Safeguarding Data Privacy and Strengthening Digital India: A Quick Insight into the Digital Personal Data Protection Act, 2023

On August 3, 2023, Ministry of Electronics and Information Technology (MeitY) introduced the Digital Personal Data Protection (DPDP) Bill, 2023, marking it the fifth iteration in introducing data privacy bill in India. The Bill was then presented in Rajya Sabha and after the approval from both houses, with the President’s assent, it was officially made the Digital Personal Data Protection [DPDP] Act, 2023 on Aug 11, 2023.

To understand the act’s essence, let us start with the event that led to it. In 2017, when the “Right to Privacy” was ruled as a Fundamental Right of Indian citizens based on the cornerstone case of Justice K. Puttaswamy vs Union of India, the Supreme Court of India underscored the need for dedicated legislation on data privacy and thus, triggered the inception of the Data Protection Bill in India. Let us begin with understanding the key events and timeline before we delve deeper into the DPDPB 2023.

• 2018 – First draft of PDP Bill was released – Personal Data Protection Bill, 2018.
• 2019 – PDP Bill 2012 – Personal Data Protection Bill, 2019 was released and it was reviewed by the Joint Parliamentary Committee (JPC).
• 2021 – The report of the Joint Parliamentary Committee on the PDPB, 2019 – Joint Parliamentary Committee (JPC) report was tabled in Parliament.
• 2022 – Digital Personal Data Protection Bill 2022 [DPDPB 2022] was released for public feedback.
• 2023 – MeitY introduced the DPDPB 2023 in the Lok Sabha.

Before I read the bill, I read the Forty Eighth report that was presented to Lok Sabha on August 1, 2023, titled “Citizens Data Security and Privacy”. This report gave a great insight into the evolution of the DPDPB 2023 by the Standing Committee on Communications and Information Technology members and Chairperson. The report highlights the key areas of concern and reason for the DPDPB in the first place, and here are some of the takeaways from the report:

• Need for Dedicated Legislation on Data Privacy – In recent years, personal data security and privacy issues have become hot topics of public debate, especially in the context of India’s digitization efforts under the “Digital India” initiative. With over 80 crore internet users, regulating personal data has become crucial to address potential risks.
• The Cyber Conundrum – In recent years, the world has witnessed an exponential surge in cybercrimes. The rise in cybercrimes necessitates urgent regulatory action to protect personal data as India’s digital landscape expands. The Digital Personal Data Protection Act, 2023, aims to address these concerns and incorporates essential principles.
• Global Alignment and Comprehensive Approach – The Digital Personal Data Protection Act draws inspiration from global best practices, the bill offers a technology-agnostic and comprehensive legal framework for data protection.
• Amending the IT Act and Unleashing Digital India Bill – The Committee put forth a query about the weaknesses identified in the IT Act that restrict stringent implementation of Penal provisions under the IT Act. To strengthen data protection, DPDPB 2023 bill proposes omissionofSection 43A and introduces provisions to ensure congruence with the new DPDP Act.
• Challenges in Privacy Protection and Solutions – The Ministry acknowledges several challenges related to personal data protection, such as unauthorized processing, data breaches, and misleading usage of personal data.The DPDP Act addresses challenges in personal data protection, holds Data Fiduciaries accountable and includes special controls for handling children’s data, with provisions for rulemaking to address evolving challenges with the “As may be prescribed” clauses.

The DPDPA 2023 adopts a concise and SARAL (Simple, Accessible, Rational & Actionable Law) approach. By using plain language and avoiding complex provisos, it strives to be easily understandable and accessible to all stakeholders. Another innovative aspect is By using the word “she” instead of “he”, acknowledging the role of women in law-making.

Now let’s analyse and understand the DPDPA 2023 chapter wise.

• Chapter 1 – Key Definitions

• Some ofkey definitions includePersonal Data, Digital Personal Data, Personal Data Breach, Data Fiduciary, Significant Data Fiduciary, Data Principal, Data Processor, Data Protection Officer, Appellate Tribunal, The Data Protection Board and Consent Manager.
• Applicability of the Act:
• The Act applies to the processing of digital personal data within India, whether collected in digital form or digitized from non-digital form. It also applies to the processing of digital personal data outside India if it is related to offering goods or services to Data Principals within India.
• The Act does not apply to personal data processed by individuals for personal or domestic purposes. It also does not apply to personal data that is publicly made available by the Data Principal or any other person who is required by law to make it publicly available.

• Chapter 2 – Obligations of Data Fiduciaries

• This chapter outlines the obligations of Data Fiduciaries. They can process personal dataonly for lawful purposes, which require consent and certain legitimate reasons. Consent must be freely given, specific, informed, and can be withdrawn without affecting the legality of prior processing. Data Fiduciaries must provide a notice to individuals before processing their data and ensure its accuracy and protection against breaches.
• In cases of children’s or disabled persons’ data, parental consent is necessary, and harmful practices like tracking or targeted advertising are prohibited. Significant Data Fiduciaries appointed by the Central Government have additional responsibilities, such as appointing a Data Protection Officer, conducting Data Protection Impact Assessments, and undergoing periodic audits.

• Chapter 3 – Rights and duties of the Data Principal

• This chapter outlines the Data Principal’s rights and duties. The Data Principal has the right to access information about their personal data, request corrections, and seek grievance redressal. They can also nominate a representative for certain matters.
• As for their duties, the Data Principal must comply with all applicable laws, provide accurate and authentic information, and refrain from impersonation or suppression of material information. Additionally, they should avoid registering false or frivolous grievances, ensuring responsible and truthful engagement with their personal data.

• Chapter 4 – Special Provisions

• This chapter elaborates on how this Act empowers the Central Government to restrict the transfer of personal data to foreign countries or territory, but it doesn’t override other existing laws or restrictions on international data transfers.
• Certain exemptions are provided, including cases involving legal enforcement, official functions of Indian courts and regulatory bodies, and approved corporate actions with non-Indian Data Principals under contracts with foreign entities.
• Additionally, exemptions apply to research, archiving purposes, and data processing by the State or its instrumentalities.
• Temporary exemptions may also be declared for specific Data Fiduciaries or classes of Data Fiduciaries within the first five years of the Act’scommencement and startups and certain Data Fiduciaries may receive exemptions based on the volume and nature of personal data they process.

• Chapter 5 – Data Protection Board of India

• The chapter establishes the Data Protection Board of India through a notification by the Central Government. The Board comprises a Chairperson and Members with expertise in relevant fields, holding office for a two-year term, eligible for reappointment, and with fixed terms and conditions. Disqualifications include insolvency, criminal convictions, mental or physical incapacity, conflicting financial interests, or misuse of position.
• The Board will follow prescribed procedures for meetings and business, appoint officers and employees with Central Government approval, and the Chairperson will have supervisory powers. Funding will come from the Consolidated Fund of India, with estimated expenditures mentioned.

• Chapter 6 – Powers, Functions & Procedures to be followed by the Board

• This chapter outlines the powers, functions, and procedures of the independent Data Protection Board of India. It has the authority to direct remedial measures for personal data breaches, inquire into breaches, and impose penalties on Data Fiduciaries. The Board functions digitally, receives complaints online, and conducts inquiries to ensure compliance.  
• During the inquiry, it may summon and examine individuals under oath, inspect documents, and issue interim orders if needed. However, it cannot adversely impactthe day-to-day functioning of a person. The Board may seek assistance from authorities during its inquiries.

• Chapter 7 – Appeal & Alternate Dispute Resolution

• This chapter outlines the procedures for appeal and alternate dispute resolution. Anyone dissatisfied with the Data Protection Board’s order or direction can appeal before the Appellate Tribunal within sixty days. The Appellate Tribunal aims to resolve appeals expeditiously, typically within six months, and its orders are executable as civil court decrees. Mediation may be suggested by the Board to resolve disputes, and voluntary undertakings related to compliance with the Act may be accepted.

• Chapter 8 – Penalties & Adjudication

• This chapter deals with penalties and adjudication. The Data Protection Board can impose a monetary penalty if it finds a significant breach of the Act or its rules after an inquiry. When determining the penalty amount, the Board will consider various factors, including the nature and gravity of the breach, the type of personal data affected, and the person’s actions to mitigate the breach’s effects. The penalties collected will be credited to the Consolidated Fund of India. The penalties are:

Sl. No.	Breach of provisions of this Act or rules made thereunder	Penalty
1	Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach.	up to Rs 250 crore
2	Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach.	up to Rs 200 crore
3	Breach in observance of additional obligations in relation to children.
4	Breach in observance of additional obligations of Significant Data Fiduciary.	up to Rs 150 crore
5	Breach in observance of the Data Principal duties.	up to Rs 10 thousand
6	Breach of any term of voluntary undertaking accepted by the Board.	Up to the extent applicable
7	Breach of any other provision of this Act or the rules made thereunder.	up to Rs 50 crore

• Chapter 9 – Miscellaneous

• This chapter covers miscellaneous provisions. It includes protection for actions taken in good faith by the Central Government, Data Protection Board, and its members. The Central Government can call for information from the Board, Data Fiduciaries, or intermediaries as needed. The Act’s provisions are consistent with other laws, and in case of conflicts, the Act prevails. The Central Government has the power to make rules, subject to prior publication, and such rules and notifications will be laid before Parliament for thirty days.

Having analysed and thoroughly understanding the DPDP Act 2023, let us turn to a concise comparison between the DPDP 2022 & the 2023 bill. Here are some key differences between the two:

1. Definitions: The 2022 bill had fewer defined terms, lacking clarity on “Consent Manager” and “Digital Personal Data,” which has been introduced in the 2023 bill.
2. Purpose Limitation: The 2022 bill did not include a specific purpose limitation clause, unlike the 2023 bill, which restricts data processing to the mentioned purpose.
3. Deemed Consent: The 2022 bill included the concept of “deemed consent,” allowing data processing without explicit consent, which has been removed in the 2023 bill.
4. Children’s Data: The 2022 bill did not have specific provisions for processing children’s data, unlike the 2023 bill, which requires verifiable consent from parents or lawful guardians.
5. Right to Access Information: The 2022 bill did not grant rights to access information about legitimate use cases, which is provided in the 2023 bill.
6. Cross-border Data Flow: The 2022 bill followed a whitelisting approach for cross-border data flow, whereas the 2023 bill allows free flow unless blacklisted.
7. Board and Penalties: The 2022 bill did not establish the Board as a body corporate, and the maximum penalty for non-compliance was INR 500 crore, which was reduced to INR 250 crore in the 2023 bill.
8. Dispute Resolution: The 2022 bill did not include provisions for voluntary undertakings or alternate dispute resolution, which has been introduced in the 2023 bill.

What should organizations do to ensure they are prepared to meet the requirements of DPDPA 2023?

To achieve compliance with the Digital Personal Data Protection Act 2023 (DPDPA 2023), organizations should be proactive and not wait for the government’s implementation deadline!

At Network Intelligence, we comprehend the specific challenges organizations encounter while adhering to regulatory requirements. Our customized approach to compliance considers each organization’s business nature, values, and culture.

Here’s how Network Intelligence can help organizations ensure DPDPA 2023 compliance:

1. Data Collection & Processing Framework: Develop tailored methodologies, standards, and policies for data collection and processing based on the organization’s role as Data Fiduciaries or Data Processors.
2. Data Classification: Assist in categorizing data into Personally Identifiable Information (PII) and Sensitive Personal Information (SPI) to ensure proper handling and protection.
3. Data Mapping & Flow: Create a clear Data Flow that visualizes data’s journey throughout the organization, identifying areas requiring privacy safeguards.
4. Privacy Impact Assessments: Conduct Data Privacy Impact Assessments (DPIA) to identify potential privacy risks and implement effective measures.
5. Data Protection Officer (DPO) Setup: Help document and establish roles and responsibilities for a Data Protection Officer (DPO) to oversee and enforce data protection efforts.
6. Employee Awareness Training: Provide organization-wide awareness training on data protection and privacy concepts to ensure all employees understand their compliance roles.
7. Automation and Data Security: Offer guidance on leveraging automation, such as Data Loss Prevention (DLP) implementation, to enhance data security and minimize human errors.

Through Network Intelligence’s expertise and support, organizations can navigate DPDPA 2023’s complexities and ensure robust compliance readiness! Top of Form