Digital Personal Data Protection Act

The Digital Personal Data Protection (DPDP) Act, 2023, is the primary legislative framework governing the processing of digital personal data in India. It aims to balance the individual’s right to protect their personal data with the lawful needs of organizations to process data for legitimate purposes, fostering a robust digital economy while ensuring privacy.

Core Definitions and Scope

The Act introduces specific terminology to define roles and responsibilities in the data ecosystem:

  • Data Principal: The individual to whom the personal data relates. In the case of a child (under 18) or a person with a disability, this includes their parent or lawful guardian.
  • Data Fiduciary: Any person or entity who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
  • Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.
  • Personal Data: Any data about an individual who is identifiable by or in relation to such data.
  • Digital Personal Data: Personal data that exists in digital form.

Key Principles of Data Processing

The Act is built upon several foundational principles that govern the collection and use of data:

  • Lawful Processing: Personal data may be processed only for a lawful purpose for which the Data Principal has given consent or for certain legitimate uses.
  • Purpose Limitation: Data must be processed only for the specific purpose for which consent was given.
  • Data Minimization: Only the data necessary for the specified purpose should be collected.
  • Accuracy: The Data Fiduciary must ensure that the data collected is accurate and kept up to date.
  • Storage Limitation: Personal data must not be retained longer than is necessary for the specified purpose.
  • Security Safeguards: Data Fiduciaries must implement reasonable security safeguards to prevent data breaches.
  • Accountability: Data Fiduciaries are responsible for ensuring compliance with the Act, regardless of whether they have engaged a Data Processor.

Rights and Duties of Data Principals

Data Principals are granted specific rights to exercise control over their digital footprint:

  • Right to Access: The right to obtain a summary of personal data being processed and the identities of all Data Fiduciaries and Processors with whom the data has been shared.
  • Right to Correction, Completion, and Erasure: The right to request the correction of inaccurate data, the completion of incomplete data, and the deletion of data that is no longer necessary.
  • Right to Grievance Redressal: The right to have a mechanism in place to address grievances regarding the processing of their data.
  • Right to Nominate: The right to nominate another individual to exercise these rights in the event of death or incapacity.

Data Principals are also subject to duties, including the obligation not to furnish false information, not to impersonate another person, and not to suppress material information when providing data for specified purposes.

Obligations of Data Fiduciaries

Data Fiduciaries, particularly those categorized as Significant Data Fiduciaries, face enhanced responsibilities:

  • Consent Management: Consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action. Data Principals have the right to withdraw consent at any time.
  • Data Protection Officer (DPO): Significant Data Fiduciaries must appoint a DPO based in India, responsible for ensuring compliance and acting as the point of contact for grievances.
  • Data Protection Impact Assessment (DPIA): Significant Data Fiduciaries are required to conduct periodic audits and impact assessments.
  • Breach Notification: In the event of a personal data breach, the Data Fiduciary must notify the Data Protection Board of India and each affected Data Principal.

The Data Protection Board of India

The Act establishes the Data Protection Board of India as the independent regulatory body responsible for enforcement:

  • Functions: The Board is tasked with inquiring into data breaches, hearing complaints from Data Principals, and imposing penalties for non-compliance.
  • Independence: The Board functions as an independent body, with members appointed by the Central Government.
  • Penalties: The Board has the authority to impose significant financial penalties for breaches of the Act. These penalties are determined based on the nature, gravity, and duration of the breach.

Exemptions and Sovereign Powers

The Act provides specific exemptions to balance privacy with national security and public interest:

  • State Exemptions: Certain provisions of the Act, such as notice and consent requirements, may be waived for agencies of the state in the interest of sovereignty, integrity of India, security of the state, public order, and prevention of cognizable offenses.
  • Legitimate Uses: Personal data can be processed without explicit consent for certain “legitimate uses,” such as performing functions required by law, responding to medical emergencies, or providing services during disasters.
  • International Data Transfer: The Act allows the transfer of personal data to notified countries, unless restricted by the Central Government.

Important Facts for UPSC Prelims

  • Applicability: The Act applies to the processing of digital personal data within India, and also to processing outside India if it involves offering goods or services to Data Principals within India.
  • Penalties: The Act prescribes monetary penalties for non-compliance, which can extend up to ₹250 crore in specific cases of failure to take reasonable security safeguards.
  • Children’s Data: Processing data of children requires verifiable parental consent. Tracking, behavioral monitoring, and targeted advertising directed at children are strictly prohibited.
  • Supreme Court Precedent: The Act is a direct outcome of the K.S. Puttaswamy v. Union of India (2017) judgment, where the Supreme Court declared the “Right to Privacy” as a fundamental right under Article 21.
  • Relationship with Other Laws: In case of conflict between the DPDP Act and other sectoral laws regarding data protection, the provisions of the DPDP Act or specific provisions in other laws may apply as per the notification of the Central Government.
Last Modified: June 17, 2026
