Beginnings of a new e-ra: The Digital Personal Data Protection Act, 2023

The Act proposes a grievance redressal mechanism which enables individuals to file grievances, and it differs substantially from the pre-existing law

By Prashant Phillips, Sameer Avasarala, and Gaurav Tiwari

Data protection and privacy in India have undergone a significant transformation with the enactment of the Digital Personal Data Protection Act, 2023. While the Act has not yet been brought into force by notification, it lays down a comprehensive framework for data protection (including the establishment of the Data Protection Board), obligations for entities which ‘process’ personal data, and rights for the individuals to whom the data relates (referred to as Data Principals).

Who does the law apply to?

The Act applies to all entities or businesses which collect or handle digital personal data. It classifies them into those which decide the ‘why’ and ‘how’ of processing (referred to as Data Fiduciaries) and those which process personal data on the instructions of the former (called Data Processors).

For instance, an e-commerce entity which collects personal data to take orders, process payments and deliver goods would likely be a Data Fiduciary. On the other hand, entities such as a logistics provider (which delivers the orders placed) or a cloud hosting provider (which hosts the website) would likely be Data Processors.

The Act applies not only to the processing of personal data within India, but also to processing outside India where it is in connection with offering goods or services to individuals in India. Therefore, all providers of goods and services offered to Indian residents would be covered under its ambit, regardless of whether they are physically based in India.

What obligations do they have to comply with?

The Act imposes a number of obligations on entities which process personal data. Key obligations include:

  1. Provide notice, before or at the time of seeking consent, describing the personal data to be collected, the purposes of processing and the rights of individuals;
  2. Obtain consent, or rely on one of the Legitimate Uses recognised by the Act, where applicable;
  3. Collect only such personal data as is required for the specified purpose;
  4. Retain personal data only for as long as the specified purpose is being served, and delete it thereafter;
  5. Establish a grievance redressal mechanism to address concerns that individuals may have;
  6. Implement appropriate technical and organisational measures, including reasonable security safeguards;
  7. Intimate the Data Protection Board and each affected individual in case of a personal data breach;
  8. Obtain the consent of a parent or lawful guardian before processing the personal data of children, or of persons with disabilities who have a lawful guardian, and refrain from tracking, behavioural monitoring or other processing likely to have a detrimental effect on a child;
  9. Restrict transfer of personal data outside India to territories which have been notified, comply with any other requirements relating to cross-border transfer, and avail exemptions where applicable; and
  10. For Significant Data Fiduciaries, undertake data protection impact assessments and periodic data audits, and appoint a Data Protection Officer and an independent data auditor.

Rights & duties of individuals

Individuals have been granted certain rights under the law with regard to the processing of their personal data. These include:

  1. Right of access: Individuals have the right to know whether their personal data is being processed. They may seek a summary of the personal data processed and of the processing activities undertaken (such as whether it is being used to target advertisements), the identities of entities with which their personal data has been shared (such as processors or other third parties) and the types of data shared;
  2. Right of correction and erasure: Individuals have a right to correction of inaccurate or misleading data, completion of incomplete data and updating of their personal data, especially where the data is being shared with other entities or used to make decisions about them. They may also request deletion of their personal data (or withdraw consent, where consent is the basis for processing); however, entities may retain the data if it is required for compliance with a legal obligation;
  3. Right of grievance redressal and nomination: The Act provides a grievance redressal mechanism which enables individuals to file grievances with entities regarding compliance with the Act, and a time period may be prescribed within which these must be responded to. If an individual is dissatisfied with the response, they may approach the Data Protection Board. Data Principals may also nominate another individual to exercise their rights with regard to their personal data in the event of death or incapacity; and
  4. Duties: The Act also requires individuals to perform certain duties, such as providing only authentic information, not impersonating another person, not suppressing material information and not registering false or frivolous complaints with the Data Protection Board.

The Act differs vastly from the pre-existing law (Section 43A of the Information Technology Act, 2000 and the rules made under it), which provided limited protection (only in the event of a security breach) to a narrow subset of data (sensitive personal data or information). The Act, on the other hand, protects personal data comprehensively by imposing obligations on the entities which process it and by extending to individuals rights of awareness over, and autonomy in respect of, their personal data.

While the Act is undoubtedly a leap ahead in securing the digital rights of individuals, further rule-making, and the actions and advocacy of the Data Protection Board, will play a large role in securing those rights while also providing a workable framework for processing.

The authors are executive partner, senior associate, and senior associate, Lakshmikumaran & Sridharan Attorneys (LKS), respectively

This article was first uploaded on 16 September 2023 at 3:00 pm.