Everything You Need to Know About the Digital Personal Data Protection Act
India’s new Digital Personal Data Protection Act is officially in force!
So what exactly does that mean? How did this bill come into being, and how will it impact our lives in the future? Let’s have a deeper look into things.
A little background
In 2017, a committee was formed by MeitY (the Ministry of Electronics and Information Technology). This committee in turn released the Data Protection Bill 2021 towards the end of 2021.
In 2022, a new version of the bill was released for public consultation. The suggestions made have not been publicly displayed or discussed anywhere, despite an RTI application being filed.
Coming to 2023, the newest version of the bill was released and passed in the Lok Sabha on 7th August. On 9th August it was passed by the Rajya Sabha as well, and it is now officially in force.
A few definitions
“Board” refers to the newly-established Data Protection Board of India.
A “Data Fiduciary” is a person who “determines the purpose and means of processing of personal data”.
“Data principal”, a term defined for the first time, means the person to whom the data relates.
Extent of the Act
The Act applies within India in two main cases: (i) where personal data is collected from Data Principals online, or (ii) where data collected offline is later digitized.
Interestingly, the law also applies to the processing of digital personal data outside India. However, this is only when the processing is linked to profiling, or offering goods and services to, a person in India.
Rules for Data Fiduciaries
Do you fall under the “Data Fiduciary” category? These are a few things you need to know:
Before asking for any data, the fiduciary must give the Data Principal a notice with an itemized list of all the data being requested and the purpose. This must be in simple and clear language.
The notice must be available in English or, at the Principal’s choice, in any of the languages listed in the Eighth Schedule of the Constitution. As you can see, every precaution is being taken to make sure people can’t be tricked or confused.
The Data Principal’s consent must be free, unambiguous and informed. If they give consent to a condition that violates this Act, the said term will be waived. As before, the request for consent must be clear and simple. It should be available in English or any language in the Eighth Schedule.
If a Data Principal withdraws consent, the fiduciary needs to stop processing within a “reasonable amount of time”.
A Data Fiduciary cannot refuse to offer a service because the Data Principal has declined to provide personal data that is not necessary for that service.
Data Fiduciaries must make sure the data they use is accurate and complete.
“Reasonable security safeguards” must be taken to prevent a breach of personal data. If a breach does occur, both the Board and all affected Data Principals have to be informed.
Once data is not required to be retained, Data Fiduciaries must let go of it immediately. (For example, when you delete an Instagram account, your personal information can no longer be retained.)
An effective mechanism must be set up to address the Data Principals’ grievances.
Protection of children under the Act
No Data Fiduciary may take personal data from a child without parental consent.
They cannot process any data that might cause harm to a child.
They may not track, monitor or send targeted ads directed at children.
For the purposes of this Act, a child is any person under the age of 18.
Significant Data Fiduciaries
The government may, according to certain criteria, declare some fiduciaries to be Significant Data Fiduciaries. They must:
Appoint a Data Protection Officer and an Independent Data Auditor.
Undertake other measures such as Data Protection Impact Assessment and periodic audits.
Rights as a Data Principal
Every person reading this is probably a Data Principal in one way or another. Lucky for us, this new Act comes with new rights for Data Principals. We have the right to:
Get confirmation whether a Data Fiduciary has processed or is processing our data.
Obtain a summary of the personal data being processed.
Get a single list of all the Data Fiduciaries with whom our personal data has been shared.
Have readily available means of registering a grievance with a Data Fiduciary.
Duties of a Data Principal
Rights and duties are two sides of the same coin, and we need to make sure we know our duties just as well:
We must comply with all the provisions of the Act while exercising our rights.
We may not register any false or frivolous grievance or complaint.
We may not give false data, suppress information or impersonate another person.
Penalties
This is one you definitely don’t want to skim through - the penalties in this Act are through the roof.
Failure by a Data Principal or Fiduciary to take reasonable security safeguards to prevent breach of data - up to ₹250 crore.
Failure to notify the Board and concerned Data Principals in case of a data breach - up to ₹200 crore.
Non-fulfillment of obligations regarding children - up to ₹200 crore.
Non-fulfillment of obligations of a Significant Data Fiduciary - up to ₹150 crore.
Non-compliance with the duties of a Data Principal - up to ₹10,000.
Conclusion
Creating this Act is a huge step for India, whose growing technology sector means it will have to adapt to new circumstances. The Act isn’t perfect, and it will most likely need amendments as new developments come up. But having one in the first place is a sign that we are willing to make these changes.
As a side note, this Act uses the pronouns “she” and “her” to refer to all genders, something which rarely ever happens in legal documents.