
The Digital Personal Data Protection Bill

The Digital Personal Data Protection Act, 2023 (DPDP Act) regulates the processing of personal data and provides for the protection of individuals' personal data. Key aspects of the Act include establishing consent requirements for processing personal data, obligations for data fiduciaries to protect data and notify about breaches, rights for individuals to access their data, and the creation of a Data Protection Board of India to oversee implementation. The Act aims to recognize both individual rights over personal data as well as legitimate processing of data.

Uploaded by

Ria Singh

THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

Use of personal data is regulated under the Information Technology (IT) Act, 2000. In 2017,
the central government constituted a Committee of Experts on Data Protection, chaired by
Justice B. N. Srikrishna, to examine issues relating to data protection in the country. The
Committee submitted its report in July 2018. Based on the recommendations of the
Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha in
December 2019. The Bill was referred to a Joint Parliamentary Committee which submitted
its report in December 2021. In August 2022, the Bill was withdrawn from Parliament. In
November 2022, a Draft Bill was released for public consultation. In August 2023, the
Digital Personal Data Protection Act, 2023 was introduced in Parliament.

The Digital Personal Data Protection Act (DPDPA), 2023 – which was passed in the Rajya
Sabha – has now become law. It received presidential assent on August 12.

The DPDP Act defines "digital personal data" as any information that relates to an
identifiable individual, whether directly or indirectly, and that is processed in digital form.
This includes information such as name, address, phone number, email address, bank account
details, social media handles, and biometric data.

The Digital Personal Data Protection Act, 2023 (DPDP Act) is a landmark legislation in India
that seeks to protect the privacy of individuals' personal data. The Act applies to the
processing of digital personal data within India, and also to the processing of digital personal
data outside India if such processing is in connection with any profiling of, or activity of
offering goods or services to, individuals within India.

The Act provides for the processing of digital personal data in a manner that recognizes both
the rights of the individuals to protect their personal data and the need to process such
personal data for lawful purposes and for matters connected therewith or incidental thereto.

Key features

• Applicability

The Act applies to processing digital personal data within India, whether in digital or
non-digital form, and outside India if it is related to offering goods or services to Data
Principals. It does not apply to personal or domestic data processed by individuals, or to
data made public by the Data Principal or any other person under law.

• Consent

The Data Principal's consent is free, specific, informed, and unambiguous,
indicating an agreement to the processing of their personal data for a specified purpose.

The Data Principal has the right to withdraw consent at any time, with the consequences
being borne by the Data Principal. If the Data Principal withdraws consent, the Data
Fiduciary must cease processing their personal data within a reasonable time, unless
unauthorized processing is required or authorized under the Act or applicable laws.

The Data Principal can give, manage, review, or withdraw consent through a Consent
Manager, who must be accountable to the Data Principal and act on their behalf. Consent
Managers must be registered with the Board and are subject to technical, operational,
financial, and other conditions. If a question arises regarding the consent given by the
Data Principal, the Data Fiduciary must prove that a notice was given.

Consent will not be required for ‘legitimate uses’ including: (i) specified purpose for which
data has been provided by an individual voluntarily, (ii) provision of benefit or service by the
government, (iii) medical emergency, and (iv) employment. For individuals below 18 years
of age, consent will be provided by the parent or the legal guardian.

• Obligations of data fiduciaries

A Data Fiduciary is responsible for having security safeguards to prevent personal data breach. It is also required:

1. To intimate personal data breaches to the affected Data Principal and the Data
Protection Board;
2. To erase personal data when it is no longer needed for the specified purpose;
3. To erase personal data upon withdrawal of consent;
4. To have in place a grievance redressal system and an officer to respond to queries from
Data Principals; and
5. To fulfil certain additional obligations in respect of Data Fiduciaries; the Central
Government may appoint a Data Fiduciary as a Significant Data Fiduciary based on
factors such as processing children's personal data, risking data rights, India's
sovereignty, electoral democracy, security, and public order.
The Significant Data Fiduciary must appoint a Data Protection Officer and an
independent data auditor, and undertake periodic Data Protection Impact Assessments
to ensure a higher degree of data protection.

• Processing of personal data of children

While processing the personal data of a child, the data fiduciary must not undertake: (i)
processing that is likely to cause any detrimental effect on the well-being of the child, and (ii)
tracking, behavioural monitoring, or targeted advertising.

• Rights and duties of the Data Principal

An individual whose data is being processed (Data Principal) will have the following rights:

(i) Right to obtain consent from a Data Fiduciary for processing personal data, including a
summary of the data being processed, the identities of other Data Fiduciaries and Processors,
and any other information related to the data and its processing.

(ii) A Data Principal has the right to correction, completion, updating, and erasure of their
personal data, provided they have given consent. A Data Fiduciary must correct, complete, or update
inaccurate or misleading data upon request. If a Data Principal requests erasure, the Data
Fiduciary will erase the data unless retention is necessary for specific purposes or compliance
with law.

(iii) Right to nominate another person to exercise rights in the event of death or incapacity,
and

(iv) A Data Principal has the right to receive grievance redressal from a Data Fiduciary or
Consent Manager regarding their obligations with their personal data. The Data Fiduciary
must respond within prescribed timeframes, and the Principal must exhaust all options before
addressing the Board.

Data Principals will have certain duties. They must not impersonate another person, suppress
material information, or register false grievances, and must provide only verifiably authentic
information while exercising the right to correction or erasure. They must also avoid filing
frivolous complaints with Data Fiduciaries or the Board. Violation of duties will be
punishable with a penalty of up to Rs 10,000.

• Cross-border transfer

The Act allows transfer of personal data outside India; however, the Central Government can
restrict personal data transfer to countries or territories outside India by notification. This
does not affect existing laws requiring higher protection or restrictions on data transfer.

• Exemptions

Rights of the data principal and obligations of data fiduciaries (except data security) will not
apply in specified cases:
(a) Processing personal data for legal rights or claims.
(b) Processing personal data by courts, tribunals, or regulatory bodies in India for judicial or
regulatory functions.
(c) Processing personal data for prevention, detection, investigation, or prosecution of
offenses or law contraventions in India.
(d) Processing personal data of non-resident individuals under contracts with Indians.
(e) Processing personal data for company mergers, arrangements, reconstructions, or transfers
approved by competent authorities.
(f) Processing personal data to ascertain financial information of loan defaulters, in
compliance with relevant laws.
The central government may, by notification, exempt certain activities from the application of
the Bill. These include:
(i) for the protection of India's interests in sovereignty, integrity,
security, foreign relations, public order, and prevention of incitement to any offense; with the
Central Government processing personal data provided by such authorized State
instrumentality.
(ii) for research, archiving, or statistical purposes, as long as the personal data isn't used for
making specific decisions about a Data Principal, and the processing follows prescribed
standards.

• Data Protection Board of India

A Board named the Data Protection Board of India shall be established by the Central
Government for the purposes of this Act. The Board's headquarters are determined by
the Central Government. The Board consists of a Chairperson and other notified Members.

They shall possess special knowledge or experience in relevant fields like data governance,
administration, social or consumer protection, dispute resolution, information technology,
digital economy, law, regulation, techno-regulation, or any other field deemed useful by the
Central Government. Additionally, at least one Member will be a legal expert.
The Chairperson and other Members serve a two-year term and can be reappointed. A person
will be disqualified for being appointed or continued as the Chairperson or a Member if they:
(a) are insolvent; (b) have been convicted of an offense involving moral turpitude, according
to the Central Government's opinion; (c) are physically or mentally incapable of acting as a
Member; (d) have acquired a financial or other interest that could negatively affect their role
as a Member; or (e) have abused their position, making it detrimental to public interest.

The Chairperson has the power to: (i) oversee and direct all administrative matters of the
Board, (ii) authorize officers to review any communication with the Board, and (iii) delegate
Board functions and proceedings to individual Members or groups of Members as necessary.

Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii)
directing data fiduciaries to take necessary measures in the event of a data breach, and (iii)
hearing grievances made by affected persons. Board members will be appointed for two years
and will be eligible for re-appointment. The central government will prescribe details such as
the number of members of the Board and the selection process. Appeals against the decisions
of the Board will lie with TDSAT.

• Penalties

The schedule to the Act specifies penalties for various offences:


(i) Breach in observing the obligation of Data Fiduciary to take reasonable security
safeguards to prevent personal data breach, may extend to two hundred and fifty crore rupees.
(ii) Breach in observing the obligation to give the Board or affected Data Principal notice of a
personal data breach, may extend to two hundred crore rupees.
(iii) Breach in observance of additional obligations in relation to children, may extend to two
hundred crore rupees.

Key issues

• Personal data processing by the State has been given several exemptions under the
Act. As per Article 12 of the Constitution, the State includes: (i) central government,
(ii) state government, (iii) local bodies, and (iv) authorities and companies set up by
the government. There may be certain issues with such exemptions.

• The enactment of the DPDP Act in India deviates from the original vision of what the
law could have been. The Right to Privacy judgment, which was passed by the
Supreme Court of India in 2017, recognized the right to privacy as a fundamental
right. The judgment also called for the enactment of a comprehensive law to protect
the privacy of individuals.
• The DPDP Act, which was passed in 2022, does not fully meet the expectations that
were raised by the Right to Privacy judgment. The Act does not explicitly define the
right to privacy, and it does not give individuals the right to sue organizations that
violate their privacy.
• The DPDP Act has also been criticized for being too complex and for giving too
much power to the government. The Act allows the government to exempt certain
organizations from its provisions, and it gives the government the power to access
personal data without a warrant.
• Despite these criticisms, the DPDP Act is a significant step forward in protecting the
privacy of individuals in India. The Act provides a framework for organizations to
collect and process personal data, and it gives individuals certain rights in relation to
their personal data. The Act is still relatively new, and it is possible that it will be
amended in the future to address some of the concerns that have been raised.
• The Act does not regulate risks of harms arising out of processing of personal data.
The Srikrishna Committee (2018) had observed that harm is a possible consequence
of personal data processing. Harm may include material losses such as financial loss
and loss of access to benefits or services. It may also include identity theft, loss of
reputation, discrimination, and unreasonable surveillance and profiling. It had
recommended that harms should be regulated under a data protection law.
• The Act overrides consent of an individual where the State processes personal data for
provision of benefit, service, license, permit, or certificate. It specifically allows use
of data processed for one of these purposes for another. It also allows use of personal
data already available with the State for any of these purposes. Hence, it removes
purpose limitation, which is one of the key principles for protection of privacy.

Here are some of the key differences between the original vision of the law and the
actual DPDP Act:

1. The original vision of the law was to create a comprehensive law that would
protect the privacy of individuals in all aspects of their lives. The DPDP Act, on
the other hand, only applies to the processing of personal data by organizations.
2. The original vision of the law was to give individuals strong rights to control their
personal data. The DPDP Act, on the other hand, gives individuals some rights,
but these rights are not as strong as they could be.
3. The original vision of the law was to create an independent data protection
authority that would be responsible for enforcing the law. The DPDP Act, on the
other hand, gives the power to enforce the law to the government.
