THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
History of DPDPA:
Scope and Applicability of DPDPA:
AGENDA:
CHAPTER I: PRELIMINARY
· Short Title and Commencement
· Definitions
· Application of Act
CHAPTER II: OBLIGATIONS OF DATA FIDUCIARY
· Grounds for processing personal data
· Consent
· Certain legitimate uses
· Processing of personal data of children
· Additional obligations of Significant Data Fiduciary
CHAPTER III: RIGHTS AND DUTIES OF DATA PRINCIPAL
· Right to access information about personal data
· Right of grievance redressal
· Right to nominate
· Duties of Data Principal
CHAPTER IV: SPECIAL PROVISIONS
· Processing of personal data outside India
· Exemptions
CHAPTER V: DATA PROTECTION BOARD OF INDIA
· Establishment of Board
· Composition and qualifications for appointment of Chairperson and Members
· Salary, allowances payable to and term of office
· Disqualifications for appointment and continuation as Chairperson and Members of Board
· Resignation by Members and filling of vacancy
· Officers and employees of Board
· Members and officers to be public servants [45 of 1860]
· Powers of Chairperson
CHAPTER VI: POWERS, FUNCTIONS AND PROCEDURE TO BE FOLLOWED BY BOARD
· Powers and functions of Board
· Procedure to be followed by Board
CHAPTER VII: APPEAL AND ALTERNATE DISPUTE RESOLUTION
· Appeal to Appellate Tribunal
· Orders passed by Appellate Tribunal to be executable as decree
· Alternate dispute resolution
· Voluntary undertaking
CHAPTER VIII: PENALTIES AND ADJUDICATION
· Penalties
· Crediting sums realised by way of penalties to Consolidated Fund of India
CHAPTER IX: MISCELLANEOUS
· Protection of action taken in good faith
· Power to call for information
· Power of Central Government to issue directions
· Consistency with other laws
· Bar of jurisdiction
· Power to make rules
· Laying of rules and certain notifications
· Power to amend Schedule
· Power to remove difficulties
· Amendments to certain Acts
Grounds for Penalty:
BREACH SUMMARY (THE SCHEDULE)
1. Breach Type: Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (5) of section 8.
   Penalty: May extend to two hundred and fifty crore rupees.
2. Breach Type: Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8.
   Penalty: May extend to two hundred crore rupees.
3. Breach Type: Breach in observance of additional obligations in relation to children under section 9.
   Penalty: May extend to two hundred crore rupees.
4. Breach Type: Breach in observance of additional obligations of Significant Data Fiduciary under section 10.
   Penalty: May extend to one hundred and fifty crore rupees.
5. Breach Type: Breach in observance of the duties under section 15.
   Penalty: May extend to ten thousand rupees.
6. Breach Type: Breach of any term of voluntary undertaking accepted by the Board under section 32.
   Penalty: Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted.
7. Breach Type: Breach of any other provision of this Act or the rules made thereunder.
   Penalty: May extend to fifty crore rupees.
Key Highlights:
Key Definitions:
1. Data: means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;
2. Data Principal: means the individual to whom the personal data relates and where such individual is
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf;
3. Rights:
i. The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed
ii. Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.
iii. Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.
4. Duties of Data Principal:
i. "specified purpose" means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act and the rules made thereunder.
ii. The provisions of this Act also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;
iii. A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose.
iv. Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her
v. The Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.
vi. The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
vii. The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal.
viii. If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.
ix. The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
x. Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.
xi. The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not for such time period as may be prescribed, and different time periods may be prescribed for different classes of Data Fiduciaries and for different purposes.
5. Data Fiduciary:
· means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
6. Consent Manager:
· means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give,
7. Data Protection Officer:
· "Data Protection Officer" means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10;
(a) appoint a Data Protection Officer who shall
(i) represent the Significant Data Fiduciary under the provisions of this Act;
(ii) be based in India;
(iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and
(iv) be the point of contact for the grievance redressal mechanism under the provisions of this Act;
8. Data Processor:
· means any person who processes personal data on behalf of a Data Fiduciary;
9. Personal Data:
· means any data about an individual who is identifiable by or in relation to such data.
10. Processing:
· in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;
11. Loss:
i) a loss in property or interruption in supply of services, whether temporary or permanent; or
ii) a loss of opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration;
12. Gain:
i) a gain in property or supply of services, whether temporary or permanent; or
ii) an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration;
Grounds for Processing:
· A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose. For the purposes of this section, the expression "lawful purpose" means any purpose which is not expressly forbidden by law.
· Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her
Consent:
1. The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
2. Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement.
3. Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.
4. Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.
5. The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal.
6. If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.
7. The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
8. The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed.
9. Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.
10. Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.
11. A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:
Obligations of Data Fiduciary:
· A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.
· A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.
· Where personal data processed by a Data Fiduciary is likely to be the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency.
Significant Data Fiduciary:
· means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10;
Cross Border Data Transfer:
The DPDP Act allows for cross border transfers of personal data for processing by Data Fiduciaries. However, under Section 16 of the DPDP Act, the Central Government can restrict the countries or territories outside India to which the data can be transferred. The proposed Bill states that the Central Government would conduct an assessment of factors, and notify countries to which data fiduciaries would transfer the personal information. The factors are yet to be ascertained. Organizations need to conduct a Transfer Impact Assessment to assess and analyze whether the third parties / vendors have appropriate measures incorporated to protect the personal data. The best practice is to ensure that organizations have Data Processing Agreements in place, in case of any such transfer of personal data beyond India.
Further, the provisions of Chapter II (except sub-sections (1) and (5) of Section 8), Chapter III and Section 16 of the DPDP Act will NOT apply to processing of personal data (i.e. exemptions).
I. No provisions for data localization requirements
II. No provision of derogation for specific situations
III. No provision for Data Fiduciary to implement appropriate safeguards
IV. The Central Government would conduct an assessment of factors to which data fiduciaries would transfer personal information. The factors are yet to be ascertained.
Data Protection Board of India (Independent body):
1. With effect from such date as the Central Government may, by notification, appoint, there shall be established, for the purposes of this Act, a Board to be called the Data Protection Board of India.
2. The Board shall be a body corporate by the name aforesaid, having perpetual succession and a common seal, with power, subject to the provisions of this Act, to acquire, hold and dispose of property, both movable and immovable, and to contract and shall, by the said name, sue or be sued.
3. The headquarters of the Board shall be at such place as the Central Government may notify.
References:
DPDPA-2023 PDF link:
1) https://egazette.gov.in/WriteReadData/2023/248045.pdf
2) https://en.wikipedia.org/wiki/Digital_Personal_Data_Protection_Act,_2023
Key Definitions:
Data: Represents information, facts, concepts, opinions, or instructions suitable for communication or processing by humans or automated means.
Data Principal: The individual to whom personal data relates, including parents or guardians if the individual is a child or has a disability.
Rights:
· Data Principals have the right to obtain information from Data Fiduciaries based on consent.
· Consent requests must be clear, plain, and available in specified languages.
· Data Principals can withdraw consent easily.
Duties of Data Principal:
· Processing must align with specified purposes.
· Applies even to digital personal data processed outside India.
· Consent requests must be accompanied by notices.
· Data Fiduciaries can continue processing until consent withdrawal.
· Consent must be free, specific, informed, unconditional, and unambiguous.
Visit the YouTube video on this article:
YouTube video name: "Unveiling the Digital Personal Data Protection Act, 2023: A New Era of Privacy"
About Me
Greetings from Anil Patil! With over 14+ years of solid experience in the realm of Cyber Security & InfoSec, I've been helping top entities in the BFSI, IT, FinTech, Payments, and Healthcare sectors hone their Vulnerability Management and Penetration Testing strategies. Equipped with my CERTIFIED ONETRUST FELLOW OF PRIVACY TECHNOLOGY, I have a proven track record in conducting internal and external Penetration Testing and delivering high-impact audit reports.
As a seasoned Cybersecurity Specialist, I've audited 1500+ web applications abiding by world-class standards like OWASP Top 10, SANS Top 25, NIST, CIS, and many more. Well-versed with GDPR, PCI-DSS, ISO 27001 and other intricate regulatory requirements, I comprehend the vital processes to safeguard data and fortify security walls.
With proficient use of top-notch tools such as Nessus, QualysGuard, NeXpose, Metasploit Pro, Burp Suite and others, I can scrutinize system vulnerabilities and grasp the imminent security threats with accuracy. I believe in adapting to evolving technologies and henceforth, I'm certified in cutting-edge Threat Modelling tools and Privacy Management software like the OneTrust Privacy Suite.
My key strides lie in conducting incisive vulnerability assessments, orchestrating effective Threat Mitigation, Penetration Testing, and building secure infrastructures. Passionate about not just guarding the cyber doors but strategizing an all-around security module, I can be your trusted partner in combating cyber adversaries.
As a passionate advocate for Security Architecture Design, Data Privacy, Cloud Security, Penetration Testing, Network Security, Incident Response, Data Governance, Application Security, Security Incident Response and Cybersecurity, I have always strived to contribute meaningful insights and foster collaborative discussions.
My Data Privacy Signatures:
OneTrust Privacy Certification:
Certified OneTrust Fellow of Privacy Technology (April 14, 2023) from OneTrust, USA.
Fellow of Privacy Technology Certificate Image:
OneTrust Certified Privacy Management Professional (OTCP), OneTrust, USA.
(OTCP) Certificate Image:
Honoured/Awarded by OneTrust "FELLOW OF SPOTLIGHT" of Newsletter June-2024.
FELLOW OF SPOTLIGHT Certificate Image:
DPDP Bill'23 Bootcamp Certificate Image:
Anil Patil Data Privacy Signatures:
My Achievement on Credly: My Badge:
Badge Certificate Image:
My webinar "Data Localization and Cross-border Transfers under the DPDPA" attended certificate from Zedroit ®
Certificate Image:
Warm regards,
Anil Patil, Founder & CEO/DPO of Abway Infosec Pvt Ltd.
Who Am I:
Anil Patil, OneTrust FELLOW SPOTLIGHT
Email: anilpatil@abway.co.in
Web: www.abway.co.in
The Author of:
1) A Privacy Newsletter Article - "Privacy Essential Insights" &
2) A Security Architect Newsletter Article - "The CyberSentinel Gladiator"
Connect with me! anil_patil
FOLLOW
Twitter: @privacywithanil
Instagram: privacywithanil
Telegram: @privacywithanilpatil
Found this article interesting? Follow us on Twitter and YouTube to read more exclusive content we post.
OneTrust. "OneTrust Announces April-2023 Fellow of Privacy Technology".
OneTrust. "OneTrust Announces June-2024 Fellow Spotlight".
Subscribe to my GDPR, Data Privacy and Protection YouTube Channel.