Digital Personal Data Protection Act 2023

November 7, 2023

Summary

  • The Digital Personal Data Protection Act is India's first comprehensive data protection law.
  • In most cases, personal data can be processed only based on customer’s consent.  
  • Consent must be clear, explicit and specific, with local language options.
  • Personal data cannot be processed if purpose is completed or consent is withdrawn.
  • Businesses to ensure that their systems and vendors comply with data protection requirements.

What is Digital Personal Data Protection Act?

In an era of digital transformation, India has introduced its first comprehensive data protection legislation: the Digital Personal Data Protection Act of 2023 (DPDP Act). This landmark law aims to empower Indian citizens with decisive control over their personal data while imposing stringent obligations on businesses processing this data.

What are the key features of Digital Data Protection Act?

While the government is yet to release the detailed DPDP Rules, these are the key features arising from the text of the Digital Personal Data Protection Act:

A.  Consent as Primary Ground of Processing: Consent is the main requirement for processing personal data under the DPDP Act, with other grounds being rare exceptions.

B.  Data Fiduciaries' Responsibility: The DPDP Act holds Data Fiduciaries accountable for all data processing, including that done by third party vendors. There are higher obligations for Significant Data Fiduciaries.

C.  Data Security and Breach Notification: Data fiduciaries must ensure strong data security and promptly report breaches to the Data Protection Board and affected individuals.

D.  Data Protection Board (DPB): The Data Protection Board shall oversee the enforcement of the Act, impose penalties, and handle complaints.

E.  Cross-Border Data Transfers: Data can be transferred to any jurisdiction unless specifically prohibited by the government. Read more about restrictions on cross border data transfers and data localization.

F.  Protection of Children's Data: The Act gives special consideration to children's and disabled persons' data, requiring verified parental consent for processing and banning certain practices like targeted advertising. Read more about DPDP law on children's data on our consent blog.

When and where will the DPDP Act apply?

The law applies to “Digital Personal Data”. Personal data means any data about an individual who can be identified using that data. A person’s name, mobile number, bank account, photograph, signature, Aadhar details, etc. will be classified as personal data as they can be used to identify an individual. Read our article on DPDP Applicability to dive deeper.

Who is affected by the DPDP Act?

Everyone. The DPDP Act defines two main stakeholders - Data Principals and Data Fiduciaries.

  1. Data Principals: These are individuals to whom the data belongs, such as customers opening bank accounts or users registering on websites. They are empowered with extensive rights over their data.
  2. Data Fiduciaries: Entities like banks, telecom providers, and social media platforms that process personal data. They face the highest level of compliance obligations and are responsible for proving adherence to data collection and processing standards.

Apart from these two central players, the DPDP Act also classifies Data Processors as someone who processes personal data on behalf of a Data Fiduciary. The critical difference between Data Processors and Fiduciaries is that only the Fiduciaries determine the means and purpose of processing.

Personal Data originates from Data Principals,
Data Fiduciaries collect and process data of multiple Data Principals
Data Processors process data on behalf of Data Fiduciaries

What are the penalties under the Data Protection Act?

The Digital Personal Data Protection Act imposes significant fines for breaches, calculated based on the nature, duration, and severity of the breach. This underscores the seriousness with which data protection is now regarded in India. Read our blog on DPDP Penalties for greater detail.

Essentially, the Data Protection Board wields considerable discretion in levying monetary penalties, taking into account a range of factors to ensure that the punishment is both proportionate and effective.

What are the Exemptions under Digital Data Protection Law

There are exemptions to the Act's provisions in certain cases like investigation of offenses, enforcement of legal rights or claims, and processing outside Indian territory. The government has the power to exempt certain businesses from some obligations but more clarity is needed from the awaited Digital Personal Data Protetction Rules. You can read our article on DPDP Exemptions for a comprehensive breakdown.

What are consent obligations on Data Fiduciaries?

Consent forms the crux of the Digital Personal Data Protection Act 2023. Data processing must be based on clear, informed, and specific consent from Data Principals, except in certain cases like state functions or legal obligations. The Act mandates that Data Fiduciaries provide detailed notices at data collection points, informing Data Principals about the nature of data collected, processing purposes, and their rights.

The Data Fiduciary is obligated to notify the following terms to the Data Principal:

  • The personal data being collected and purpose for processing;
  • The manner of exercise of rights of the Data Principal; (covered later in this article)
  • The manner in which the Data Principal can make a complaint to the Data Protection Board.

This notice is crucial because right from the beginning, the Data Principal will have full knowledge of exactly which personal information is being collected and to what end. 

What will happen to the data collected prior to the Act?

Even for consents collected prior to the enactment of the DPDP Act, the Data Fiduciary must send a one time notice in the format stated above. If the Data Principal withdraws their consent after this notice, the data processing will have to stop. 

This is a significant obligation on many industries especially the data colossuses like finance, healthcare, ecommerce and others. A customized notice must be sent to all the existing customers detailing their data, purpose of use, right to withdraw consent and method of grievance redressal.

How will the collected data be stored and managed?

Data Fiduciaries cannot store personal data indefinitely. Data must be erased once the purpose is fulfilled or consent is withdrawn. The Act introduces the concept of Consent Managers, digital platforms that enable Data Principals to manage their consent preferences easily.

GDPR vs DPDP how are they different?

The General Data Protection Regulation (GDPR) of the European Union and India's Digital Personal Data Protection (DPDP) Act are both landmark legislations in their respective regions for data protection and privacy. To understand all the major differences between the two laws, read our piece on GDPR and DPDP Act. Here are some key differences between the two:

Category GDPR DPDP
Geographical Scope Applies to all companies processing the personal data of individuals residing in the EU, regardless of the company’s location. Primarily applies to Indian entities or those processing data of individuals in India.
Consent Requires explicit, informed consent for data processing, with consent being one of several legal bases. Consent is central and often the primary basis for processing personal data.
Data Protection Officer (DPO) Mandates the appointment of a DPO for organizations that process large amounts of sensitive data or regularly monitor individuals. May have similar requirements, but the specifics could differ.
Cross-Border Data Transfer Allows transfer of data outside the EU to countries deemed to have adequate data protection, or through mechanisms like Binding Corporate Rules or Standard Contractual Clauses. Allows data transfers except to jurisdictions barred by the Indian government.
Penalties for Non-Compliance Fines up to €20 million or 4% of the company's annual global turnover, whichever is higher. The penalty structure may be different, potentially involving both fines and other legal consequences.

Next Steps

The DPDP Act is set to revolutionise data protection for good. Companies need to adapt quickly and reimagine how they collect and process personal data. Failure to do so will invite legal and monetary consequences as well as reputational damage. Long story short, the DPDP Act is a wake-up call to all businesses: the era of taking data for granted is over, and a more respectful, consent-oriented approach is the new norm.

Still unsure about what the DPDP Act 2023 means for your business?

Read Part 2 of this series on how the DPDP Act is a game changer. We break down the history leading up to this landmark law. This will help contextualize just how drastic the shift is compared to previous data regulations.

Businesses of all shapes and sizes will be affected by the Digital Personal Data Protection Act 2023. To understand sector specific implications please refer to our articles on the impact of the DPDP Act on BFSI and Telemarketing sectors. Read our article on DPDP Compliance to get started on your compliance strategy.

Sign up for a demo and early trial access

Customized Demo for every use case
Deep dive into your unique needs and compliance challenges
Free access to testing account
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.