In an era defined by data, where the digital realm knows no bounds, safeguarding personal information is of paramount importance. The Digital Personal Data Protection Act has arrived, ushering in a new era of data ethics and responsibility. In this blog post, we dive deep into this transformative legislation, shedding light on key provisions, exemptions, and FAQs that every business leader, from Chief Revenue Officers (CRO) to Chief Information Security Officers (CISO), needs to understand.
Understanding the Basics
Data Principal: This refers to the individual to whom personal data pertains, wielding the power of control and ownership.
Digital Personal Data: This refers to personal data in digital form, a treasure trove of information that could be either digitally collected or physically collected and later digitally processed and stored.
Personal Data: Essentially, any data that can identify an individual falls under this category. It's the heart of the Act and what it seeks to protect.
Data Fiduciary: This is the entity responsible for determining the purpose and means of processing personal data. Think of them as the guardians of personal information.
Data Processor: If the data fiduciary is the guardian, the data processor is the trusted custodian. They process personal data on behalf of the data fiduciary.
Processing: This covers all automated operations on digital personal data, from collection to sharing, alteration to destruction.
Specified Purpose: The reason why personal data is collected, as mentioned in the notice given by the data fiduciary to the data principal.
Consent: This is the linchpin of the Act. It must be specific, informed, unconditional, unambiguous, and accompanied by clear affirmative action.
Consent Manager: The Data Protection Board envisages that a Data Fiduciary could employ the services of a "consent manager" to oversee the "consent" of the Data Principal. This Consent Manager acts as a representative for the Data Principal and carries out tasks related to granting, handling, assessing, or withdrawing consent on their behalf. It's worth noting that, according to the DPDPB, a consent manager is also classified as a Data Fiduciary.
Key Provisions of the Act
Prevention, Detection, Investigation, or Prosecution: Personal data can be processed in the interest of preventing, detecting, investigating, or prosecuting any offence or contravention of Indian law.
Financial Information: Personal data may be processed to ascertain the financial information, assets, and liabilities of individuals who have defaulted on loans or advances from financial institutions, provided this aligns with existing data disclosure laws.
Establishment of a Data Protection Board: The Data Protection Board serves as an impartial body to address privacy-related disputes, enforce the Act, and impose penalties for non-compliance. The central government appoints its CEO and members to ensure a fair selection process. An appellate body, possibly the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), allows customers to challenge its decisions.
Voluntary Commitments: The Board can accept voluntary compliance commitments from data fiduciaries during complaint proceedings. These commitments can specify actions or restrictions. The Board may modify them if needed. Non-compliance results in penalties under the DPDP Act, and commitments can be made public at the Board's discretion.
Offences and Penalties: Data fiduciaries that fail to comply with the DPDP Act, 2023 face penalties ranging from INR 500 million to INR 2.5 billion. These penalties are designed to ensure strict adherence to data protection regulations and promote responsible data handling practices.
What Does it Cover?
The Act covers digital data, including data that was initially physically collected but is now stored digitally. However, it doesn't apply to personal data processed by individuals for personal or domestic purposes or data made publicly available as required by law.
Who Does it Apply To?
The Act primarily targets data fiduciaries, laying down obligations for them. Data principals have rights and duties, while consent managers shoulder obligations regarding consent management.
When Does it Apply?
The Act applies when personal data is processed with the consent of the data principal or for certain legitimate purposes.
How to Obtain Consent?
Consent must be accompanied by a notice containing details of the personal data to be collected and processed, along with the purpose. Data principals also have the right to withdraw consent and seek grievance redressal for breaches.
Existing Customers and Consent?
For customers who provided consent before the Act came into force, businesses must obtain fresh consent as per Section 5(2) of the Act.
Where Does Legitimate Use Apply?
Legitimate use applies to data provided voluntarily by data principals for specified purposes, as long as they haven't indicated otherwise.
Certain classes of data fiduciaries, particularly startups, may enjoy exemptions based on the volume and nature of the data they process.
Cross-Border Transfer: The Act permits cross-border data transfer, but existing guidelines continue to apply; hence the RBI’s localization requirements for payments and lending data prevail, and such data must be stored in India. The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to specific countries or territories outside India.
No Distinction: The Act does away with the prior differentiation between personal data and sensitive personal data/information outlined in the IT Act, 2000. By adopting the term "personal data," its scope broadens significantly. Additionally, the introduction of consent places the rights of data principals at the forefront, emphasizing their importance. This shift sets the stage for a regulatory framework focused on safeguarding data and ensuring its exclusive use for intended purposes.
In a world where data drives decisions, the Digital Personal Data Protection Act serves as a compass, guiding businesses toward ethical and secure data practices. For CISOs, CROs, CTOs, CIOs, Heads of Fraud, and industry regulators, this Act heralds a new era where data protection isn't just an option—it's a mandate.