OBLIGATIONS OF A DATA FIDUCIARY UNDER THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
The Digital Personal Data Protection (DPDP) Act of 2023 lays down the obligations of a Data Fiduciary. It received presidential assent on August 11, 2023, and will come into force on a date to be subsequently notified, with different dates being appointed for different provisions. The law acknowledges the right of privacy and underlines the necessity of processing data only for lawful purposes.
Data Fiduciary
Section 2(i) of the DPDP Act defines the term ‘Data Fiduciary’ as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
Obligations of a Data Fiduciary
Chapter II of the DPDP Act outlines the obligations of a Data Fiduciary, focusing on the grounds for processing data. The Act states that a person may process the personal data of a Data Principal only for a lawful purpose, either with consent or for certain legitimate uses. The term ‘Data Principal’ refers to the individual to whom the personal data relates. If this individual is a child, it also includes their parents or lawful guardian; similarly, if the individual has a disability, it includes the lawful guardian who acts on their behalf. Any request for consent must be accompanied by a notice from the Data Fiduciary outlining the purpose of processing, the complaint procedure, and the option to access the notice in English or in any language specified in the Eighth Schedule of the Constitution. This requirement applies even where the Data Principal gave consent before the Act’s commencement.
A. Consent
Section 6 of the Act mandates that Data Principals’ consent must be given freely, be specific, informed, unconditional, and unambiguous, indicating their agreement to the processing of their data for a specified purpose. Any part of the consent that infringes on the Act’s provisions will be considered invalid. Data Principals must be provided with clear consent requests in plain language, including contact information for a Data Protection Officer, where applicable, or any other designated individual authorized by the Data Fiduciary to respond to any communication from the Data Principal.
Data Principals have the right to revoke consent at any time, and if they withdraw consent, the Data Fiduciary must cease processing within a reasonable time, unless such processing is authorized by this Act or any other applicable Indian laws.
B. Appointment of a Consent Manager
The Data Principal can manage, review, or withdraw consent from the Data Fiduciary through a Consent Manager, who is accountable to the Data Principal and must act on their behalf, subject to prescribed obligations. Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial, and other conditions as may be prescribed.
C. Processing for Certain Legitimate Uses
According to section 7 of the Act, a Data Fiduciary may process the personal data of a Data Principal for any of the uses like when the Data Principal has voluntarily provided their data to the Data Fiduciary for a specific purpose, without indicating their consent to its use and other uses provided under the section.
D. Processing of Data for the State
A Data Fiduciary may process the personal data of a Data Principal for specific purposes, including enabling the State and its instrumentalities to provide subsidies, benefits, services, certificates, licences, or permits. This is permissible under either of two conditions: the Data Principal has previously consented to such processing by the State, or the personal data is already available in digital form, or in non-digital form and subsequently digitised, within State-maintained databases or documents notified by the Central Government. Processing must also comply with the standards laid down in the Central Government’s policy or in applicable law.
E. General Obligations of a Data Fiduciary
Section 8 outlines the general obligations of Data Fiduciaries, who are responsible for complying with the Act and its rules in respect of any processing of personal data undertaken by them or on their behalf. They must ensure the accuracy, completeness, and consistency of personal data, implement appropriate technical and organisational measures, protect personal data through reasonable security safeguards, inform the Board and affected Data Principals in the event of a personal data breach, and publish the contact information of the Data Protection Officer or other designated person.
F. Processing of Personal Data of Children
Section 9 addresses the obligations of the Data Fiduciary when the Data Principal is a child or a person with a disability. The Data Fiduciary shall, before processing any personal data of a child or a person with a disability who has a lawful guardian, obtain verifiable consent from the parent of such child or the lawful guardian, in such manner as may be prescribed.
A Data Fiduciary shall not engage in processing personal data that is likely to cause any detrimental effect on the well-being of a child. Furthermore, a Data Fiduciary cannot carry out tracking or behavioral monitoring of children or engage in targeted advertising directed at children.
Significant Data Fiduciary
The Central Government, upon assessing the relevant parameters, may designate any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary.
Additional Obligations of a Significant Data Fiduciary
A Significant Data Fiduciary must appoint a Data Protection Officer and an independent data auditor, and undertake other measures to ensure compliance with the Act. The officer should represent the Fiduciary, be based in India, and be answerable to its governing body. The officer should also conduct periodic Data Protection Impact Assessments, manage risks to the rights of Data Principals, and implement other measures consistent with the Act.
Conclusion:
In conclusion, the Digital Personal Data Protection (DPDP) Act of 2023 stands as a robust framework safeguarding individuals’ right to privacy in India. Through a comprehensive set of obligations, the Act ensures that Data Fiduciaries process data lawfully, prioritize consent, and uphold the privacy of Data Principals. Notably, the Act introduces measures for managing children’s data, designates Significant Data Fiduciaries with heightened responsibilities, and outlines penalties for breaches. By striking a balance between data utility and protection, the DPDP Act contributes to a more accountable and secure digital landscape in the country.
Major Privacy Updates of the Week
Several Tech Companies to face new Compliances under EU’s Digital Services Act
The EU’s stringent Digital Services Act (DSA) came into effect on 25 August 2023, compelling major digital companies, such as Amazon, Apple, Google, and prominent social media platforms, to take a more proactive role in policing online content and combating disinformation and hate speech. Failure to comply with the provisions of the DSA can lead to substantial fines of up to 6% of global revenue.
While companies like Meta and TikTok are already taking steps to comply, the law’s impact extends to Twitter (now ‘X’) and Google’s transparency initiatives. The DSA is part of a broader strategy to empower individuals, enhance accountability, and ensure user protection.
YouTube and other companies plead for Dismissal of Lawsuit over Children’s Privacy
Google, Cartoon Network, Hasbro, and other companies are asking a federal judge to dismiss a class-action complaint accusing them of violating children’s privacy by tracking YouTube views for targeted advertising. Google argues that even if the tracking claims are true, the conduct is not highly offensive and is consistent with earlier rulings on routine data collection.
Moreover, Google has claimed that collecting online activity, geolocation, and browser/device information in accordance with clear public disclosures is not actionable, and that the lawsuit should therefore be dismissed. The channel operators, including Cartoon Network and Hasbro, maintain that they did not act in concert with Google on tracking.
Data of 2.6 Million Duolingo Users Leaked on Hacking Forum
Duolingo’s security has been compromised, with data belonging to 2.6 million users surfacing on a hacking forum. The data includes real names, login credentials, email addresses, and internal service-related details. Initially offered for sale at $1,500, the dataset’s inclusion of private email addresses could enable targeted phishing. While Duolingo has confirmed that the data originated from publicly accessible profiles, questions remain about the security of users’ private information.
The breach reportedly stemmed from an exposed API in March 2023 that allowed unauthorised retrieval of email addresses. Duolingo’s handling of the incident, including the continued accessibility of the API after the abuse was reported, has been strongly criticised as negligent.
Facebook Owner Meta Facing Legal Action in Norway for GDPR Violations
Meta Platforms is facing legal action in Norway for violating European data privacy regulations, resulting in a daily fine of one million crowns ($94,145) since August 14. The penalty stems from the company’s breach of user privacy through data harvesting for targeted advertising, a practice common among Big Tech firms.
Meta, which is seeking a temporary injunction against the fine, is accused of disregarding the European General Data Protection Regulation (GDPR). While Meta claimed before the court that it had already committed to asking for user consent, the Norwegian Data Protection Authority, Datatilsynet, highlighted the uncertainty surrounding Meta’s commitment to user consent, which resulted in the fine.
French Employment Agency Breach Results in Potential Exposure of Sensitive Data of 10 Million Individuals
The French employment agency Pôle emploi has fallen victim to a cyber-attack that potentially exposed the sensitive data of around 10 million individuals. The breach is believed to be connected to the Clop ransomware gang’s MOVEit campaign, which has affected numerous organisations and millions of people.
The compromised information includes the names, employment statuses, and social security numbers of six million recent registrants and four million individuals who have been off the register for less than a year. Investigations are ongoing, and Pôle emploi has reported the incident to the data protection authorities while assuring the public of the security of its systems and the continuity of welfare payments.
Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay