The Legal Department at UJA is delighted to impart certain legal knowledge as construed under Legal Chronicle to keep the readers aware of the recent updates and developments that revolve around various aspects of the law. Our ultimate goal is to enable our readers to develop a sense of familiarity with the complexities of Indian as well as International Law.
With our proven expertise and knowledge, the Chronicle shall uncover the intricacies of various branches of law like International Law, Labour Law, Intellectual Property, Alternative Dispute Resolution, Business, and Corporate laws.
In this edition of Legal Chronicle, we have analyzed the important legal developments that extensively highlight distinct aspects of law and profoundly make arrangements to discuss the importance of Digital Personal Data Protection Act, 2023.
We hope that this edition creates a sense of enthusiasm for our readers and successfully delivers the plethora of legal knowledge as intended. In case you have any feedback or need us to include any information to make this issue more informative, please feel free to write to us at email@example.com
On August 3, 2023, the Digital Personal Data Protection Bill of 2023 was introduced, and received approval from both the Lower and Upper Houses of Parliament on August 7 and August 9, 2023, respectively. Following the Presidential assent and official gazette notification, this bill officially became law on August 11, 2023 .
Until now, the use of personal data was regulated under the Information Technology (IT) Act, 2000.
The Act does not cover personal data processed by individuals for personal or domestic purposes or publicly available data.
Means any data about an individual who is identifiable by or in relation to such data.
means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.
means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
Means the individual to whom the personal data relates to.
Means an individual appointed by a significant data fiduciary to undertake activities assigned within the Act
Data Principals maintain the right to access clear and easily understandable information about how their data is being processed. This also includes a right to obtain information about the identity of data processors and Data Fiduciaries with whom personal data was shared.
Data Fiduciaries are under an obligation to act upon the specific requests as received from the Data Principals which include (i) Correcting/updating inaccurate or misleading data, (ii) Correcting incomplete data (iii) Erasing the personal data unless it is mandated by law.
The data principal has the right to other individuals to exercise the provided rights in the event of death or incapacity of the Data Principal.
Data Principals are offered accessible grievance redressal mechanisms through Data Fiduciaries or consent managers, ensuring timely responses within specified time limits. Data Principals should use these mechanisms before escalating issues to higher authorities to encourage efficient dispute resolution. If unsatisfied with the redressal mechanism, Data Principals can approach the Data Protection Board.
Data Fiduciaries also have the option to challenge Board decisions at the Telecom Dispute Settlement and Appellate Tribunal (TDSAT) within 60 days, fostering accountability and resolution.
The most important obligation of a Data Fiduciary is to make reasonable efforts to ensure the accuracy and completeness of data and to build reasonable security safeguards to prevent a data breach. The obligations and Responsibilities of the Data Fiduciary are outlined below:
A Data Fiduciary shall be responsible for complying with the provisions of the legislation and the rules made there under in respect of any processing undertaken by it or on its behalf by a Data Processor.
A Data Fiduciary may engage, appoint, use, or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering goods or services to Data Principals only under a valid contract.
In cases where personal data processed by a Data Fiduciary is likely to be used to make a decision that affects the Data Principal or is to be disclosed to another Data Fiduciary, The Data Fiduciary processing such personal data shall ensure its completeness, accuracy, and consistency.
A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach. The Data Fiduciary shall implement appropriate technical and organizational measures to ensure the safety of data.
In the event there is a personal data breach, the Data Fiduciary shall give the Board and each affected party, intimation of such breach in such form and manner as may be prescribed.
The Data Fiduciary shall erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes.
A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who can answer on behalf of the Data Fiduciary for any questions raised about the data processing. Further, the Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals.
The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, based on an assessment of relevant factors as it may determine. These Significant Data Fiduciaries shall be required and be responsible for complying with additional obligations, which include appointing a Data Protection Officer, who shall represent the Significant Data Fiduciary.
The Significant Data Fiduciary shall appoint an independent data auditor to carry out the data audit, who shall evaluate the compliance of the Significant Data Fiduciary as prescribed.
The Significant Data Fiduciary shall undertake periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing personal data, assessment and management of the risk to the rights of the Data Principals.
The act allows cross-border data transfer under which the Data Fiduciaries can transfer Personal Data to countries outside India provided that such transfer to a specific country is restricted by the Government of India. Additionally, the other applicable laws in relation to the cross-border transfer shall maintain their applicability in the subject matter.
In the case of processing the personal data of children or of a person with a disability, the data fiduciary has to ensure that verifiable consent is obtained from the legal guardian or the parent of the child as the case may be. Data fiduciaries are prohibited from processing the personal data of children for tracking, targeted advertising, or behavioural monitoring. Any processing that is detrimental to the well-being of children is abstained by the act. The legislation also grants authority to the government to decide a lower limit age for the applicability of data in cases where verifiable safe processing is put through by the Data Fiduciary.
There are certain activities that are exempted from the obligations of crossborder data transfer, Obligations of Data Fiduciaries, and Data Principal’s Rights. These activities are laid down under the act for:
In the event there has been a breach of the provisions of the rules, the Board constituted under the provisions of this act, may impose monetary penalty for breach.
Nature of Breach
Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent a personal data breach.
Penalty may extend to two hundred and fifty (250) crore rupees.
A breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach.
Penalty may extend to two hundred (200) crore rupees.
Breach in observance of additional obligations in relation to children.
Penalty may extend to two hundred (200) crore rupees
Breach in observance of additional obligations of Significant Data Fiduciary
Penalty may extend to one hundred and fifty (150) crore rupees.
Breach in observance of the duties of the Data Principal.
Penalty may extend to ten (10) thousand rupees.
Breach of any term of voluntary undertaking accepted by the Board.
Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted. section 28 herein outlines the Procedure to be followed by the Board.
Breach of any other provision of Digital Personal Data Protection legislation or the rules made thereunder.
Penalty may extend to fifty (50) crore rupees.
While determining the amount of monetary penalty to be imposed, the Board shall have regard to the following factors:
The new legislation has introduced new terminology and provisions. It is essential that the organization and its stakeholders are aware of the provisions introduced by the new act.
It is advisable for an organization to undertake steps to strengthen its existing data protection framework or to create a new framework for data protection, this includes implementing data protection policies that align with the provisions of the Act, providing training to employees with reference to data protection and data processing.
Each organization to undertake reasonable steps to ensure data protection. This includes implementing security measures within the organization.
The new legislation states that a Data Fiduciary may engage, appoint, use, or otherwise involve a Data Processor to process personal data only under a valid contract. Thus, it is essential for organizations to ensure valid contracts are executed with Data processors.
In case of a Data breach, the Organization shall ensure to notify about the breach to all the relevant parties affected by such breach including concerned Government Authorities as early as possible.
In order to ensure that the Data collected or processed by the organization aligns with the provisions of the Act, the Organization shall conduct periodic audits of the data. Such audit shall provide an overview of any requests or grievances raised by the Data Principal, and the accuracy and completeness of the data.
The Company shall appoint a Data Protection Officer (DPO) that can formulate essential policies and procedures. These DPOs serve as contact points, responding to questions and issues raised by data principals.
The Digital Personal Data Protection Bill, 2023, raises significant concerns related to exemptions for the State, potentially allowing excessive data collection and processing that may infringe upon the right to privacy established in Supreme Court Judgment in Justice K.S. Puttaswamy vs. Union of India (2017), where the ‘Right to Privacy’ was recognized as a fundamental right within the ambit of the ‘Right to Life’ under Article 21 of the Indian Constitution. Following this landmark ruling, the Court recommended the Central Govt. to establish an act or regime for safeguarding Personal Data.
The Bill grants the central government the power to exempt government agencies from certain provisions, posing risks of extensive surveillance without requiring the deletion of personal data. It also lacks provisions to regulate potential harms arising from data processing and omits essential rights like data portability and the right to be forgotten. Additionally, the Bill’s approach to cross-border data transfer, the short-term appointments with the possibility of re-appointment for the Data Protection Board, and the definition of children as individuals under 18 raise apprehensions about the legislation’s comprehensiveness and effectiveness.
India’s proposed legislation diverges from other jurisdictions in several key aspects. Firstly, the bill excludes protection for data that individuals or others make publicly available, whereas global data protection norms typically impose obligations on publicly accessible data. Secondly, it introduces a pioneering feature by regulating consent managers, entities facilitating individuals in providing and managing consents across various businesses, which is a unique aspect in privacy laws. Thirdly, the bill permits flexible cross-border data flows and offshore data processing, differing from global frameworks by not setting specific conditions for such transfers. Lastly, in contrast to many international laws that differentiate treatment for children based on age groups, the bill uniformly treats all children under 18 alike, disregarding distinctions between those under 13 and those between 13 and 17 in terms of risks and harms.
The Act’s Schedule also outlines the penalties applicable for different offenses and violations stipulated within the Act. For example, non-compliance with obligations concerning children incurs a penalty of INR 200 Crore. Failure to implement security measures to prevent data breaches attracts a penalty of INR 250 Crore. Additionally, a breach in notifying the Board or the Data Principal of a Personal Data breach results in a penalty of INR 200 Crore.
Under this new legislation, companies and businesses engaged in any form of handling Personal Data are now required to establish a standardized operating procedure and provide training to their personnel. This is to ensure compliance with specific regulations, including collaboration with the Data Protection Officer designated by the Significant Data Fiduciary according to Section 10 of the Act. Other mandatory measures encompass appointing an Independent Data Auditor, implementing a consent management system for the collection, maintenance, tracking, and updating of individual consents, conducting assessments to safeguard data, and maintaining valid contracts with data processors, among other obligations.
However, the criteria for classifying companies and startups as Data Fiduciaries need further clarification, especially with regard to specific thresholds and eligibility criteria such as net worth, assets, size, number of personnel, and their qualifications.
Organizations should begin by evaluating their existing conditions and initiating the integration of data privacy within their operations. Creating an inventory of applications and data repositories containing personal data is crucial, followed by identifying the network of data processors currently in use. Developing preliminary versions of documents in alignment with the requirements of the DPDP Act, including policies, processes, notices, consents, and contractual clauses, is essential. Subsequently, organizations need to prepare finalized versions of these documents for approval, revising and updating data privacy policies and processes as needed. Generating content for privacy notices and consent procedures, along with defining standard contractual clauses for various agreements, including those with third parties, vendors, and service providers, is a critical step.
To uphold the rights outlined in the Act, organizations should devise consent mechanisms based on the application inventory gathered in earlier phases and design mechanisms for data principal rights. Establishing processes for managing data privacy breaches, including notifying stakeholders, is imperative, as is specifying data retention periods for different data categories. Additionally, organizations should assess, agree to, and implement data privacy technologies for enhanced data protection. Conducting communication and awareness programs for various stakeholders is crucial to ensure a collective understanding of data privacy measures. Lastly, staying informed about notifications and amendments issued by the Central Government is essential for organizations to adapt and comply with evolving data protection regulations.
On a positive note, the Bill demonstrates positive aspects, as it takes a principles-based approach, emphasizing outcomes over specific processes, thereby increasing its longevity and providing flexibility for businesses to achieve compliance. The light-touch and facilitative approach toward personal data protection is seen as advantageous, reflecting the government’s trust in the private sector to responsibly manage customer data. Furthermore, the streamlined framework is anticipated to attract global tech investments, with startups benefiting from exemptions of certain obligations, potentially fostering the growth and competitiveness of the startup ecosystem.
The Act represents a distinctive approach in protecting Personal Data, addressing long-standing needs amidst the rise in internet users, data generation, and cross-border trade. However, there is a perceived need for clarification on various implementation details, expected to be addressed with the establishment of the Data Protection Board of India and the issuance of Rules under the Act. Overall, the Act reflects India’s unique perspective on contemporary data protection, shaped by extensive post-draft consultations. While less detailed than the European Union’s GDPR, the Act necessitates a significant shift in how Indian businesses handle privacy and Personal Data, endorsing the government’s authority to regulate, retain, and monitor citizens’ personal information. As the implementation of specific sections is pending notification, it remains to be seen how the Courts interpret the broad empowering provisions and how the Act evolves.
This document is intended to provide general information and is not intended to be substituted for any legal or professional advice. This document is meant exclusively for informational purposes and not for advertising or solicitation. UJA has made significant efforts to ensure that the information contained in this document is accurate and reliable. However, the information herein is provided “as is” without warranty of any kind. UJA hereby disclaims all responsibility and liability, whether stated or implied, for the accuracy, validity, adequacy, reliability, or completeness of any information provided under this document. In no event shall UJA be held liable for any losses or damages whatsoever incurred as a result of using this document.