Decoding Digital Personal Data Protection Bill (DPDP): A Comprehensive Overview
Imagine you bought a car, and soon after the tires hit the pavement, your phone buzzes with an unexpected call. It’s a cheery voice from a car accessory vendor offering customised enhancements to elevate the driving experience. With each passing day, the calls multiply, and your inbox fills with solicitations from service providers and advertisers. The personal data [1] that you shared with the car vendor at the time of purchase is all over the place. Your personal data has been harvested, shared, and sold without your consent. Questions arise about the sanctity and privacy of data in this digital age.
Currently, India does not have a standalone law on data [2] protection. The use of personal data is regulated under the Information Technology (IT) Act, 2000. In 2017, the central government constituted a Committee of Experts on Data Protection to examine issues relating to data protection in the country. The Committee submitted its report in July 2018. Based on the recommendations of the Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019. In August 2022, the Bill was withdrawn. In November 2022, a draft Bill was released for public consultation. In August 2023, the Digital Personal Data Protection Bill, 2023 (DPDP Law) was introduced in Parliament and passed by the Lok Sabha and Rajya Sabha.
This DPDP Law aims to protect the personal data of an Individual and make sure that the data of an individual is shared with others only with his consent. The key aspects of the DPDP Law are as follows:
The DPDP Law will apply to the processing [3] of digital personal data [4] within India, where such data is collected online, or collected offline and then digitised. It will also apply to such processing outside India if it is for offering goods or services in India.
However, it shall not apply to the following:
(a) Personal data processed by an individual for any personal or domestic purpose.
(b) Personal data that is made or caused to be made publicly available by the person himself (Data Principal [5]) to whom such personal data relates, or by any other person [6] who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
For example: Imagine Sarah, a passionate travel blogger, who frequently shares her travel experiences and personal insights on her social media accounts. She posts about her adventures, the places she visits, the local cuisine she tries, and even includes pictures of herself enjoying these experiences. In doing so, she openly makes available her personal data, such as her location, preferences, and appearance, to her followers and the public. Therefore, the provisions of the DPDP Law shall not apply to Sarah’s data.
“Personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromise confidentiality, integrity or availability of personal data.
[3] “Processing”, in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
[4] Digital personal data means personal data in digital form.
[5] Data Principal refers to the individual to whom the personal data relates and, where such an individual is:
• A child, includes the parents or lawful guardian of such a child;
• A person with a disability, includes her lawful guardian, acting on her behalf.
[6] Person includes:
• An individual;
• A Hindu undivided family;
• A company;
• A firm;
• An association of persons or a body of individuals, whether incorporated or not;
• The State; and
• Every artificial juristic person, not falling within any of the preceding sub-clauses.
Personal data may be processed only for a lawful purpose for which the Data Principal has given her consent. However, consent is not required for certain specified legitimate uses, such as the voluntary sharing of data by the individual or processing by the State for permits, licences, benefits, and services.
The DPDP law defines consent as an indication from the data principal signifying the agreement to allow personal data to be processed for a specific purpose. This consent must be freely given, specific, informed, unconditional, and unambiguous, demonstrated through clear affirmative action. The consent’s validity is limited to the personal data necessary to fulfil the specified purpose.
A notice must be given before seeking consent from the person. The notice should contain details about the personal data to be collected and the purpose of processing. The consent may be withdrawn at any point in time.
Where a Data Principal has given her [7] consent for the processing of her personal data before the date of commencement of this Act:
(a) the Data Fiduciary [8] shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her of:
• the personal data and the purpose for which the same has been processed;
• the manner in which she may exercise the rights as provided under the Act;
• the manner in which the Data Principal may make a complaint to the Board.
Further, the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.
For example: Before the Act came into effect, Ms. Priti, an individual, agreed to allow her personal information to be used for an online shopping app or website run by ABC & Company, an e-commerce service provider.
Once the Act becomes effective, ABC & Company must promptly send information to Ms. Priti using email, in-app notification, or another effective way. This information should explain the details of the personal data being processed and the reason for its use.
The consent given by the Data Principal (to whom the data relates) shall be free, specific, informed, unconditional and unambiguous with clear affirmative action and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
For example: X, an individual, downloads a telemedicine app. The app asks X for her agreement regarding two matters: (i) the use of her personal data to provide telemedicine services and (ii) accessing her mobile phone’s contact list. X agrees to both requests. Since accessing the phone contact list is not essential for delivering telemedicine services, her consent will only apply to the processing of her personal data necessary for telemedicine services.
It is to be noted that any part of consent which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement.
For example, X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives her consent for (i) the processing of her personal data by Y for the purpose of issuing the policy, and (ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of the consent, relating to the waiver of her right to file a complaint, shall be invalid.
Chapter III of the DPDP Law provides certain rights and duties of data principals. The rights of the data principal concerning her personal data are as follows:
(a) Right to access information about personal data: Data principals have the right to request information about their personal data being processed, a summary of the personal data being processed, and the identities of all other data fiduciaries and data processors [9] with whom their data has been shared.
(b) Right to correction and erasure of personal data: Data principals have the right to request data fiduciaries to correct, complete, update and erase their personal data. Data principals can also request its erasure when it is no longer needed for the purpose for which it was processed.
(c) Right to redress grievances: Data principals have the right to register their grievances with data fiduciaries, who must provide easily accessible grievance redressal mechanisms. Also, data principals are encouraged to exhaust these grievance redressal options before approaching the Data Protection Board.
(d) Right to nominate: Data principals have the right to nominate any other individual to exercise their rights on their behalf in case of death or incapacity.
The DPDP Law also imposes certain duties on the data principals to prevent the misuse of their rights. The duties are as follows:
(a) Do not register false and frivolous complaints with the Data Protection Board of India.
(b) Do not impersonate another person while providing personal data to data fiduciaries.
(c) Do not suppress any material information while providing personal data for any document.
(d) Furnish only authentic information while exercising the right to data correction or erasure.
The rights granted to data principals empower them with control and transparency over their personal data. These rights foster trust and confidence in data handling practices. On the other hand, the imposed duties promote responsible behaviour, preventing misuse of rights and ensuring accurate and authentic data exchange. This balanced approach under the Bill aims to create a secure digital ecosystem, protecting data principals’ privacy.
The DPDP Law lays down the grounds for the processing of the personal data of children. The law states that a Data Fiduciary must obtain the consent of a parent before collecting and using the personal data of a child [10]. For a person with a disability, the consent of the lawful guardian is required. This consent must be verifiable.
A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child.
A Data Fiduciary is not allowed to track or monitor the behaviour of children or show them specific ads through targeted advertising.
The Govt. may prescribe certain classes of data fiduciaries that will be exempted from:
(a) the restriction relating to the processing of data relating to a Child/ a person with a disability; and
(b) the restriction relating to tracking or behavioural monitoring of children or targeted advertising directed at children.
Where the Central Government is satisfied that a Data Fiduciary has ensured that it is processing the personal data of children in a verifiably safe manner, it may notify, for such processing by that Data Fiduciary, the age above which that Data Fiduciary shall be exempt from the applicability of all or any of the obligations discussed above in respect of processing by that Data Fiduciary.
Where the Central Government is convinced that a company handling kids’ personal data is doing so in a very safe way, it can allow that company to not follow certain rules about data protection for children above a certain age. This exemption is given if the company’s data processing is proven to be safe for kids.
The DPDP Law lays down additional obligations on a Significant Data Fiduciary [11] for processing personal data.
As per Section 10, the Govt. may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary on the basis of an assessment of such relevant factors as it may determine, including:
(a) the volume and sensitivity of personal data processed;
(b) risk to the rights of the Data Principal;
(c) potential impact on the sovereignty and integrity of India;
(d) risk to electoral democracy;
(e) security of the State; and
(f) public order.
These entities will have certain additional obligations, including (i) appointing a data protection officer and (ii) undertaking an impact assessment and compliance audit.
[11] “Significant Data Fiduciary” means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under Section 10.
Business entities such as banks, insurance companies, e-commerce entities, mobile operating systems, search engines, etc., generally handle large volumes of sensitive personal data, the compromise of which may seriously threaten the security, public order, sovereignty and integrity of India. Social media platform providers hold critical information about their users, which external agencies can use to infer users’ inclination towards political parties and ideologies; if it falls into the wrong hands, this may pose a risk to electoral democracy.
The DPDP law allows data fiduciaries to transfer personal data outside India, except to countries or territories restricted by the Central Government through notification. This provision has a significant impact on cross-border data flows and data protection. By restricting data transfers to specific countries designated by the Central Government, the law aims to safeguard the privacy and security of the personal data of Indian citizens, preventing potential misuse or unauthorised access.
The DPDP law provides certain exemptions for certain data processing activities. These exemptions apply to data processing for investigating offences, implementing schemes of compromise, merger or amalgamation, detecting financial frauds, and processing personal data of a data principal located outside India pursuant to a contract with any person outside India.
Further, the Central Government has the authority to exempt the application of the law for notified state agencies if it is in the interests of the sovereignty, integrity, and security of the State, friendly relations with foreign states, or maintenance of public order, etc.
Also, the Central Government can provide exemptions for data processing for research, archiving or statistical purposes, as long as the data is not used to make specific decisions affecting a data principal.
The government can also notify certain data fiduciaries or classes of data fiduciaries, including start-ups, for exemption from the law based on the volume and nature of personal data processed by them.
The exemptions in the DPDP law are likely to have a positive impact across various aspects. By enabling efficient investigation of offences and detection of financial frauds, they contribute to a safer and more secure society. The flexibility in data processing offered by these exemptions benefits businesses, encouraging growth and development while ensuring responsible data use to safeguard individual privacy.
The DPDP law provides for penalty provisions. Where the Data Protection Board determines, upon an inquiry, that a person has breached the provisions of the Act, it has the authority to impose monetary penalties as specified in the Schedule.
The Schedule to the Bill specifies penalties for various offences such as (a) up to Rs 200 crores for non-fulfilment of obligations in relation to children, (b) up to Rs 250 crores for failure to take security measures to prevent data breaches, etc.
The penalties for non-compliance range from Rs 10,000 to Rs 200 crore, with an upper limit of Rs 250 crore. However, the Bill has removed criminal penalties, including jail terms, from its provisions.
The penalty provisions will have a significant impact on ensuring data protection compliance. With the authority to impose substantial fines, the Data Protection Board can effectively discourage and penalise those who violate the Act. The specified penalties for different offences emphasise the seriousness of non-compliance.
By prioritising financial consequences over criminal penalties, the law aims to promote responsible data handling while safeguarding individuals’ privacy. These measures create a culture of accountability and protection in the digital era.
Chapter V of the DPDP law relates to the ‘Data Protection Board of India’. The law requires the central government to establish the Data Protection Board of India. Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons.
If any person is aggrieved by an order or instruction given by the Board under this Act, they can file an appeal with the Appellate Tribunal within a period of sixty days from the date of receipt of the order or direction. If an appeal cannot be resolved within six months, the Appellate Tribunal must provide written reasons for the delay in concluding the appeal.
Our mission at Taxmann is ‘Spearheading the pursuit of expertise & authenticity’. We at Taxmann strive to provide authentic and fastest reporting of information. We are proud to call ourselves the #1 source for everything on Tax and Corporate Laws in India. Our domain knowledge of more than 60 years has helped us in being trusted by more than 500K legal professionals across the country.