The Digital Personal Data Protection (DPDP) Act of 2023 lays down the obligations of a Data Fiduciary. It received presidential assent on August 11, 2023, and will come into force on a date to be subsequently notified, with different dates being appointed for different provisions. The law acknowledges the right of privacy and underlines the necessity of processing data only for lawful purposes.

Data Fiduciary

Section 2(i) of the DPDP Act defines the term ‘Data Fiduciary.’ According to section 2 (i) of the Act, ‘Data Fiduciary’ means any person who alone or in conjunction with other persons determines the purpose and means of processing personal data.

Obligations of a Data Fiduciary

Chapter II of the DPDP Act outlines the obligations of a Data Fiduciary, focusing on grounds for processing data. The Act states that a person can only process the personal data of a Data Principal for lawful purposes, with consent or for certain legitimate uses. The term ‘Data Principal’ refers to the person that personal data is about. If this person is a child, it also includes their parents or legal guardian. Similarly, if the person has a disability, it includes their legal guardian who acts on their behalf. Any request for consent must be accompanied by a notice from the Data Fiduciary, outlining the purpose of processing, complaint procedure, and access to the notice in English or any language specified in the eight schedule of the constitution. This provision applies even if the Data Principal has given consent before the Act’s commencement.

A. Consent

Section 6 of the Act mandates that Data Principals’ consent must be given freely, be specific, informed, unconditional, and unambiguous, indicating their agreement to the processing of their data for a specified purpose. Any part of the consent that infringes on the Act’s provisions will be considered invalid. Data Principals must be provided with clear consent requests in plain language, including contact information for a Data Protection Officer, where applicable, or any other designated individual authorized by the Data Fiduciary to respond to any communication from the Data Principal.

Data Principals have the right to revoke consent at any time, and if they withdraw consent, the Data Fiduciary must cease processing within a reasonable time, unless such processing is authorized by this Act or any other applicable Indian laws.

B. Appointment of a Consent Manager

The Data Principal can manage, review, or withdraw consent from the Data Fiduciary through a Consent Manager, who is accountable to the Data Principal and must act on their behalf, subject to prescribed obligations. Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial, and other conditions as may be prescribed.

C. Processing for Certain Legitimate Uses

According to section 7 of the Act, a Data Fiduciary may process the personal data of a Data Principal for any of the uses like when the Data Principal has voluntarily provided their data to the Data Fiduciary for a specific purpose, without indicating their consent to its use and other uses provided under the section.

D. Processing of Data for the State

The data fiduciary may process the personal data of a data principal for specific purposes, including allowing the State and its instrumentalities to provide subsidies, benefits, services, certificates, licenses, or permits. This is permissible under two conditions: either when the Data Principal has previously consented to such data processing by the State, or if the personal data is available in digital form or in non-digital form and subsequently digitized from within State-maintained databases or documents, subject to Central Government notification. Compliance with processing standards established by the Central Government’s policy or applicable laws is required.

E. General Obligations of a Data Fiduciary

Section 8 outlines the obligations of Data Fiduciaries, who must comply with the Act and rules related to processing personal data on their behalf. They must ensure data accuracy, completeness, and consistency, implement technical and organizational measures, protect personal data, inform the Board and affected Data Principals in case of breaches, and publish contact information for Data Protection Officers.

F. Processing of Personal Data of Children

Section 9 addresses the obligations of the Data Fiduciary when the Data Principal is a child or a person with a disability. The Data Fiduciary shall, before processing any personal data of a child or a person with a disability who has a lawful guardian, obtain verifiable consent from the parent of such child or the lawful guardian, in such manner as may be prescribed.

A Data Fiduciary shall not engage in processing personal data that is likely to cause any detrimental effect on the well-being of a child. Furthermore, a Data Fiduciary cannot carry out tracking or behavioral monitoring of children or engage in targeted advertising directed at children.

Significant Data Fiduciary

The Central Government, upon assessing the relevant parameters, may designate any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary.

Additional Obligations of a Significant Data Fiduciary

The Significant Data Fiduciary must appoint a Data Protection Officer, an independent data auditor, and other measures to ensure compliance with the Act. The officer should represent the Fiduciary, be based in India, and be responsible for the governing body. The officer should also conduct a periodic Data Protection Impact Assessment, manage risks to data rights, and implement other measures consistent with the Act.

Conclusion:

In conclusion, the Digital Personal Data Protection (DPDP) Act of 2023 stands as a robust framework safeguarding individuals’ right to privacy in India. Through a comprehensive set of obligations, the Act ensures that Data Fiduciaries process data lawfully, prioritize consent, and uphold the privacy of Data Principals. Notably, the Act introduces measures for managing children’s data, designates Significant Data Fiduciaries with heightened responsibilities, and outlines penalties for breaches. By striking a balance between data utility and protection, the DPDP Act contributes to a more accountable and secure digital landscape in the country.