Understanding the Rules of the Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023, is designed to protect personal data in India. It sets up the Data Protection Board and defines its operational rules, including consent management and data breach reporting. The Act also covers data handling for children, significant data fiduciaries, and the rights of Data Principals, with regulations to be issued by the central government.
The Digital Personal Data Protection Act is a legislative framework enacted to safeguard personal data in the digital realm. It establishes data collection, storage, and processing guidelines, ensuring individuals’ privacy rights. The Act mandates transparency, accountability, and security measures for organisations handling personal data. It also outlines individuals’ rights, such as consent and data access. It imposes penalties for non-compliance to protect against data breaches and misuse.
The Digital Personal Data Protection Act of 2023 (DPDP Act) establishes a comprehensive framework to safeguard personal data in India. Section 40 of the Act empowers the central government to frame the rules and regulations that operationalise its provisions. The Act aims to become fully operational during the upcoming monsoon session of Parliament, once the central government has formulated these rules.
One of the DPDP Act’s primary focuses is establishing the Data Protection Board of India, which is integral to its enforcement. According to Section 18(1), the central government will officially establish the Board by notification. Section 18(3) also mandates that the government notify the headquarters of the Board. The composition and qualifications for appointing the chairperson and members of the Board are detailed in Section 19, which the government will also notify in the rules.
The Act also includes provisions regarding the terms of service for the Board’s members. Section 20 specifies that the central government will formulate rules related to the salary, allowances, and terms of office for the chairperson and other members. In addition, Section 23 outlines the rules concerning the proceedings of the Board, including procedures for conducting meetings and authenticating decisions. The Board is empowered under Section 24 to hire officers and staff, with their appointment terms prescribed by the central government.
The Board’s operations are designed to be digital and independent, as stipulated in Section 28. It will handle complaints, allocate cases, conduct hearings, and make decisions using technological and legal methods. Furthermore, Section 28(7)(d) grants the Board the same legal powers as a civil court, such as summoning witnesses, administering oaths, and collecting evidence.
Appeals against the Board’s decisions can be made to the Appellate Tribunal, as per Section 29(2). Individuals aggrieved by the Board’s decisions must file appeals within 60 days, following the prescribed procedures and fee requirements.
Another critical aspect of the DPDP Act is the consent framework. Section 5 of the Act mandates that Data Fiduciaries provide notice to Data Principals, explaining the purpose of collecting personal data and how to exercise their rights under Sections 6(4) and 13. This notice must also inform Data Principals about the procedure for filing complaints with the Board, which the central government will prescribe in the rules.
Section 6 outlines the role of Consent Managers, who are accountable to the Data Principals. According to Section 6(8), Consent Managers must act on behalf of Data Principals as per prescribed obligations. Section 6(9) mandates their registration with the Board, subject to technical, operational, and financial conditions.
The Act also addresses the processing of personal data by government agencies. Section 7(b)(ii) allows government entities to use personal data to provide services like benefits or licenses, provided they adhere to the processing standards notified by the central government. Furthermore, Section 8(6) requires Data Fiduciaries to inform the Data Protection Board about any personal data breaches, with the form and manner of this notification to be prescribed.
The general obligations of Data Fiduciaries are detailed in Section 8(8). This section requires Data Fiduciaries to delete personal data once the Data Principal withdraws consent, where the specified purpose is no longer being served. However, this requirement does not apply if the Data Principal does not engage with the Data Fiduciary for the intended purpose or exercise the related rights. The central government will prescribe specific timeframes for deletion, varying by class of Data Fiduciary and by purpose.
Section 8(9) also requires Data Fiduciaries to publicly disclose contact information for a Data Protection Officer or a representative who can answer questions about using personal data. The central government will prescribe the procedures for this disclosure.
Section 9 of the Act deals with the processing of children’s data. Before collecting and using a child’s data, Data Fiduciaries must obtain consent from the child’s parent or guardian, as prescribed. Moreover, Section 9(4) provides exemptions for certain Data Fiduciaries from specific provisions concerning children’s data, such as obtaining parental consent and avoiding targeted advertising, based on rules prescribed by the central government.
Significant Data Fiduciaries, those handling large volumes of personal data or data critical to national security, public order, or electoral processes, are subject to additional obligations under Section 10(1). These include conducting Data Protection Impact Assessments and adhering to other prescribed measures to protect data rights. Section 10(2)(c) mandates regular data protection impact assessments, audits, and adherence to additional prescribed measures.
The DPDP Act also outlines the rights of Data Principals in Chapter III. Rules will be formulated to operationalise the rights to access personal data (Section 11), correct and erase personal data (Section 12), and address grievances (Section 13). Additionally, Section 14 allows Data Principals to nominate another individual to exercise their rights in the event of death or incapacity, with specific procedures to be prescribed by the central government.
Lastly, the central government can exempt certain Data Fiduciaries, like startups, from specific provisions of the Act based on the amount and type of personal data they handle, as noted in Section 17(3). These exemptions will be detailed in the prescribed rules.
The DPDP Act of 2023 provides a robust framework for personal data protection in India, with comprehensive rules and regulations to be developed by the central government.
(Sanhita Chauriha is a Data Privacy & Technology Lawyer)
(Views are personal)