DPDP Act: Why Companies Should Pay Attention
dpdpa-newsletter

Introduction:                  

After 6 years of the Supreme Court of India recognizing the Right to Privacy as a fundamental right enshrined in the Right to Life i.e. Article 21 of the Indian constitution, on August 11, 2023, the Indian Government officially published the digital Personal Data Protection Act, 2023 on its official Gazette and reserving it enforcement for a future date. The Act contains 44 provisions which mandate the processing of personal data on a legitimate and legal basis, apart from the compliance requirements under the DPDP Act, the  Minister of State for Electronics and Information Technology Honorable Mr. Rajeev Chandrasekhar during a press conference informed that the Indian Government will notify the DPDP Rules within the mid of October and according to a government official source it is being expected that at least 25 rules have been formulated by the government to implement the DPDP Act and the draft of the said rules are being completed and awaiting official release for public enforcement. It is also being mentioned by the IT Minister that no more than 12 months will be provided as a grace period for transition and in the case of Multinational companies who were already in compliance with other Privacy regulations including GDPR etc. will not be provided with additional time extensions for DPDP compliance.

It doesn’t mean that the corporations who were in the journey of GDPR compliance will have negligible work to do, but in reality, the compliance requirements of the DPDP Act 2023 are unique and require a specific implementation plan than other international data protection compliance requirements.

Compliance Requirements under the Digital Personal Data Protection Act 2023:

According to Section 8 of the DPDP Act, there are nine main duties of data fiduciaries:

  • To comply with provisions of DPDPA irrespective of the actions of the data principal.
  • Employ Data Processor through a valid contract.
  • Ensure completeness, accuracy, and consistency when the processing of data is used to make a decision that affects data principals or if it is being disclosed to other data fiduciaries.
  • Shall implement technical and organizational measures to comply with provisions of DPDPA. (Technical measures including setting up firewalls, VPN, encryption etc. and organizational measures comprised of internal policies, methods, practices for ensuring retention, access control, backup, quality control, information security management etc.)
  • Adopt reasonable security safeguards to prevent data breaches ( including data processed by the data controller) ( reasonable security safeguards including security like ISO / IEC audit certifications, implementing comprehensive information security policy like Governance and risk compliance team etc.)
  • Shall report the data breach to the data protection board and affected data principals.
  • Ensure erasure requirements when it is being requested or the specified purpose for which the Personal Data is being collected is no longer being served or whichever is earlier and mandate the Data Processor to do the same.
  • Shall publish the contact details of the Data Protection Officer or other representative to address the requests of data principals on behalf of data fiduciaries.
  • Shall set up an effective grievance redressal mechanism for data principals.

According to Section 10 of the DPDP Act, the central government may notify a data fiduciary as a significant data fiduciary based on 6 factors and the said Significant Data Fiduciaries are obliged to:

  • Appoint a Data protection officer based in India to represent the said Significant Data Fiduciary.
  • Appoint an independent data auditor to evaluate the compliance requirements of the said fiduciary.
  • Shall conduct periodic data protection impact assessments, data audits and other such measures as prescribed.

Consent and Notice requirements:

According to section 6, the Data fiduciary shall obtain free, specific, unconditional, informed, unambiguous consent with a clear affirmative action signifying an agreement to the processing of personal data and every such request for consent shall be accompanied by a notice informing the Data Principal about:

  • Purpose in which the personal data is collected.
  • How the Data Principal can exercise their rights (including the right to make complaints to the Data Protection Board)

Setting up a Data Principal Rights Framework:

Chapter III of the DPDP Act has empowered the Data principals to exercise six inherent rights in case the personal data is being processed based on the consent of the Data Principal. They are:

  • Right to withdraw consent and the said mechanism shall be easily done comparable to the method deployed for obtaining consent.
  • Right to access: Summary of Personal Data Processed and processing activities undertaken, Identities of third parties to whom the Personal Data has been shared and the description of the shared Personal Data.
  • Right to correction, erasure, completion, and updating of Personal Data
  • Right to Grievance Redressal: Through a readily available and easy, effective redressal mechanism established by the Data Fiduciary.
  • Right to nominate other individuals who shall act on behalf of the Data Principal upon death or incapacity of the Data Principal.
  • Right to complain to the Data Protection board after exhausting the grievance redressal framework established by Data Fiduciary.

Apart from the exceptions provided in Chapter III or other provisions of this act, the Data Fiduciary is not eligible to refuse the request of the Data Principal and unlike other regulations like GDPR which provides options for rejecting requests of a repetitive nature, the act indirectly implies that utmost compliance to honour the request of the Data Principal.

Penalty for Non-compliance:

In case of non-compliance with any provisions of the act or the rules made in, according to section 33 of the DPDP Act, the Data Protection Board shall impose a monetary penalty based on the schedule specified.

According to the Schedule, the penalty for data fiduciaries shall be ranging from Rs. 50 crores to Rs. 250 crores depends upon the breach of concerned provisions.

The amount of the penalty as mentioned in the Schedule shall be determined based on the:

  • Nature, gravity, duration of the personal data breach
  • The repetitiveness of the breach
  • Type, nature of persona data affected by the breach
  • Whether the person has realized gain or avoided any loss due to the breach
  • Action taken and its nature, effectiveness, timeliness of the action taken.
  • Likely impact of the monetary penalty imposed on the said person.

Conclusion:

Apart from the monetary penalty for non-compliance, the said entity who was not serious about the compliance of the data breach shall be prone to reputational damage and such damage can cause a catastrophic impact on the business of the said entity. For instance, a research report showcases that one-third of customers in finance, retail and healthcare will stop doing business with an organization that has experienced a data breach and around 33.5 per cent of them will use social media to vent out their opinion about the damage that occurred due to the breach.

According to a news report the awareness about the mishandling of personal data has increased in recent times and the Data Principals are actively involved in Data Activism to enforce their Data Protection rights as a result, most of the big business firms are actively involved in the Journey of compliance with DPDP Act and it is the right time that the companies should pay attention to the compliance requirements of DPDP Act 2023.

Major Privacy Updates of the Week

business-corporate-protection-safety-security-concept_53876-64964_11zon

New York law bans explicit deepfake distribution.

Kathy Hochul, Governor of New York, has signed a new law prohibiting the distribution of AI-generated pornographic images without the subject’s consent. This measure aims to combat the use of AI tools to create convincing deepfake content, particularly targeting women. Under the new legislation, offenders could face up to a year in jail, and victims now have the right to pursue legal action in civil court. The legislation has received unanimous support in both legislative chambers and follows a nationwide trend, with at least 46 states already banning revenge porn, highlighting concerns about the increasing realism of deepfakes and their potential for abuse. Read More.

standard-quality-control-concept-m_23-2150041862

Parliament orders halt on Worldcoin's Kenya services.

Kenyan lawmakers demand cryptocurrency project Worldcoin halt operations until stricter regulations are enacted. The government had initially suspended the project in August due to privacy concerns surrounding iris scanning for digital IDs. Worldcoin, launched globally by Tools for Humanity, co-founded by OpenAI CEO Sam Altman, had faced scrutiny in multiple countries, including Britain, Germany, and France. However, despite the suspension, Worldcoin maintains an online presence in Kenya. As a result of several Privacy concerns, a parliamentary panel had recommended the Communications Authority of Kenya to disable Tools for Humanity’s virtual platforms and IP addresses. They had also urged for a physical presence suspension until proper regulations for virtual assets and services are established. Read More.

Canadians have 'right to be forgotten' on Google, court rules.

A Canadian court has ruled that Google’s search engine is subject to federal privacy law, potentially granting individuals the “right to be forgotten.” In a 2-1 decision, the Federal Court of Appeal rejected Google’s exemption claim for journalistic or artistic purposes under Federal Law. The case began with a privacy complaint in 2017, where a man sought to delist outdated and harmful information about him on the internet. Google has argued that it acted as an intermediary, disseminating news and information whereas the Lawyers for the complainant praised the ruling. Read More.

Denmark's High Court fines hotel chain over data storage.

On September 26, 2023, the Danish data protection authority, Datatilsynet, had imposed a fine of DKK 1 million (approx. $142,280) on Arp-Hansen Hotel Group A/S, for not deleting customer data as required by GDPR Article 5(1)(e). Following a 2020 investigation, Datatilsynet found that Arp-Hansen kept customer data beyond their deletion deadlines. Initially recommended at DKK 1.1 million (approx. $156,500), the fine was imposed by the High Court despite a previous District Court decision against a fine. The High Court similarly ruled that Arp-Hansen violated GDPR Article 5(1)(e) by not following its own data retention policies. Read More.

Personal Information of Air Canada Employees exposed in recent Cyberattack.

Air Canada, Canada’s largest airline, reported a data breach involving employee information, however, flight operations and customer data remained unaffected. An unauthorized group had briefly accessed limited employee data, but no customer info was compromised. Air Canada is cooperating with authorities and cybersecurity experts to enhance security. This incident coincided with a suspected pro-Russia hacking group’s cyberattack causing airport disruptions. No group claimed responsibility, but Canada faced ongoing attacks following its support for Ukraine last year. Read More.

Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay

WEEKLY PRIVACY NEWSLETTER

Keep up to pace with this high-impact weekly privacy newsletter that
features significant data privacy updates, trends, and tools that can
help to make your life secure & easier every day!

*By clicking on subscribe, I agree to receive communications from Tsaaro