The Digital Personal Data Protection Act, 2023 (DPDP / the Act) is one of India's most significant pieces of legislation of the past year: it received presidential assent on 11 August 2023 and comes into force on dates notified by the central government. It regulates how individuals' digital personal data is collected, handled and erased. This article discusses five major features of the soon-to-be-implemented privacy law.
DPDP: its features, in brief.
DPDP introduces three roles: the Data Principal (the individual to whom the personal data relates; for a child or a person with a disability, this includes the parent or lawful guardian), the Data Fiduciary (any person who, alone or together with others, determines the purpose and means of processing personal data) and the Data Processor (any person who processes personal data on behalf of a Data Fiduciary, under a valid contract with it). The Act's provisions govern how a Data Fiduciary may collect personal data from a Data Principal and share it with a Data Processor (where the Data Fiduciary does not do the processing itself).
Here are some of the features of the Act.
Request for Consent & Consent:
A Data Fiduciary may collect and process personal data only after it has made a request for consent to the Data Principal and the Data Principal has given that consent (or where one of the "legitimate uses" listed in the Act applies). The request for consent must be accompanied or preceded by a notice stating the personal data sought and the purpose for which it is to be processed, along with how the Data Principal can exercise her rights and how she can complain to the Data Protection Board.
The purpose must be lawful, and data may be processed only with consent or for one of the legitimate uses. One such legitimate use: where the State or any of its instrumentalities processes personal data to provide a subsidy, benefit, service, certificate, licence or permit, and the Data Principal has previously consented to processing for such a purpose or the data is already available in a government database, no fresh consent is required.
Consent given by the Data Principal must be free, specific (limited to the stated purpose alone), informed, unconditional and unambiguous, and must be signified by a clear affirmative action (a positive act by the Data Principal on the Data Fiduciary's platform, such as ticking a consent checkbox). Consent can be withdrawn at any time, and the Data Fiduciary must make withdrawing consent as easy as giving it. Withdrawal does not affect the lawfulness of processing already done, but the Data Fiduciary must, within a reasonable time, stop processing the data and cause its Data Processors to stop too, unless another law requires the processing to continue.
Processing of Data:
Under the Act, "processing" means a wholly or partly automated operation, or set of operations, performed on digital personal data. It includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction. Note that the Act covers digital personal data only: data collected in digital form, or collected offline and later digitised.
Duties of the Data Fiduciaries:
DPDP requires Data Fiduciaries to perform certain duties while handling and using personal data for their business purposes, irrespective of any agreement to the contrary and irrespective of whether the Data Principal has performed her own duties. The Data Fiduciary remains responsible for compliance even where the processing is carried out by a Data Processor on its behalf. It requires:
- The Data Fiduciary to ensure that the personal data is complete, accurate and consistent where it is likely to be used to make a decision that affects the Data Principal, or where it is to be disclosed to another Data Fiduciary.
- The Data Fiduciary to protect the personal data in its possession or control, including data being processed on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach, and to notify the Data Protection Board and each affected Data Principal when a breach occurs.
- The Data Fiduciary to erase the personal data (and cause its Data Processor to erase it) when the Data Principal withdraws consent, or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is required under law.
- The Data Fiduciary to obtain verifiable consent from the parent or lawful guardian before processing a child's data, NOT to undertake processing that is likely to cause a detrimental effect on a child's well-being, and NOT to track or behaviourally monitor children or direct targeted advertising at them.
- The Data Fiduciary to publish the business contact information of a Data Protection Officer or of a person able to answer the Data Principal's questions about processing, and to provide a readily available grievance redressal mechanism. Appointing a Data Protection Officer is mandatory only for entities notified as Significant Data Fiduciaries. Separately, the Act provides for Consent Managers: entities registered with the Data Protection Board through which a Data Principal may give, manage, review and withdraw consent. A Consent Manager acts on behalf of the Data Principal, not the Data Fiduciary, and is not something the Data Fiduciary appoints.
Rights of the Data Principals:
Under the new Act, those who share their personal data with a Data Fiduciary (the collector) can, on request, obtain from it three types of information:
- A summary of the personal data being processed by the collector and the processing activities undertaken concerning it.
- The identities of all other Data Fiduciaries and Data Processors with which the collector has shared the personal data, along with a description of the data shared.
- Any other information related to the personal data and its processing, as prescribed by rules to be notified later.
Where the collector has shared the data with another Data Fiduciary that is authorised by law to obtain it (for example a government authority or regulatory body), and the sharing is for the prevention, detection or investigation of offences or cyber incidents, or for the prosecution or punishment of offences, the Data Principal can only ask for the summary of personal data being processed and the processing activities undertaken. She cannot ask for the identities of the entities with which the data was shared, nor for the other prescribed information about that sharing.
Penalty for violations:
Any person, whether a Data Fiduciary or a Data Processor, who breaches a provision of the Act may be penalised by the Data Protection Board after an inquiry, up to the maximum amounts set out in the Schedule to the Act.
For failing to take reasonable security safeguards to prevent a personal data breach, the maximum penalty is ₹250 crore. Failing to notify the Data Protection Board and the affected Data Principals of a breach carries a maximum penalty of ₹200 crore, as does breaching the obligations relating to children's data (processing it without the parent's or lawful guardian's verifiable consent, or processing it in a way detrimental to their well-being). A Significant Data Fiduciary that breaches its additional obligations faces up to ₹150 crore, and a breach of any other provision of the Act carries a maximum of ₹50 crore. A Data Principal who breaches her own duties under the Act can be penalised up to ₹10,000.
While deciding on the penalty, the Data Protection Board assesses the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach is repetitive; whether the person in breach realised a gain or avoided a loss as a result; whether mitigating action was taken, and how timely and effective it was; whether the penalty is proportionate and effective in securing compliance; and the likely impact of the penalty on the person. The Board may also accept a voluntary undertaking from the person in breach in place of proceedings, and its orders can be appealed to the Telecom Disputes Settlement and Appellate Tribunal.
These are, in brief, the major provisions of the Act.