The Existing Pre-PDP Era
1. Introduction
The Digital Personal Data Protection Act, 2023 (DPDPA) is India’s first comprehensive law focused exclusively on personal data protection in the digital era. This milestone legislation emerged after decades of operating under the limited framework of the Information Technology Act, 2000 (IT Act), which was later amended by the IT Act 2008 and its Sensitive Personal Data or Information (SPDI) Rules, 2011.
The IT Act and SPDI Rules were among India’s initial attempts to address data protection concerns. However, they were designed primarily for cybersecurity and e-commerce rather than personal data privacy. They lacked a clear and enforceable framework for modern data protection challenges, such as cross-border data transfers, informed consent, and grievance redressal mechanisms.
Recognizing these gaps, India began its journey toward a robust data protection regime, culminating in the enactment of the DPDPA. This new law is a significant leap forward, shifting the focus from generic security provisions to detailed, enforceable rights and responsibilities for individuals and entities handling personal data.
2. The Evolution of India’s Data Protection Framework
2.1 The IT Act and SPDI Rules
The IT Act of 2000, introduced during the early days of India’s digital revolution, included a few provisions on personal data protection. The SPDI Rules, 2011 extended these by defining categories like “Sensitive Personal Data or Information” and mandating reasonable security practices for entities handling such data.
However, the SPDI Rules had several shortcomings:
- Limited applicability: They only applied to “body corporates” and not government entities.
- No comprehensive rights: Individuals had limited control over their data.
- Weak enforcement: There was no dedicated regulator for overseeing compliance.
2.2 The Path to the DPDPA
Several key milestones marked the journey to the DPDPA:
- 2017: Puttaswamy Judgment and Justice Srikrishna Committee: In 2017, the Supreme Court of India delivered the landmark Puttaswamy judgment, declaring that the right to privacy is a fundamental right under the Indian Constitution. This historic ruling recognized the significance of privacy in an increasingly digital world and set the stage for comprehensive data protection laws. The Court’s decision emphasized that privacy is integral to personal autonomy and human dignity, which should be protected even in the context of the digital economy.
The government then formed the Justice Srikrishna Committee to assess the existing situation and propose solutions that would respect individual privacy while balancing the needs of businesses and the state. The committee’s task was to design a comprehensive legal structure to address the challenges posed by rapid technological advancement and growing data usage in India.
- 2018: The First Draft Bill: The Personal Data Protection Bill, 2018, was introduced, emphasizing individual rights and obligations for entities processing personal data. It borrowed heavily from global frameworks like the GDPR.
- 2019-2021: Revised Drafts and Public Consultations: The bill underwent multiple revisions based on stakeholder feedback. Key debates revolved around exemptions for government processing, data localization, and penalties for non-compliance.
- 2022: Withdrawal of the PDP Bill: The government withdrew the 2019 draft, citing the need for a simplified, more effective framework.
- 2023: Introduction and Passage of the DPDPA: The Digital Personal Data Protection Bill, 2023, was introduced in Parliament in August 2023. It passed quickly, reflecting a renewed commitment to data protection. The Act received the President’s assent on August 11, 2023, and became effective from November 1, 2023, with phased implementation for different provisions. The following sections describe the main features of the DPDPA.
3. Applicability of the DPDPA
The DPDPA applies to the processing of digital personal data within India, whether the data was collected in digital form or collected in physical form and digitized later. It also covers processing outside India if it relates to offering goods or services to Data Principals within India.
3.1 Key Definitions under the DPDPA
The DPDPA introduces new terms to describe roles and responsibilities related to data:
- Data Principal: This refers to the individual whose personal data is being collected. For example, if you share your phone number with a company, you are the Data Principal.
- Data Fiduciary: The organization or person that decides why and how the personal data will be used. For instance, an online retailer collecting your address for delivery is a Data Fiduciary.
- Significant Data Fiduciary: An organisation designated as a Significant Data Fiduciary on the basis of the following considerations: the volume and sensitivity of personal data processed, the risk to the rights of the Data Principal, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order. These entities have additional responsibilities, such as conducting periodic audits and appointing a Data Protection Officer.
3.2 Exclusions under the DPDPA
The DPDPA does not apply in certain situations:
- Personal Use: If you collect data for personal reasons, like saving someone’s contact details on your phone, the law does not apply.
- Public Data: Data that the individual has made public themselves, such as posting your email address on a public website, or that has been made public by a third person under a legal obligation, is not covered.
3.3 Limited to Digital Data
The DPDPA’s applicability is restricted to digital personal data. This includes:
- Data collected in digital form.
- Data initially collected in physical form but later digitized for processing.
4. Obligations on Data Fiduciaries
Data Fiduciaries (organizations or individuals handling personal data) must follow strict rules under the DPDPA to ensure that personal data is protected.
4.1 Lawful Processing
Every Data Fiduciary must ensure that personal data is collected and processed on one of two lawful grounds: consent or legitimate uses.
4.2 Consent Notice
When seeking consent, every Data Fiduciary must provide the following details to the Data Principal:
- Why personal data is being collected.
- What types of data are collected.
- How the data will be used.
- The rights available to Data Principals and the manner in which they may exercise them.
- The grievance redressal mechanism.
4.3 Consent Requirements
Where processing is based on consent, the Data Fiduciary must obtain clear and explicit consent from the individual before processing any personal data. This consent must be:
- Free: The individual should not feel forced to give consent.
- Informed: The purpose of data collection must be explained clearly.
- Specific: Consent should be for a specific reason, not a broad or unclear purpose.
- Unconditional: Consent should not be based on any conditions.
- Unambiguous: Consent must be explicit and clear, leaving no room for doubt about the individual’s intentions.
- Clear affirmative action: Consent must involve an active step, such as ticking a checkbox or clicking “Agree,” rather than being inferred.
4.4 Grievance Redressal Mechanisms
To address complaints or concerns from Data Principals, Data Fiduciaries must:
- Set up a grievance redressal system.
- Appoint a Data Protection Officer (DPO) if they are a Significant Data Fiduciary.
- Share the DPO’s contact details publicly so people know where to reach out.
4.5 Reasonable Security Safeguards
Data Fiduciaries must implement strong security measures to protect personal data from breaches. This may include:
- Using encryption.
- Regularly updating security systems.
- Conducting audits to check for vulnerabilities.
To know more about the duties and obligations of data fiduciaries, click here
5. Rights of Data Principals
5.1 Right to Access
Under the DPDPA, data principals can request a summary of their personal data being processed, details of processing activities, identities of entities with whom their data is shared, and additional prescribed information. However, this excludes data shared with authorized entities for lawful purposes like crime prevention or investigation.
5.2 Right to Correction and Erasure
The DPDPA grants data principals the right to request correction, completion, updating, or erasure of their personal data. Data fiduciaries must fulfill such requests unless the data’s retention is necessary for lawful or specified purposes.
5.3 Right of Grievance Redressal
Under the DPDPA, Data Principals can seek grievance redressal through mechanisms provided by Data Fiduciaries or Consent Managers, who must respond within a prescribed period of time. A Data Principal can approach the Data Protection Board only after exhausting the grievance redressal mechanism of the Data Fiduciary.
5.4 Right to Withdraw Consent
Individuals can withdraw previously given consent for data processing at any time, and data fiduciaries must cease processing activities based on such withdrawal.
5.5 Right to Nominate
The Data Principal has the right to nominate another individual to act on their behalf and exercise their rights in the event of their death or incapacitation.
To know more about the rights and duties of data principals, click here
6. Cross-Border Data Transfers
Under the DPDPA, the Central Government may, by notification, restrict Data Fiduciaries from transferring personal data to specific foreign countries or territories. This provision does not override existing Indian laws that mandate stricter protections or restrictions on cross-border data transfers.
7. Penalties for Non-Compliance
The DPDPA imposes strict penalties on companies or individuals who violate its rules. These penalties are designed to ensure compliance and discourage negligence. They include, but are not limited to, the following:
- Up to ₹250 crore: breach of the Data Fiduciary’s obligation to take reasonable security safeguards to prevent a personal data breach.
- Up to ₹200 crore: failure to give notice of a personal data breach to the Board or to the affected Data Principals, and failure to fulfil obligations relating to children’s data.
- Up to ₹150 crore: breach of the additional obligations of a Significant Data Fiduciary.
The severity of penalties reflects the government’s commitment to enforcing the Act and ensuring strict adherence.
To get an overview of compliance with the DPDPA, click here
8. Conclusion
The DPDPA is a transformative step in India’s journey toward a robust and globally aligned data protection framework. By shifting the focus from mere guidelines under the IT Act to a well-structured, enforceable legal framework, the DPDPA strengthens the rights of individuals and sets clear obligations for entities handling digital personal data.
With provisions for informed consent, stringent security safeguards, and strict penalties for violations, the Act not only prioritizes privacy but also fosters trust in India’s digital ecosystem. By regulating cross-border data transfers and introducing accountability measures for Data Fiduciaries, it ensures that personal data is handled responsibly, both within and beyond India’s borders.
As organizations adapt to the new compliance landscape, the DPDPA promises to create a balance between protecting individual privacy and supporting the legitimate needs of businesses. It marks a critical milestone in safeguarding the data rights of Indian citizens in an increasingly data-driven world.
……………………………………………………..
Authored by Samya Gupta
Samya is a lawyer practising in IP & Technology Law and works with Tsaaro as a Privacy Consultant.