The Digital Personal Data Protection Bill 2023 is a landmark piece of legislation that aims to give individuals greater control over their personal data and to ensure that businesses and organizations handle this data responsibly. In this article, we will explore the key provisions of the bill and its potential impact on data privacy in the digital landscape.
Digital Personal Data Protection Act
A significant change in data privacy management in India has been made with the introduction of the “Digital Personal Data Protection Bill 2023”. The two major changes that stand out are the idea of deemed consent and the strengthened right to withdraw consent. These changes are prompting discussions about corporate data collection practices and about how employees view their data rights.
“Deemed consent” is a concept introduced in the Digital Personal Data Protection Bill (2022), which suggests that individuals’ silence or inaction could be deemed consent.
There has been a significant shift away from the deemed consent concept in section 7 of the Digital Personal Data Protection Bill (2023). Section 7 now focuses on “certain legitimate uses”, which include the processing of personal data for specified purposes by the State and its instrumentalities.
Under section 7 of the DPDP, data principals may allow their personal data to be processed for the specified purpose for which they voluntarily provided it, unless they explicitly withheld their consent. For instance, in the context of new employment, data collected about an employee’s immediate employment could fall under legitimate use, as long as it aligns with the purpose for which the data principal provided the information. Consent is not required unless the company intends to process the data for a purpose other than the data principal’s employment.
As a relatively new concept, ‘certain legitimate use’ has not yet been tested. How organizations interpret and apply it in practice will be interesting to observe. Some organizations may adopt a cautious approach, relying on legitimate use only in limited circumstances, while others might use it more expansively. Courts may also clarify ‘certain legitimate use’ in specific cases, providing organizations with additional guidance.
Highlights of the DPDPA
Some of the major highlights of the DPDPA are as follows:
- The scope of the legislation covers only digitized personal information and excludes personal data that is made publicly available by the Data Principal.
- Situations which were earlier named as deemed consent have been categorically permitted as “certain legitimate uses”.
- Cross-border transfers are now permitted by default, except for transfers the central government explicitly restricts.
- Data Processors must sign a valid contract and comply with all obligations, including data deletion, when onboarded.
- If the Data Principal does not use the services for which consent was provided within the prescribed time period, the consent may expire.
- For five years from the commencement of the DPDPA, the central government has the power to exempt a Data Fiduciary or a class of Data Fiduciaries.
- Consent managers are required to be registered with the Data Protection Board and are liable to Data Principals for enforcement of Data Principal rights.
Key Stakeholders Defined in the DPDPA
The key stakeholders defined in the DPDPA are:
- Data Principals: Individuals within the territory of India whose personal data is being processed.
- Data Fiduciary: Organisations that act as Data Fiduciaries decide what kinds of data to collect, how to collect them, and for what purposes they should be used.
- Significant Data Fiduciary: A significant data fiduciary is defined by the government as an organization that processes a large amount of sensitive data.
- Data Processors: Data processors are organizations that process data on behalf of Data Fiduciaries, based on their instructions.
- Consent Manager: Consent Managers would assist Data Principals and Data Fiduciaries to give, manage, review, and withdraw consent.
The DPDPA imposes penalties for non-compliance on Data Principals, Data Fiduciaries, Significant Data Fiduciaries, and Consent Managers.
The legislation has adopted a layered penalty mechanism, in which severe violations leading to data breaches attract the highest penalty of INR 250 crores. A fine of Rs. 10,000 may also be imposed on Data Principals who violate their duties as defined in the Act.
How to Prepare for DPDPA Privacy Compliance?
Let’s take a look at the five steps that privacy professionals can undertake to construct a proactive compliance roadmap, emphasizing the operational aspects that are both resource-intensive and reliant on technology.
Determine Applicability
The Act is limited to digital personal data, covering information collected in digital form or digitized from offline sources. Privacy professionals must determine applicability by establishing whether the organization processes digital personal data, within or outside India, in connection with offering goods or services to Indian data principals.
Exemptions exclude personal or domestic data processing by individuals and situations where data is publicly disclosed or legally obligated to be disclosed. If the organization handles digital personal data under specified conditions, compliance with the Act is mandatory.
Notably, understanding the exemptions requires careful analysis, given the broad exclusions for government entities and the possibility that the central government will add exemptions for specific classes of data fiduciaries, such as startups.
Build a Data Inventory and Data Map
To achieve effective privacy compliance, robust data governance must be established. The Act contains no explicit requirement for a data inventory or data map, but privacy professionals should know what data is processed, where it is stored, how it is processed, and how data processors interact with it.
Key obligations, such as ensuring data accuracy, facilitating data principal rights, enforcing data erasure, and providing transparent processing notices, rely on a comprehensive data inventory.
Crafting a tailored data inventory involves various approaches, from manual interviews to automated solutions like code scanning or machine learning. Choosing the most suitable method should be guided by factors such as data complexity, volume, resources, executive backing, and scalability.
Set Up a Consent Mechanism
To comply with consent requirements under the Act, organizations must follow these steps:
- Examine data maps to identify consent-dependent processing activities.
- Define when and where consent is necessary.
- Publish data protection officer contact details and an explanation of the consent process.
- Develop processes for obtaining verifiable consent from parents of minors and guardians of individuals with disabilities.
- Set up a privacy preference center or dedicated email address for consent withdrawal.
- Track and synchronize consent across systems for timely cessation of in-scope data processing post-revocation.
- For proof of compliance, keep consent logs, including data principal identifiers, consent timestamps, methods, and versions of consent notices.
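The consent log and the post-revocation cessation described in the steps above can be modelled as an append-only ledger with a purpose-bound gate in front of every processing job. The following Python sketch is an added example, not code from the article or from any consent-manager product; the field names, the pseudonymous `principal_id`, the `"web-form"`/`"in-app"`/`"email"` method labels and the in-memory storage are all assumptions chosen for illustration. Withdrawals are recorded as new entries rather than deletions, so the history needed for proof of compliance survives, and `is_permitted` answers the question a downstream system has to ask before touching the data: is the latest decision for this exact purpose a grant?

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger entry: a grant or a withdrawal for a single purpose."""
    principal_id: str      # pseudonymous Data Principal identifier (assumed scheme)
    purpose: str           # the specified purpose this consent covers
    action: str            # "grant" or "withdraw"
    timestamp: datetime    # when the event was recorded (timezone-aware UTC)
    method: str            # channel used, e.g. "web-form", "in-app", "email" (assumed labels)
    notice_version: str    # version of the consent notice shown at the time


class ConsentLedger:
    """Append-only consent log with a purpose-bound gate for processing systems."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def grant(self, principal_id: str, purpose: str, method: str,
              notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Record that consent was given for one purpose under one notice version."""
        ev = ConsentEvent(principal_id=principal_id, purpose=purpose, action="grant",
                          timestamp=at or self._now(), method=method,
                          notice_version=notice_version)
        self._events.append(ev)
        return ev

    def withdraw(self, principal_id: str, purpose: str, method: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Record a withdrawal; earlier grants stay in the log as evidence."""
        latest = self._latest(principal_id, purpose, at or self._now())
        version = latest.notice_version if latest else ""
        ev = ConsentEvent(principal_id=principal_id, purpose=purpose, action="withdraw",
                          timestamp=at or self._now(), method=method,
                          notice_version=version)
        self._events.append(ev)
        return ev

    def _latest(self, principal_id: str, purpose: str,
                at: datetime) -> Optional[ConsentEvent]:
        """Most recent event for (principal, purpose) recorded at or before `at`.
        Ties on timestamp are broken by ledger order, so a withdrawal logged
        after a grant with the same timestamp wins."""
        best: Optional[tuple[ConsentEvent, int]] = None
        for idx, e in enumerate(self._events):
            if (e.principal_id == principal_id and e.purpose == purpose
                    and e.timestamp <= at):
                if best is None or (e.timestamp, idx) >= (best[0].timestamp, best[1]):
                    best = (e, idx)
        return best[0] if best else None

    def is_permitted(self, principal_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """Gate for processing jobs: True only if the latest decision for this
        exact purpose is a grant. Consent for one purpose never covers another."""
        latest = self._latest(principal_id, purpose, at or self._now())
        return latest is not None and latest.action == "grant"

    def purposes_to_halt(self, principal_id: str,
                         at: Optional[datetime] = None) -> set[str]:
        """Purposes whose in-scope processing must stop for this principal:
        what a sync job pushes to every downstream system after a revocation."""
        when = at or self._now()
        purposes = {e.purpose for e in self._events if e.principal_id == principal_id}
        return {p for p in purposes if not self.is_permitted(principal_id, p, when)}

    def history(self, principal_id: str) -> list[ConsentEvent]:
        """Full audit trail for one principal, in ledger order."""
        return [e for e in self._events if e.principal_id == principal_id]


def demo() -> dict[str, object]:
    """Constructed walk-through: grant for payroll, then withdrawal a month later."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamps
    t1 = datetime(2024, 2, 1, tzinfo=timezone.utc)
    ledger.grant("dp-001", "payroll", method="in-app", notice_version="v1.0", at=t0)
    before = ledger.is_permitted("dp-001", "payroll", at=t1)
    other_purpose = ledger.is_permitted("dp-001", "marketing", at=t1)
    ledger.withdraw("dp-001", "payroll", method="email", at=t1)
    return {
        "permitted_before_withdrawal": before,        # True
        "marketing_never_consented": other_purpose,   # False: purpose limitation
        "permitted_after_withdrawal": ledger.is_permitted("dp-001", "payroll", at=t1),
        "halt": ledger.purposes_to_halt("dp-001", at=t1),
        "entries": len(ledger.history("dp-001")),     # both events retained
    }


if __name__ == "__main__":
    print(demo())
```

The point-in-time `at` parameter lets an auditor ask what the organization was entitled to do on a given date, which is the question a regulator asks after a complaint; in a real deployment the ledger would be persisted to durable, tamper-evident storage and the `purposes_to_halt` result fed to every system holding the data.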
Enable Data Principal Rights
According to the Act, organizations must develop procedures that preserve users’ rights to access, correct and erase their data, to raise grievances, and to nominate another person to exercise these rights on their behalf. Privacy professionals can initiate this by:
- Utilizing data maps to discern in-scope data.
- Formulating a privacy rights intake system, logging requests via web forms, in-app preference centers, or dedicated email addresses.
- Enforcing identity verification for requesters, considering minors, guardians, and nominees.
- Deciding on manual, automated, or hybrid rights fulfillment methods.
- Establishing procedures to transmit correction and erasure requests to data processors.
Implement Technical and Organizational Measures
- Initiate a comprehensive security and privacy training program for employees and contractors managing personal information.
- Develop standard operating procedures outlining precise requirements for handling personal data.
- Disseminate internal policies on security and privacy, integrating acknowledgment into employee onboarding or periodic training sessions by human resources.
- Utilize anonymization techniques to de-identify personal data effectively.
- Enforce robust access controls for personal data.
- Ensure secure configurations of devices and software handling personal data are established and maintained.
Positive Aspects of the DPDPA
Some of the major positive aspects of the DPDPA are:
- Boosts growth and innovation: The DPDPA has a significant effect on the business sector and was inevitable considering the speed of digitization in India.
- Distributed liability for organizations: The DPDPA allows both the Data Fiduciary and Consent Managers to be held liable before the Board when they fail to carry out their respective responsibilities.
- Effective data processor governance: It requires Data Fiduciaries to engage Data Processors only under an agreement. This can help Data Fiduciaries plan their risk appetite and set-off risk with obligations which are shared responsibilities with the data processor.
- Ease in implementation: The DPDPA suggests a gradual implementation, allowing organizations to strategically plan and minimize resources needed to comply with its provisions.
Some other positive aspects include empowering data principals, increased accountability, and relaxed cross-border transfer.
Potential Challenges in Implementation of DPDPA
Like any Act, the DPDPA too has its own set of implementation challenges. Here are some of the more critical ones.
Data processing under contractual obligations: Moving away from deemed consent, the law now requires Data Fiduciaries to process personal data only on the basis of consent or certain legitimate uses.
Limitations on data principal rights: The rights of data principals with respect to access, correction, and erasure do not apply when data is processed for legitimate uses, except where the data principal voluntarily provided their personal data.
Exemption on classes of data fiduciary: The central government can exempt a data fiduciary or a class of data fiduciaries from certain obligations under the DPDPA. However, the rationale behind such exemption is unclear.
As a result of the Digital Personal Data Protection Bill, India’s data privacy landscape is poised for a significant shift, emphasizing how proactive compliance efforts are necessary. Developing robust data inventories and mapping initiatives or understanding nuanced concepts such as “deemed consent” can be challenging for organizations.
All of these factors emphasize the comprehensive nature of compliance strategies, including consent requirements, identity verification, and phased implementation.
An integrated approach to data protection encompasses both technical and organizational measures as well as training and awareness programs.
Personal data safeguarding remains paramount to ensuring a responsible and compliant digital future as organizations adapt, evolve, and rigorously align with these regulations.