The Indian data protection regime, in recent times, has undergone significant revamping, starting from the landmark judgement of Justice K.S. Puttaswamy (Retd.) v. Union of India (where the right to privacy was recognised as a fundamental right), followed by the introduction (and withdrawal) of personal data protection bills, and finally culminating in the introduction of the Digital Personal Data Protection Bill, 2022 ("Bill"). For our analyses of certain key aspects of the Bill, please refer to our earlier newsletter (https://www.mondaq.com/india/data-protection/1259392/a-dive-into-the-digital-personal-data-protection-bill-2022).

The new data protection regime has been introduced as the Digital Personal Data Protection Act, 2023 ("Act") which received the assent of the President on August 11, 2023. In this article, we inter alia highlight certain material changes between the Bill and the Act as also certain key provisions of the Act:

  1. Non-Applicability: The provisions of the Act are not applicable to personal data that is made or caused to be made publicly available by (i) the Data Principal[1] to whom such personal data relates; or (ii) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available. The Bill had not covered within its ambit the (i) non-automated processing of personal data; (ii) offline personal data; and (iii) personal data about an individual that is contained in a record that has been in existence for at least 100 years. The aforesaid exclusions have not been included within the Act.
  2. Deemed Consent vs. Certain Legitimate Uses: The Act has relabelled the widely debated term 'deemed consent' to 'certain legitimate uses'. The Bill had provided for 'deemed consent' for inter alia performance of any function under any law, or any service or benefit to the 'Data Principal'. The aforesaid 'legitimate use' under the Act has been further qualified to include cases where (i) the Data Principal has previously consented to the processing of her personal data by the State or its instrumentalities; or (ii) such personal data is available in digital form in or subsequently digitised from any record maintained by the State or its instrumentalities and is notified by the Central Government.
  3. Notices: Under the Bill, the request notice to a Data Principal only needed to state the description of personal data sought to be collected by the Data Fiduciary and the purpose of processing of such personal data. The Act requires the request notice to a Data Principal to additionally provide details related to (i) the manner in which she may exercise her rights under various provisions of the Act; and (ii) the manner in which the Data Principal may make a complaint to the Data Protection Board of India ("Board").
  4. Consent: Under the Act, the concept of consent has been narrowed down to inter alia such personal data as is necessary for the specified purpose, which limitation was missing from the Bill.
  5. Harm v. Detrimental Effect: The Bill provided instances as to what would constitute 'harm' in relation to a Data Principal (including a child) and also certain connected provisions related to harm. The Act excludes references to 'harm'. However, a Data Fiduciary cannot undertake processing of personal data that is likely to cause any 'detrimental effect' (which term is not defined within the Act) on the wellbeing of a child.
  6. Right to access information about personal data: In respect of sharing of any personal data by a Data Fiduciary with any other Data Fiduciary where such sharing is for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences, the Act provides that a Data Principal cannot obtain (i) the identities of all other Data Fiduciaries and Data Processors[2] with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and (ii) any other information related to the personal data of such Data Principal and its processing, as may be prescribed.
  7. Transfer of Data outside India: In accordance with the Act, the Central Government may restrict the transfer of 'personal data' by a Data Fiduciary[3] for processing to any country/territory notified by the Central Government.
  8. Profiling: References to 'profiling', i.e., any form of processing of personal data that analyses or predicts aspects concerning the behaviours, attributes or interest of a Data Principal, have been deleted under the Act.
  9. Data Fiduciary, Data Processor and Liability: The Act provides for processing undertaken by a Data Fiduciary itself or on its behalf by a Data Processor. The onus of protecting personal data in the possession/control of the Data Fiduciary (including in respect of any processing undertaken by it or on its behalf by a Data Processor) is upon the Data Fiduciary. The Act also casts a responsibility on the Data Fiduciary to cause its Data Processor to erase the personal data provided to it for data processing (which responsibility was missing under the Bill). Further, clarificatory provisions related to non-retention/erasure of personal data have been added vis-à-vis (i) instances where the specified purpose is no longer being deemed to be served; or (ii) instances where the Data Principal shall be considered not having approached the Data Fiduciary.
  10. Digital Personal Data: The Act defines the term 'Digital Personal Data' as 'personal data' in digital form (which was not defined in the Bill).
  11. Digital Office: The term 'Digital Office' (which was not defined in the Bill) has been defined under the Act to mean an office that adopts an online mechanism wherein the proceedings, from receipt of intimation or complaint or reference or directions or appeal, as the case may be, to the disposal thereof, are conducted in online or digital mode. The Board and the Telecom Disputes Settlement and Appellate Tribunal ("TDSAT") are required to, as far as practicable, function as a digital office.
  12. Appellate Authority and Process: Appeals against the decision of the Board were previously required to be made before the High Court. Under the Act, appeals against the decision of the Board will lie before the TDSAT. In addition to this, certain appellate procedures have also been prescribed under the Act.
  13. Right of Grievance Redressal: The Bill provided a timeline of 7 (seven) days for the Data Fiduciary to respond to the grievance of a Data Principal. The Act has removed such timeline. Redressal of grievances and response would need to be given within a prescribed period. Additionally, the Act explicitly states that a Data Principal would need to exhaust this remedy prior to approaching the Board.

Conclusion

India finally has its own comprehensive and all-encompassing digital personal data legislation after multiple bill introductions, deliberations and also withdrawals. Considering the expansive scope of the protection accorded under the Act, coupled with the significant quantum of penalties prescribed under the Act, the corporate world will need to analyse its existing data protection system to ensure it is proactive as opposed to being reactive.

Footnotes

1. The term 'Data Principal' defined under the Act means an individual to whom the personal data relates and where such individual is: (i) a child, includes parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.

2. The term 'Data Processor' defined under the Act means any person who processes personal data on behalf of a Data Fiduciary.

3. The term 'Data Fiduciary' defined under the Act means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

LexCounsel provides this e-update on a complimentary basis solely for informational purposes. It is not intended to constitute, and should not be taken as, legal advice, or a communication intended to solicit or establish any attorney-client relationship between LexCounsel and the reader(s). LexCounsel shall not have any obligations or liabilities towards any acts or omission of any reader(s) consequent to any information contained in this e-newsletter. The readers are advised to consult competent professionals in their own judgment before acting on the basis of any information provided hereby.