FAQs on the digital personal data protection bill, 2023

CMS INDUSLAW
MEMBER FIRM OF L&E Global


India August 14 2023

The Lok Sabha passed the ‘Digital Personal Data Protection Bill, 2023’ (“DPDPB”) on August 07, 2023, thereby introducing the first comprehensive personal data protection regime in India, after several years of legislative efforts and an inclusive consultation process. It prescribes various obligations on ‘data fiduciaries’ and ‘significant data fiduciaries’ while processing the personal data of ‘data principals’. Considering the landmark nature of the DPDPB, the fact that a data protection framework for India has been in the pipeline for several years, and the increasing need for an Indian data protection framework that meets global adequacy standards, it appears that this relatively business-friendly version of the DPDPB might be enacted soon, almost in its current form.

The DPDPB will, in many ways, require organisations to re-examine their existing information technology policies and processes to ensure compliance with this new law. To help you and your organisation understand the intricacies of the DPDPB and the obligations that you may have to undertake once it is enacted, we have prepared this document answering pertinent questions on compliance with the DPDPB that could come up frequently. We have also prepared a note capturing the key provisions of the DPDPB, along with a detailed analysis, which can be accessed here.

When do the provisions of the DPDPB come into force?

As on this date, the provisions of the DPDPB are not in force. They will come into force on a date notified in the official gazette by the Central Government. The Central Government may also opt to notify different provisions to take effect on different dates, in a phase-wise manner.

Would my organisation be considered as a ‘data fiduciary’ or a ‘data processor’?

If your organisation collects personal data of data principals for a specified purpose and determines the manner in which such personal data should be processed digitally, your organisation would be a ‘data fiduciary’ and would have to comply with the obligations on data fiduciaries set out under the DPDPB (more particularly described in FAQ No. 2(ii)). If your organisation only processes personal data on behalf of another organisation, your organisation would be considered as a ‘data processor’. In this case, the organisation on whose behalf you are processing such personal data would be the data fiduciary.

In what scenarios would my entity be treated as a significant data fiduciary?

There are no prescribed criteria stipulated under the DPDPB to be construed as a ‘significant data fiduciary’. The Central Government may, at its discretion, notify any data fiduciary or a class of data fiduciaries as a ‘significant data fiduciary’ after an assessment of some relevant factors, such as:

  • The volume and sensitivity of personal data processed by the data fiduciaries;
  • The risk to the rights of data principals;
  • The potential impact on the sovereignty and integrity of India;
  • The risk to electoral democracy;
  • The security of the state; and
  • Public order.

Therefore, your organisation will only be considered a ‘significant data fiduciary’ if it falls within the specified class of data fiduciaries, and fulfils the prescribed criteria, as may be notified by the Central Government in the future.

Who is considered as a ‘data principal’ for the purposes of data processing?

A data principal is the individual to whom the personal data relates. However, when the personal data is in relation to a child, the data principals would include the parents or lawful guardians of such child; and when the personal data is in relation to a person with disability, the data principal would include her lawful guardians acting on her behalf.

Note that ‘processing’ has been defined under the DPDPB as a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

ON APPLICABILITY

What type of data does the DPDPB apply to?

The DPDPB is applicable to the processing of personal data in the following scenarios:

  • Processing of personal data collected in digital form (i.e., digital personal data); and
  • Processing of personal data collected in non-digital form and digitised subsequently.

However, the provisions of the DPDPB will not apply if:

  • You are an individual processing personal data for any personal or domestic use; or
  • You are processing personal data that has been made publicly available by the data principal or any other person who is under an obligation under Indian laws to make such personal data publicly available.

Are there different categories of personal data?

Unlike the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”), which categorise personal data into ‘personal information’ and ‘sensitive personal data or information’, the DPDPB does not classify personal data sets into different categories. It treats all digitised personal data uniformly.

Will the compliances under the Information Technology Act, 2000 remain applicable to my organisation post the implementation of the DPDPB?

Yes, the compliances under the Information Technology Act, 2000 (“IT Act”) will continue to apply post the enactment of the DPDPB. However, Section 43A of the IT Act (compensation for failure to protect sensitive personal data) and the rules framed thereunder (i.e., the SPDI Rules), which largely constitute the current data protection framework in India, are proposed to be repealed by the DPDPB (upon enactment and notification of the relevant section). That said, other provisions of the IT Act will continue to remain applicable. However, in case of any inconsistencies between the provisions of the IT Act and DPDPB, it is proposed that the provisions of DPDPB would prevail.

CMS INDUSLAW - Namita Viswanath, Shreya Suri, Naqeeb Ahmed Kazia, Ananya Dash, Nikhil Vijayanambi and Ruhi Kanakia
