

A breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach.

Penalty may extend to two hundred (200) crore rupees.

3

Breach in observance of additional obligations in relation to children.

Penalty may extend to two hundred (200) crore rupees

4

Breach in observance of additional obligations of Significant Data Fiduciary

Penalty may extend to one hundred and fifty (150) crore rupees.

5

Breach in observance of the duties of the Data Principal.

Penalty may extend to ten (10) thousand rupees.

6

Breach of any term of voluntary undertaking accepted by the Board.

Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted. section 28 herein outlines the Procedure to be followed by the Board.

7

Breach of any other provision of Digital Personal Data Protection legislation or the rules made thereunder.

Penalty may extend to fifty (50) crore rupees.

While determining the amount of monetary penalty to be imposed, the Board shall have regard to the following factors:

  • the nature, gravity, and duration of the breach;
  • the type and nature of the personal data affected by the breach;
  • repetitive nature of the breach;
  • whether the person, as a result of the breach, has realized a gain or avoided any loss;
  • whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
  • whether the monetary penalty to be imposed is proportionate and effective;
  • the likely impact of the imposition of the monetary penalty on the person

Way Forward for Organizations to Ensure Compliance with the Act

a. Understanding the Legislation

The new legislation has introduced new terminology and provisions. It is essential that the organization and its stakeholders are aware of the provisions introduced by the new act.

b. Framework to strengthen the data privacy in the organization

It is advisable for an organization to undertake steps to strengthen its existing data protection framework or to create a new framework for data protection, this includes implementing data protection policies that align with the provisions of the Act, providing training to employees with reference to data protection and data processing.

c. Implement reasonable security measures

Each organization to undertake reasonable steps to ensure data protection. This includes implementing security measures within the organization.  

d. Contractual obligations

The new legislation states that a Data Fiduciary may engage, appoint, use, or otherwise involve a Data Processor to process personal data only under a valid contract.  Thus, it is essential for organizations to ensure valid contracts are executed with Data processors.

e. Notifying breach of Data

In case of a Data breach, the Organization shall ensure to notify about the breach to all the relevant parties affected by such breach including concerned Government Authorities as early as possible.

f. Periodic Audits

In order to ensure that the Data collected or processed by the organization aligns with the provisions of the Act, the Organization shall conduct periodic audits of the data. Such audit shall provide an overview of any requests or grievances raised by the Data Principal, and the accuracy and completeness of the data.

g. Appointment of Data Protection Officer

The Company shall appoint a Data Protection Officer (DPO) that can formulate essential policies and procedures. These DPOs serve as contact points, responding to questions and issues raised by data principals.

Expert’s Cubicle

Picture of Adv. Archana Dadhich
Adv. Archana Dadhich

HOD - Corporate & Commercial Law

Brief Analysis

The Digital Personal Data Protection Bill, 2023, raises significant concerns related to exemptions for the State, potentially allowing excessive data collection and processing that may infringe upon the right to privacy established in Supreme Court Judgment in Justice K.S. Puttaswamy vs. Union of India (2017), where the ‘Right to Privacy’ was recognized as a fundamental right within the ambit of the ‘Right to Life’ under Article 21 of the Indian Constitution. Following this landmark ruling, the Court recommended the Central Govt. to establish an act or regime for safeguarding Personal Data.

The Bill grants the central government the power to exempt government agencies from certain provisions, posing risks of extensive surveillance without requiring the deletion of personal data. It also lacks provisions to regulate potential harms arising from data processing and omits essential rights like data portability and the right to be forgotten. Additionally, the Bill’s approach to cross-border data transfer, the short-term appointments with the possibility of re-appointment for the Data Protection Board, and the definition of children as individuals under 18 raise apprehensions about the legislation’s comprehensiveness and effectiveness.

India’s proposed legislation diverges from other jurisdictions in several key aspects. Firstly, the bill excludes protection for data that individuals or others make publicly available, whereas global data protection norms typically impose obligations on publicly accessible data. Secondly, it introduces a pioneering feature by regulating consent managers, entities facilitating individuals in providing and managing consents across various businesses, which is a unique aspect in privacy laws. Thirdly, the bill permits flexible cross-border data flows and offshore data processing, differing from global frameworks by not setting specific conditions for such transfers. Lastly, in contrast to many international laws that differentiate treatment for children based on age groups, the bill uniformly treats all children under 18 alike, disregarding distinctions between those under 13 and those between 13 and 17 in terms of risks and harms.

The Act’s Schedule also outlines the penalties applicable for different offenses and violations stipulated within the Act. For example, non-compliance with obligations concerning children incurs a penalty of INR 200 Crore. Failure to implement security measures to prevent data breaches attracts a penalty of INR 250 Crore. Additionally, a breach in notifying the Board or the Data Principal of a Personal Data breach results in a penalty of INR 200 Crore.

Under this new legislation, companies and businesses engaged in any form of handling Personal Data are now required to establish a standardized operating procedure and provide training to their personnel. This is to ensure compliance with specific regulations, including collaboration with the Data Protection Officer designated by the Significant Data Fiduciary according to Section 10 of the Act. Other mandatory measures encompass appointing an Independent Data Auditor, implementing a consent management system for the collection, maintenance, tracking, and updating of individual consents, conducting assessments to safeguard data, and maintaining valid contracts with data processors, among other obligations.

However, the criteria for classifying companies and startups as Data Fiduciaries need further clarification, especially with regard to specific thresholds and eligibility criteria such as net worth, assets, size, number of personnel, and their qualifications.

The Path Ahead for Organizations Involves A Comprehensive Approach to Data Privacy

Organizations should begin by evaluating their existing conditions and initiating the integration of data privacy within their operations. Creating an inventory of applications and data repositories containing personal data is crucial, followed by identifying the network of data processors currently in use. Developing preliminary versions of documents in alignment with the requirements of the DPDP Act, including policies, processes, notices, consents, and contractual clauses, is essential. Subsequently, organizations need to prepare finalized versions of these documents for approval, revising and updating data privacy policies and processes as needed. Generating content for privacy notices and consent procedures, along with defining standard contractual clauses for various agreements, including those with third parties, vendors, and service providers, is a critical step.

To uphold the rights outlined in the Act, organizations should devise consent mechanisms based on the application inventory gathered in earlier phases and design mechanisms for data principal rights. Establishing processes for managing data privacy breaches, including notifying stakeholders, is imperative, as is specifying data retention periods for different data categories. Additionally, organizations should assess, agree to, and implement data privacy technologies for enhanced data protection. Conducting communication and awareness programs for various stakeholders is crucial to ensure a collective understanding of data privacy measures. Lastly, staying informed about notifications and amendments issued by the Central Government is essential for organizations to adapt and comply with evolving data protection regulations.

On a positive note, the Bill demonstrates positive aspects, as it takes a principles-based approach, emphasizing outcomes over specific processes, thereby increasing its longevity and providing flexibility for businesses to achieve compliance. The light-touch and facilitative approach toward personal data protection is seen as advantageous, reflecting the government’s trust in the private sector to responsibly manage customer data. Furthermore, the streamlined framework is anticipated to attract global tech investments, with startups benefiting from exemptions of certain obligations, potentially fostering the growth and competitiveness of the startup ecosystem.

The Act represents a distinctive approach in protecting Personal Data, addressing long-standing needs amidst the rise in internet users, data generation, and cross-border trade. However, there is a perceived need for clarification on various implementation details, expected to be addressed with the establishment of the Data Protection Board of India and the issuance of Rules under the Act. Overall, the Act reflects India’s unique perspective on contemporary data protection, shaped by extensive post-draft consultations. While less detailed than the European Union’s GDPR, the Act necessitates a significant shift in how Indian businesses handle privacy and Personal Data, endorsing the government’s authority to regulate, retain, and monitor citizens’ personal information. As the implementation of specific sections is pending notification, it remains to be seen how the Courts interpret the broad empowering provisions and how the Act evolves. 

Disclaimer

This document is intended to provide general information and is not intended to be substituted for any legal or professional advice. This document is meant exclusively for informational purposes and not for advertising or solicitation. UJA has made significant efforts to ensure that the information contained in this document is accurate and reliable. However, the information herein is provided “as is” without warranty of any kind. UJA hereby disclaims all responsibility and liability, whether stated or implied, for the accuracy, validity, adequacy, reliability, or completeness of any information provided under this document. In no event shall UJA be held liable for any losses or damages whatsoever incurred as a result of using this document.

Our Team

Meet Our Experts

Download PDF

Download PDF

Hello, how may we help you?