THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
INTRODUCTION
An Act to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
The DPDP Act is based on the following seven principles:
- The principle of consented, lawful and transparent use of personal data;
- The principle of purpose limitation – i.e. use of personal data only for the purpose specified at the time of obtaining the consent of the Data Principal;
- The principle of data minimisation – collection of only as much personal data as is necessary to serve the specified purpose;
- The principle of data accuracy – ensuring data is correct and updated;
- The principle of storage limitation – storing data only till it is needed for the specified purpose;
- The principle of reasonable security safeguards; and
- The principle of accountability (through adjudication of data breaches and breaches of the provisions of the DPDP Act, and imposition of penalties for such breaches).
The DPDP Act regulates the processing of personal data, which covers any set of manual or automated operations, performed wholly or partly, for the following activities:
- Collecting or recording personal data
- Organising, structuring, indexing, or storing personal data
- Retrieving or using personal data
- Adapting, aligning, or combining personal data
- Sharing or disclosing by transmission, dissemination, or otherwise making personal data available
- Restricting, erasing, or destroying personal data
CHAPTER I
Contains definitions and sets out the applicability of the Act.
Data: means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
Person: includes (i) an individual; (ii) a Hindu undivided family; (iii) a company; (iv) a firm; (v) an association of persons or a body of individuals, whether incorporated or not; (vi) the State; and (vii) every artificial juristic person, not falling within any of the preceding sub-clauses.
Personal data: means any data about an individual who is identifiable by or in relation to such data;
Digital personal data: means personal data in digital form.
Applicability: This Act shall apply to (a) the processing of digital personal data within the territory of India where the personal data is collected (i) in digital form, or (ii) in non-digital form and digitised subsequently; and (b) the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.
Non-applicability: This Act shall not apply to (i) personal data processed by an individual for any personal or domestic purpose; and (ii) personal data that is made or caused to be made publicly available by (A) the Data Principal to whom such personal data relates; or (B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
Data Principal: the individual to whom the personal data relates and, where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf;
CHAPTER II
Obligations of Data Fiduciary
Data Fiduciary: means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data, e.g. Amazon or a bank.
Processing of the personal data of a Data Principal: A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose (i.e. one not expressly forbidden by law):
(a) for which the Data Principal has given her consent; or
(b) for certain legitimate uses.
Consent of Data Principal: The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. The consequences of the withdrawal shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal.
“Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed.
Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.
The exemptions for processing personal data:
(i) the processing of personal data that is necessary for enforcing any legal right or claim;
(ii) the processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function;
(iii) personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India;
(iv) personal data of a Data Principal not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India;
(v) the processing is necessary for a scheme of compromise or arrangement, or merger or amalgamation of two or more companies, or reconstruction by way of demerger of a company, or transfer of undertaking of one or more companies to another, approved by a court or tribunal or other authority competent to do so by any law for the time being in force;
(vi) the processing to ascertain the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force;
(vii) the processing of personal data by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognisable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and
(viii) the processing necessary for research, archiving or statistical purposes, if the personal data is not to be used to make any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.
CHAPTER III
Rights and Duties of Data Principal
RIGHTS OF DATA PRINCIPAL:
- Right to access information about personal data – The Data Principal shall have the right to obtain from the Data Fiduciary:
(a) a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data;
(b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and
(c) any other information related to the personal data of such Data Principal and its processing, as may be prescribed.
- Right to correction and erasure of personal data – A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, in accordance with any requirement or procedure under any law for the time being in force.
- Right of grievance redressal – A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder.
- Right to nominate – A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder.
DUTIES OF DATA PRINCIPAL:
A Data Principal shall perform the following duties, namely:—
(a) comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;
(b) to ensure not to impersonate another person while providing her personal data for a specified purpose;
(c) to ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
(d) to ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and
(e) to furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.
CHAPTER IV
Special provisions: covers the processing of personal data outside India.
CHAPTER V
Data Protection Board of India
Covers the establishment of the Board, and the composition and qualifications for appointment of the Chairperson and Members.
CHAPTER VI
Powers, Functions and Procedure to be Followed by Board
CHAPTER VII
Appeal and Alternate Dispute Resolution
- (1) Any person aggrieved by an order or direction made by the Board under this Act may prefer an appeal before the Appellate Tribunal.
(2) Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed.
(3) The Appellate Tribunal may entertain an appeal after the expiry of the period specified in sub-section (2), if it is satisfied that there was sufficient cause for not preferring the appeal within that period.
(6) The appeal filed before the Appellate Tribunal under sub-section (1) shall be dealt with by it as expeditiously as possible and endeavour shall be made by it to dispose of the appeal finally within six months from the date on which the appeal is presented to it.
(7) Where any appeal under sub-section (6) could not be disposed of within the period of six months, the Appellate Tribunal shall record its reasons in writing for not disposing of the appeal within that period.
(8) Without prejudice to the provisions of section 14A and section 16 of the Telecom Regulatory Authority of India Act, 1997, the Appellate Tribunal shall deal with an appeal under this section in accordance with such procedure as may be prescribed.
(9) Where an appeal is filed against the orders of the Appellate Tribunal under this Act, the provisions of section 18 of the Telecom Regulatory Authority of India Act, 1997 shall apply.
- (1) An order passed by the Appellate Tribunal under this Act shall be executable by it as a decree of civil court, and for this purpose, the Appellate Tribunal shall have all the powers of a civil court.
CHAPTER VIII
Penalties and Adjudication
CHAPTER IX
Miscellaneous
- No civil court shall have the jurisdiction to entertain any suit or proceeding in respect of any matter for which the Board is empowered under the provisions of this Act and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power under the provisions of this Act.
PENALTY PRESCRIBED UNDER THE ACT
| Sl. No. | Breach of provisions of this Act or rules made thereunder | Penalty |
| --- | --- | --- |
| 01 | Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (5) of section 8. | May extend to two hundred and fifty crore rupees. |
| 02 | Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8. | May extend to two hundred crore rupees. |
| 03 | Breach in observance of additional obligations in relation to children under section 9. | May extend to two hundred crore rupees. |
| 04 | Breach in observance of additional obligations of Significant Data Fiduciary under section 10. | May extend to one hundred and fifty crore rupees. |
| 05 | Breach in observance of the duties under section 15. | May extend to ten thousand rupees. |
| 06 | Breach of any term of voluntary undertaking accepted by the Board under section 32. | Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted. |
| 07 | Breach of any other provision of this Act or the rules made thereunder. | May extend to fifty crore rupees. |