Salient Features of The Digital Personal Data Protection Bill, 2023 - Lexology
Data Fiduciary - Any person who, alone or in conjunction with other persons, determines the purpose and
means of processing of personal data.
Data Principal - The individual to whom the personal data relates; where that individual is a child, the term
includes the parents or lawful guardian of the child. The newest iteration of the Bill also brings the lawful
guardians of persons with disabilities within this definition.
Data Processor - Any person who processes personal data on behalf of a Data Fiduciary.
Data Protection Officer - An individual appointed as such by a Significant Data Fiduciary under the
provisions of the Act.
Significant Data Fiduciary - A Data Fiduciary notified as such by the Central Government after
considering factors such as the volume of personal data processed, the risk to electoral democracy, the security
of the State, public order, etc.
Scope and Application
The proposed Bill applies to the processing of digital personal data within India where such data is collected
from Data Principals online, or is collected offline and subsequently digitised. Processing of digital personal
data outside the territory of India is also covered, provided the processing is in connection with offering goods or
services to, or profiling, Data Principals within India; foreign entities therefore fall within its scope. Two
categories are kept outside its purview: personal data processed by an individual for any personal or domestic
purpose, and personal data that is made, or caused to be made, publicly available by the Data Principal herself or
by any other person who is under an obligation under any law to make such personal data publicly available.
Grounds for Processing Digital Personal Data:
Data Fiduciaries will be permitted to process personal data for any lawful purpose (i.e., a purpose that is not
expressly prohibited by law), provided consent has been obtained from the Data Principal or the processing falls
within ‘certain legitimate uses’.
Conditions for Data Processing by Data Fiduciaries:
Prior to or at the time of seeking consent, the Data Fiduciary must provide the Data Principal with a notice that
specifies the personal data to be processed and the purpose for which it will be used. The notice should also
explain how the Data Principal can exercise their right to withdraw consent and how they can file a complaint
with the Data Protection Board. Processing of personal data by the Data Fiduciary is only allowed if the Data
Principal provides consent, which must be freely given, specific, informed, and clearly indicated through
affirmative action, expressing their intention to allow the processing of their personal data for the purpose stated
in the notice.
For consent obtained before the commencement of the DPDP Bill 2023, a similar notice should be provided to
the Data Principal as soon as ‘reasonably practicable’. However, the DPDP Bill 2023 clarifies that until the Data
Principal withdraws her consent, the Data Fiduciary may continue to process the personal data. Replacing the
terminology of ‘deemed consent’ used in the previous 2022 iteration of the Bill, the concept of ‘certain legitimate
uses’ has been introduced, which allows the Data Fiduciary to process personal data without the Data Principal
giving express consent in some specific instances. These include: the specified purposes for which the Data
Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not
indicated to the Data Fiduciary that she does not consent to its use; cases where the State or any of its
instrumentalities requires the personal data to provide or issue to the Data Principal a subsidy, benefit, service,
certificate, etc.; the performance by the State or any of its instrumentalities of any function under any law; and
the interests of the sovereignty and integrity of India or the security of the State, etc.
Data Fiduciary primarily responsible for compliance under the DPDP Bill
Certain duties are mandated for Data Fiduciaries to protect the security of personal data, irrespective of any
contract to the contrary or any action taken by the Data Principal. These include:
a. complying with the provisions of the Act;
b. appointing a Data Processor on its behalf for any activity related to the offering of goods or services to Data
Principals only under a valid contract;
c. making reasonable efforts to process accurate, complete and consistent personal data;
d. implementing appropriate technical and organizational measures to ensure effective observance of the
provisions of this Act;
e. keeping security safeguards in place to prevent a breach of personal data (which includes any unauthorised
processing of personal data or accidental disclosure);
f. notifying instances of data breaches to the regulatory body, the Data Protection Board of India and the
affected Data Principal.
Another important obligation is to erase personal data once it is no longer needed for the specified purpose or
for legal compliance. Erasure must take place either when the Data Principal withdraws consent or when it is
reasonable to assume that the specified purpose has been fulfilled, whichever comes first. The Data Fiduciary
must also ensure that its Data Processor erases any personal data provided to it for processing.
Data of Children and Persons with Disabilities
Under the Bill, an individual under the age of 18 years is a "child". Data Fiduciaries, before processing any
personal data of a child, are required to obtain verifiable consent from the parent or lawful guardian of the child.
They are also restricted from undertaking any such processing of personal data which is likely to cause
detrimental effects on the well-being of a child or undertaking tracking or behavioural monitoring of children or
targeted advertising directed at children.
However, if the Central Government is satisfied that a Data Fiduciary is processing children's personal data in a
‘verifiably safe’ manner, it may notify the age from which such classes of Data Fiduciaries are exempt from the
obligations on verifiable consent and tracking/monitoring/targeted advertising, subject to any conditions that it
may prescribe. Additionally, the Bill also includes the protection of any personal data of disabled persons, as
verifiable consent must be obtained from their lawful guardian.
Obligations for Significant Data Fiduciaries (“SDF”)
SDFs would be a special category of Data Fiduciary or class of Data Fiduciaries as may be notified by the
Central Government based on some relevant factors, who would have additional obligations such as carrying out
periodic audits; undertaking data protection impact assessments; and appointing an independent data auditor and
a Data Protection Officer. This Data Protection Officer would represent the Significant Data Fiduciary, be
responsible to their Board of Directors/governing body and would be the point of contact for the grievance
redressal mechanism set up for the Data Principal.
Certain rights and duties of Data Principals
Data Principals are guaranteed certain rights, such as the right to information, the right to correction and erasure
of personal data, the right of grievance redressal, the right to nominate, etc. However, the right to obtain the
identities of the Data Fiduciaries and Data Processors, and the other rights under Section 12(1)(b) and (c),
would not apply where the information is collected for the prevention, detection, investigation or prosecution of
cyber offences. To prevent the abuse of these rights, the DPDP Bill also specifies duties for Data Principals: not
concealing relevant information, not providing incorrect information, not making false or frivolous complaints,
and not impersonating another person when providing their personal data, among others.
Consent Managers
A Consent Manager would be a person registered with the Board, who would act as a single point of contact to
enable a Data Principal to give, manage, review, and withdraw her consent through an “accessible, transparent
and interoperable platform”. The Consent Manager would be accountable to the Data Principal and shall act on
her behalf.
Data Protection Board
The Bill establishes the Data Protection Board of India, comprising a Chairman and as many other members as
may be prescribed, which would be a specialised tribunal with the authority to inquire into non-compliance and
impose penalties in situations such as:
a. an intimation of a personal data breach;
b. a complaint made by a Data Principal in respect of a personal data breach or a breach in observance by a
Data Fiduciary of its obligations in relation to her personal data or her rights, or on a reference made to it by
the Central Government or a State Government, or in compliance of the directions of any court;
c. on the basis of a complaint made by a Data Principal in respect of a breach in observance by a Consent
Manager;
d. on receipt of an intimation of breach of any condition of registration of a Consent Manager;
e. on a reference made by the Central Government in respect of the breach in observance of the provisions of
sub-section (2) of section 36 by an intermediary.
Every order made by the Board will be enforceable just like a civil court decree. Persons who are aggrieved by
any orders/directions passed by the Board would be able to file an appeal against the same before the Telecom
Disputes Settlement and Appellate Tribunal, and thereafter to the Supreme Court.
Broad powers with the Central Government
Section 36 grants the Central Government the authority to direct the Data Protection Board and any Data
Fiduciary to provide information as required. The Central Government has the power to issue notifications,
establish rules, and order blocking of access of Data Fiduciaries to any public information of Government
agencies or intermediaries when it is in the public interest. This blocking order would prevent a Data Fiduciary
from offering goods or services to Data Principals within India, following a reference from the Board.
Cross-border personal data transfer
The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for
processing to any country or territory outside India that it so notifies. The Bill also clarifies that any other law
for the time being in force in India that provides a higher degree of protection for, or restriction on, the transfer
of personal data outside India by a Data Fiduciary, in relation to any personal data or Data Fiduciary, will
continue to apply.
Penalties
The Bill imposes penalties for various non-compliances by Data Fiduciaries. Failure to implement reasonable
security safeguards leading to a personal data breach can result in a penalty of up to Rs 250 crore. Failure to
notify the Board and the affected Data Principals of a breach, and failure to fulfil the additional obligations
concerning children, may each incur a penalty of up to Rs 200 crore. Non-compliance with the obligations of
Significant Data Fiduciaries may lead to a penalty of up to Rs 150 crore. A penalty of up to Rs 10,000 can be
imposed on Data Principals in breach of their duties under Section 15.
Penalties also apply for breaching any term of a voluntary undertaking accepted by the Board under
Section 32. Furthermore, a penalty of up to Rs 50 crore may be imposed for any other breach of the provisions of
this Act or of the rules made under it.
Exemptions
The Central Government has the authority to exempt certain situations from the application of the rights, duties
and compliance requirements laid down for Data Fiduciaries under the Bill. Such exemptions may cover the
enforcement of legal rights, the performance of judicial or regulatory functions, the facilitation of business
arrangements, and the protection of national interests and security, etc.
The Bill further provides that exemptions from the provisions of the Act may be granted to instrumentalities of
the State, as notified by the Central Government, for reasons such as the security of the State, friendly relations
with foreign States or the maintenance of public order, and for research, archiving and statistical purposes as
specified by the Central Government. Additionally, certain Data Fiduciaries, including startups, may be
exempted from the rights and duties mentioned above. Finally, within five years of the commencement of the
Act, the Central Government can issue notifications declaring that specific provisions of the Act will not apply
to certain Data Fiduciaries for a specified period.
Based on the above, the DPDP Bill seeks to create a robust data protection framework, focusing on safeguarding
personal data, respecting individual rights, and holding Data Fiduciaries accountable for their handling of
personal information.