AN INSIGHT INTO THE DIGITAL DATA PROTECTION ACT, 2023
December 11, 2023
The Digital Personal Data Protection (DPDP) Act, 2023, received assent on August 12, 2023, marking India’s inaugural legislation addressing data protection and privacy. The Act aims to balance individual rights with the necessity of processing personal digital data, establishing guidelines for both Data Fiduciaries (entities collecting/processing data) and Data Principals (individuals providing personal data).
Key Features Introduced
Recognition of the Concept of Consent: The Act emphasizes the significance of consent, allowing Data Fiduciaries to process data only when Data Principals provide explicit consent. Exceptions include situations where consent is impractical, and data processing is necessary for medical emergencies or compliance with a judgment.
Establishment of Data Protection Board of India: The Act introduces the Data Protection Board of India and grants it powers akin to those of a Civil Court. The Board, operating digitally, investigates data breaches based on complaints and holds the authority to impose penalties as per the Act.
Punishment for Data Breach: A pivotal feature is the introduction of penalties for data breaches. Data Fiduciaries can face a maximum penalty of 250 crores in case of a breach, ensuring a deterrent against unauthorized data handling.
Classification of Certain Entities as Significant Data Fiduciaries: Entities dealing with significant volumes of sensitive data are classified as Significant Data Fiduciaries. They must appoint a Data Protection Officer to address Data Principals’ grievances.
Changes Incorporated
Data Fiduciary to Provide a Notice: Data Fiduciaries must provide a notice outlining the purpose of data processing, the methods for Data Principals to exercise their rights, and the complaint filing process. This ensures transparency and informs individuals providing consent.
Obligation to Erase Data When Consent is Withdrawn: Once a Data Principal withdraws consent, the Data Fiduciary is obligated to promptly erase the associated data, highlighting the Act’s commitment to data privacy.
Appointment of a Consent Manager: A Consent Manager, appointed by Data Fiduciaries, serves as the point of contact for Data Principals. This individual facilitates the management, review, or withdrawal of consent.
Telecom Disputes Settlement and Appellate Tribunal’s Appellate Jurisdiction: The Telecom Disputes Settlement and Appellate Tribunal now holds appellate jurisdiction in cases related to data breaches, providing an avenue for individuals aggrieved by the Data Protection Board’s decisions.
Emphasis on Data Protection of Children: The Act recognizes and safeguards the rights of children by mandating parental/guardian consent for data processing. Failure to comply with these provisions incurs penalties.
Effective Grievance Redressal: Significant Data Fiduciaries appoint Data Protection Officers, while others establish a grievance redressal mechanism through the Consent Manager, ensuring effective resolution of grievances before approaching the Board.
Impact
The Act significantly impacts sectors involved in data collection, including sales, marketing, finance, banking, human resources, and information technology. Entities within these sectors are given a one-year timeline for compliance.
Conclusion
As India’s inaugural data protection law, the Digital Personal Data Protection Act, 2023, effectively addresses the complexities of data processing, technology, and individual rights. It introduces innovative concepts, providing statutory protection for the fundamental right to privacy and establishing a robust data protection regime in India. While commendable, certain provisions may require further refinement and development.