Understanding the Impact of India’s New Data Protection Law
“Privacy is not an option, and it shouldn’t be the price we accept for just getting on the Internet.”
— Gary Kovacs, Former CEO of Mozilla
In today’s digital era, when data is called the new oil, protecting data privacy is regarded not only as an aspect of personal freedom but also as a matter of digital sovereignty. Personal data is constantly being collected, processed, and shared, which has made data privacy a priority for governments across the world. Recognising the need for a robust data protection framework, India enacted the Digital Personal Data Protection (DPDP) Act in 2023, a landmark legislation aimed at safeguarding personal data while allowing businesses to continue using data for innovation and growth. The Act balances individual privacy against legitimate data processing: it requires consent and security safeguards from organisations that process personal data, while carving out exemptions for government functions, national security, and certain business operations.
Road to DPDP: How did we get here?
- 24th August 2017: In the landmark Justice K.S. Puttaswamy (Retd.) v. Union of India judgement, a nine-judge bench of the Supreme Court recognised privacy as a fundamental right under the Constitution.
- 2018: The Justice B.N. Srikrishna Committee deliberated on a data protection framework for India and released its report along with a draft “Personal Data Protection Bill”.
- December 2019: The Personal Data Protection Bill, 2019 was tabled in Lok Sabha
- August 2022: The Personal Data Protection Bill, 2019 was withdrawn.
- 3rd August 2023: A refined version of the earlier bill, the “Digital Personal Data Protection Bill, 2023”, was introduced in Lok Sabha.
- 11th August 2023: The bill received Presidential assent and became the Digital Personal Data Protection Act, 2023, establishing a structured framework for data privacy in India. Its provisions come into force on dates notified by the Central Government.
What does the Act cover?
The DPDP Act applies to the following digital personal data:
- Personal data collected in digital format
- Personal data in non-digital form but digitised subsequently
The Act applies to processing in the following territories:
- India: All digital personal data that is processed within the territory of India
- Outside India: Digital personal data processed outside India, if the processing is in connection with offering goods or services to Data Principals within the territory of India
However, the following are excluded from the DPDP Act:
- Personal data processed by an individual for personal or domestic purposes
- Personal data made publicly available by the Data Principal themselves, or by any other person under a legal obligation to make it public
(So personal data you post publicly on social media, or data an election candidate is required to disclose in a nomination filing, is not protected by the Act.)
What are the key roles defined in the DPDP act?
The DPDP Act defines several important roles to ensure that personal data is handled responsibly, ethically, and securely. Each of these roles carries distinct responsibilities that contribute to safeguarding data privacy.
Demonstration case for explaining the roles:
‘A cloud-based small healthcare startup, HealthCheckAI’
Consider a newly founded health-tech startup named “HealthCheckAI” that provides AI-powered diagnostics and online doctor consultations via its app. It integrates with a large hospital chain named “LargeHospitals” for storing patient records, and uses a SaaS service named “ThirdSaaS” for AI-based analytics. HealthCheckAI also integrates with a third-party application called “HealthDataPermission”, which lets customers grant or revoke permission for the use of their health data across platforms. If a customer wants health information that was not collected by HealthCheckAI to be used for a second opinion, they can use the gateway provided by HealthDataPermission to give HealthCheckAI access to it.
Now let us discuss the following roles defined in the act:
1. Data Principal (Individual)
- The individual whose data is being collected.
- Has rights over their personal data, including:
- Right to Access: Know what personal data is being processed, how, and with whom it has been shared.
- Right to Correction: Request updates or corrections.
- Right to Erasure: Request deletion of data.
- Right to Grievance Redressal: Complain about misuse of data to the Data Fiduciary or Consent Manager.
- Right to Withdraw Consent: Withdraw consent at any time, as easily as it was given.
- Right to Nominate: Nominate another person to exercise these rights in the event of death or incapacity.
- Has the following duties:
- Provide Authentic Information: Not impersonate another person, not suppress material information, and provide only verifiably authentic information when exercising the right to correction or erasure.
- Grievance: Not register a false or frivolous grievance or complaint.
- Compliance: Comply with all applicable laws while exercising rights under the DPDP Act.
In our demonstration case, the person using HealthCheckAI is the Data Principal, since their personal data, such as name, government identity details and health-related information, is being collected in digital form.
2. Data Fiduciary (Entity Processing Data)
- Any person or entity that, alone or together with others, determines the purpose and means of processing personal data.
- Responsibilities include:
- Obtaining Consent: Take free, specific, informed, unconditional and unambiguous consent, preceded by a clear notice, before processing personal data (unless the processing falls under a legitimate use recognised by the Act).
- Data Security: Implement reasonable security safeguards to prevent personal data breaches.
- Transparency: Inform Data Principals about what data is collected, why, and what rights they have.
- Breach Notification: Notify the Data Protection Board of India and each affected Data Principal of any personal data breach.
- Grievance Redressal: Provide a readily available mechanism for Data Principals to file complaints.
In our demonstration case, the startup HealthCheckAI is the Data Fiduciary, since it decides why and how its customers’ personal data is collected and processed; the fact that it is small does not reduce these obligations.
3. Significant Data Fiduciary (SDF)
- Data Fiduciaries notified as “significant” by the Central Government, based on factors such as the volume and sensitivity of the personal data processed, the risk to Data Principals’ rights, and the potential impact on sovereignty, electoral democracy, security of the State or public order.
- Additional obligations:
- Appoint a Data Protection Officer (DPO) based in India, who is the point of contact for grievance redressal.
- Appoint an independent data auditor and conduct Data Protection Impact Assessments (DPIA).
- Periodic Audits: Ensure compliance with the DPDP Act.
- Security & Risk Management: Implement additional security measures and any other obligations the Central Government prescribes.
In our demonstration case, the large hospital chain “LargeHospitals” would be a Significant Data Fiduciary if notified as such by the Central Government: it not only processes customers’ personal data in digital form but holds health records for several hundred thousand customers. It is therefore subject to additional obligations that smaller Data Fiduciaries such as HealthCheckAI are not.
4. Data Processor
- Any person that processes personal data on behalf of a Data Fiduciary.
- Responsibilities:
- Follow fiduciary instructions: Cannot process data beyond the agreed purpose.
- Implement security measures: Protect data from breaches.
- Assist in compliance: Help fiduciaries meet regulatory requirements.
In our demonstration case, the SaaS service “ThirdSaaS” is a Data Processor, as it performs computations (processing) on behalf of the Data Fiduciary HealthCheckAI. Note that the Act places the obligations on the Data Fiduciary: HealthCheckAI remains responsible for compliance regardless of its contract with ThirdSaaS, so the processor duties listed above should be written into that contract.
5. Consent Manager
- A single point of contact through which a Data Principal can give, manage, review and withdraw consent.
- Must be registered with the Data Protection Board of India, act on behalf of the Data Principal, and be accountable to them.
- It must provide the following facilities:
- Granting, managing, and withdrawing consent.
- Providing easy access to personal data usage history.
In our case example the third party application called “HealthDataPermission” is the consent manager.
6. Data Protection Board of India (the Regulator)
- The regulatory authority that oversees compliance with the Act.
- Powers & responsibilities:
- Inquire into personal data breaches and complaints, and impose monetary penalties.
- Handle grievances from Data Principals once the Data Fiduciary’s own mechanism has been exhausted.
- Issue directions to ensure compliance.
- Direct urgent remedial or mitigation measures after a personal data breach.
What are some of the key provisions mentioned in the act?
Following are some of the key provisions in the act:
- Data Residency: The Act does not require personal data to be stored only in India. However, under section 16 (Chapter IV), the Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary to specified countries or territories outside India.
- Exemption for government agencies: Processing by an instrumentality of the State notified by the Central Government is exempt from the Act when it is in the interests of:
- Sovereignty, integrity and security of the nation
- Friendly relations with foreign states
- Maintenance of public order and preventing incitement to a cognizable offence
- Exemption for research, startups and smaller fiduciaries: Based on the volume and nature of personal data processed, the Central Government may notify certain classes of Data Fiduciaries, including startups, that are exempted from some obligations under the Act (such as giving notice and honouring access requests).
- Exemptions for judicial bodies and law enforcement: Processing necessary for enforcing a legal right or claim, or for the prevention, detection, investigation or prosecution of an offence, is exempt from most provisions of the Act, as is processing by courts, tribunals and other judicial or quasi-judicial bodies performing their judicial or supervisory functions.
- Voluntary Undertakings: Section 32 of the Act allows the Data Protection Board of India to accept a voluntary undertaking from a Data Fiduciary to take, or refrain from, a specified action in lieu of penalty proceedings; breaching the undertaking is itself treated as a breach of the Act.
What are the provisions for penalty for breach of the act?
The DPDP Act lays down the following penalties, which the Data Protection Board of India can impose after an inquiry:
- Breach of the Data Fiduciary’s obligation to take reasonable security safeguards: up to INR 250 crore (INR 2,500 million)
- Failure by a Data Fiduciary to notify a personal data breach to the Data Protection Board or affected Data Principals: up to INR 200 crore (INR 2,000 million)
- Non-compliance by a Data Fiduciary with the additional obligations regarding children’s data: up to INR 200 crore (INR 2,000 million)
- Breach of the additional obligations of a Significant Data Fiduciary: up to INR 150 crore (INR 1,500 million)
- Breach of duties by a Data Principal: up to INR 10,000
- Breach of the terms of a voluntary undertaking by a Data Fiduciary: up to the penalty that would have applied to the original breach in respect of which the Data Protection Board accepted the undertaking
- Breach of any other provision of the Act or rules made under it: up to INR 50 crore (INR 500 million)
All sums realised by way of penalties are credited to the Consolidated Fund of India.
Whom do I reach out to in case of a grievance?
The following grievance redressal path applies under the DPDP Act:
- First, reach out to the Data Fiduciary (the company or entity processing the data):
- The Data Principal (the person whose data is collected and processed) should first use the grievance mechanism that the Data Fiduciary or Consent Manager is required to provide.
- If required, escalate to the Data Protection Board of India:
- If the Data Fiduciary does not resolve the grievance, the Data Principal can approach the Data Protection Board of India; the Board can take up a complaint only after this internal route has been exhausted.
- The Board has the authority to inquire, hold hearings and impose penalties if the Data Fiduciary or the Data Principal is found to be in breach of the Act.
- Further, appeal to the Appellate Tribunal (the Telecom Disputes Settlement and Appellate Tribunal, TDSAT):
- An appeal against an order or direction of the Board must be filed with the Appellate Tribunal within 60 days of receiving it.
- The Tribunal may admit an appeal after the 60 days if it is satisfied there was sufficient cause for the delay.
- An order of the Appellate Tribunal is executable as a decree of a civil court.
Conclusion: A call for leadership
As India embraces a data-driven future, the Digital Personal Data Protection Act, 2023 is not just another regulation; it is India’s GDPR moment, a statement that digital privacy cannot be taken for granted. It marks a transformative step in the country’s data privacy framework, and businesses must accept greater accountability for the personal data they process. For CXOs, CISOs, CIOs, business leaders, product leaders and founders, this is a defining moment. In today’s digital economy, trust is the most important currency, and with the DPDP Act that is now a legal requirement as well.