NEW AGE DIGITAL GOVERNANCE: AN OVERVIEW OF THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

Sonam Nanda – Advocate, Surana & Surana International Attorneys

INTRODUCTION

In an ever-evolving digital world, the Digital Personal Data Protection Act, 2023 (the “Act”), stands as a crucial framework that demands our attention. As technology continues to weave itself into the fabric of our daily lives, the Act addresses the pressing need for robust data security and responsible data handling. It signifies a pivotal shift towards greater accountability and transparency in the digital landscape of India. Through a comprehensive review of its key provisions, this article will examine the changes brought forth by the Act and critically analyse the implications it carries for stakeholders and the broader digital ecosystem.

With India being one of the fastest-growing digital economies in the world, the necessity for the Act became increasingly apparent to the Indian government. This imperative stemmed from the need to address the legal void surrounding modern digital technology. The Information Technology Act, 2000^[1] and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011^[2] which were India’s data protection regime up until recently, were not in touch with the digital transformation that took place in the second decade of this century. To bridge the gap between outdated laws and modern digital technology and to support the right to privacy as decided by the Hon’ble Supreme Court in the Puttaswamy judgment,^[3] the Act along with the Digital India Act, 2023 (presentation published on March 9, 2023)^[4], the Draft Indian Telecommunication Bill, 2022^[5] and the Draft National Data Governance Framework Policy,^[6] are being drafted to create a comprehensive legal framework to govern the activities in the digital world.

The roots of the Act can be found in the year 2018, when the Data Protection Bill, 2019 was introduced.^[7] After several rounds of changes, the Data Protection Bill was discarded and was replaced with the Digital Personal Data Protection Bill of 2022.^[8] The Digital Personal Data Protection Bill of 2022 (the “Bill”) was introduced in the Parliament and passed by the Lok Sabha and Rajya Sabha on August 7th and 9^th, respectively. The Bill received the President’s assent and was published in the official gazette notification on August 11, 2023 to become the Digital Personal Data Protection Act, 2023; law of the land.

KEY STAKEHOLDERS: THEIR RIGHTS AND OBLIGATIONS

The Act envisages five key stakeholders who contribute to the creation of personal data, the processing of personal data and the use of personal data. The five key stakeholders have been given precise definitions in the Act along with certain rights and obligations. The five coined key stakeholders will be elaborated below along with the functions they serve in the digital legal framework.

Data Principal

Data Principals are the individuals within the territory of India whose personal data is collected and processed.^[9] The personal data, under the scope of the Act, is the personal data of the Data Principal that is collected online or collected offline and then digitized later. The data that is not digitized will not come under the purview of the Act. Another category of data that will not come under the purview of the Act is the personal data that is made public by the Digital Principal itself.^[10] With regards to data that is processed outside India but is used in connection to offering goods and services within the territory of India, the Act imposes extra territorial jurisdiction and has the power to govern the Data Fiduciaries who have collected this personal data.^[11] For the first time, parents and guardians of a child, and the legal guardians of a person with disability, are included within the purview of the Act, to act on behalf of the said child and person with disability by way of Section 2(j) of the Act. This expands the definition of Data Principal to include the legal guardians of children and persons with disabilities.

The Data Principal has the right to know the summary of the personal data that has been processed by the Data Fiduciary, the identity of Data Fiduciaries and Data Processors with whom the personal data of the Data Principal has been shared along with description of the personal data shared. The Data Principal has the right to withdraw consent, by which, the Data Fiduciary will be stopped from processing the personal data of the particular Data Principal.^[12] The Date Principal can also force the Data Fiduciary to correct, complete, update, and erase any personal data which the Data Principal had earlier given consent.^[13] This is crucial right as it allows Data Principals to have autonomy over their data and gives them the ‘right to forget’ in the present day of the internet where most information is stored and remembered. The Act has also created a mechanism to give the Data Principals the right to grievance redressal where Consent Managers and Data Fiduciaries will now be responsible to respond and resolve the grievances of the Data Principals within a specific period.^[14] In case the Consent Managers and Data Fiduciaries are unable to resolve the grievance, the Data Principal has the option to approach the Board^[15].^[16] Last but not least, one of the most unique rights given to the Data Principal is the right to nominate an individual in the case of the death or incapacity of the Data Principal which will have the right to exercise the rights of the Data Principal.^[17]

While the Act grants several rights to Data Principals, it creates overarching exceptions that take away the rights of the Data Principal as observed under Section 17 of the Act for the purposes of enforcement of legal rights, prevention of investigation of offenses, debt enforcement, and more. The Data Principal along with its rights, has certain duties assigned to it as well, which primarily include the duty to not impersonate someone, suppress material information, and file false grievances. The Act places great importance upon the ordinary person, i.e., the Data Principal and has made several key provisions to ensure the Data Principal has autonomy over its personal data.

Data Fiduciary

Data Fiduciary is any person or company that collects personal data and determines the purpose and means of processing it.^[18] For the purposes of this Act, the Data Fiduciary can now transfer personal data to other countries unless restricted by the Central government. This right was limited in the Bill, whereby Data Fiduciaries could transfer personal data only with the specific permission of the Central Government.^[19]

The Act places specific importance on the processing of data of children.^[20] The Data Fiduciary is mandated to take obtain consent of the legal guardian of the child before it can process their personal data. The Act further forbids the Data Fiduciaries to process the personal data of children for tracking, behavioural monitoring, targeted advertising, or any purpose that is likely to have a detrimental effect on the well-being of a child. However, an exception has been carved regarding this, wherein the Central Government, if satisfied that the processing of data will be done in a manner that is verifiably safe, will exempt the particular Data Fiduciary from the forbiddance on the processing of a child’s personal data.^[21] The Data Fiduciary is responsible for several other functions such as ensuring protection of the personal data collected, giving privy notice for receiving the consent of Data Principles, setting up grievance redressal mechanisms, and signing a valid contract with Data Processors.

While this Act was made the law of the land on August 11, 2023, the Act allows the Central government for five years from the commencement of the Act to exempt any Data Fiduciary or a class of Data Fiduciaries from any provision of the Act for a certain period. While this delays the enforcement of the Act, it allows the nation to familiarize itself with it and make appropriate changes to accommodate the Act. ^[22]

Significant Data Fiduciary

A Significant Data Fiduciary is any Data Fiduciary as notified by the Central Government that processes a particular volume of personal data or has an adverse impact on the State or functioning of the State.^[23] By deeming a Data Fiduciary as a Significant Data Fiduciary, the Act imposes a special check and obligation upon it due to the enormous influence it may have on not only the Data Principles, but the State itself.

The Significant Data Fiduciary is obligated to appoint a Data Protection Officer, carry out periodic data audits by an independent data auditor who shall check the compliance of the Significant Data Fiduciary, and carry out periodic Data Protection Impact Assessment.^[24] A set of stringent regulations has been enacted to govern significant data fiduciaries, ensuring that their utilization of data does not have adverse impacts on individuals or the State.

Data Processor

Data Processor is any person or organisation that processes personal date on behalf of the Data Fiduciary in accordance to their instructions.^[25] The Data Processor is responsible for conducting audits and inspections and ensuring the Data Fiduciary is following the provisions of the Act. The crucial feature of the Act is that it makes it mandatory for the Data Processor to sign a valid contract with the Data Fiduciary. This makes the Data Fiduciary liable for non-compliance of provisions by the Data Processor as envisaged in Section 8(1) of the Act. The Data Processor also keeps a check on the Data Fiduciary to ensure no illegal activities are being conducted by the Data Fiduciary. This system of checks between the Data Processor and Data Fiduciary is hoped to prove effective. The Data Fiduciary is obligated to most of the provisions that a Data Fiduciary is obligated to, such as the deletion of personal data as per the wishes of the Data Principal, ensuring security of personal data and more.

Consent Manager

Consent Manager is any person registered with the Board who functions as a direct point of contact between for the Data Principal and the other four stakeholders to review, manage, and withdraw the Data Principal’s consent through a transparent and accessible platform.^[26] The platform has not yet been set up and will likely contain details in the Rules of the Act. The Consent Managers are obligated to work with the Data Fiduciaries to resolve any grievances of the Data Principal. Any grievance with the Consent Manager will be heard by the Board and penalised if they fail to carry out their obligations and duties. The Consent Managers are mandated to be registered with the Board, however, the procedure to be registered with the Board has not yet been specified. Data Protection Board is the new adjudicatory body established by the central Government that will have quasi-judicial powers and will monitor key stakeholders for any non-compliance and hear any disputes.^[27]

Conclusion

The Digital Personal Data Protection Act, 2023 represents an important step in India’s evolving legal framework, addressing key issues related to data security, privacy, and responsible data handling in the digital age. It aligns with India’s desire to adapt its regulations to the rapidly changing technological landscape while upholding the right to privacy, as recognized by the Supreme Court in the Puttaswamy judgment.

This legislation introduces a new framework for digital governance in India, outlining the roles and responsibilities of five key stakeholders: Data Principals, Data Fiduciaries, Significant Data Fiduciaries, Data Processors, and Consent Managers. Each stakeholder is granted specific rights and responsibilities, reflecting the Act’s attempt to balance various interests. As India positions itself as a leading digital economy, this Act signifies the nation’s commitment to finding a middle ground between technological progress and privacy concerns. It lays the groundwork for more responsible and secure personal data management in the digital era.

---

[1] The Information Technology Act, 2000.

[2] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[3] Justice K.S. Puttaswamy (Retd) v. Union of India, (2017) 10 SCC 1.

[4] Presentation on The Digital India Act, 2023, https://www.meity.gov.in/writereaddata/files/DIA_Presentation%2009.03.2023%20Final.pdf

[5] The Draft Indian Telecommunication Bill, 2022. https://dot.gov.in/sites/default/files/Draft%20Indian%20Telecommunication%20Bill%2C%202022.pdf

[6] The National Data Governance Framework (Draft) Policy. https://www.meity.gov.in/writereaddata/files/National-Data-Governance-Framework-Policy.pdf

[7] The Data Protection Bill, 2019.

[8] The Digital Personal Data Protection Bill, 2022.

[9] Section 3(a), The Digital Personal Data Protection Act, 2023.

[10] Section 3(c), The Digital Personal Data Protection Act, 2023.

[11] Section 3(b), The Digital Personal Data Protection Act, 2023.

[12] Section 6(7), The Digital Personal Data Protection Act, 2023.

[13] Section 12, The Digital Personal Data Protection Act, 2023.

[14] Section 8(10), The Digital Personal Data Protection Act, 2023.

[15] Section 2(c), The Digital Personal Data Protection Act, 2023.

[16] Section 13(3), The Digital Personal Data Protection Act, 2023.

[17] Section 14, The Digital Personal Data Protection Act, 2023.

[18] Section 2(i), The Digital Personal Data Protection Act, 2023.

[19] Section 16, The Digital Personal Data Protection Act, 2023.

[20] Section 9, The Digital Personal Data Protection Act, 2023.

[21] Section 9(5), The Digital Personal Data Protection Act, 2023.

[22] Section 17(5), The Digital Personal Data Protection Act, 2023.

[23] Section 10(1), The Digital Personal Data Protection Act, 2023.

[24] Section 10, The Digital Personal Data Protection Act, 2023.

[25] Section 2(k), The Digital Personal Data Protection Act, 2023.

[26] Section 2(g), The Digital Personal Data Protection Act, 2023.

[27] Section 2(c), The Digital Personal Data Protection Act, 2023.