
Digital Data Protection Act 2023

The Digital Personal Data Protection Act, 2023, applies to both Indian residents and non-residents processing data related to goods and services in India. It establishes rights for individuals regarding their personal data, including consent requirements and the right to access and rectify their data, while also allowing for certain exemptions and broad powers for government oversight. The act imposes significant penalties for non-compliance, affecting various organizational sectors in India.

Uploaded by

NIYATI MOHANTY
Copyright
© All Rights Reserved

THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 [1]

Applicability to Non-Residents


The DPDP Act applies to Indian residents and businesses collecting the data of Indian residents.
Interestingly, it also applies to non-citizens living in India whose data processing “in connection with
any activity related to offering of goods or services” happens outside India. This has implications
for, say, a U.S. citizen residing in India being provided digital goods or services within India by a
provider based outside India.

Purposes of Data Collection and Processing [2]


The 2023 act allows personal data to be processed for any lawful purpose. The entity processing data
can do so either by taking the concerned individual’s consent or for “legitimate uses,” a term that has
been explained in the law.
Consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative
action” and for a specific purpose. The data collected has to be limited to that necessary for the
specified purpose. A clear notice containing these details has to be provided to consumers, including
the rights of the concerned individual and the grievance redress mechanism. Individuals have the right
to withdraw consent if consent is the ground on which data is being processed.

Rights of Users/Consumers of Data-Related Products and Services [3]


The DPDP Act also creates rights and obligations for individuals. These include the right to get a
summary of all the collected data and to know the identities of all other data fiduciaries and data
processors with whom the personal data has been shared, along with a description of the data shared.
Individuals also have the right to correction, completion, updating, and erasure of their data. Besides,
they have a right to obtain redress for their grievances and a right to nominate persons who will
receive their data.

Moderation of Data Localization Requirement


The 2023 law reverses course on the issue of data localization. While the 2019 bill restricted certain
data flows, the 2023 law only states that the government may restrict flows to certain countries by
notification. While this is not explicit, the power to restrict data flows seems to be to provide the
government necessary legal powers for national security purposes. The law also states that this will
not impact measures taken by sector-specific agencies that have or may impose localization
requirements. For example, the Reserve Bank of India’s localization requirements will continue to be
legally valid.

A Serious Effort to Protect Personal Data or an Eyewash to Gain Legitimate Control & Surveillance
The Act in its present form prima facie proposes to protect Personal Data, but there may be
concerns with the implementation of the provisions technically. For instance, as per Section 36, the
Central Government (CG) has been empowered to call for ‘such information’ from the Board or any
Data Fiduciary or intermediary. Such wide power and broad terminology, once viewed through a
legislative lens, would show the ingrained intent of surveillance of the CG. Moreover, Section 17(2)(a)
empowers the CG to exempt any instrumentality of the State from the rigors of the provisions in
respect of the processing of Personal Data. Additionally, since Section 8(1)(j) of the Right to
Information Act, 2005 (RTI Act) is amended by Section 44(3) of the Act, the balance struck by the RTI
Act between privacy and the right to information will be lost, as the power of a Public Information
Officer (PIO) can be seen to have been widened: such a PIO can now reject an application made under
the RTI Act on the pretext that the information sought relates to Personal Data.

[1] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
    https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023

[2] https://www2.deloitte.com/in/en/pages/risk/articles/the-digital-personal-data-protection-act-2023.html

[3] https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf

Exemptions From Obligations Under the Law [4]


The law provides exemptions from consent and notice requirements as well as most obligations of
data fiduciaries and related requirements in certain cases: (a) where processing is necessary for
enforcing any legal right or claim; (b) personal data has to be processed by courts or tribunals, or for
the prevention, detection, investigation, or prosecution of any offenses; (c) where the personal data of
non-Indian residents is being processed within India; and so on.
In addition, the law exempts certain purposes and entities completely from its purview. These include:

1. Processing in the interests of the sovereignty and integrity of India, security of the state, friendly
relations with foreign states, maintenance of public order, or preventing incitement to any
cognizable offense. This will allow investigative and security agencies to remain outside the
purview of this law.
2. Data processing necessary for research, archiving, or statistical purposes if the personal data is
not to be used to take any decision specific to a data principal.
3. The government can exempt certain classes of data fiduciaries, including startups, from some
provisions—notice, completeness, accuracy, consistency, and erasure.
4. One problematic provision allows the government to, “before expiry of five years from the date
of commencement of this Act,” declare that any provision of this law shall not apply to such
data fiduciary or classes of data fiduciaries for such period as may be specified in the
notification. This is a significant and wide discretionary power and is not circumscribed by any
guidance on the basis for such exemption, the categories that may be exempted, and the time
period for which such exemptions can operate.

Exclusions [5]
In the act, non-automated personal data, offline personal data and personal data in existence for at
least 100 years have been excluded. The maximum limit of INR500 crore for penalties has been
removed. At present, the provision for grievance redressal review is not included. The timeline of 72
hours within which a data breach is to be reported to authorities is excluded.

Sectors impacted
The act is expected to have an impact on the majority of organizational areas, including legal, IT,
human resources, sales and marketing, procurement, finance, and information security because of the
type and volume of personal data that is collected, stored, processed, retained, and disposed of in
India. Hence, organizations in these and related sectors must develop a strong data privacy and
protection implementation program in view of the DPDP Act, 2023.

Penalties
Another salient feature of the DPDP Act is the penalty clause. There are penalties of up to INR250
crore for non-compliance with the provisions by data fiduciaries. Some of these are:
• Breach in observance of duty of data principal: up to INR10,000
• Failure to notify the data protection board and affected data principals in the event of a
  personal data breach: up to INR200 crore
• Breach in observance of additional obligation in relation to children: up to INR200 crore

[4] https://www.india-briefing.com/news/indias-digital-personal-data-protection-act-2023-key-provisions-29021.html/

[5] https://www.ey.com/en_in/cybersecurity/decoding-the-digital-personal-data-protection-act-2023
