The protection of personal digital data has been a key priority for the Indian government in recent years. Work on data protection legislation began in 2018, when the government released the first draft of the Data Protection Bill. The bill underwent multiple rounds of amendments in 2019 and 2021. However, in 2022, it was scrapped and replaced with the draft Digital Personal Data Protection Bill, 2022, which the Ministry of Electronics and Information Technology (MeitY) circulated for comments in November 2022.
MeitY reportedly received and reviewed around 21,666 suggestions on the draft bill, which the Union Cabinet approved in July 2023 for presentation in Parliament. In August 2023, both the Lok Sabha and the Rajya Sabha passed the bill. Finally, on August 11, 2023, the bill received presidential assent, followed by its official gazette notification, making it the Digital Personal Data Protection Act, 2023. The act now governs the processing of digital personal data in India, including data that was originally collected in non-digital form and subsequently digitised. It aims to strengthen data protection and improve the accountability of entities such as internet companies, mobile apps and businesses that handle citizens' data.
A look at the key features and implications of the new act…
Key stakeholders defined in the act
The new Digital Personal Data Protection Act, 2023 defines five key stakeholders – data principals, data fiduciaries, significant data fiduciaries, data processors and consent managers. Individuals within the Indian territory whose personal data is being processed are data principals; organisations deciding what data to collect, how to collect it and the purposes for which it will be used are data fiduciaries; and organisations that process large volumes of sensitive data sets are significant data fiduciaries. Further, data processors are organisations that process data on behalf of data fiduciaries in line with their instructions, and consent managers assist data principals and data fiduciaries in giving, managing, reviewing and withdrawing consent.
The scope of legislation under the new act covers only digitised personal data, excluding personal data that is made publicly available by the data principal. Further, for the first five years after the act’s commencement, the central government has the authority to exempt a data fiduciary or a class of data fiduciaries from any provision for a specific time period. Moreover, cross-border transfers of digital personal data are valid unless explicitly restricted by the government. The act also mandates having a valid contract for onboarding data processors, ensuring that they comply with obligations such as data deletion.
Where a data principal does not use, within the prescribed time period, the service for which consent was given, the retention period for that data expires. Significant data fiduciaries are also mandated to appoint a data protection officer, engage independent auditors to carry out data audits and conduct periodic data protection impact assessments. Consent managers are required to be registered with the Data Protection Board and are accountable to data principals for the enforcement of data principal rights.
Another key feature of the act is that it introduces a unique data principal right – the right to nominate. This allows data principals to appoint a representative to exercise their rights in case of incapacity or death. Further, the act omits any kind of criminal liability for non-compliance with the law. Instead, it imposes a financial penalty of up to Rs 2.5 billion per instance on the data fiduciary. Moreover, a penalty can be imposed on data principals for breaching the duties assigned to them under the law. The act also states that the personal data of children should not be used for tracking, behavioural monitoring or targeted advertising.
The government has also proposed a phased implementation approach, under which different provisions of the law may be notified at different times, or for different classes of data fiduciaries. To this end, MeitY has recently announced its plan to hold a consultation with industry stakeholders on the Digital Personal Data Protection Act, 2023. The consultation meeting will be chaired by Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology and Skill Development and Entrepreneurship. According to industry sources, the government is likely to come out with a graded timeline for the implementation of rules under the act.
Impact on the industry
The implementation of the new act is expected to enhance cross-border trade, promote lawful processing of digital personal data, build customer trust and promote digital innovation. Industry experts also believe that it will empower individuals by granting them rights over their personal data, including the right to withdraw their consent, seek grievance redressal, access, update and correct their personal data, and appoint a nominee for their data, which in turn will enhance transparency. By restricting data processing to permitted purposes, the act can help businesses reduce the burden of implementing additional mechanisms for consent management, leading to cost savings. Another key positive impact is that it distributes liability: both data fiduciaries and consent managers can be held liable before the Data Protection Board if they fail to carry out their responsibilities. Further, the phased implementation approach proposed in the act will give organisations time to plan the changes needed to comply with its provisions and reduce the resources required for compliance.
Gearing up for compliance
After passage of the new act, organisations must gear up for compliance with the law to ensure the protection of digital personal data. A few key steps are mandatory in this regard. First, the current compliance status needs to be evaluated and a phased action plan devised, covering governance, people, processes and technology. Second, it is important to identify the systems that hold personal data, as well as the data processors and third parties that handle the organisation's personal data. Third, draft versions of the documents required under the new act should be prepared, including policies, processes, notices, consent forms and contractual clauses. Organisations also need to define the data retention period for each category of data. They can further evaluate and implement data privacy technologies that can be leveraged for data protection. Finally, communication and awareness programmes should be conducted for the various stakeholders.
In sum, the Digital Personal Data Protection Act, 2023, appears to be a significant step aimed at enabling organisations to adopt measures to secure data from unauthorised access, use or disclosure. While this seems to be a step in the right direction, the actual impact will become clear as the phased implementation process unfolds.
Kuhu Singh Abbhi