DPDPA

Uploaded by

Krishnendu Nair
India’s Digital Personal and Data Protection Act (2023)

Content

• Preliminary
• Obligations of Data Fiduciary
• Rights and Duties of Data Principal
• Special Provisions
• Data Protection Board of India
• Powers, Functions and Procedure to Be Followed by Board
• Appeal and Alternate Dispute Resolution
• Penalties and Adjudication

Introduction

• Overview of DPDPA 2023:
  • India's comprehensive data privacy and protection law.
  • Aimed at safeguarding personal data and ensuring privacy rights.
  • Aligns with global standards (e.g., GDPR).
  • Regulates data processing by entities (data fiduciaries) and establishes rights for individuals (data principals).

Rules

• Personal Data Breach
• Children's Data Protection
• Data Localization
• Data Protection Board

Statistics on the Number of Internet Users in India

• Total Internet Subscribers: 954.4 million (March 2024)
• Rural Internet Subscribers: 398.35 million (March 2024)
• Urban Internet Subscribers: 556.05 million (March 2024)
• Internet Penetration: 65.89% (as of September 30, 2023)
• Urban Net Penetration: 110.03% (as of September 30, 2023)
• Rural Net Penetration: 41.72% (as of September 30, 2023)
• Average Monthly Data Consumption: 20.27 GB (March 2024)
• CAGR of Internet Subscribers: 14.26% (March 2014 to March 2024)
• Villages with 3G/4G Connectivity: 6,12,952 out of 6,44,131 (as of April 2024), representing 95.15%

Key Features of the DPDPA 2023

• Personal Data Protection: Defines and safeguards personal data.
• Consent-Based Framework: Explicit and informed consent for data processing.
• Data Fiduciary Obligations: Data fiduciaries must protect data and comply with the Act.
• Data Principals' Rights: Rights of access, correction, erasure, portability, and objection.
• Data Protection Board of India (DPB): Enforces compliance and resolves disputes.
• Penalties and Adjudication: Penalties for violations and a formal adjudication process.

Preliminary Provisions

• Definitions:
  • Digital Data
  • Data Processing
  • Data Fiduciary: Entities that collect, process, store, or manage personal data.
  • Data Principal: The individual whose personal data is collected.
  • Personal Data: Any information that can identify a person.
  • Sensitive Data: Information like health, financial, biometric data.
  • Critical Data: Data requiring storage only in India.
• Scope and Applicability:
  • Applies to all businesses operating in India that handle personal data.
  • Covers cross-border data transfers with specific conditions.

Obligations of Data Fiduciary

• Transparency and Accountability:
  • Clear notice to data principals about data collection purposes.
  • Must obtain explicit consent from individuals.
• Data Security:
  • Implement safeguards to protect data from unauthorized access or breach.
• Data Minimization:
  • Collect only necessary personal data for specific purposes.
• Breach Notification:
  • Data fiduciaries must notify the Data Protection Board and individuals within a specified time frame in case of a data breach.
• Data Retention:
  • Personal data should not be retained for longer than necessary.

Rights and Duties of Data Principal

• Rights of Data Principal:
  • Right to Consent: Consent must be informed, freely given, and explicit.
  • Right to Access: The right to view or obtain a copy of personal data held.
  • Right to Correction: Correct or rectify inaccurate data.
  • Right to Erasure: Request the deletion of data (Right to be Forgotten).
  • Right to Portability: Transfer personal data to another entity in a structured format.
  • Right to Object: Object to data processing in certain circumstances.
• Duties of Data Principal:
  • Provide accurate data.
  • Inform the data fiduciary about any changes in the data.

Special Provisions

• Processing of Sensitive Personal Data:
  • Stricter rules for processing sensitive personal data (e.g., health, biometric).
  • Must obtain explicit consent and follow enhanced security protocols.
• Children’s Data:
  • Protection for children under 18 years: Parental consent required for data collection.
• National Security Exemptions:
  • The government can override individual rights for national security or public interest.
• Data Localization:
  • Critical data must be stored in India.
  • Other personal data can be transferred abroad under strict conditions.

Data Protection Board of India

• Composition:
  • Chairperson and members with expertise in data protection, technology, law, and security.
• Role and Responsibilities:
  • Investigate complaints and violations related to data protection.
  • Ensure compliance with DPDPA 2023.
  • Issue directives and impose penalties on violators.
• Powers of the Board:
  • Powers to audit and inspect data fiduciaries.
  • Order the rectification of non-compliance.
  • Impose fines and penalties.

Powers, Functions, and Procedures of the Board

• Powers:
  • The Board can issue show cause notices, orders for compliance, and penalties for non-compliance.
  • Investigate complaints of violations and data breaches.
• Functions:
  • Conduct investigations and enforce compliance with the DPDPA.
  • Promote awareness and understanding of data protection.
  • Facilitate dispute resolution between data principals and data fiduciaries.
• Procedure:
  • Individuals can file complaints with the Board for data violations.
  • The Board will follow due process to investigate complaints, including issuing notices and conducting hearings.

Appeal and Alternate Dispute Resolution

• Appeals:
  • Appeal Mechanism: Decisions of the Data Protection Board can be appealed to the Appellate Tribunal.
  • The Appellate Tribunal will review the Board’s order and can affirm or modify the decision.
• Alternate Dispute Resolution (ADR):
  • Encourage mediation and conciliation before moving to formal adjudication.
  • ADR mechanisms may help resolve issues faster and more efficiently.

Penalties and Adjudication

• Penalties:
  • The Board can impose heavy fines on non-compliant data fiduciaries:
    • Up to ₹250 crore (approx. USD 30 million) for severe violations.
    • Smaller penalties for lesser breaches, like failure to report data breaches on time.
• Adjudication:
  • If a data fiduciary fails to comply with Board orders, the matter can be referred for adjudication in specialized courts.
  • Penalty amounts depend on the nature and seriousness of the breach.

Impact on Businesses

• Increased Compliance Requirements:
  • Organizations must implement robust data protection measures.
  • Designate Data Protection Officers (DPO).
  • Update privacy policies and ensure explicit consent from users.
• Increased Transparency:
  • Enhanced accountability for organizations to inform users about how their data is being processed.
  • Legal responsibility for data breaches.
