Background

Six years after the Supreme Court ruled that the right to privacy falls within the ambit of Article 21 of the Constitution of India in Justice Puttaswamy (Retd) v. Union of India, India has finally enacted the Digital Personal Data Protection Act, 2023 (Act), published in the Gazette of India on 11 August 2023. The Act saw a tumultuous path towards enactment which started with the appointment of a special committee headed by Justice B N Srikrishna followed by the introduction of several drafts and severe criticisms surrounding them. This legal update is prepared with the objective to provide you with a brief overview of the Act and implications on its non-compliance as it is applicable to every organisation (small or large) in India.

Scope and Applicability | Personal Data

The Act defines ``personal data`` as any information that can pinpoint an individual’s identity and processing of personal data entails various activities such as gathering, storing, utilizing, and sharing of such data.

The Act covers the handling of digital personal data in India, whether collected online or offline, as long as it is in digital form. Additionally, the Act applies to processing personal data outside India if it is related to providing goods or services within India.

The Act however does not apply to personal data that is made publicly available by the person to whom such personal data relates; or to any other person who is obligated under any law for the time being in force in India to make such personal data publicly available.

Consent | Data Principal

The Act emphasises that before processing any personal data, a Data Fiduciary, i.e. a person who processes personal data (Data Fiduciary), must take consent from the Data Principal, i.e. the individual to whom the personal data relates (Data Principal). In order to take consent, the Data Fiduciaries must first provide a notice specifying the particular personal data to be collected and the specific purpose for which it will be used (Notice). The consent given by the Data Principal shall be limited only to the extent of the specific purpose as made out in the Notice and any consent taken beyond the specific purpose shall not be considered valid.

A Data Principal may also appoint a consent manager, i.e. a person registered under the Act to act as a single point of contact to enable a Data Principal to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform (Consent Manager). A Consent Manager shall be accountable to the Data Principal under the Act and a Data Principal shall have a right of redressal of grievances by the Consent Manager.

Further, Data Principals retain the right to revoke their consent at any time upon which the Data Fiduciary shall within a reasonable time cease and cause its data processor, i.e. a person who processes the personal data on behalf of a Data Fiduciary, to cease the processing of the personal data of such Data Principal.

Obligations of Data Fiduciaries

The Act places substantial responsibilities on the Data Fiduciaries. These obligations encompass making reasonable efforts to ensure data accuracy and completeness, establishing security measures to prevent data breaches, promptly notifying both the Data Protection Board of India and affected Data Principal in the event of a breach, and erasing personal data once its intended purpose is fulfilled and legal retention is no longer necessary. Further, if a Data Fiduciary sends personal data to a data processor, the Data Fiduciary is liable for the actions/ inactions of the data processor.

Rights and Duties of Data Principals

The Act further acknowledges the rights of the Data Principals. These rights encompass the ability to obtain information about how their data is being processed, request corrections or erasure of their personal information, nominate a representative in case of incapacity or death, and seek remedies from the Data Fiduciary of any grievance they may have. Certain responsibilities have also been imposed upon the Data Principal such as refraining from making false or unnecessary complaints and providing accurate information.

Cross-border Data Transfer

The Act allows personal data to be transferred beyond India, except to countries which may be specifically notified by the Central Government. This provision however does not restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India.

Significant Data Fiduciaries

Under the Act, the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a significant data fiduciary, on the basis of an assessment of relevant factors a such as the volume and sensitivity of personal data being processed, potential risk to the rights of Data Principal, impact on the sovereignty and integrity of India, security of the State and public order. Entities that are notified as significant data fiduciaries have to maintain extra compliances such as conducting independent and periodic data audits and appointing a data protection officer and an independent data auditor to gauge the impact of their actions and ensure compliance with the regulations.

Data Protection Board of India

The Act envisages the appointment of a Data Protection Board of India (Board) to be established through a notification by the Central Government to that effect. The Board shall act as the adjudicating body for any breach of personal data.

Breach of Personal Data

Personal data breach has been defined under the Act as any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

1. In case of a breach of personal data, the Data Fiduciary must immediately inform the Board as well as the Data Principal, whose personal data was breached.

2. The Board would then inquire into the breach.

3. If the Board is of the opinion that there are insufficient grounds to proceed with the complaint, it may close the proceedings and impose costs if the Board believes that the complaint was frivolous.

4. If after inquiring into the complaint, the Board believes that there are sufficient grounds to proceed with the complaint, it shall conduct a further investigation into the complaint.

5. After investigating into the complaint, the Board may issue interim orders.

6. If the Board believes that there has been a breach of personal data, the Board may impose a penalty which can range from Rs 10,000 (Indian Rupees Ten Thousand) to Rs 250,00,00,000 (Indian Rupees Two Hundred and Fifty Crores). The specific penalties have been laid down in the Schedule of the Act.

7. While deciding the amount of the monetary penalty, the Board shall look into the following matters:

• the nature, gravity and duration of the breach;
• the type and nature of the personal data affected by the breach;
• repetitive nature of the breach;
• whether the person, as a result of the breach, has realised a gain or avoided any loss;
• whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
• whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of the Act; and
• the likely impact of the imposition of the monetary penalty on the person.

8. Any person aggrieved by the order of the Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days from the date of receipt of Order of the Board, and the TDSAT shall dispose of the appeal within 60 days of the presentation of the appeal. The TDSAT shall have all the powers of a civil court.

9. Additionally, the Board has the power to direct any complaint to be resolved through mediation.

MHCO Comment:

In this age of inevitable digitalisation of all personal information, the Act comes as a welcome move to protect people’s privacy. However, a perusal of the Act shows that the Central Government has been given significant powers such as the powers of exclusion of specific Data Fiduciaries and instrumentalities of the State from the ambit of the Act and to notify a Data Fiduciary as a significant data fiduciary. Concerns about inordinate Executive interference may hence arise and this could alter the effectiveness of the Act. This would also make the Rules to be notified under the Act essential in carving out the operative aspects of the Act.

Further the Act suffers from the practical difficulty of a lack of timeline for the appointment of the Board by the Central Government without which the Act would be remain powerless. It is also very ambitious of the Act to envisage compliance with the heavy obligations imposed upon all the Data Fiduciaries, considering the wide ambit of the term, which would also cover under it the smallest of enterprises such as photocopy stores which receive bulks of personal data on a daily basis. Such obligations also include the establishment of grievance redressal mechanisms by every Data Fiduciary. The severity of the obligations imposed upon the Data Fiduciaries stands further enhanced when the burdensome penalties laid down under the Act are considered. The Act hence has a large feat to accomplish.

---

Authors: Bhushan Shah - Partner | Shreya Dalal - Associate Partner | Veena Hari - Associate

---

This update was released on 17 Aug 2023.

The views expressed in this update are personal and should not be construed as any legal advice. Please contact us directly on +91 22 40565252 or legalupdates@mhcolaw.com for any assistance.

Legal Update Team
MANSUKHLAL HIRALAL & COMPANY
Advocates, Solicitors and Notaries
T: +91 22 40565252
Mumbai Office: Surya Mahal, 2nd Floor, 5, Burjorji Bharucha Marg, Fort, Mumbai-400 023, India
Delhi Office: Block C-9, Lower Ground Floor, Jangpura Extension, New Delhi - 110 014, India
www.mhcolaw.com

"Noted lawyer in the Real Estate practitioner from India" - Chambers & Partners

Please consider the environment before printing this email

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. This communication may contain confidential or legally privileged information. If you are not the intended recipient, any disclosure, copying, distribution or action taken relying on the contents is prohibited and may be unlawful. If you have received this communication in error, or if you or your employer does not consent to email messages of this kind, please notify the sender immediately by responding to this email and then delete it from your system. No liability is accepted for any harm that may be caused to your systems or data by this message.