Note On Digital Personal Data Protection Act 2023 Final


SAMVĀD: PARTNERS
INSIGHTS

DIGITAL PERSONAL DATA PROTECTION ACT, 2023
THE GOOD, BAD & AMBIGUOUS
Authors: VINEETHA MG (Partner), NEHA MIRAJGAOKER (Partner), SHASHANK UPADHYAY (Associate)

Introduction

In the backdrop of the rapid commercialisation and digitalisation of
information and the fungibility of personal data, balancing the rights of
private citizens with commercial interests has been at the forefront of
multiple discussions. In the historic judgement1, the Hon’ble Supreme
Court recognised the right of privacy as a fundamental right.

The first and foremost legislation in India primarily dealing with and
addressing concerns of the personal data of citizens was the
Information Technology Act, 2000 read with the Information
Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011, which has not
been able to sufficiently address the newer and nuanced issues
relating to data privacy.

After multiple iterations of data protection bills, various reports by
eminent jurists and industry-wide suggestions over half a decade, the
Digital Personal Data Protection Act, 2023 (“Act”) has been passed by
both Houses of Parliament and has received the President’s assent.

Key Features of the Act

1. Commencement

Section 1(2) of the Act provides that the Central Government
will notify and appoint different dates for the coming into force of
different provisions. The Act also envisages the prescription of
significant rules for the implementation of the various sections
of the Act. It appears that, for a “smooth transition”, the Central
Government may notify the sections along with their relevant
rules.

1 Justice K.S. Puttaswamy and Anr. v. Union of India (UOI), Writ Petition (Civil) No. 494 of 2012.

2. Applicability

The Act applies to (a) any personal data2 processed within the territory of India which is
collected in digital form, or is digitised subsequently after collection; and (b) processing of digital
personal data outside the territory of India, where such personal data relates to any
products or services being provided in India.

The Act further clarifies that it does not apply to (a) any processing of personal data by an
individual for personal or domestic purposes or (b) personal data made publicly available by
the data principal3 or as required under law.

By omission, an argument may be made that any personal data which is not in digitised form
is not protected by the Act.

3. Processing of personal data

The Act provides that personal data can be used by a data fiduciary4 only for lawful purposes
and either by consent of the data principal or for certain legitimate uses.

(a) Consent Requirements:

One of the approved methods of use of personal data by a data fiduciary is by the
express consent of the data principal. In case of children or persons with disability, the
legal guardian is considered to be the data principal.

The Act clarifies that consent given by the data principal must be (a) free; (b) specific; (c)
informed; (d) unconditional; and (e) unambiguous, with a clear affirmative action. The
consent is required to signify an agreement for processing of personal data for the
specified purpose and be limited to personal data as is necessary for such specified
purpose.

The request for consent by a data fiduciary is required to be in the form of, and/or
accompanied by, a notice inter alia informing the data principal about the personal data
required, the use of such personal data, the manner of withdrawal of consent and the grievance
redressal mechanism. Therefore, the entire mechanism and use case of the personal
data should be informed to the data principal at the outset.

2 ‘Personal Data’ means any data about an individual who is identifiable by or in relation to such data.
3 “Data Principal” means the individual to whom the personal data relates and where such individual is (i) a child, includes the parents
or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.
4 “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing
of personal data.

For easy understanding, it is emphasised that the notice and the consent be in clear
and precise wordings in a language which may be understood by the data principal.

A critical element of consent is the data principal’s right to withdraw consent for
processing of their personal data, which is required to be exercisable in a manner as easy as
giving consent. Ensuring this will also be a systemic challenge for the data fiduciary. If
this information has been obtained for meeting KYC or other legal obligations, the
question that emanates is whether this will fall within the ambit of the exceptions
contemplated under the Act.

On withdrawal of consent, the data fiduciary is required to ‘within reasonable time’
cease processing of the personal data, unless such usage is pursuant to
‘legitimate reasons’. For the sake of good order, it is clarified that the processing of personal
data prior to such withdrawal of consent continues to be valid and will not be illegal.

For the protection of the data principal, the Act introduces the concept of a consent
manager, a person registered with the Data Protection Board of India (Board), who
is the single point of contact for the data principal to give, manage, review or withdraw
consent through an accessible platform.

The lack of a definitive timeline to cease usage of data on receipt of withdrawal of
consent is of concern and can be misused, if not clarified.

(b) Legitimate Uses:

The Act permits data fiduciaries to process personal data for any identified events
which inter alia include:

(i) processing of personal data for the purposes of employment (relates to incidents
like corporate espionage, maintenance of confidentiality of trade secrets,
intellectual property, classified information or provision of any service or
benefit);

(ii) for responding to medical emergencies;



(iii) for the performance of the State or any of its instrumentalities, function under
any law or in the interest of sovereignty and integrity of India or security of the
State; or

(iv) for compliance with any judgement or decree or order.

The language of the ‘legitimate use’ events is extremely broad and gives wide powers
to the State to interpret it broadly, and perhaps even lopsidedly. While the need
to balance the requirements of the private sector and individual liberty is paramount, the
apprehension remains whether this will be fairly and properly used.

4. Right to erasure & other obligations of the data fiduciary

The Act creates an obligation on the data fiduciary to erase personal data on the earlier of
withdrawal of consent or where it is reasonable to assume that the specified purpose5 is no
longer being served. The exception to this rule is that the data fiduciary can continue to hold
the data if such retention is necessary for compliance with applicable law.

The confusion around the language ‘specified purpose no longer being served’ is further
enhanced in scenarios where the data principal does not approach the data fiduciary for
performance of, or exercise any rights in relation to, a specified purpose.

Apart from the above, the data fiduciary is subject to obligations to maintain & hold the
personal data, meet certain minimum technical standards and implement grievance redressal
mechanisms.

5. Rights and duties of the data principals

Data principals have control over the data they share, including the right to seek
access and information about the extent of personal data used by the data fiduciary, the right to
correct and/or erase data, to avail grievance redressal and the power to nominate individuals to act
on their behalf. This, of course, lends statutory legitimacy by ensuring that the express rights
and duties of the data principals are incorporated in the Act.

Certain obligations are also cast upon the data principals, such as the requirement to provide
verifiably authentic and complete information.

5 “Specified Purpose” means the purpose mentioned in the notice given by the data fiduciary to the data principal in accordance with
the provisions of this Act and the rules made thereunder.

6. Data Localisation

Presently, the RBI has in place guidelines to ensure that financial data in the possession of
certain RBI regulated entities should be stored locally. These regulations will continue to be
in force and not be subject to the provisions of the Act.

Wide powers have been given under the Act to the Central Government to restrict transfer
of personal data by data fiduciaries outside India.

Several spokesmen of the Central Government have, in various forums, voiced concerns about
the unregulated and bulk transfer (and occasional leakage) of personal data of Indian citizens.

7. Significant Data Fiduciaries

The Act provides for a concept of a significant data fiduciary, which term is not defined. The
key factors or elements for determination of a significant data fiduciary would be the volume
and sensitivity of personal data processed by such entities, security of the state, public order
and risk to the rights of data principals whose data is collected and processed.

For such significant data fiduciary, the Act provides for enhanced obligations like undertaking
periodic audits, appointment of a data protection officer and an independent data auditor,
undertaking periodic data protection impact assessments, etc.

8. Exemptions

Certain provisions of the Act are not applicable for identified scenarios like enforcement of
legal right or claim, processing of data by a judicial or quasi-judicial body for regulatory or
supervisory function, processing of data in case of default of payment of a loan taken from a
bank or financial institution.

The Central Government has the power to exclude applicability of the provisions of the Act
in the interest of sovereignty and integrity of India, security of the State, friendly relations
with foreign States or maintenance of public order or for statistical or archival purposes.

The Central Government also has the powers within 5 (five) years of the commencement of
this Act to exclude certain data fiduciaries from compliance of the provisions of the Act for an
identified period, as they may deem fit.

The scope of the exemptions is drafted broadly and gives seemingly unlimited powers to the
State to process personal data without adhering to the key elements of data privacy.

9. Data Protection Board and its powers

The Act has constituted the Board as a quasi-judicial body having representatives from the
fields of IT, law, digital economy etc., with 1 (one) mandatory member being an expert in law.

The Board is primarily responsible for investigating and inquiring into any breach of personal data,
whether notified by the data fiduciary or by any Central or State Government, and/
or for addressing complaints of a data principal.

Any appeal from the decision of the Board lies with the Telecom Disputes Settlement and
Appellate Tribunal established under the Telecom Regulatory Authority of India Act, 1997.

The penalties which may be levied may extend up to a maximum of INR 250 crores. However,
the Act provides for the construct of voluntary undertaking by the alleged breaching party.

The Central Government has the power to block access to any information generated,
transmitted, received, stored or hosted by a data fiduciary, subject to the recommendations
by the Board.

Conclusion

While this is a great and welcome step in the right direction, the devil is always in the details. The
rules will, to a large extent, determine the steps which each organisation needs to put in place to
meet its obligations under the Act. A lot of processes and systems will need to be introduced and
streamlined to meet the requirements of the Act, which could also entail significant cost.
One major cause of concern for both the data principal and the data fiduciary will be the ambit of
the exceptions built into the Act, which is the “X” factor in the Act.
