The Digital Personal Data Protection Act, 2023 (“DPDP Act”)

Vaish Associates Advocates

India October 12 2023

CORPORATE, TAX & BUSINESS ADVISORY LAW FIRM

THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (“DPDP Act”)

Notified on 11th August 2023

NEED FOR THE DPDP ACT, 2023

  • RECOGNITION OF ‘RIGHT TO PRIVACY’: In the case of Justice K S Puttaswamy (Retd.) & Anr. v. Union of India and Ors., (2017) 10 SCC 1, the Supreme Court recognized the right to privacy as a facet of Article 21 of the Constitution of India, i.e., Protection of Life and Personal Liberty, a Fundamental Right.
  • CONFERRING RIGHTS AND DUTIES: To confer rights on individuals to protect their personal data and place duties on the entities that process these personal data, and to strike an important balance in protecting users’ rights and promoting innovation in digital businesses.
  • PROTECTION AND SECURITY: Need for protection and security of personal data of users and to process data for lawful purpose.
  • IMPOSING PENALTIES: To penalise the parties in case of unlawful processing of personal data.
  • GROWTH OF ECONOMY: Digital transactions have transformed economics as well as social interactions, and use of personal data is a common aspect of such transactions. Therefore, protection of personal data has become a need as well as a prerequisite for the growth of digital economy.

KEY TERMS IN THE DPDP ACT

  • Data Fiduciary
  • Data Principal
  • Data Processor
  • Consent Manager
  • Data Protection Officer
  • Significant Data Fiduciary

DATA FIDUCIARY [S. 2(i)]

“Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.”

Personal Data means any data about an individual who is identifiable by or in relation to such data.

DATA PROCESSOR [S. 2(k)]

“Data Processor means any person who processes personal data on behalf of a Data Fiduciary.”

DATA PRINCIPAL [S. 2(j)]

“Data Principal means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.”

SIGNIFICANT DATA FIDUCIARY [S. 2(z)]

“Significant Data Fiduciary means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10.”

A Significant Data Fiduciary has the additional obligations to appoint a Data Protection Officer and an Independent Data Auditor, and to conduct periodic Data Protection Impact Assessment.

CONSENT MANAGER [S. 2(g)]

“Consent Manager means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.”

The role of the Consent Manager is to facilitate the Data Principal by managing their consent, and the Consent Manager is accountable to the Data Principal.

DATA PROTECTION OFFICER [S. 2(l)]

“Data Protection Officer means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10.”

The Data Protection Officer:

  • shall represent the Significant Data Fiduciary
  • must be based in India
  • shall be the point of contact for the grievance redressal mechanism

DATA PROTECTION BOARD OF INDIA

  • The DPDP Act contemplates the establishment of a Data Protection Board, as an enforcement body, by the Central Government. Civil courts are barred from entertaining suits or proceedings for any matter in respect of which the Board is empowered.
  • Under the DPDP Act, the Data Protection Board has the following powers:
    1. To direct any urgent remedial or mitigation measures on receipt of intimation regarding a personal data breach
    2. To inquire into such breach
    3. Impose penalties for non-compliances
    4. Inspect any document
    5. Summon and enforce attendance of any person etc.
  • Appeal can be filed against the order of DPB before Appellate Tribunal within 60 days.

Appeal route: DPB → Telecom Disputes Settlement and Appellate Tribunal → Supreme Court

APPLICATION OF THE DPDP ACT [S. 3(a) & 3(b)]

  • Processing of Personal Digital Data within territory of India, where data collected is in digital form OR in physical form BUT subsequently digitized.
  • Processing of Personal Digital Data outside the territory of India, if such processing is being done to offer goods or services to Data Principal within the territory of India.

NON-APPLICABILITY OF THE DPDP ACT [S. 3(c)]

  • Processing of Personal Data by an individual ONLY for personal or domestic use.
  • Where the personal data is publicized by the Data Principal himself OR any other person who is under obligation under law to make such personal data publicly available.

GROUNDS FOR PROCESSING DATA

Section 4 of the DPDP Act states that a person, i.e., a Data Fiduciary, can process data of a Data Principal only for a lawful purpose:

  • for which the Data Principal has given her consent; or
  • for certain legitimate uses.

CONCEPT OF ‘NOTICE’

Consent has to be accompanied by NOTICE under Section 5, informing the Data Principal about the personal data which is to be processed and the purpose of such processing. The Notice should also contain information about the right of withdrawing consent and grievance redressal available to the Data Principal, and the manner in which the complaint can be made to the Board.

Illustration: X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening of bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with notice to X, describing the personal data and the purpose of its processing.

PROVISIONS OF CHAPTER II

CONSENT PROVISIONS

  • The DPDP Act under Section 6 provides for free, specific, informed, unambiguous and unconditional CONSENT to be taken by the Data Fiduciary of the Data Principal before processing personal digital data.
  • Consent taken for a specified purpose needs to be utilized for that purpose ONLY.

    Illustration: X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for the processing of her personal data for making available telemedicine services, and accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.
  • Request for consent should:
    a) Be presented to Data Principal in clear and plain language.
    b) Contain option to access such request in any language.
    c) Provide for contact details of Data Protection Officer or any other person authorized by Data Fiduciary to respond to communication of Data Principal in order to enable him to exercise his rights.

ISSUANCE OF FRESH NOTICE WHERE CONSENT IS OBTAINED PRIOR TO THE COMMENCEMENT OF DPDP ACT

  • Where the consent of the Data Principal has been obtained prior to the commencement of the DPDP Act for processing of her personal data, the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a fresh NOTICE.
  • Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.

WITHDRAWAL OF CONSENT

  • Availability of ‘Right to withdraw consent’ with the Data Principal.
  • However, withdrawal of consent shall NOT affect the legality of processing of the personal data based on such consent before such withdrawal.
  • Data Fiduciary shall CEASE and cause its Data Processors to CEASE PROCESSING of such personal data, UNLESS such processing is necessary according to some provision of law which is for the time being in force.

CERTAIN LEGITIMATE USES

Some of the legitimate uses provided in the DPDP Act are as under:

A. VOLUNTARY PROVISION OF DATA
If the users voluntarily provide their personal data to the Data Fiduciary for a specified purpose and have not indicated to the Data Fiduciary that they do not consent to the use of their personal data.

B. FOR STATE TO PROVIDE ANY BENEFIT/SUBSIDY TO THE DATA PRINCIPAL
For the State or its agencies to perform any function under any law or in the interest of sovereignty and integrity of India or security of the State; or to provide any subsidy, service, benefit, certificate, license, or permit to the Data Principal, where Data Principal has previously consented, or such personal data is already available to the government in digital or non-digital form and is notified by the Central Government.

C. FOR FULFILLING OBLIGATIONS UNDER THE LAW
D. FOR COMPLIANCE OF COURT ORDERS
E. DURING THE MEDICAL EMERGENCIES
F. DURING THE SPREAD OF EPIDEMIC
G. DURING THE DISASTERS
H. FOR EMPLOYMENT PURPOSES
I. FOR SAFEGUARDING THE EMPLOYER FROM LOSS OR LIABILITY

GENERAL OBLIGATIONS OF DATA FIDUCIARY

  • Appointment of Data Processor to process personal data of the Data Principal on his behalf only under a valid contract.
  • Ensure completeness, accuracy and consistency of the personal data where the data processing is likely to be used to make a decision that affects the Data Principal or disclosed to another Data Fiduciary.
  • Erase or cause to erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes.
  • To implement appropriate technical and organizational measures for proper observance of the provisions.
  • To build reasonable security safeguards to prevent a data breach to protect the personal data in its possession.
  • Inform the Data Protection Board of India and affected persons in the event of a breach.
  • To establish an effective mechanism for redressal of the grievances.
  • Publish contact information of Data Protection Officer or any other person acting on behalf of Data Fiduciary.

PROCESSING OF CHILDREN’S PERSONAL DATA

  • A ‘Child’ has been defined under S. 2(f) as an individual who has not yet completed the age of 18 years.
  • A Data Fiduciary, before processing any personal data of a ‘child’ or a person with disabilities, MUST OBTAIN VERIFIABLE CONSENT of the parent of the child or of the lawful guardian, as the case may be.

NOT ALLOWED

  a) NO processing of personal data which can have DETRIMENTAL EFFECT on the well-being of the child.
  b) Not to engage in targeted advertising, tracking or behavioral monitoring.

EXEMPTION

  a) If the government is satisfied that a Data Fiduciary has ensured that the processing of personal data of children is done in a manner that is “verifiably safe”, then the government can exempt the fiduciary.

RIGHTS AND DUTIES OF DATA PRINCIPALS [Chapter III]

1. Right to access information about personal data (S. 11)
  • Right to get summary of personal data which is processed by the Data Fiduciary and processing activities undertaken by such Data Fiduciary.
  • Right to receive identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared and any other information.
2. Right to correction, completion, updating and erasure of personal data (S. 12)
3. Right of grievance redressal
  • Through Data Fiduciary or Consent Manager
  • The user can escalate their grievance to the Data Protection Board only after exhausting their options with the Data Fiduciary or Consent Manager first.
4. Right to Nominate
  • In case of his death or personal incapacity to exercise his right of being a Data Principal.
5. Right to withdraw consent

Duties of a Data Principal include: complying with the present provisions and other applicable laws, not to register a false and frivolous complaint, not to suppress material information while providing personal data, to furnish only verifiable information, etc.

CROSS BORDER DATA TRANSFERS

  • The DPDP Act allows for the cross border transfers of personal data, for processing, by the Data Fiduciaries. However, under Section 16 of the DPDP Act, Central Government can restrict the countries or territories outside India to which the data can be transferred.

EXEMPTIONS PROVIDED UNDER DPDP ACT

As per Section 17 of the DPDP Act, provisions of Chapter II, except sub sections (1) and (5) of Section 8, Chapter III and Section 16 of the DPDP Act will NOT apply for processing of personal data (i.e., exemptions):

  • For enforcement of legal right or claim.
  • When processing is to be done by any court/tribunal for the performance of any judicial or quasi judicial or supervisory or regulatory function.
  • For prevention, detection, investigation or prosecution of any offence, etc.
  • When personal data of Data Principals who are not within the territory of India is processed outside India under any contract.
  • When processing is required for scheme of compromise or arrangement or merger or amalgamation, approved by Court or Tribunal.
  • For ascertaining the financial information of a person who has defaulted in payment to financial institution.

OTHER EXEMPTIONS UNDER S. 17(2) & 17(3) OF DPDP ACT

  • Central Government has the power to exempt any instrumentality of the State, under S. 17(2), from the application of the present law via notification, in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by Central Government of such personal data furnished to it by the aforesaid instrumentality.
  • The processing of personal data is also exempted from the application of the present law which is necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with standards as may be prescribed.
  • Having regard to the volume and nature of personal data processed, the Central Government may also notify certain Data Fiduciaries or classes of Data Fiduciaries, including start-ups, as exempt from certain provisions of the law.
  • Within 5 years from the date of enactment of DPDP Act, the Central Government may notify any provision that will not apply to certain Data Fiduciaries or classes of Data Fiduciaries for a specified period.

PENALTIES

  • Depending on the nature and significance of contravention, monetary penalties up to INR 250 crores may be levied by the DPB on the conclusion of an inquiry and after giving an opportunity of being heard to the defaulting person.
  • Several factors shall be taken into account to determine the quantum of penalties including – nature, gravity and duration of breach, type of personal data affected, repetitive nature of breach, mitigation measures, impact of the imposition of monetary penalty, etc.
  • Penalty up to INR 10000 can be imposed on Data Principal for breach of the duties.
  • Under the DPDP Act, there is no provision to compensate the affected person as provided under Section 43A of the Information Technology Act, 2000.
  • All sums realized by way of penalties shall be credited to the Consolidated Fund of India.

AMENDMENTS AFTER THE ENACTMENT OF THE DPDP ACT, 2023

According to S. 38(2) of the DPDP Act, “in the event of any conflict between a provision of this law and a provision of any other law for the time being in force, the provision of this law shall prevail to the extent of such conflict.”

The DPDP Act omitted the following provisions of the Information Technology Act, 2000 after its enactment [S. 44(2)]:

  • Section 43A: The said section provides for the compensation for failure to protect sensitive personal data or information.
  • Section 87(2)(ob): Under the said section, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were framed.

The above Sections of the Information Technology Act, 2000 and the IT Rules, 2011, which governed the legal framework of data laws in India, will be replaced by the DPDP Act once the provisions are notified.

For any specific query, please contact:

  • Mr. Vijay Pal Dalmia, Senior Partner at [email protected] or on Mobile at +91 9810081079
  • Mr. Rajat Jain, Principal Associate at [email protected] or on Mobile at +91 9953887311

Vaish Associates Advocates

  • New Delhi: 1st, 9th & 11th Floors, Mohan Dev Building, 13, Tolstoy Marg, New Delhi 110001, India
  • Mumbai: 106, Peninsula Centre, Dr. S. S. Rao Road, Parel, Mumbai - 400012, India
  • Bengaluru: 105-106, Raheja Chambers, #12, Museum Road, Bengaluru - 560001, India

www.vaishlaw.com

DISCLAIMER: The content of this presentation is intended to provide a general guide on the subject matter. Vaish Associates Advocates assume no responsibility for any errors which may inadvertently appear. The presentation is circulated with the understanding that the author/publisher is not rendering any legal or professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.
© 2023, Vaish Associates Advocates, All rights reserved

Vaish Associates Advocates - Vijay Pal Dalmia and Rajat Jain

As an Indian full-service law firm with a global mindset, Vaish Associates Advocates leverages innovative thinking to provide outstanding services in the domain of Direct & Indirect Taxes, Corporate, Intellectual Property Rights, Information Technology and Criminal laws. If we can be of assistance, please visit www.vaishlaw.com or email to [email protected]
