INTRODUCTION

Against the backdrop of rapid commercialisation, digitalisation of information and the fungibility of personal data, balancing the rights of private citizens against commercial interests has been at the forefront of many debates. In its historic judgement[1], the Hon'ble Supreme Court recognised the right to privacy as a fundamental right.

The first legislation in India to address the personal data of citizens was the Information Technology Act, 2000, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. That framework has not been able to adequately address the newer and more nuanced issues of data privacy.

After multiple iterations of data protection bills, reports by eminent jurists and industry-wide consultation over more than half a decade, the Digital Personal Data Protection Act, 2023 ("Act") has been passed by both Houses of Parliament and received the President's assent on 11 August 2023.

KEY FEATURES OF THE ACT

1. Commencement

Section 1(2) of the Act provides that the Central Government will, by notification, appoint different dates for different provisions to come into force. The Act also leaves significant detail to rules to be prescribed for the implementation of its various sections. It appears that, for a "smooth transition", the Central Government may notify each set of sections together with the rules relevant to them.

2. Applicability

The Act applies to (a) the processing of personal data[2] within the territory of India, where the data is collected in digital form or is collected in non-digital form and digitised subsequently; and (b) the processing of digital personal data outside the territory of India, where such processing is in connection with any activity related to offering goods or services to data principals within India.

The Act further clarifies that it does not apply to (a) personal data processed by an individual for personal or domestic purposes, or (b) personal data that is made publicly available by the data principal[3] or by any other person under a legal obligation to do so.

It follows that personal data which exists only in non-digital form, and is never digitised, falls outside the protection of the Act.

3. Processing of personal data

The Act provides that personal data may be processed by a data fiduciary[4] only for a lawful purpose, and either with the consent of the data principal or for certain legitimate uses.

(a) Consent Requirements:

One of the two permitted bases for processing personal data is the consent of the data principal. In the case of a child or a person with disability, the parent or lawful guardian acting on their behalf is treated as the data principal.

The Act specifies that consent given by the data principal must be (a) free; (b) specific; (c) informed; (d) unconditional; and (e) unambiguous, given by a clear affirmative action. The consent must signify agreement to the processing of personal data for the specified purpose, and be limited to such personal data as is necessary for that purpose.

A request for consent by a data fiduciary must be accompanied or preceded by a notice informing the data principal, inter alia, of the personal data sought and the purpose of its processing, the manner in which consent may be withdrawn and the grievance redressal mechanism available. In other words, the entire mechanism and intended use of the personal data must be disclosed to the data principal at the outset.

To aid understanding, the Act requires the notice and the request for consent to be in clear and plain language, with the data principal given the option of reading them in English or in any language specified in the Eighth Schedule to the Constitution.

A critical element of consent is the data principal's right to withdraw it, and the ease of withdrawing consent must be comparable to the ease of giving it. Ensuring this will be a systemic challenge for data fiduciaries. Where the information has been obtained to meet KYC or other legal obligations, the question that arises is whether such processing falls within the exceptions contemplated under the Act.

On withdrawal of consent, the data fiduciary must, 'within a reasonable time', cease (and cause its data processors to cease) processing the personal data, unless processing without consent is required or authorised under the Act, the rules made under it or any other law in force. For the sake of good order, the Act clarifies that processing carried out before the withdrawal remains lawful; withdrawal does not operate retrospectively.

For the protection of the data principal, the Act introduces the concept of a consent manager: a person registered with the Data Protection Board of India ("Board") who acts as a single point of contact enabling the data principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform.

The absence of a definite timeline for ceasing processing after a withdrawal of consent is a concern and is open to abuse unless clarified in the rules.

(b) Legitimate Uses:

The Act permits data fiduciaries to process personal data without consent for certain identified 'legitimate uses', which inter alia include:

  1. processing for the purposes of employment, or for safeguarding the employer from loss or liability, such as the prevention of corporate espionage, the maintenance of confidentiality of trade secrets, intellectual property or classified information, or the provision of any service or benefit sought by an employee;
  2. responding to a medical emergency;
  3. processing by the State or any of its instrumentalities in the performance of a function under any law, or in the interest of the sovereignty and integrity of India or the security of the State; or
  4. compliance with any judgement, decree or order.

The language of the 'legitimate use' grounds is extremely broad and leaves the State wide latitude to interpret them expansively, and perhaps even lopsidedly. While balancing the requirements of the private sector against individual liberty is paramount, the apprehension remains as to whether these grounds will be applied fairly.

4. Right to erasure & other obligations of the data fiduciary

The Act obliges the data fiduciary to erase personal data (and to cause its data processors to erase it) on the earlier of the data principal withdrawing consent or the point at which it is reasonable to assume that the specified purpose[5] is no longer being served. The exception is that the data fiduciary may retain the data where retention is necessary for compliance with any law in force.

The uncertainty in the phrase 'specified purpose is no longer being served' is compounded where the data principal neither approaches the data fiduciary for the performance of the specified purpose nor exercises any right in relation to it: it is unclear at what point the fiduciary must treat the purpose as spent.

Apart from the above, the data fiduciary is obliged to ensure that personal data used to make a decision affecting the data principal is complete, accurate and consistent; to implement reasonable security safeguards to prevent a personal data breach; to notify the Board and each affected data principal in the event of a personal data breach; and to put in place a grievance redressal mechanism. Notably, the Act defines a personal data breach to include any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises its confidentiality, integrity or availability.

5. Rights and duties of the data principals

Data principals retain control over the data they have shared, including the right to access information about the personal data processed by a data fiduciary, the right to correction and erasure, the right to grievance redressal and the right to nominate another individual to exercise these rights on their behalf in the event of death or incapacity. These rights now have an express statutory footing.

Certain duties are also cast upon data principals, such as not impersonating another person, not suppressing material information, not registering false or frivolous grievances, and furnishing only verifiably authentic information when exercising the right to correction or erasure.

6. Data Localisation

Presently, the RBI has guidelines in place requiring certain RBI-regulated entities to store payment system data locally. The Act expressly preserves any existing law that provides a higher degree of protection for, or restriction on the transfer of, personal data, so these requirements continue to apply alongside the Act.

The Act gives the Central Government wide power to restrict, by notification, the transfer of personal data by data fiduciaries to any country or territory outside India.

Several spokespersons of the Central Government have, in various forums, voiced concern over the unregulated bulk transfer (and occasional leakage) of the personal data of Indian citizens.

7. Significant Data Fiduciaries

The Act introduces the concept of a significant data fiduciary, which is defined only as a data fiduciary or class of data fiduciaries notified as such by the Central Government; the Act lays down no objective threshold. The factors to be considered in making such a notification include the volume and sensitivity of the personal data processed, the risk to the rights of data principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State and public order.

A significant data fiduciary is subject to enhanced obligations, such as appointing a data protection officer based in India who is answerable to its board of directors, appointing an independent data auditor, and undertaking periodic data protection impact assessments and periodic audits.

8. Exemptions

Certain provisions of the Act do not apply in identified scenarios, such as processing necessary to enforce a legal right or claim, processing by a court, tribunal or other body entrusted by law with a judicial, quasi-judicial, regulatory or supervisory function, and processing to ascertain the financial information and assets of a person who has defaulted on a loan from a bank or financial institution.

The Central Government may, by notification, exempt instrumentalities of the State from the provisions of the Act in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or the maintenance of public order, and may similarly exempt processing necessary for research, archiving or statistical purposes.

The Central Government also has the power, within 5 (five) years of the commencement of the Act, to exempt any data fiduciary or class of data fiduciaries from any provision of the Act for such period as it may deem fit.

The exemptions are drafted broadly and appear to give the State near-unlimited latitude to process personal data without adhering to the core principles of data privacy.

9. Data Protection Board and its powers

The Act constitutes the Board as a quasi-judicial body whose members are drawn from fields such as data governance, administration, law, regulation and technology, with at least 1 (one) member required to be an expert in law.

The Board is primarily responsible for directing remedial measures and inquiring into any personal data breach notified to it by a data fiduciary, for inquiring into complaints made by data principals or references made by the Central or a State Government, and for imposing penalties where a breach of the Act is established.

An appeal from a decision of the Board lies to the Telecom Disputes Settlement and Appellate Tribunal established under the Telecom Regulatory Authority of India Act, 1997.

Monetary penalties under the Schedule to the Act may extend to a maximum of INR 250 crore (INR 2.5 billion) per instance, the highest band being reserved for failure to implement reasonable security safeguards to prevent a personal data breach. The Act also provides for the Board to accept a voluntary undertaking from the party alleged to be in breach at any stage of the proceedings.

On a reference from the Board, and where the Board has imposed monetary penalties on a data fiduciary in two or more instances, the Central Government may, in the interest of the general public, block public access to any information generated, transmitted, received, stored or hosted by that data fiduciary.

CONCLUSION

While the Act is a welcome step in the right direction, the devil is always in the details. The rules will, to a large extent, determine the steps each organisation must take to meet its obligations under the Act. Many processes and systems will need to be introduced or streamlined to meet those requirements, which could entail significant cost. A major cause of concern for both data principals and data fiduciaries will be the breadth of the exceptions built into the Act, which remain its "X" factor.

Footnotes

1. Justice K.S. Puttaswamy and Anr. v. Union of India (UOI), Writ Petition (Civil) No. 494 of 2012, (2017) 10 SCC 1.

2. 'Personal Data' means any data about an individual who is identifiable by or in relation to such data.

3. "Data Principal" means the individual to whom the personal data relates and where such individual is (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.

4. "Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

5. "Specified Purpose" means the purpose mentioned in the notice given by the data fiduciary to the data principal in accordance with the provisions of this Act and the rules made thereunder.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.