The Digital Personal Data Protection Act, 2023 (“DPDP Act”) is a new law in India that regulates the processing of personal data. This FAQ provides a brief overview of the DPDP Act, including its key definitions, the rights and duties of data principals and data fiduciaries, and the penalties for violating the Act.
- What is the Digital Personal Data Protection Act, 2023?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is a new law in India that regulates the processing of personal data. It was passed by the Indian Parliament on August 7, 2023, and came into force on August 11, 2023.
- Is the DPDP Act in force?
The DPDP Act came into force on August 11, 2023. However, the Central Government has not yet notified the date on which the different provisions of the Act will come into force.
- What is Personal Data?
Personal data is any information that can be used to identify an individual, directly or indirectly. This includes information such as name, address, email address, phone number, date of birth, and any other unique identifier.
- Who is covered by the DPDP Act?
The DPDP Act applies to the processing of personal data by data fiduciaries in India.
- Who is a Data Principal?
Data Principal means the individual to whom the personal data relates.
- Who is a Data Fiduciary?
Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
- What are the rights of Data Principals?
Data Principals have the following rights under the DPDP Act:
- The right to be informed about the processing of their personal data.
- The right to access their personal data.
- The right to correct their personal data.
- The right to delete their personal data.
- The right to restrict the processing of their personal data.
- The right to object to the processing of their personal data.
- The right to data portability.
- The right to file a complaint with the Data Protection Authority.
- What are the duties of Data Fiduciaries?
Data Fiduciaries have the following duties under the DPDP Act:
- To obtain the consent of data principals for the processing of their personal data.
- To collect personal data only for specified, explicit, and legitimate purposes.
- To keep personal data accurate and up-to-date.
- To take reasonable security measures to protect personal data from unauthorized access, use, disclosure, or destruction.
- To delete personal data upon the request of the data principal or when it is no longer necessary for the purposes for which it was collected.
- To comply with the other provisions of the DPDP Act.
Illustrations:
- X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening a bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with notice to X, describing the personal data and the purpose of its processing.
- X, an individual, gave her consent to the processing of her personal data for an online shopping app or website operated by Y, an e-commerce service provider, before the commencement of this Act. Upon commencement of the Act, Y shall, as soon as practicable, give through email, in-app notification or other effective method information to X, describing the personal data and the purpose of its processing.
- X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since the phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.
- X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives to Y her consent for (i) the processing of her personal data by Y for the purpose of issuing the policy, and (ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of the consent, relating to waiver of her right to file a complaint, shall be invalid.
- X, an individual, is the user of an online shopping app or website operated by Y, an e-commerce service provider. X consents to the processing of her personal data by Y for the purpose of fulfilling her supply order and places an order for supply of a good while making payment for the same. If X withdraws her consent, Y may stop enabling X to use the app or website for placing orders, but may not stop the processing for supply of the goods already ordered and paid for by X.
- X, a telecom service provider, enters into a contract with Y, a Data Processor, for emailing telephone bills to the customers of X. Z, a customer of X, who had earlier given her consent to X for the processing of her personal data for emailing of bills, downloads the mobile app of X and opts to receive bills only on the app. X shall itself cease, and shall cause Y to cease, the processing of the personal data of Z for emailing bills.
- X, a pregnant woman, enrols herself on an app or website to avail of the government’s maternity benefits programme, while consenting to provide her personal data for the purpose of availing of such benefits. The Government may process the personal data of X to determine her eligibility to receive any other prescribed benefit from the government.
- X, an individual, registers herself on an online marketplace operated by Y, an e-commerce service provider. X gives her consent to Y for the processing of her personal data for selling her used car. The online marketplace helps conclude the sale. Y shall no longer retain her personal data.
- X, an individual, decides to close her savings account with Y, a bank. Y is required by law applicable to banks to maintain the record of the identity of its clients for a period of ten years beyond closing of accounts. Since retention is necessary for compliance with law, Y shall retain X’s personal data for the said period.
- Who and what activities are exempt from the DPDP Act?
The DPDP Act does not apply to:
- Any personal data processed by an individual for any personal or domestic purpose; and
- Any personal data that is made publicly available by the Data Principal to whom such data relates or any other person who is under an obligation under any law to make such personal data publicly available.
- What are the penalties for violating the DPDP Act?
The penalties for violating the provisions of the DPDP Act are as follows:
- In case of breach of the obligation of a Data Fiduciary to implement reasonable security safeguards to prevent breach of personal data of a Data Principal, including breach of data at the time of processing of such data by the Data Fiduciary or by a Data Processor on behalf of the Data Fiduciary, such person or entity may be subject to a penalty of up to Rupees Two Hundred and Fifty Crores.
- In case of failure to intimate the Data Protection Board of India or the affected Data Principal of a personal data breach, such person or entity may be subject to a penalty of up to Rupees Two Hundred Crores.
- In case of breach of obligations in relation to children under Section 9, such person or entity may be subject to a penalty of up to Rupees Two Hundred Crores.
- In case of breach of the obligations of a Significant Data Fiduciary under Section 10, such person or entity may be subject to a penalty of up to Rupees One Hundred and Fifty Crores.
- In case of breach of the duties under Section 15, such person or entity may be subject to a penalty of up to Indian Rupees Ten Thousand.
- In case of breach of any of the provisions of the DPDP Act, such person or entity may be subject to a penalty of up to Rupees Fifty Crores.
For more information about the Digital Personal Data Protection Act, 2023 you may write to us at: solutions@bridgeheadlaw.com.
Karan Narvekar | Partner
Sunny Nirmal | Associate
Views expressed are personal to the authors and do not constitute legal advice.