Digital Personal Data Protection Act (DPDP) 2023:


The Digital Personal Data Protection Act (DPDP) 2023 is India’s first comprehensive law on data protection, designed to govern the processing of digital personal data within India. The Act recognizes individuals’ rights to protect their personal data and the need to process data lawfully. It was passed by both houses of Parliament and received Presidential assent, becoming law.

Key Features of the DPDP Act 2023:

  • Applicability:
    • Applies to the processing of digital personal data within India when the data is collected online or offline and later digitized.
    • Also applies to processing personal data outside India if it involves offering goods or services to individuals (data principals) within India.
  • Core Principles:
    • Lawful Purpose: Personal data can only be processed for a lawful purpose after obtaining consent from the individual.
    • Consent: Requires a notice before seeking consent, detailing the data to be collected and the purpose of processing; individuals can withdraw consent at any time. Consent is not required for “legitimate uses” like voluntary data provision, government services, medical emergencies, and employment. For individuals under 18, consent must be provided by a parent or legal guardian.
    • Data Accuracy: Data fiduciaries must ensure the accuracy and completeness of data.
    • Data Security: Reasonable security safeguards must be in place to prevent data breaches.
    • Storage Limitation: Personal data must be erased once its purpose has been met and retention is no longer necessary for legal purposes.
  • Rights of Data Principals (Individuals):
    • Right to obtain information about the processing of their data.
    • Right to seek correction and erasure of personal data.
    • Right to nominate another person to exercise rights in case of death or incapacity.
    • Right to grievance redressal.
  • Obligations of Data Fiduciaries (Organizations):
    • Provide notice before collecting personal data.
    • Obtain consent for processing data.
    • Ensure data accuracy and security.
    • Report data breaches to the Data Protection Board of India and affected individuals.
    • Erase personal data when it is no longer needed.
  • Data Protection Board of India:
    • Established by the central government to monitor compliance and impose penalties.
    • Directs data fiduciaries to take necessary measures in case of a data breach.
    • Hears and resolves grievances from affected individuals.
  • Penalties:
    • Non-compliance can result in penalties of up to ₹250 crore.
    • ₹200 crore for non-fulfilment of obligations for children.
    • ₹10,000 penalty for data principals who file false or frivolous complaints.
  • Data Transfers Outside India:
    • Allows the transfer of personal data outside India, except to countries restricted by the central government through notification.
  • Exemptions:
    • The government can exempt its agencies from the Act’s provisions in the interest of national security, public order, and prevention of offenses.
    • Rights and obligations do not apply in cases such as prevention and investigation of offenses, and enforcement of legal rights or claims.
  • Impacted Sectors:
    • Expected to impact legal, IT, HR, sales and marketing, procurement, finance, and information security departments.

Key Issues and Analysis:

  • Exemptions for the State: Broad exemptions for government agencies raise concerns about potential privacy violations.
  • Harms from Processing: The Act does not regulate risks of harms arising from the processing of personal data.
  • Omission of Key Rights: The Act does not include the rights to data portability and the right to be forgotten, which were present in earlier drafts.
  • Board Independence: Shorter terms for Data Protection Board members may impact the independence of the board.
  • Children’s Data: Requires verifiable parental consent for processing children’s data and prohibits processing that is detrimental to a child’s well-being.

The DPDP Act 2023 is a significant step towards creating a data protection framework in India, balancing the rights of individuals with the needs of businesses and the government.
