Understanding the key intricacies of India’s DPDP Act

By Vishal Gupta

The Digital Personal Data Protection Act (DPDP Act) of 2023 is a substantial legislative development within India's legal framework: it takes a comprehensive approach to safeguarding personal data, and that approach entails numerous complexities. Although work on the legislation began in 2017, it did not attain official status until August 11, 2023, when it was gazetted. The consequences of personal data processing affect every individual, business, and organization engaged in such activities, whether as data principal, data originator, data fiduciary, or data processor.

Framework to Protect Personal Data

The DPDP Act establishes a methodical framework for handling personal data. This framework distinguishes personal information from general information and non-personal data. It also defines several crucial concepts, including data principal, data fiduciary, and data processor.

  • Data Principal encompasses any individual, entity, or organization that produces personal data.
  • Data Fiduciary is a legally recognized entity charged with determining how the personal information of a data principal will be processed.
  • Data Processor is responsible for executing the specific processing operations on behalf of the data fiduciary.

The DPDP Act defines “personal data” as any information relating to a specific individual. This includes fingerprints and iris scans, names, emails, passport details, and Aadhaar or PAN cards. Furthermore, the legislation explicitly addresses breaches of personal data, focusing on incidents in which unauthorized or inadvertent access, disclosure, modification, or deletion of such data compromises its availability, integrity, or confidentiality.

Data Fiduciaries

The DPDP Act sets out a fundamental principle: data fiduciaries must obtain explicit and informed consent from data principals before processing their data. This consent should not be treated as a mere formality; it must be obtained through an open and honest process that ensures fairness and transparency. Failure to adhere to this requirement may result in significant penalties amounting to Rs 250 crore per infraction.

The regulation introduces the concept of “significant data fiduciaries”, paralleling the “significant social media intermediaries” defined in the Information Technology Act. Organizations that meet specific criteria fall within this category and must comply with additional policies and obligations, including the designation of a data protection officer. Apart from being answerable to the board, this officer also serves as the point of contact for resolving complaints.

Navigating the Legislation

Although the DPDP Act marks substantial progress in empowering data principals, it is critical to remember that it does not function as standalone legislation. It operates in conjunction with established legislation, the Information Technology Act of 2000 being particularly significant. Where the DPDP Act and such legislation conflict on the safeguarding of personal data, the DPDP Act prevails.

The legislation prioritizes data localization, yet it permits companies to transfer personal data beyond India's borders, contingent upon the fulfilment of specific requirements and the treatment of notified jurisdictions. This raises concerns about possible inconsistencies with the RBI's current data localization policies. Such discrepancies could mean that particular sectors require exemptions from the regulations or modifications to existing ones.

Although the DPDP Act establishes a robust framework, its practical execution will depend on the regulations and rules subsequently promulgated under it. These rules will define crucial aspects, including data offences, enforcement mechanisms, and compliance standards. Businesses that wish to avoid hefty fines must prepare meticulously, ensuring they adhere to all applicable regulations and standards.

Violators of the DPDP Act may face incarceration, hefty fines, or both. Senior management, including chief executive officers and board members, may also be held accountable for infractions. Consequently, organizations that handle personal information must adhere to both the legal requirements and the established information technology standards.

Conclusion

The DPDP Act ushers in a new era of data protection in India, placing significant importance on transparency, consent, and oversight. Although it places significant responsibilities on data fiduciaries, it also empowers individuals to exercise authority over their data. As the government finalizes the rules, it is critical that organizations proactively align themselves with the law in order to manage the ever-evolving data landscape effectively. Adherence to the DPDP Act is not solely a legal obligation but also a critical imperative for safeguarding data and maintaining trust in the digital environment.

(The author is Vishal Gupta, CEO and Co-Founder of Seclore; the views expressed in this article are his own.)