Which data protection issues have been addressed in the newly enacted statute? Which checkpoints, controls and guidelines find prominence in this Act? Are there any conundrums that still need to be addressed? These are questions that come to mind day in and day out. Let's find out in this article.
I. What is Digital Personal Data Protection Act (DPDP) 2023
The Digital Personal Data Protection Act (DPDP) 2023 has recently received the assent of the President of India after being cleared by both houses, the Lok Sabha and the Rajya Sabha. It was cleared on 11th Aug 2023 and thus now becomes an Act. It covers the objectives of protecting the personal rights of individuals in India and the processing of personal data for lawful purposes. It lays great emphasis on consent for the use of any such personal data of individuals.
There are in total 9 chapters and 44 sections. These broadly cover the scope of the Act, which includes the following:
CHAPTER 1: PRELIMINARY
ADDRESSES:
- Short title and commencement
- Definitions
- Application of Act
CHAPTER 2: OBLIGATIONS OF DATA FIDUCIARY
ADDRESSES:
- Grounds for processing personal data
- Notice
- Consent
- Certain legitimate uses
- General obligations of data fiduciary
- Processing of personal data of children
- Additional obligations of significant data fiduciary
CHAPTER 3: RIGHTS AND DUTIES OF DATA PRINCIPAL
ADDRESSES:
- Right to access information about personal data
- Right to correction and erasure of personal data
- Right of grievance redressal
- Right to nominate
- Duties of data principal.
CHAPTER 4: SPECIAL PROVISIONS
ADDRESSES:
- Processing of personal data outside India.
CHAPTER 5: DATA PROTECTION BOARD OF INDIA
ADDRESSES:
- Establishment of board
- Composition and qualifications for appointment of chairperson and members.
- Salary, allowances payable to and term of office.
- Disqualifications for appointment and continuation as chairperson and members of board
- Resignation by members and filling of vacancy
- Proceedings of board.
- Officers and employees of board.
- Members and officers to be public servants.
- Powers of chairperson.
CHAPTER 6: POWERS, FUNCTIONS AND PROCEDURE TO BE FOLLOWED BY BOARD
ADDRESSES:
- Powers and functions of board
- Procedure to be followed by board
CHAPTER 7: APPEAL AND ALTERNATE DISPUTE RESOLUTION
ADDRESSES:
- Appeal to appellate tribunal
- Orders passed by appellate tribunal to be executable as decree.
- Alternate dispute resolution.
- Voluntary undertaking
CHAPTER 8: PENALTIES AND ADJUDICATION
ADDRESSES:
- Penalties
- Crediting sums realised by way of penalties to Consolidated Fund of India
CHAPTER 9: MISCELLANEOUS
ADDRESSES:
- Protection of action taken in good faith
- Power to call for information
- Power of central government to issue directions
- Consistency with other laws
- Bar of jurisdiction
- Power to make rules
- Laying of rules and certain notifications
- Power to amend schedule
- Power to remove difficulties
- Amendments to certain acts
II. Definitions in the Act
The term ‘Personal Data’, used in the title of the Act and elsewhere in it, refers to information by which an individual can be identified, or anything relating to such data. First, we need to understand what Personal Data is: it could be any data that is relatable to an individual, such as a name, an address, an email id, an identification number, an Internet Protocol (IP) address, a cookie ID, or sometimes even the data held by a hospital or doctor that can be uniquely used to identify a person.
Some of the very important terms in this Act that we will look into:
i. (2)(b) “automated”
Refers to tasks carried out without human involvement. Automated data collection pertains to the use of machines and software to gather data without human input. Some automated data collection techniques are as follows:
1. Optical character recognition (OCR): This technology can read and convert text from images or scanned documents into a digital format.
2. Barcode scanning: This technology can read and decipher barcodes, which are machine-readable codes used to identify products or other items.
3. Radio-frequency identification (RFID): This technology utilizes radio waves to identify objects. RFID tags can be affixed to or embedded within items.
4. Natural language processing (NLP): NLP is a computer science field focused on computer-human language interaction. It enables the extraction of data from documents like customer reviews or social media posts.
Furthermore, automated data collection can gather data from an assortment of sources, including sensors, machines, and Internet of Things (IoT) devices.
ii. (2)(g) “Consent Manager”
As per subclause g, a consent manager is a “data fiduciary which enables a data principal (re: users) to give, withdraw, review, and manage his consent through an accessible, transparent, and interoperable platform.”
The DPDP also regulates this consent manager by maintaining that the consent manager (legally, a person: either a human being, a body of persons, a corporation or other legal entity; these also have their own set of rights and duties) must necessarily be a board member. The DPDP mandates the use of a consent manager by all organisations that gather, administer, or retain personal data of individuals in India. The consent manager must be:
1. Accessible to users: Users must be able to locate and use the consent manager with ease.
2. Transparent: The consent manager needs to be understandable and transparent.
3. Interoperable: The consent manager needs to be interoperable with other software and hardware.
Additionally, the consent manager must allow users to:
1. Give or revoke their consent for different kinds of data collection.
2. See their history of consent.
iii. (2)(h) “Data”
Data is a collection of information or observations that can be utilized to address questions, make decisions, or take action. It can be in quantitative form, involving numbers, or qualitative form, encompassing text, images, or sounds. Data can be obtained from various sources like surveys, experiments, or observations. In the field of computing, data refers to information that has been transformed into a format that is efficient for processing or transmission. There are diverse types of data, namely – Numerical data, Text data, Image data, Audio data, Video data.
iv. (2)(i) “Data Fiduciary”
What does the word ‘Fiduciary’ mean in legal parlance? As per thelawdictionary.org, the definition is ‘a person holding the character of a trustee, or a character analogous to that of a trustee’. Thus, in this context, a fiduciary is a person or body invested with rights and powers to be exercised for the benefit of another person.
The DPDP Act identifies a data fiduciary as someone who is in charge of handling personal information. Such an individual holds responsibility for managing, utilizing, and safeguarding the data of other people. It can be anybody, from an individual to a corporate entity, who determines how and why personal data should be processed, either alone or in concert with other people.
Some examples of Data Fiduciaries:
- Platforms for social media
- E-commerce sites
- Financial institutions
- Healthcare professionals
v. (2)(j) “Data Principal”
A data principal is a person whose personal information is being processed by a data fiduciary. The data principal has specific rights over how the personal data is dealt with and is the genuine owner of the data. According to this Act, a data principal is: “Any individual whose identifiable information is being processed by a data fiduciary.” Data principals are granted certain rights under the DPDP, including:
1. The right to information regarding the handling of their personal data.
2. The right to view and amend their personal information.
3. The option to object to how their personal data is processed.
4. The right to request the removal of their personal data.
5. The freedom to transfer data.
6. Access to the Data Protection Authority’s (DPA’s) complaint process.
Examples of Data Principals:
1. A customer who gives their name, email address, and phone number to a business in order to subscribe to a newsletter.
2. A customer who gives a retailer their credit card details to make a transaction.
3. A patient who divulges their medical history to a doctor so they might be treated.
4. A person who offers their biometric information to a government agency so it can identify them.
An extension to this clause is that it includes parents or a lawful guardian, or any person with such a disability that he or she cannot take data decisions on his or her own and as such depends on a data fiduciary for any such discretion.
To conclude, to keep pace with the ever-evolving, fast-paced technological setup and frameworks in our country, it is important to adhere to guidelines for the sake of protecting personal identity as well as safeguarding the right to privacy of each individual in our country.