The DPDP ACT, 2024

The Digital Personal Data Protection Act, 2023, which received presidential assent on August 11, 2023, aims to protect citizens' privacy rights over personal data held in digital form (including data collected offline and later digitised), establishing obligations for data fiduciaries and introducing penalties for breaches. It rests on principles such as consent, purpose limitation, data minimisation and accountability, and applies beyond India's borders where the processing relates to offering goods or services to data principals in India. However, concerns have been raised regarding the government's discretionary powers, the Act's impact on the Right to Information, and the clarity of the provisions on "certain legitimate uses" of personal data.

Uploaded by Muskan Goyal

ACT ANALYSIS: THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

Q. What is the Digital Personal Data Protection Act, 2023 (DPDPA, 2023)?

The Digital Personal Data Protection Act received the President's assent on 11 August 2023. After remaining in limbo for about six years, it has now become law and is expected to uphold every citizen's fundamental right to data privacy, both in the physical and in the virtual realm. At its core, the Act focuses on the responsible processing of digital personal data, ensuring that individuals' rights are respected while enabling legitimate data use. It provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such data for lawful purposes and for matters connected therewith or incidental thereto. It is a significant development in how technology is governed: a first attempt to spell out to technology companies how users' rights must be protected, given the rate of change in the technology ecosystem. It establishes broad obligations, lays down precisely defined legal grounds for processing any personal data held in digital form, and imposes purpose limitation together with its corollary, a duty to erase the data once the purpose is served, leaving no apparent room for secondary uses of personal data.
The Act also tells businesses, including startups, how they must handle users' personal data and consent, and is expected to force businesses to respect users' privacy rights and control over their data. It introduces a system of safeguards and penalties to hold Data Fiduciaries accountable for breaches of data rights, duties and obligations.

Q. What are the basic principles of the DPDP Act?

The Act is based on the following seven principles:

 The principle of consented, lawful and transparent use of personal data;
 The principle of purpose limitation (use of personal data only
for the purpose specified at the time of obtaining consent of
the Data Principal);
 The principle of data minimisation (collection of only as much
personal data as is necessary to serve the specified purpose);
 The principle of data accuracy (ensuring data is correct and
updated);
 The principle of storage limitation (storing data only till it is
needed for the specified purpose);
 The principle of reasonable security safeguards; and
 The principle of accountability (through adjudication of data
breaches and breaches of the provisions of the act and
imposition of penalties for the breaches).

Q. What is the applicability and scope of the act?


The DPDP Act governs the processing of digital personal data within
India in two scenarios:
(i) when such data is collected from data principals in digital
format; or
(ii) when initially collected in non-digital form and subsequently
digitized. Thus, the DPDP Act shall not apply to processing of
personal data in non-digitised form.
Moreover, the scope of the law has been extended. It now has an
extra-territorial application, to encompass the processing of digital
personal data beyond India's borders if it pertains to the provision of
goods or services to data principals located within India. Digital
Personal Data as per the act means data either in digital form or
subsequently converted into that form.

Q. What are the key concepts of the act?


The legislation's fundamental precepts include strict requirements
for Data Fiduciaries, entities encompassing individuals, companies,
and government bodies engaged in data processing. These
obligations cover a range of data operations, from gathering to
storing, all the while upholding the rights and duties of Data
Principals, or the people to whom the data relates.

Personal data: Personal data refers to data by which an individual can be identified. Section 2(t) of the DPDP Act confines its coverage to the processing of 'personal data', defined as any data about an individual who is identifiable by or in relation to such data.

Data principal: A data principal is the natural person to whom the personal data relates. The term also covers the parent or lawful guardian of a child, and of a person with disability, to whom the personal data pertains.
Under the DPDP Act, certain rights of data principals may be
highlighted: (i) Right to Information about Personal Data; (ii) Right to
Correction and Erasure; (iii) Right of Grievance Redressal; and (iv)
Right to Nominate.
As such, data principals have the right to know a summary of the
personal data processed, the identities of entities with whom their
data has been shared, and the categories of personal data shared.
The Act also casts responsibility on the data principal to not
impersonate another person or suppress information when applying
for any document or proof from the state, and to provide only
authentic information while exercising their right to data erasure.

Data fiduciary: A data fiduciary is any person who, alone or together with others, determines the purpose and means of processing an individual's personal data.
The act provides for following obligations on the data fiduciary:
 To have security safeguards to prevent personal data breach;
 To intimate personal data breaches to the affected Data
Principal and the Data Protection Board;
 To erase personal data when it is no longer needed for the
specified purpose;
 To erase personal data upon withdrawal of consent;
 To have in place grievance redressal system and an officer to
respond to queries from Data Principals; and
 To fulfil certain additional obligations in respect of Data
Fiduciaries notified as Significant Data Fiduciaries, such as
appointing a data auditor and conducting periodic Data
Protection Impact Assessment to ensure higher degree of data
protection.

Data processor: A data processor is any person who processes personal data on behalf of a data fiduciary. The DPDP Act states that a fiduciary may engage, appoint, use or otherwise involve a processor to process personal data on its behalf "only under a valid contract". The Act prescribes no content for such a processing contract. All obligations under the Act are placed on data fiduciaries, which remain responsible for compliance regardless of any agreement to the contrary with their processors. When a data principal withdraws consent, the fiduciary must cause its processors to erase the data, and on request it must be able to tell the data principal which processors its data has been shared with.

Consent manager: A consent manager acts as an intermediary between the data principal and the data fiduciary.
Personal data breach: Under the Act, a personal data breach is any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises its confidentiality, integrity or availability. Where a data fiduciary entrusted with a data principal's personal data for a specified purpose processes it outside the scope of that consent, this too is an unauthorised processing and hence a breach.
In case of such a breach, the data principal may approach the Data Protection Board of India for a remedy.
Processing of Personal Data: The Act defines 'processing' as a wholly or partly automated operation, or set of operations, performed on digital personal data. This wide definition covers collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, and disclosure by transmission or otherwise, and extends to restriction, erasure and destruction of data. For processing the personal data of a child, the DPDP Act requires verifiable parental consent, although it does not define what makes consent 'verifiable'. The Central Government may exempt notified classes of data fiduciaries or purposes from this requirement, and may prescribe a lower age for processing it finds to be verifiably safe. In addition, data fiduciaries must not process personal data in a way that is likely to cause a detrimental effect on a child's well-being.
The transfer of personal data to countries outside India is also
permitted under the DPDP Act, unless explicitly restricted by the
Central Government.

Q. What does the DPDP Act say about consent, and what role does consent play in the processing of personal data?
In the simplest terms, consent is permission for something to happen or agreement to do something. Under the DPDP Act, consent is the primary legal basis for processing personal data, and the Act spells out both the qualitative and the technical attributes of valid consent. Qualitatively, consent must be free, specific, informed, unconditional and unambiguous. Technically, it must be given by a clear affirmative action of the data principal signifying agreement to the processing of personal data for the specified purpose, and limited to the personal data necessary for that purpose.
o Data fiduciaries may process personal data only for a lawful purpose and, where consent is the basis, only after obtaining consent that meets the above criteria. Consent given for a purpose is limited to the processing necessary for that purpose.
The request for consent must adhere to the following criteria:
 It must be presented in a clear and understandable
manner, providing the option to access the request in
English or any of the 22 languages listed in the Eighth
Schedule to the Indian Constitution.
 The request must include contact details for the data
protection officer or an authorized representative to
handle communications from the data principal.
 Additionally, a data fiduciary must provide a detailed
notice to the data principal either during or before
seeking consent. This notice should encompass several
key elements:
(i) Explanation of the personal data to be collected and the
purpose of its processing
(ii) Description of the data principal's rights, including
correction, withdrawal of consent, and the procedure for
filing complaints with the Board
(iii) Clarity on how a complaint can be lodged with the Board.
In cases where consent was given prior to the DPDP Act's
enactment, the data fiduciary must furnish such notice "as soon as it
is reasonably practicable." The notice must be presented in
straightforward language, through a separate document,
electronically, or in a manner as prescribed.

o The DPDP Act provides that data principals may give, manage, review or withdraw their consent through a 'consent manager'.
These consent managers, registered with the Board, facilitate
accessible, transparent, and interoperable platforms for
managing consent. However, the exact role and obligations of
consent managers remain unclear, including whether all data
fiduciaries are required to engage with them for seeking
consent and the mechanisms they employ for performing their
functions. Data principals also retain the right to withdraw
consent at any time. Such withdrawal does not impact the
legality of prior data processing based on consent. Upon
withdrawal, the data fiduciary and its processors must erase
and cease processing the personal data, unless retention is
required by applicable laws.
o Parental consent
It is also noteworthy that the DPDP Act introduces the concept
of 'consent of the parent,' which encompasses the consent of a
lawful guardian where applicable.

Q. What does the Act say about the Data Protection Board?
The data principal is to approach the Data Protection Board of India in case of any breach of personal data. Among the notable changes in the
DPDP Act, the most significant pertains to the establishment and
composition of the Board. The framework for the Board's
constitution is explicitly outlined. Additionally, the authority of the
Central Government to establish rules, as well as the specific
scenarios under which entities can be exempted from complying
with the act's provisions, have undergone significant alteration.

Q. Does the Act contain any clause for dispute resolution?
The DPDP Act brings a shift in dispute resolution, combining its own framework with established legal mechanisms.
A noteworthy feature is the power of the Board to impose monetary penalties as specified in the Schedule to the Act.
The appellate process also changes: appeals from the Board's decisions lie to the Telecom Disputes Settlement and Appellate Tribunal, and must be filed within a defined window of 60 days from the Board's order.

Q. What will happen to a platform if it has misused your data or breached provisions of the Act?
The Act provides for monetary penalties in case of breach. If the Data Protection Board determines that a data fiduciary has breached the provisions of the Act, it can impose a monetary penalty on the platform. The amount depends on the nature, gravity and duration of the breach, among other factors.
If a data fiduciary is adjudged to have breached its obligation to maintain reasonable security safeguards for personal data, the penalty can "extend to Rs 250 crore".
If a data fiduciary fails to notify the Board and affected data principals of a personal data breach, the platform may attract a penalty of up to Rs 200 crore. If a platform fails to observe the additional obligations in relation to children's data, it can also be fined up to Rs 200 crore.

Analysis of the act


Is the discretionary power given to the government under this Act an issue?
India may well need such legislation, but the flaws in this law cannot be ignored; it is a step forward, yet it raises important concerns that cannot be set aside. While the DPDP Act has been praised as a workable standalone data protection framework, not everything is as rosy as it seems. A key concern is that several provisions of the Act are left to be determined by the Central Government. Given that the government is itself the largest data repository, an effective data protection law should not grant it wide discretionary powers. This raises valid concerns about unchecked and arbitrary rule-making, which could lead to uncertainty and gaps in the regulatory framework.
Furthermore, for a law intended to protect the rights of data principals, it seems ironic that the DPDP Act also imposes duties on data principals.

Does the Act pose any threat to an individual's Right to Information?
While the new Digital Personal Data Protection Act seeks to establish a robust framework for protecting personal data in the digital realm, it has drawn criticism from some quarters over the broad exemptions granted to state entities and over provisions that dilute the landmark Right to Information law. It is crucial that the DPDP Act be interpreted in a clear and just manner so that it does not erode an individual's Right to Information. Because of the expanded personal information exemption, officials are expected to reject more RTI requests, which will limit access to important information. Activists and experts worry that the change will make information harder to obtain and reduce transparency. The National Campaign for People's Right to Information (NCPRI) expressed its disappointment with the Digital Personal Data Protection Bill, 2023, saying it proposed "regressive" amendments to the Right to Information (RTI) in the name of privacy. Personal information is now subject to a broad exemption under the new law, making it difficult to obtain even when it relates to public affairs or a larger public interest.

How does the idea of "certain legitimate uses" make a difference?
"Legitimate uses" are narrowly defined and do not include the legitimate interests or contractual necessity grounds familiar from other regimes such as the GDPR.
Since the concept of "certain legitimate uses" is new and untested, it remains to be seen how organisations interpret and apply it in practice. Some organisations may be cautious and rely on these grounds only in very specific situations, while others may read them more broadly, and this divergence can lead to confusion. It is also plausible that courts will have to decide what "certain legitimate uses" means in particular situations, which would clarify the term's implications for organisations but may add to the burden on the Indian judicial system.

As an alternative to consent, all other lawful grounds for processing personal data have been consolidated under the "legitimate uses" section, including some grounds that appeared under a "reasonable purposes" category in earlier iterations of the Bill. Among the defined "legitimate uses", the most relevant ones for processing personal data outside a government, emergency or public health context are the "voluntary sharing" of personal data under Section 7(a) and the "employment purposes" ground under Section 7(i). From the employee's perspective, the introduction of "legitimate use" together with the strengthened right to withdraw consent is a notable advance in the protection of personal data. Employees can expect that their personal data will not be used without their explicit consent, except for the employment-related purposes covered by Section 7(i), and that where processing rests on consent they can quickly withdraw or change it if they change their minds. This control lets employees make informed decisions about sharing their data and helps build a culture of trust between employers and their workforce.

Consent is at the centre of this Act, but the DPDP Act also provides certain 'legitimate uses' for which a data fiduciary may process personal data without obtaining the specific consent of the data principal, which critics argue weakens the centrality of consent. One such legitimate use applies where the data principal has voluntarily provided personal data to the data fiduciary for a specified purpose, while seeking or availing a specific service, and has not indicated to the fiduciary that they do not consent to its use for that purpose. Legitimate use also extends to processing personal data to comply with any judgment, decree or order issued under Indian law, and to any judgment, decree or order relating to claims of a contractual or civil nature under a law in force outside India.

What are the exemptions provided under the Act?

The exemptions provided in the Act are as follows:
For notified agencies, in the interest of security, sovereignty, public
order, etc.;
For research, archiving or statistical purposes;
For startups or other notified categories of Data Fiduciaries;
To enforce legal rights and claims;
To perform judicial or regulatory functions;
To prevent, detect, investigate or prosecute offences;
To process in India personal data of non-residents under foreign
contract;
For approved merger, demerger etc.; and
To locate defaulters and their financial assets etc.

Can a startup or a platform also be exempted from the compliance requirements of the Act?

Yes. The Act says that the Central Government may, by notification, exempt certain classes of data fiduciaries, including startups, from specified provisions. If granted an exemption, a platform will not have to give a user notice detailing the types of personal data it processes, the purpose of the processing, and so on. A platform can also be exempted from the obligation to ensure the "completeness, accuracy and consistency" of personal data that is likely to be used to make a decision affecting the user or that is disclosed to another data fiduciary.

Is there an implementation challenge in the age of AI?

The Act directs the setting up of a Data Protection Board of India to oversee implementation. However, unlike the GDPR, which spells out the fine print of implementing the law, the DPDP Act, 2023 is silent on many points, which will make implementation a real challenge. It is worth drawing attention to the parts of the law that appear designed to facilitate the development of AI trained on personal data, given that the law arrives amid a global debate on how to regulate artificial intelligence and automated decision-making. The Act expressly excludes from its scope most publicly available personal data, provided it was made public by the data principal (for instance, a blogger or social media user publishing their own personal data) or by someone else under a legal obligation to publish it, such as the personal information of shareholders that regulated companies must disclose by law.

Additionally, Section 17(2)(b) of the Act exempts processing of personal data necessary for research, archiving or statistical purposes. The only restriction in the core text of this exemption is that the Act continues to apply if the processing is used to make "any decision specific to a Data Principal".

Conclusion
The DPDP Act marks India's distinctive approach to safeguarding personal data, shaped by extensive consultation after its initial draft. It is a crucial step in addressing a long-standing need in the context of growing internet use, data generation and cross-border trade. While its provisions are less detailed than standards such as the GDPR, it mandates a significant shift in how Indian businesses approach privacy and personal data.
The DPDP Act is not, however, immune from criticism. Some argue it could hinder innovation because of its perceived strictness, while others contend that it does not go far enough to protect individual privacy, chiefly because of the discretionary power granted to the Central Government over the processing of personal data. The forthcoming rules made under delegated legislation will play a vital role in settling these questions. A standardised process for releasing rules, coupled with industry consultation as seen in the amendments to the Information Technology Rules for online gaming, would help establish a robust data protection framework that benefits the entire technology sector in India.
