The Digital Personal Data Protection Act 2023
The Digital Personal Data Protection Act of 2023 aims to regulate the processing of digital personal data while balancing individuals' right to data protection and lawful data processing. It covers various aspects such as obligations of data fiduciaries, rights of data principals, and the establishment of a Data Protection Board. The act fills a void in India's data protection laws and aligns with global data protection standards like GDPR and PIPL.
THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
BACKGROUND
1. Justice K. S. Puttaswamy (Retd.) vs Union of India, 2017 (arising from the Aadhaar challenge): the right to privacy is a fundamental right under Article 21 of the Constitution.
2. Srikrishna Committee: report on privacy, with recommendations for a Personal Data Protection Bill.
3. Personal Data Protection Bill (2018, 2019, 2021).
4. Digital Personal Data Protection Bill, 2022.
5. Digital Personal Data Protection Act, 2023.
6. The DPDP Act received the assent of the President on 11 August 2023.
BASICS
Purpose of this Act: it provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.
Overview: the Act has 9 Chapters and 44 Sections. Different provisions of the Act may come into force on different dates, as notified by the Central Government.
India did not have a specific data protection law before this Act. The Information Technology Act, 2000, together with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules), regulated personal data only to some extent.
WORLDWIDE DATA PROTECTION COVERAGE
In the EU: GDPR (General Data Protection Regulation)
In China: PIPL (Personal Information Protection Law)
DPDP ACT, 2023: BIRD'S EYE VIEW
Chapter I, Preliminary: 1. Title; 2. Definitions; 3. Application.
Chapter II, Obligations of Data Fiduciary: 4. Grounds for processing; 5. Notice; 6. Consent; 7. Certain legitimate uses; 8. General obligations of Data Fiduciary; 9. Personal data of children; 10. Obligations of Significant Data Fiduciary.
Chapter III, Rights and Duties of Data Principal: 11. Right to access personal data; 12. Right to correction and erasure; 13. Grievance redressal; 14. Right to nominate; 15. Duties of Data Principal.
Chapter IV, Special Provisions: 16. Processing of personal data outside India; 17. Exemptions.
Chapter V, Data Protection Board of India: 18. Establishment; 19. Composition; 20. Salary and terms of service; 21. Disqualification; 22. Resignation and removal; 23. Proceedings of the Board; 24. Officers and employees of the Board; 25. Members and officers to be public servants; 26. Powers of Chairperson.
Chapter VI, Powers, Functions and Procedure (Sections 27 and 28).
Chapter VII, Appeal and Alternate Dispute Resolution (Sections 29 to 32).
Chapter VIII, Penalties and Adjudication (Sections 33 and 34).
Chapter IX, Miscellaneous (Sections 35 to 44).
DATA PRINCIPAL, DATA FIDUCIARY, DATA PROCESSOR
Data Principal: the individual to whom the personal data relates. Where the individual is a child or a person with disability, the parents or lawful guardian. Eg. Client X.
Data Fiduciary: any person (including the State) who alone or in conjunction with other persons determines the purpose and means of processing of personal data. Eg. CA Y.
Data Processor: any person who processes personal data on behalf of a Data Fiduciary. Eg. CompuTAX, Genius.
DATA
Data: a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
Personal Data: any data about an individual who is identifiable by or in relation to such data.
Digital Personal Data: personal data in digital form, or personal data collected in non-digital form and subsequently digitised (e.g. scanned documents).
The Act applies to digital personal data of individuals, other than personal data made publicly available by the Data Principal or under any law, and other than data processed by an individual for personal or domestic purposes.
The Act does not apply to non-personal data (data that does not relate to an identifiable individual).
PERSONAL DATA
Any data about an individual who is identifiable by or in relation to such data. A few examples of personal data:
Phone number, Email address, Home address, Date of birth, Photo, Vehicle registration no., Bank account no., Credit card no., Aadhaar no., Passport no., Mobile device ID, IP address, Cookie ID, Password, Location ID.
APPLICABILITY OF THIS ACT
Processing of digital personal data within India: the Act applies.
Processing of digital personal data outside India: the Act applies if the processing is in connection with offering goods or services to Data Principals within India; otherwise it does not apply.
Cross-border transfer of data: the Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary to countries so notified (a blocklist). Where a sectoral law provides a higher degree of protection or restricts transfer, that law prevails over the DPDP Act.
DATA PROCESSING
Processing, in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
PROCESSING OF DATA OF CHILDREN AND PERSONS WITH DISABILITY
Obtain verifiable consent of the parent or lawful guardian before processing the personal data of a child or of a person with disability who has a lawful guardian.
No processing that is likely to cause a detrimental effect on the well-being of a child.
No tracking or behavioural monitoring of children, and no targeted advertising directed at children.
Exemptions from these restrictions: (a) for purposes to be prescribed by the Central Government; (b) where the processing is verifiably safe. The Government may also specify a lower age for such exemptions.
GROUNDS OF PROCESSING
Personal data can only be processed for a lawful purpose, and only on one of two grounds:
1. Consent from the Data Principal.
2. Certain legitimate uses (often described as deemed consent).
NOTICE AND CONSENT
The Data Fiduciary provides a notice, in such manner as may be prescribed; the Data Principal gives consent.
NOTICE AND CONSENT
Consent should be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, and signify an agreement to process the personal data.
The notice accompanying a request for consent must include:
1. The personal data to be processed and the purpose for which it is processed.
2. The manner in which the Data Principal can exercise her right to withdraw consent.
3. The manner in which the Data Principal may make a complaint to the Board.
4. The manner in which she can exercise her right of grievance redressal.
5. The rights of the Data Principal.
The Data Principal must have the option to access the contents of the notice in English or in any language specified in the Eighth Schedule to the Constitution.
Where consent was obtained before the commencement of the Act, a similar notice must be provided to the Data Principal as soon as reasonably practicable.
CONSENT
Consideration for consent, and what it implies:
Clear, affirmative and unambiguous: the individual gives consent by a clear and affirmative action. Silence, pre-ticked boxes or inactivity do not amount to consent.
Informed: the individual must be aware of, at least, (1) the identity of the Data Fiduciary (the "controller" in GDPR terms), (2) the purpose of processing, and (3) the possibility to withdraw consent.
Specific: consent cannot be hidden in the privacy policy or the terms and conditions. Consent covers all processing activities for the same purpose; if there are more purposes, consent must be given for each purpose. Bundled consent is prohibited.
Freely given: consent must be a genuine and free choice, and individuals must be able to refuse or withdraw it at any time without detriment. Consent is not valid where there is a clear imbalance between the individual and the Data Fiduciary. Consent is presumed not freely given when the individual is not allowed to give separate consent to different processing activities, or when the provision of a service depends on consent that is not necessary for its performance.
WITHDRAWAL OF CONSENT
1. The Data Principal has the right to withdraw consent at any time.
2. The ease of such withdrawal must be comparable to the ease with which consent was given.
3. Upon withdrawal, the Data Fiduciary must, within a reasonable time, cease processing the personal data and cause its Data Processors to cease processing it.
Non-compliance by a Data Processor is treated as non-compliance by the Data Fiduciary, because the Act places no direct obligation on the Data Processor.
CONSENT MANAGER
A person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform.
A Data Principal may give, manage, review or withdraw consent to a Data Fiduciary through a Consent Manager.
The Consent Manager is accountable to the Data Principal and must act on behalf of the Data Principal in such manner and subject to such obligations as may be prescribed.
PROCESSING DATA FOR CERTAIN LEGITIMATE USES
1. Personal data voluntarily provided by the Data Principal for a specified purpose.
2. For the purposes of employment, or for safeguarding the employer from loss or liability.
3. For matters of public interest, eg. a medical emergency or judicial use.
4. By the State and any of its instrumentalities for any function under any law for the time being in force in India.
SIGNIFICANT DATA FIDUCIARY
The Central Government may notify a Data Fiduciary as a Significant Data Fiduciary on an assessment of the following factors:
(a) the volume and sensitivity of personal data processed;
(b) the risk to the rights of Data Principals;
(c) the potential impact on the sovereignty and integrity of India;
(d) the risk to electoral democracy;
(e) the security of the State;
(f) public order.
ROLES OF SIGNIFICANT DATA FIDUCIARY
1. Appoint a Data Protection Officer.
2. Appoint an Independent Data Auditor to carry out a data audit, who shall evaluate the compliance of the Significant Data Fiduciary with the Act.
3. Periodic audit.
4. Periodic Data Protection Impact Assessment, which is a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of Data Principals, and such other matters as may be prescribed.
OBLIGATIONS OF DATA FIDUCIARY
1. Implement appropriate technical and organisational measures to ensure effective observance of the Act.
2. Report personal data breaches to the Data Protection Board and to the affected Data Principals.
3. Abstain from processing personal data that is likely to cause harm to children, and from behavioural monitoring of children or targeted advertising directed at children.
4. Provide a clear, concise and comprehensible notice to Data Principals.
5. Protect personal data in its possession or under its control, including data held by a Data Processor on its behalf. Erase, and cause its Data Processor to erase, personal data as soon as the purpose is accomplished.
6. Engage a Data Processor to process personal data on its behalf only under a valid contract.
7. Obtain verifiable parental consent before processing a child's personal data.
EXEMPTIONS FROM OBLIGATIONS
Certain obligations of the Data Fiduciary do not apply where the processing of personal data is:
1. For enforcing any legal right or claim.
2. By any court or tribunal, or any other body entrusted with a judicial, quasi-judicial, regulatory or supervisory function.
3. In the interest of prevention, detection, investigation or prosecution of an offence or contravention of any law.
4. Of personal data of Data Principals not within India, pursuant to a contract with a person outside India.
5. Necessary in the context of a scheme of merger or amalgamation.
6. For ascertaining the financial information, assets and liabilities of a defaulter.
7. Necessary for research, archiving or statistical purposes, where the personal data is not used to take any decision specific to a Data Principal.
8. By a class of Data Fiduciaries, including startups (which may be DPIIT-registered), notified by the Central Government.
RIGHTS OF DATA PRINCIPAL
1. Right to access information about the processing of her personal data.
2. Right to correction, completion, updating and erasure of her personal data.
3. Right of grievance redressal.
4. Right to nominate another person to exercise her rights in the event of death or incapacity.
DUTIES OF DATA PRINCIPAL
1. Comply with the provisions of all applicable laws.
2. Not impersonate another person while providing her personal data.
3. Not suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities.
4. Not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board.
5. Furnish only such information as is verifiably authentic while exercising the right to correction or erasure under the Act.
Non-compliance with these duties by a Data Principal attracts a fine that may extend to INR 10,000.
PERSONAL DATA BREACH
Any unauthorised processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
Even an accidental disclosure that results in a personal data breach is covered, which places a heavy responsibility on implementing systems that prevent accidental disclosure.
There is no exception where the Data Fiduciary is itself the victim of a cyber attack or hack. Eg. the Aadhaar data leak.
RETENTION OF PERSONAL DATA
The Data Fiduciary must erase, and cause its Data Processor to erase, the personal data upon the earlier of: (a) the Data Principal withdrawing consent, or (b) it being reasonable to assume that the specified purpose is no longer being served; unless retention is necessary for compliance with any law for the time being in force.
DATA PROTECTION BOARD
Set up by the Central Government to enforce the Act and impose penalties.
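The withdrawal and retention rules above (cease processing on withdrawal, erase on the earlier of withdrawal or purpose served, cascade the erasure to Data Processors, and let a statutory retention period override erasure for storage only) are the part of the Act a fiduciary's engineering team actually has to automate. The following is an added example, not code from the original slides or from any product named on them; the record layout, the purpose names and the sample records are assumptions made for illustration.

```python
"""Added example (not from the original slides): deciding when a Data Fiduciary
must stop processing and erase personal data under a DPDP-style consent record.

Rules encoded:
  * consent-based processing ends when consent is withdrawn or the purpose is
    served, whichever is earlier;
  * erasure is then due from the fiduciary and from every processor acting for it;
  * a retention period required by another law overrides erasure, but permits
    storage only, not continued use.
Record layout, purpose names and the sample records are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    principal_id: str
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None        # when the Data Principal withdrew consent
    purpose_served_at: Optional[datetime] = None   # when the specified purpose was accomplished
    legal_hold_until: Optional[datetime] = None    # retention mandated by another law, if any
    processors: Tuple[str, ...] = ()               # Data Processors engaged for this purpose


@dataclass(frozen=True)
class Decision:
    action: str                 # "retain", "retain_storage_only" or "erase"
    reason: str
    erase_by: Tuple[str, ...]   # parties that must erase; empty unless action == "erase"


def erasure_trigger(rec: ConsentRecord) -> Optional[datetime]:
    """Earlier of withdrawal and purpose-served; None if neither has occurred."""
    events = [t for t in (rec.withdrawn_at, rec.purpose_served_at) if t is not None]
    return min(events) if events else None


def processing_permitted(rec: ConsentRecord, now: datetime) -> bool:
    """Use of the data is allowed only while consent is in force and the purpose
    is ongoing. A legal hold keeps the data stored; it does not re-authorise use."""
    trig = erasure_trigger(rec)
    return trig is None or trig > now


def decide(rec: ConsentRecord, now: datetime) -> Decision:
    trig = erasure_trigger(rec)
    if trig is None or trig > now:
        return Decision("retain", "consent in force and purpose ongoing", ())
    if rec.legal_hold_until is not None and rec.legal_hold_until > now:
        return Decision("retain_storage_only",
                        f"retention required by law until {rec.legal_hold_until.date()}", ())
    cause = "consent withdrawn" if rec.withdrawn_at == trig else "purpose served"
    # The erasure obligation sits on the fiduciary and cascades to each processor.
    return Decision("erase", f"{cause} on {trig.date()}", ("fiduciary",) + rec.processors)


def review(records: List[ConsentRecord], now: datetime) -> List[Tuple[str, str, str]]:
    """Batch view for a periodic retention review: (principal, purpose, action)."""
    return [(r.principal_id, r.purpose, decide(r, now).action) for r in records]


# Constructed sample records (assumed data), reviewed as of 1 March 2024.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ConsentRecord("client-x", "itr-filing-fy23", datetime(2023, 6, 1, tzinfo=timezone.utc),
                  purpose_served_at=datetime(2024, 1, 15, tzinfo=timezone.utc),
                  processors=("CompuTAX",)),
    ConsentRecord("client-x", "newsletter", datetime(2023, 6, 1, tzinfo=timezone.utc),
                  withdrawn_at=datetime(2024, 2, 20, tzinfo=timezone.utc)),
    ConsentRecord("client-z", "kyc-onboarding", datetime(2023, 9, 1, tzinfo=timezone.utc),
                  withdrawn_at=datetime(2024, 2, 20, tzinfo=timezone.utc),
                  legal_hold_until=datetime(2029, 2, 20, tzinfo=timezone.utc)),
    ConsentRecord("client-w", "audit-fy24", datetime(2024, 1, 10, tzinfo=timezone.utc),
                  processors=("Genius",)),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        d = decide(rec, NOW)
        print(f"{rec.principal_id:9} {rec.purpose:16} {d.action:20} {d.reason}  erase_by={d.erase_by}")
```

Two design points worth noting. The legal-hold branch deliberately returns a distinct action rather than plain "retain", so downstream systems can keep the record in storage while still treating consent as withdrawn (processing_permitted stays False). And erase_by always starts with the fiduciary and then lists each processor, matching the Act's structure in which the obligation to cause processors to erase rests on the fiduciary, not on the processor.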
PENALTIES
The Board determines monetary penalties having regard to the nature, gravity and duration of the breach, its repetitive nature, the type and sensitivity of the personal data affected, and the gain or loss resulting from the breach.
Maximum penalties under the Schedule to the Act:
Failure of a Data Fiduciary to take reasonable security safeguards to prevent a personal data breach: may extend to INR 250 crore.
Failure to notify the Data Protection Board of India and the affected Data Principals of a personal data breach: may extend to INR 200 crore.
Non-fulfilment of the additional obligations in relation to personal data of children: may extend to INR 200 crore.
Non-fulfilment of the additional obligations of a Significant Data Fiduciary: may extend to INR 150 crore.
Breach of any other provision of the Act or the rules made thereunder: may extend to INR 50 crore.
THANK YOU
CA Swati Badaya