Digital Personal Data Protection Act, 2023 – A Brief Analysis

The Digital Personal Data Protection Bill, 2023, which was introduced in Lok Sabha on August 3, 2023, by the Minister of Electronics & Information Technology has been passed by the Parliament i.e., by Lok Sabha on August 7, 2023, and unanimously by Rajya Sabha on August 9, 2023; and has further received Presidential assent on August 11, 2023.

The previous Personal Data Protection Bills of 2019 & 2022 being ascribed to numerous amendments, laced with several issues relating to data localization, transparency, compliance intensive, etc., had been withdrawn by the Central Government (CG). The said Bill came into being after the Supreme Court, in Justice K.S. Puttaswamy vs. Union of India, (2017), upheld the ‘Right to Privacy’ as a part of the fundamental right-'Right to Life’ enshrined under Article 21 of the Indian Constitution and had suggested the CG to put in place an act/regime for protection of Personal Data.

The primary objective of the Act is to establish a comprehensive framework for the Protection and Processing of Personal Data (as defined below).

“The Act provides for the processing of digital Personal Data in a manner that recognizes both the rights of the individuals to protect their Personal Data and the need to process such Personal Data for lawful purposes and matters connected therewith or incidental thereto”.

The Act shall apply to the processing of Personal Data in India, including both online and digitized offline data, and shall further extend to the processing of such data outside India relating to the offering of goods or services in India.

The Act also lays the foundation for various other laws such as the Digital India Act and other industry-specific laws around privacy and data protection to augment India’s march towards the adoption of Artificial Intelligence (AI) and other future technologies while protecting Personal Data. The Act may also aid Indian businesses to enhance collaboration with other businesses located internationally under reciprocal arrangements while safeguarding Personal Data.

Notably, the Act is the first-ever central law in India to use she/her pronouns while referring to individuals.

1. Data: Any representation of information, fact(s), concept(s), opinion(s), and instruction(s) which is capable of being communicated, interpreted, and processed by human beings or by automated means. Further, any data about an individual (Data Principal) who is identifiable by or in relation to such data has been referred to as Personal Data in the Act.

2. Processing of Personal Data: Processing has been defined as the performing of a set of operation(s) by wholly or partly automated means on digital Personal Data and includes collection, storage, indexing, sharing, use, disclosure, dissemination, and includes erasure thereof. Such processing can only be undertaken for a ‘lawful purpose’ for which a Data Principal has given her consent and for certain legitimate uses as laid down in the Act.

3. Applicability:  The Act shall apply to the processing of digital Personal Data within India where such data is: (i) in digital form, or (ii) in non-digital form and is digitised subsequently.  However, the Act shall also apply extraterritorially to the processing of digital Personal Data if such processing is in connection with any activity related to offering goods or services to Data Principals within India. It shall not apply to the Personal Data when such data is (i) processed by an individual for any personal or domestic purpose, and (ii) is made or caused to be made publicly available by the Data Principal herself or any other person being under an obligation (under any law in force in India during that time being) to make such Personal Data publicly available.

4. Consent:  It has been provided in Section 6 of the Act that Personal Data may be processed only for the specified purpose and after obtaining the consent of the Data Principal (individual).  Such consent has to be free, specific, informed, unconditional, and unambiguous with a clear affirmative action. A notice as per Section 5 must be given by the Data Fiduciary before seeking consent, containing details about the Personal Data to be collected and the purpose of processing.  The individual whose data is being processed can withdraw her consent at any point of time.  Notably, such consent, as per Section 7, shall not be required for ‘legitimate uses’ which inter alia include: (i) specified purpose for which data has been provided by an individual voluntarily, (ii) for the State to provide benefit or service such as subsidy, certificate, license, benefit, permits, etc., (iii) for the security of the State or in the interest of sovereignty and integrity of the country (iv) for responding to a medical emergency, treatment or health services, (v) for safety, and in interest of the security of the State and public order, and (vi) employment. For individuals with disabilities or below eighteen (18) years of age, the Act provides that their consent will be provided by their parent(s) or legal guardian.

   However, the State or any instrumentality of the State has been empowered to retain Personal Data or reject any request made for the erasure of Personal Data vide Section 17(4).

5. Rights and Duties of Data Principal:  An individual whose data is being processed shall have certain rights as per Sections 12 to 14 which include the right to (i) obtain information about processing, (ii) seek correction and erasure of Personal Data, (iii) nominate another person to exercise rights in the event of death or incapacity, (iv) for any grievance redressal and (v) withdraw her consent at any time during or after the processing of Personal Data. Further, as per Section 15, Data Principals will be duty-bound and under an obligation not to: (i) register a false or frivolous complaint; (ii) suppress any material information while providing her Personal Data; and (iii) furnish any false particulars or impersonate in specified cases.  The breach of said duties will attract a penalty as per the Schedule to the Act.

6. The obligation of Data Fiduciary: The Data Fiduciary as per Section 8 of the Act, must: (i) process the Personal Data only for which the Data Principal has given her consent or deemed consent (when any individual does not indicate to the Data Fiduciary that she does not consent to the use of her Personal Data); or for certain legitimate uses; (ii) make reasonable efforts to ensure the accuracy and completeness of data, (ii) implement appropriate measures to protect Personal Data in its possession or under its control, (iii) Respond to any communication from the Data Principal for the purpose of exercise of her rights, (iv) inform the Data Protection Board of India and affected persons in the event of personal breach, and (v) erase Personal Data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation). In the case of government entities, storage limitation and the right of the data principal to erasure will not apply. Any breach of the said obligation is to be dealt in accordance with Section 33 of the Act read with the Schedule thereto.

7. Transfer of Personal Data outside India:  Section 16 allows extraterritorial processing and transfer of Personal Data, except to such countries restricted by CG through notification.

8. Exemptions:  As per Section 17 of the Act, provisions contained in Chapter II (except Section 8 (1) & (5) and Chapter III (except Section 16) of the Act i.e., provisions related to ‘Obligations of Data Fiduciaries’ and ‘Rights & Duties of Data Principal’ have been made inapplicable (exempted) in specified cases which inter alia includes: (i) prevention, investigation or prosecution of offences, and (ii) enforcement of legal rights or claims (iii) not within the territory of India (iv) processing for the purpose of ascertaining financial information, assets, and liabilities. Further, as per Section 17(2), the provisions of the Act shall not apply in case of processing of Personal Data: (i) by the State or any other instrumentality of the State in the interest of the security and public order, and; (ii) necessary for research, archiving, or statistical purposes.

9. Data Protection Board of India: CG shall, in terms of Chapter V of the Act, establish a Data Protection Board of India (Board) consisting of a Chairperson and other members. The Board will exercise and perform such powers and functions laid down in Sections 27 and 28 of the Act, which inter alia includes (i) directing urgent remedial/mitigating measures in case of any breach of Personal Data (ii) inquiring into such breach and (iii) imposing penalties as per the Act. The Board will be a civil court with Original jurisdiction to entertain the complaints/matters pertaining to the Act and any other civil court will be barred under Section 39 to entertain any Suit or proceeding in respect of any matter for which the Board is empowered to adjudicate upon under the Act.

10. Appeals: The Appeals against the decisions of the Board shall, as per Section 29, lie with the Telecommunications Dispute Settlement and Appellate Tribunal (TDSAT) established under the Telecom Regulatory Authority of India Act, 1997 (TRAI Act). Limitation to prefer such an Appeal is sixty (60) days from the date of receipt of the Board's decision. Further, the Orders passed by TDSAT shall be appealable before the Hon’ble Supreme Court as per Section 18 of the TRAI Act.

11. Penalties: The Schedule to the Act lays down the quantum of penalties to be imposed for various offences and breaches committed under the Act. For instance, a penalty amounting to (i) INR 200 Crore for non-compliance of obligations in relation to children; (ii) INR 250 Crore for failure to take security measures to prevent data breaches, under Section 8(5); and (iii) INR 200 Crore for breach in giving notice of a Personal Data breach to the Board or the Data Principal under Section 8(6). Such penalties will be imposed by the Board after conducting an inquiry under Section 33.  

With this new Act, the Companies and businesses handling Personal Data in any manner whatsoever would now have to develop a standard operating procedure and train their personnel in order to oblige with certain compliances such as cooperating with the Data Protection Officer appointed by the Significant Data Fiduciary under Section 10 of the Act; hiring an Independent Data Auditor; put in place a consent management mechanism to collect, maintain, track, and update consent from individuals; doing assessments to protect data; maintaining valid contracts with data processors; etc. However, the basis of classifying companies, and start-ups as Data Fiduciaries need to be clarified especially concerning certain thresholds and eligibilities such as net worth, assets, size, number of personnel, and their qualifications, etc.

The Act in its present form prima facie proposes to protect the Personal Data, but it there may be concerns with the implementation of the provisions technically. For instance, as per Section 36, CG has been empowered to call for ‘such information’ from the Board or any Data Fiduciary or intermediary. Such wide power and broad terminology once viewed with a legislative lens would show the engrained intent of surveillance of the CG.  Moreover, Section 17(2)(a) empowers the CG to exempt any instrumentality of the State from the rigors of the provisions in respect of the processing of Personal Data. Additionally, since Section 8(1)(j) of the Right to Information Act, 2005 (RTI Act) is amended by Section 44(3) of the Act, the balance struck by the RTI Act between privacy and informational right, will be lost as the power of a Public Information Officer (PIO) can be seen to have been widened as now such PIO can reject an application made under RTI Act on the pretext of information sought relates to Personal Data.

The Act marks a distinctive approach to safeguarding Personal Data, addressing longstanding needs in the context of increasing internet users, data generation, and cross-border trade. However, it is felt that various details regarding implementation need clarification which may happen upon the establishment of the Data Protection Board of India and the promulgation of Rules under the Act. In its entirety, the Act signifies India's unique stance on modern data protection, enriched by extensive post-draft consultations. While the provisions of the Act are less detailed than European Union’s GDPR, it certainly mandates a significant shift from how Indian businesses should now approach privacy and Personal Data, while legitimizing CG’s act to control, retain, and monitor its citizens’ personal information.

While the notification of the Sections of the Act for their implementation is still awaited, one has to wait and watch how the Courts interpret wide empowering provisions and in what manner the Act evolves.

Ishwar Ahuja is a Principal Associate and Sakina Kapadia is an Associate at Saga Legal.

The views and opinions expressed in this Article are those of the author(s) alone and are meant to provide the readers with an understanding of the new Act. The contents of the aforesaid Article do not necessarily reflect the official position of Saga Legal. The readers are suggested to obtain specific opinions/advice concerning their individual case(s) from professionals/experts and not to use this Article in place of expert legal advice.