Explore the recently passed Digital Personal Data Protection Bill, 2023. Introduced in Lok Sabha on August 3, 2023, by the Minister of Electronics & Information Technology, it gained approval from both Lok Sabha on August 7, 2023, and Rajya Sabha on August 9, 2023, followed by Presidential assent on August 11, 2023.
The Digital Personal Data Protection Bill 2023 is a watershed moment orchestrated by the Central Government of India (CG) to address the intricate nuances of safeguarding personal data. Let's delve into the core aspects of this transformative legislation.
The core objective of the act is to establish an impenetrable framework that shields personal data and streamlines its processing. This legislative effort originates from the Supreme Court's landmark recognition of the 'Right to Privacy' as an integral facet of the 'Right to Life,' as enshrined in Article 21 of the Indian Constitution. This recognition propelled the need for a comprehensive data protection mechanism.
● Emphasis on Global Engagement: The Act's jurisdiction casts a wide net, covering the processing of personal data within India's borders as well as internationally. This extended jurisdiction is particularly pertinent in cases where goods or services are extended to Indian citizens, ensuring that data privacy remains paramount even in cross-border transactions.
To navigate the Act effectively, understanding its fundamental terms is paramount:
Data constitutes any information, ranging from facts to opinions, that humans or automated systems can process. When such data pertains to an individual whose identity is discernible, it falls under the umbrella of Personal Data.
Example: An individual's name, email address, and location data constitute personal data.
Sensitive Personal Data or Information ("Sensitive Personal Data or Information") comprises personal information like finances, health records, biometric details, and sexual orientation. This data demands enhanced protection due to its sensitivity.
Example: Sensitive Personal Data or Information includes medical records, financial data, and biometric information such as fingerprints.
Critical Personal Data refers to a specific subset of personal information designated by the Central Government. This data holds exceptional importance and can only be processed within India.
Example: Critical Personal Data might include data related to national security or vital infrastructure, necessitating processing solely within India's jurisdiction.
Processing involves a series of automated actions executed on digital Personal Data. This encompasses collection, storage, sharing, use, and erasure. However, these operations are only permissible when they are lawful and backed by the individual's consent or legitimate reasons defined by the Act.
Example: When a company uses a person's email address to send them promotional offers, this constitutes the processing of personal data.
Consent assumes a pivotal role in data processing. It must be voluntary, well-informed, specific, unequivocal, and affirmative. Before seeking approval, a notice elucidating the data collection and processing purpose must be provided. Individuals retain the right to withdraw their consent at any juncture. Notably, specific scenarios termed legitimate uses do not necessitate explicit consent.
Example: When a social media platform seeks permission to access a user's camera for posting photos, the user's consent is sought.
The Act confers specific rights and responsibilities on individuals, Data Principals, and entities responsible for managing data, known as Data Fiduciaries.
Data Principals can access information about their data's processing, rectify or erase erroneous data, nominate representatives for posthumous or incapacitated scenarios, and raise grievances. Conversely, they are obligated not to submit false complaints or suppress vital information.
● Example: A user can request a social media platform to correct their birthdate in their profile information.
Data Fiduciaries bear a host of significant duties. They must process data solely for authorised purposes with the individual's consent, ensure data accuracy, employ security measures, respond promptly to data inquiries, and erase data once the designated objective is fulfilled unless legal retention is mandated.
● Example: An e-commerce website is responsible for securely storing customer data and using it only for order fulfilment and customer service.
Acknowledging the global nature of data flows, the Act permits the extraterritorial processing and transfer of Personal Data, except to countries restricted by CG.
Certain exemptions come into play as well. Provisions related to Data Fiduciaries' responsibilities and Data Principals' rights are waived in specific scenarios, such as activities involving national security or public order.
A fundamental entity in the Act's framework is the Data Protection Board of India. Comprising a Chairperson and members, this board wields the authority to address data breaches, conduct inquiries, and levy penalties. It is pivotal in resolving disputes and overseeing compliance, enjoying exclusive jurisdiction.
The Digital Personal Data Protection Bill, 2023 introduces the role of a Data Protection Officer (DPO). This officer will oversee data protection activities within organisations and ensure compliance with the law.
Appeals against the board's decisions find their recourse through the Telecommunications Dispute Settlement and Appellate Tribunal (TDSAT), with further avenues for appeal before the Supreme Court. The Act's comprehensive penalty structure fines up to Rs 250 crore for non-compliance, security lapses, unauthorised disclosure, and prohibited data transfers, underscores the significance of adhering to obligations and data security measures.
The enactment of the Digital Personal Data Protection Bill 2023 heralds a seismic shift for companies and businesses involved in any Personal Data processing. This section elucidates the Act's anticipated impacts and delves into its implementation challenges.
The Act mandates a paradigm shift in the operational dynamics of companies. To ensure compliance, entities must:
● Standard Operating Procedures: Develop meticulous operational procedures to adhere to the Act's provisions.
● Personnel Training: Train employees to navigate data handling within the legal confines.
● Cooperation with Data Protection Officer: Collaborate with the Data Protection Officer designated by the Significant Data Fiduciary under Section 10.
● Engaging Independent Data Auditors: Appoint Independent Data Auditors to scrutinise data management practices.
● Consent Management Mechanism: Implement a comprehensive mechanism to gather, update, and track consent from individuals.
● Data Protection Assessments: Undertake regular assessments to fortify data protection mechanisms.
● Valid Contracts with Data Processors: Maintain robust contracts with data processors to ensure accountable data management.
● Example: An e-commerce platform must revise its data handling policies, train its customer support team on consent collection, and engage an auditor to assess its adherence to data protection norms.
However, uncertainty hovers over the criteria used to classify companies, especially startups, as Data Fiduciaries. Questions abound concerning thresholds like net worth, assets, personnel size, and qualifications that warrant such classification. Achieving clarity in these aspects becomes crucial for consistently applying the Act.
While the Act's intent to safeguard Personal Data is evident, potential concerns emerge regarding its technical implementation. Notable provisions raise eyebrows:
● Broad Powers of Central Government: Section 36 empowers the Central Government (CG) to solicit 'information' from the Board or any Data Fiduciary or intermediary, invoking concerns of potential surveillance.
● Instrumentality of the State Exemptions: Section 17(2)(a) grants the CG the authority to exempt state instrumentalities from specific provisions, raising questions about favouritism.
● Impact on Right to Information: Amending Section 8(1)(j) of the Right to Information Act, 2005 (RTI Act) under Section 44(3) poses a challenge to the delicate balance between privacy and informational rights.
● Example: The provision allowing the CG to seek 'information' may inadvertently lead to data fishing expeditions that could compromise user privacy.
As the Digital Personal Data Protection Act 2023 strides into action, its impacts and challenges are poised to reshape data-handling landscapes. Striking a balance between compliance and innovation and addressing concerns surrounding potential surveillance will define the journey ahead in India's data protection narrative.
With Perfios, you Unlock informed decisions through credit analytics, onboarding automation, and more.
Perfios Software Solutions is India’s largest SaaS-based B2B fintech software company enabling 900+ FIs to take informed decisions in real-time. Headquartered in mumbai, India, Perfios specializes in real-time credit decisioning, analytics, onboarding automation, due diligence, monitoring, litigation automation, and more.
Perfios’ core data platform has been built to aggregate and analyze both structured and unstructured data and provide vertical solutions combining both consented and public data for the BFSI space catering to their stringent Scale Performance, Security, and other SLA requirements.
You can write to us at firstname.lastname@example.org
Get in touch for more information@ https://solutions.perfios.com/request-for-demo