| Publication Date | Version | September 13, 2023 | 1.0 |
| Keywords | Personal Data, Data Principal, Consent, Notice, Data Fiduciary, Data Processor |
| Legislation(s) |
|
| Jurisdiction | India |
Introduction
The Parliament of India passed The Digital Personal Data Protection Act, 2023 (‘Act’) on August 11, 2023.
The Act recognises the right of individuals to protect their personal data and the need to process such personal data.
This write-up enquires into the manner in which personal data is to be shared by an individual while also discussing the manner in which entities may process this personal data.
Given that the concepts of privacy and data protection are nascent, it would take some time for the legal framework in this regard to develop.
Therefore, this write-up also identifies certain aspects concerning data protection that must be addressed going forward.
Specific issues are likely to be addressed in the rules to be made by the Central Government under the Act and new legislations that may be introduced, such as the much anticipated Digital India Act.
The Act and Applicability
The Act applies to the processing of digital personal data within the territory of India where the personal data is collected:
- In digital form; or
- In non-digital form and digitised subsequently.
The Act is also applicable to digital personal data being processed outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India.
The provisions of the Act shall not be applicable to the processing of personal data by an individual for any personal or domestic purpose.
The Act is also not applicable to personal data being made or caused to be made publicly available by:
- The Data Principal to whom such personal data relates; or
- Any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
There are several questions to be asked and answered concerning applicability.
- Situation: Personal data of X is processed outside India in respect of services rendered to X, who is ordinarily resident in India but at the relevant time is travelling outside India. Would the Act apply to X’s digital personal data, which is being processed outside the territory of India?
- The meaning of ‘publicly available’? Would information shared in a closed WhatsApp group constitute ‘publicly available’? Similarly, would information sent via broadcast over WhatsApp constitute ‘publicly available’?
Data Principal
A Data Principal is an individual to whom the personal data relates.
Unless an exemption under the Act or the rules is available, the consent in writing of the Data Principal is required to be obtained by the Data Fiduciary for processing their personal data.
In the case of children, the parents or the lawful guardian, and in the case of a person with disability, the lawful guardian is considered to be the Data Principal.
A Data Principal has the right to:
- Know from the Data Fiduciaries, a summary of personal data being processed and the processing activities being undertaken.
- Know the identities of Data Fiduciaries and Data Processors.
- Require the Data Fiduciary to undertake correction, completion, updation and erasure of personal data.
- Grievance redressal mechanism which is required to be established by the Data Fiduciary and the Consent Manager.
- Nominate an individual on its behalf in the event of death/incapacity.
Illustration 1
X, an individual registers themselves on a poker platform and provides personal data to the poker platform.
X is also redirected by the website to a third-party portal for making deposits.
X incurs heavy losses and makes multiple deposits.
X resolves not to get lured to the platform.
But then, X receives several SMS notifications with deposit offers, and temptation gives way.
X plays poker again on the platform and loses yet again.
X had given their consent to process their personal data regarding accessing the poker platform to play and nothing more.
Unknown to X, his losing record is being processed and tracked, which is why they were selected for the SMS notifications.
X is entitled to require the poker platform operator to share a summary of the personal data being processed and the processing activities being undertaken.
A Data Principal has a duty to:
- Comply with applicable laws while exercising rights under the Act.
- Not impersonate another person.
- Not suppress any material information.
- Not register a false grievance.
- Furnish verifiably authentic information.
Illustration 2
X, an individual registers themselves on a poker platform and, in the process, provides personal data to the poker platform.
X is also redirected to a third-party portal by the website for making deposits.
X makes a massive profit playing on the platform.
X’s father comes across his bank account statement and informs him that such massive profits would attract a heavy income tax.
To get information regarding the TDS deducted by the poker platform, X writes to the poker platform operator, claiming to be an officer in the Income Tax Department.
While X is entitled to access the information regarding TDS deduction, he cannot exercise such rights by impersonating another person.
Data Fiduciary
A Data Fiduciary is a person (alone or in conjunction with others) who determines the purpose and means of data processing.
A Data Fiduciary may continue to process the Personal Data of the Data Principal until she withdraws their consent.
A Data Fiduciary may also engage Data Processors for processing personal data obtained from the Data Principal.
However, the Data Fiduciary shall remain liable for all Data Processor acts for personal data processing.
A Data Fiduciary has the following obligations:
- To obtain consent to process data only for specified purposes or legitimate uses.
- To give notice to the Data Principal in respect of personal data and purpose.
- Ensure completeness, accuracy, and consistency of personal data.
- Protect personal data and take reasonable security safeguards.
- Publish contact details of authorised persons.
- Implement appropriate technical and organisational measures.
- Establish a grievance redressal mechanism.
- Erase personal data if consent is withdrawn.
- Comply with retention requirements.
- Intimate the Data Protection Board of India and Data Principal of any personal data breach.
- Correct, complete, and update personal data upon request.
- Give notice for consent in respect of personal data obtained before enactment of the Act.
A Data Fiduciary may process the personal data of a Data Principal for legitimate uses including:
- Specified purpose for which personal data has been voluntarily provided.
- State functions and public services.
- Compliance with any law.
- Compliance with judgments, decrees or orders.
- Medical emergencies and health services.
- Safety measures during disasters.
- Employment purposes.
Consent
A Data Fiduciary may make a Request for Consent to the Data Principal accompanied or preceded by a notice.
The Data Principal has the option to access such notice in English or any of the 22 languages specified in the Eighth Schedule of the Constitution of India.
The notice shall inform the Data Principal in respect of:
- Personal data being obtained and purpose.
- Manner of exercising rights.
- Manner of making a complaint to the Board.
- Contact details of authorised person.
The Rules in respect of such a notice are yet to be notified by the Central Government.
The Act also introduces the concept of a Consent Manager.
Under the Act, a Data Principal may have their consent managed by a Consent Manager who acts as a single point of contact.
The Consent Manager acts on behalf of the Data Principal and instructs the Data Fiduciary.
The duties of the Consent Manager involve:
- Responding to grievances of the Data Principal.
- Enabling the Data Principal to manage and withdraw consent.
Data Processing
The Act defines ‘processing’ to include operations such as collection, storage, retrieval, use, sharing, disclosure, dissemination, restriction, erasure or destruction.
The Act states that personal data may be processed only for specified purposes and legitimate uses.
The Data Fiduciary is held accountable for the processing of personal data being provided to them.
However, a Data Processor may also process the personal data on behalf of the Data Fiduciary.
It is the duty of the Data Fiduciary to:
- Have in place a valid contract with the Data Processor.
- Ensure that personal data is erased unless retention is required under law.
- Ensure that the identity of the Data Processor is shared with the Data Principal.
Exemptions
Provisions of the Act do not apply to:
- Processing of personal data by such instrumentality of the State as the Central Government may notify.
- Processing of personal data necessary for research, archives or statistical purposes.
- Enforcement of legal rights or claims.
- Processing undertaken by courts, judicial and quasi-judicial bodies.
- Prevention, detection, investigation or prosecution of offences.
- Cross-border processing involving contracts with foreign entities.
- Mergers, acquisitions and corporate restructuring.
- Financial information relating to defaulters.
When the State or its instrumentalities process data, certain obligations under the Act shall not apply.
Grievance Redressal
Both the Consent Manager and the Data Fiduciary are required to have mechanisms to address grievances of the Data Principal.
The Data Principal must first exhaust the grievance mechanism before approaching the Board.
Recourse to Board
The Board has the power to inquire or direct urgent remedial measures:
- On complaints by the Data Principal.
- On complaints regarding Consent Managers.
- On references by the Central Government involving intermediaries.
The Board has the power to issue directions and impose penalties after giving parties an opportunity of being heard.
The Board may also direct parties to mediation.
The Appellate Tribunal
Any individual aggrieved by the decision of the Board may appeal to the Appellate Tribunal within 60 days.
The Appellate Tribunal may entertain appeals beyond 60 days if sufficient cause is shown.
Appeals are to be disposed of within six months.
What Lies Ahead
The Central Government is empowered to make rules under the Act.
Rules are expected regarding:
- The manner in which notices for consent are to be sent.
- The manner in which notice is given for existing data.
- The obligations of Consent Managers.
- Registration of Consent Managers.
- Procedure for reporting data breaches.
- Standards for processing data for research and statistical purposes.
- Appellate Tribunal procedures.
As and when the rules are framed, several issues are likely to be addressed and new ones may arise.
Viewpoint
- As an individual, it is essential to be mindful of the information being divulged in the public domain.
- Businesses need to examine the extent to which the Act may be applicable to their operations.
- There is a need for organisations and businesses to monitor the chain of custody in respect of personal data.
- The manner in which personal data is to be erased following exercise of rights by a Data Principal needs to be addressed effectively.
- The rules under the Act should establish robust standards, technical measures, and time frames to ensure that personal data is removed effectively.
- Clarity is required with respect to processing of data outside the territory of India.
Suniti Kaur (Ms) and Ashwini Panwar (Mr)
Co-Founder & Managing Partner at Alaya Legal
Associate at Alaya Legal
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)
-
Ashwini Panwar (Mr)



