UNDERSTANDING INDIA’S NEW PROTECTION LAW

The Digital Personal Data Protection Act, 2023 (the DPDP Act) legislates the protection and regulation of individuals' personal data, with the dual purpose of protecting that data and permitting its processing by lawful means for lawful purposes, and addresses matters connected with or incidental to the processing of digital personal data.
Evolution of the Act
In the K.S. Puttaswamy judgment of 2017, the Hon'ble Supreme Court held that the 'Right to Privacy' is a fundamental right of the citizens of India, which laid the stepping stone for the legal protection of individuals' data. To give effect to the Hon'ble Court's precedent, the Central Government in July 2017 constituted a committee, chaired by Justice B.N. Srikrishna, to address data protection issues and draft legislation on the subject. In August 2023, the Central Government passed the DPDP Act and brought it into effect.
Applicability of the Act
Under Section 3, the Act applies to the processing of digital personal data, whether collected by digital or non-digital means, within the territory of India and, as prescribed, outside it. The key stakeholders it defines are:
- Data Fiduciary: any person(s) that determine the purpose and means of personal data processing;
- Data Principal: the individual to whom the personal data relates; where that individual is a child or a person with a disability, the term refers to the parent or lawful guardian respectively;
- Data Processor: any person who processes personal data on behalf of the Fiduciary;
- Data Protection Officer: an individual appointed by the Fiduciary for data protection.
Mandate of the Act
Chapter 2 of the Act rests on the principle of consent: every Data Fiduciary that wishes to collect or use a Data Principal's personal data, whether for its own benefit or the Principal's, must request the Principal's consent before obtaining that data. The request must include the following:
- the personal data and the purpose for which the same is proposed to be processed;
- how the individual may exercise her rights under the Act;
- how the Data Principal may make a complaint to the Data Protection Board of India under the Act.
Nature of the Mandated Consent
Section 6 of the Act provides that the Data Principal's consent must be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, and must signify agreement to the request made. The Principal may withdraw that consent at any time on their own accord, including through a Consent Manager. The Fiduciary may use an individual's personal data only by the legitimate means of use provided in the Act.
Rights and Duties of Data Principals
The Data Principal has the right:
- to obtain information regarding their data, including its use, the Fiduciaries it is shared with and any related processing activities;
- to correct, complete, update and erase data for the processing of which they have previously given consent;
- to have readily available means of grievance redressal provided by the Fiduciary or Consent Manager in respect of any act or omission of such Fiduciary or Consent Manager;
- to nominate any other individual who shall, in the event of the Principal's death or incapacity, exercise their rights under the Act.
The Data Principal must in turn comply with the duties set out in the Act, namely:
- compliance with the provisions of the Act;
- prevention of impersonation of any other individual in providing personal data;
- prevention of concealment of any material fact in providing personal data;
- providing verifiable and authentic information.
Obligations of Data Fiduciaries
- to comply, and be responsible for compliance, with the provisions of the Act in its use of the Principal's data;
- may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to the offering of goods or services to Data Principals, but only under a valid contract;
- to ensure the completeness, accuracy and consistency of the Principal's data and of its processing;
- protect personal data in its possession or under its control, including in respect of any processing undertaken;
- in the event of a personal data breach, to give the Board and each affected Data Principal intimation of the breach;
- may erase the personal data upon withdrawal of the Principal's consent, and once it is reasonable to assume that the data no longer serves any further purpose.
Data Protection Board of India
The Data Protection Board of India (hereinafter the 'Board') is mandated to adjudicate disputes in which a personal data breach affecting a Principal has occurred, including breaches observed by any Data Fiduciary or Consent Manager, and any other related dispute covered by the Act. Directions issued by the Board in accordance with the procedures laid down in the Act are binding on the person to whom they are addressed.
Any appeal against a decision of the Board shall be made to the Appellate Tribunal within sixty days from the date of receipt of the order or direction appealed against, subject to the provisions of the Act.
Penalties
In determining the amount of a monetary penalty, the Board shall have regard to the following matters:
- the nature, gravity, and duration of the breach;
- the type and nature of the personal data affected by the breach;
- the repetitive nature of the breach;
- whether the person, as a result of the breach, has realized a gain or avoided any loss;
- whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
- whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and
- the likely impact of the imposition of the monetary penalty on the person.
The penalties that the Board may impose under the Act range from ten thousand rupees to two hundred and fifty crore rupees, as provided in Schedule 1 of the DPDP Act, 2023.