[Analysis] Decoding Digital Personal Data Protection Bill (DPDP) | A Comprehensive Overview

Table of Contents

1. Introduction
2. Applicability
3. What amount to a personal data breach?
4. Grounds for possessing personal data
5. Consent: The Key to Data’s Heartlock
6. Action Plan when DPDP law comes into force
7. Personal data must be used for specific purposes only
8. ‘Rights and Duties of Data Principal’
9. Specific conditions for the processing of data of Children/Persons with disability
10. Significant Data Fiduciary
11. Cross-border personal data transfer
12. Exemptions
13. Penalty provisions
14. Data Protection Board of India
15. Appeal

1. Introduction

Imagine you bought a car, and soon after the tires hit the pavement, your phone buzzes with an unexpected call. It’s a cheery voice from a car accessory vendor offering customised enhancements to elevate the driving experience. With each passing day, the calls multiply, and your inbox fills with solicitations from service providers and advertisers. Your personal data¹ that you shared with the car vendor at the time of purchase is all over the place. Your personal data has been harvested, shared, and sold without your consent. Questions arise about the sanctity and privacy of data in this digital age.

Currently, India does not have a standalone law on data² protection. The use of personal data is regulated under the Information Technology (IT) Act, 2000. In 2017, the central government constituted a Committee of Experts on Data Protection to examine issues relating to data protection in the country. The Committee submitted its report in July 2018. Based on the recommendations of the Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019. In August 2022, the Bill was withdrawn. In November 2022, a draft Bill was released for public consultation. In August 2023, the Digital Personal Data Protection Bill, 2023 (DPDP Law) was introduced in Parliament and passed by the Lok Sabha and Rajya Sabha.

This DPDP Law aims to protect the personal data of an Individual and make sure that the data of an individual is shared with others only with his consent. The key aspects of the DPDP Law are as follows:

2. Applicability

The DPDP Law will apply to processing³ digital personal data⁴ within India, where such data is collected online or offline and digitised. It will also apply to such processing outside India if it is for offering goods or services in India.

However, it shall not apply to the following:

(a) Personal data processed by an individual for any personal or domestic purpose.

(b) Personal data that is made or caused to be made publicly available by the person himself (Data Principal⁵) to whom such personal data relates or any other person⁶ who is under an obligation under any law for the time being in force in India to make such personal data publicly available. 

For example: Imagine Sarah, a passionate travel blogger, who frequently shares her travel experiences and personal insights on her social media accounts. She posts about her adventures, the places she visits, the local cuisine she tries, and even includes pictures of herself enjoying these experiences. In doing so, she openly makes available her personal data, such as her location, preferences, and appearance, to her followers and the public. Therefore, the provisions of this DLDP law shall not apply to Sarah’s data.

3. What amount to a personal data breach?

“Personal data breach” means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromise confidentiality, integrity or availability of personal data. Thus, proper key management for multicloud architecture is crucial to protect personal data from breaches, maintaining its confidentiality, integrity, and availability.

4. Grounds for possessing personal data

Personal data can be possessed on the ground that it is retained for a lawful purpose and the person whose data is retained has given her consent. However, consent may not be required for specified, legitimate uses such as the voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.

5. Consent: The Key to Data’s Heartlock

The DPDP law defines consent as an indication from the data principal signifying the agreement to allow personal data to be processed for a specific purpose. This consent must be freely given, specific, informed, unconditional, and unambiguous, demonstrated through clear affirmative action. The consent’s validity is limited to the personal data necessary to fulfil the specified purpose.

A notice must be given before seeking consent from the person. The notice should contain details about the personal data to be collected and the purpose of processing. The consent may be withdrawn at any point in time.

6. Action Plan when DPDP law comes into force

Where a Data Principal has given her⁷ consent for the processing of his personal data before the date of commencement of this Act:

(a) Data Fiduciary⁸ shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her:

• the personal data and the purpose for which the same has been processed;
• the manner in which she may exercise the rights as provided under the Act;
• the manner in which the Data Principal may make a complaint to the Board.

Further, the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.

For example:  Before the Act came into effect, Ms Priti, an individual, agreed to allow her personal information to be used for an online shopping app or website run by ABC & Company, an e-commerce service provider.

Once the Act becomes effective, ABC & Company must promptly send information to Ms Priti using email, in-app notification, or another effective way. This information should explain the details of the personal data being processed and the reason for its use.

7. Personal data must be used for specific purposes only

The consent given by the Data Principal (to whom the data relates) shall be free, specific, informed, unconditional and unambiguous with clear affirmative action and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.

For example: X, an individual, downloads a telemedicine app. The app asks X for her agreement regarding two matters:

(i) the use of his personal data to provide telemedicine services and

(ii) accessing her mobile phone’s contact list. X agrees to both requests. Since accessing the phone contact list is not essential for delivering telemedicine services, her consent will only apply to the processing of her personal data necessary for telemedicine services.

It is to be noted that any part of consent which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement.

For example, X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives her consent for

(i) the processing of her personal data by Y for the purpose of issuing the policy, and

(ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of the consent, relating to the waiver of her right to file a complaint, shall be invalid.

8. ‘Rights and Duties of Data Principal’

Chapter III of the DPDP Law provides certain rights and duties of data principals.

The rights of the data principal concerning her personal data are as follows:

• Right to access information about personal data: Data principals have the right to request information about their personal data being processed, a summary of personal data being processed, and the identities of all other data fiduciaries and data processors⁹ with whom their data has been shared.
• Right to correction and erasure of personal data: Data principals have the right to request data fiduciaries to correct, complete, update and erase their personal data. Data principals can also request its erasure when it is no longer needed for the purpose for which it was processed.
• Right to redress grievances: Data principals have the right to register their grievances with data fiduciaries, who must provide easily accessible grievance redressal mechanisms. Also, data principals are encouraged to exhaust these grievance redressal options before approaching the Data Protection Board.
• Right to nominate: Data principals have the right to nominate any other individual to exercise their rights on their behalf in case of death or incapacity.

The DPDP Law also imposes certain duties on the data principals to prevent the misuse of their rights. The duties are as follows:

• Do not register false and frivolous complaints with the Data Protection Board of India.
• Do not impersonate another person while providing personal data to data fiduciaries.
• Do not suppress any material information while providing personal data for any document.
• Furnish only authentic information while exercising the right to data correction or erasure.

The rights granted to data principals empower them with control and transparency over their personal data. These rights foster trust and confidence in data handling practices. On the other hand, the imposed duties promote responsible behaviour, preventing misuse of rights and ensuring accurate and authentic data exchange. This balanced approach under the Bill aims to create a secure digital ecosystem, protecting data principals’ privacy.

9. Specific conditions for the processing of data of Children/Persons with disability

DPDP Law lays down the grounds for the processing of the personal data of children. The law states that a “Data Fiduciary” must get permission from a parent if they want to collect and use the personal data of a child¹⁰. For someone with a disability, they need permission from their legal guardian. This permission needs to be confirmed and proven.

A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child.

A Data Fiduciary is not allowed to track or monitor the behaviour of children or show them specific ads through targeted advertising.

The Govt. may prescribe certain classes of data fiduciaries that will be exempted from:

• the restriction relating to the processing of data relating to a Child/a person with a disability; and
• the restriction relating to tracking or behavioural monitoring of children or targeted advertising directed at children.

The Central Government is satisfied that a Data Fiduciary has ensured that it is processing the personal data of children in a verifiably safe manner, notified for such processing by such Data Fiduciary the age above which that Data Fiduciary shall be exempt from the applicability of all or any of the obligations as discussed above in respect of processing by that Data Fiduciary.

Where the Central Government is convinced that a company handling kids’ personal data is doing so in a very safe way, it can allow that company to not follow certain rules about data protection for children above a certain age. This exemption is given if the company’s data processing is proven to be safe for kids.

10. Significant Data Fiduciary

DPDP law lays down the additional obligations on Significant Data Fiduciary¹¹ for processing personal data.

As per Section 10, the Govt. may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary on the basis of an assessment of such relevant factors as it may determine, including:

• the volume and sensitivity of personal data processed;
• risk to the rights of the Data Principal;
• potential impact on the sovereignty and integrity of India;
• risk to electoral democracy;
• security of the State; and
• public order.

These entities will have certain additional obligations, including

(i) appointing a data protection officer and

(ii) undertaking an impact assessment and compliance audit.

Business entities such as banks, insurance companies, e-commerce entities, in-app mobile operating systems, search engines etc., generally handle large volumes of data having sensitive information which may seriously threaten the Nation’s security, public order, sovereignty and integrity of India. Social Media platform providers have all the critical information of the users, which external agencies can use to infer users’ inclination towards political parties and ideologies, which may, if it falls into the wrong hands, pose a risk to electoral democracy.

11. Cross-border personal data transfer

The DPDP law allows data fiduciaries to transfer personal data outside India, except to countries or territories restricted by the Central Government through notification. This provision has a significant impact on cross-border data flows and data protection. By restricting data transfers to specific countries designated by the Central Government, the law aims to safeguard the privacy and security of the personal data of Indian citizens, preventing potential misuse or unauthorised access.

12. Exemptions

The DPDP law provides certain exemptions for certain data processing activities. These exemptions apply to data processing for investigating offences, implementing schemes of compromise, merger or amalgamation, detecting financial frauds, and processing personal data of a data principal located outside India pursuant to a contract with any person outside India.

Further, the Central Government has the authority to exempt the application of the law for notified state agencies if it is in the interests of the sovereignty, integrity, and security of the State, friendly relations with foreign states, or maintenance of public order, etc.

Also, the Central Government can provide exemptions for data processing for research, archiving or statistical purposes, as long as the data is not used to make specific decisions affecting a data principal.

The government can also notify certain data fiduciaries or classes of data fiduciaries, including start-ups, for exemption from the law based on the volume and nature of personal data processed by them.

The exemptions in the DPDP law are likely to have a positive impact across various aspects. By enabling efficient investigation of offences and detection of financial frauds, they contribute to a safer and more secure society. The flexibility in data processing offered by these exemptions benefits businesses, encouraging growth and development while ensuring responsible data use to safeguard individual privacy.

13. Penalty provisions

The DPDP law provides for penalty provisions. Where the Data Protection Board determines, upon an inquiry, that a person has breached the provisions of the Act, it has the authority to impose monetary penalties as specified in the Schedule.

The Schedule to the Bill specifies penalties for various offences such as

(a) up to Rs 200 crores for non-fulfilment of obligations in relation to children,

(b) up to Rs 250 crores for failure to take security measures to prevent data breaches, etc.

The penalties for non-compliance range from Rs 10,000 to Rs 200 crore, with an upper limit of Rs 250 crore. However, the Bill has removed criminal penalties, including jail terms, from its provisions.

The penalty provisions will have a significant impact on ensuring data protection compliance. With the authority to impose substantial fines, the Data Protection Board can effectively discourage and penalise those who violate the Act. The specified penalties for different offences emphasise the seriousness of non-compliance.

By prioritising financial consequences over criminal penalties, the law aims to promote responsible data handling while safeguarding individuals’ privacy. These measures create a culture of accountability and protection in the digital era.

14. Data Protection Board of India

Chapter V of the DPDP law relates to the ‘Data Protection Board of India’. The law requires the central government to establish the Data Protection Board of India. Key functions of the Board include:

(i) monitoring compliance and imposing penalties,

(ii) directing data fiduciaries to take necessary measures in the event of a data breach, and

(iii) hearing grievances made by affected persons.

15. Appeal

If any person is aggrieved by an order or instruction given by the Board under this Act, they can file an appeal with the Appellate Tribunal within a period of sixty days from the date of receipt of the order or direction. If an appeal cannot be resolved within six months, the Appellate Tribunal must provide written reasons for the delay in concluding the appeal.

1. Personal Data is defined as any data about an individual who is identifiable by or in relation to such data.

2. Data means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.

3. Data Processing means ‘“processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

4. Digital personal data  means personal data in digital form;

5. Data Principal refers to the individuals to whom the personal data relates and where such an individual is:

• A child, includes the parents or lawful guardian of such a child;
• A person with a disability, includes her lawful guardian, acting on her behalf.

6. Person includes:

• • An individual;
  • A Hindu undivided family;
  • A company;
  • A firm;
  • An association of persons or a body of individuals, whether incorporated or not;
  • The State; and
  • Every artificial juristic person, not falling within any of the preceding sub-clauses.

7. The pronouns “her” and “she” have been used for an individual, irrespective of gender.

8. Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data.

9. Data Processor means any person who processes personal data on behalf of the data fiduciary.

10. “Child” means an individual who has not completed the age of 18.

11. “Significant Data Fiduciary” means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under Section 10.