Digital Personal Data Protection Act 2023 (DPDP Act 23)

Overview of Digital Personal Data Protection Act (DPDP) 2023

Which data protection issues have been addressed in the newly enacted statute? Which checkpoints, controls and guidelines find prominence in this Act? Are there any conundrums that still need to be addressed further? A lot of questions come to mind day in and day out. Let’s find out in this article.

I. What is Digital Personal Data Protection Act (DPDP) 2023

The Digital Personal Data Protection Act (DPDP) 2023 has recently received the assent of the President of India after being cleared by both houses, the Lok Sabha and the Rajya Sabha. It was cleared on 11th Aug 2023 and has thus become an Act. It covers the objectives of protecting the personal rights of individuals in India and the processing of personal data for lawful purposes. It lays great emphasis on consent for any such personal data of individuals.

There are in total 9 chapters and 44 sections. These broadly cover the scope of the Act, which includes the following:

CHAPTER 1: PRELIMINARY

ADDRESSES:

  1. Short title and commencement
  2. Definitions
  3. Application of Act

CHAPTER 2: OBLIGATIONS OF DATA FIDUCIARY

ADDRESSES:

  1. Grounds for processing personal data
  2. Notice
  3. Consent
  4. Certain legitimate uses
  5. General obligations of data fiduciary
  6. Processing of personal data of children
  7. Additional obligations of significant data fiduciary

CHAPTER 3: RIGHTS AND DUTIES OF DATA PRINCIPAL

ADDRESSES:

  1. Right to access information about personal data
  2. Right to correction and erasure of personal data
  3. Right of grievance redressal
  4. Right to nominate
  5. Duties of data principal.

CHAPTER 4: SPECIAL PROVISIONS

ADDRESSES:

  1. Processing of personal data outside India.
  2.  

CHAPTER 5: DATA PROTECTION BOARD OF INDIA

ADDRESSES:

  1. Establishment of board
  2. Composition and qualifications for appointment of chairperson and members.
  3. Salary, allowances payable to and term of office.
  4. Disqualifications for appointment and continuation as chairperson and members of board
  5. Resignation by members and filling of vacancy
  6. Proceedings of board.
  7. Officers and employees of board.
  8. Members and officers to be public servants.
  9. Powers of chairperson.

CHAPTER 6: POWERS, FUNCTIONS AND PROCEDURE TO BE FOLLOWED BY BOARD

ADDRESSES:

  1. Powers and functions of board
  2. Procedure to be followed by board

CHAPTER 7: APPEAL AND ALTERNATE DISPUTE RESOLUTION

ADDRESSES:

  1. Appeal to appellate tribunal
  2. Orders passed by appellate tribunal to be executable as decree.
  3. Alternate dispute resolution.
  4. Voluntary undertaking

CHAPTER 8: PENALTIES AND ADJUDICATION

ADDRESSES:

  1. Penalties
  2. Crediting sums realised by way of penalties to Consolidated Fund of India

CHAPTER 9: MISCELLANEOUS

ADDRESSES:

  1. Protection of action taken in good faith
  2. Power to call for information
  3. Power of central government to issue directions
  4. Consistency with other laws
  5. Bar of jurisdiction
  6. Power to make rules
  7. Laying of rules and certain notifications
  8. Power to amend schedule
  9. Power to remove difficulties
  10. Amendments to certain acts

II. Definitions in the Act

The term ‘Personal Data’, used in the title of the Act and elsewhere in it, refers to information by which an individual can be identified, or any data relating to such an individual. First, let us understand what Personal Data is. It could be any data that is relatable to an individual, such as a name, an address, an email ID, an identification number, an Internet Protocol (IP) address, a cookie ID, or sometimes even the data held by a hospital or doctor that can be uniquely used to identify a person.

Some of the very important terms we will look into in this Act:

i. (2)(b) “automated”

Refers to tasks carried out without human involvement. Automated data collection pertains to the use of machines and software to gather data without human input. Some automated data collection techniques are as follows:

1. Optical character recognition (OCR): This technology can read and convert text from images or scanned documents into a digital format.

2. Barcode scanning: This technology can read and decipher barcodes, which are machine-readable codes used to identify products or other items.

3. Radio-frequency identification (RFID): This technology utilizes radio waves to identify objects. RFID tags can be affixed to or embedded within items.

4. Natural language processing (NLP): NLP is a computer science field focused on computer-human language interaction. It enables the extraction of data from documents like customer reviews or social media posts.

Furthermore, automated data collection can gather data from an assortment of sources, including sensors, machines, and Internet of Things (IoT) devices.

ii. (2)(g) “Consent Manager”

As per subclause (g), a consent manager is a “data fiduciary which enables a data principal (re: users) to give, withdraw, review, and manage his consent through an accessible, transparent, and interoperable platform.”

The DPDP also regulates this consent manager by maintaining that the consent manager (legally, a person: either a human being, a body of persons, a corporation or other legal entity, each of which also has its own set of rights and duties) must necessarily be a board member. The DPDP mandates the use of a consent manager by all organisations that gather, administer, or retain personal data of individuals in India. The consent manager must be:

1. Accessible to users: Users must be able to locate and use the consent manager with ease.

2. Transparent: The consent manager needs to be understandable and transparent.

3. Interoperable: The consent manager needs to be interoperable with other software and hardware.

Additionally, the consent manager must allow users to: 

1. Give or revoke their consent for different kinds of data collection.

2. Show their history of consent.

iii. (2)(h) “Data”

Data is a collection of information or observations that can be utilized to address questions, make decisions, or take action. It can be in quantitative form, involving numbers, or qualitative form, encompassing text, images, or sounds. Data can be obtained from various sources like surveys, experiments, or observations. In the field of computing, data refers to information that has been transformed into a format that is efficient for processing or transmission. There are diverse types of data, namely numerical data, text data, image data, audio data, and video data.

iv. (2)(i) “Data Fiduciary”

What does the word ‘Fiduciary’ mean in legal parlance? As per thelawdictionary.org, the definition is ‘a person holding the character of a trustee, or a character analogous to that of a trustee’. Thus, in this context, a person or body is a fiduciary when invested with rights and powers to be exercised for the benefit of another person.

The DPDP Act identifies a data fiduciary as someone who is in charge of handling personal information. Such an individual holds responsibility for managing, utilizing, and safeguarding the data of other people. This can be anybody, from an individual to a corporate entity, who determines how personal data should be processed and why it is being processed, either alone or in concert with other people.

Some examples of Data Fiduciaries:

  • Platforms for social media
  • E-commerce sites
  • Financial institutions
  • Healthcare professionals

v. (2)(j) “Data Principal”

A data principal is a person whose personal information is being processed by a data fiduciary. The data principal has specific rights over how the personal data is dealt with and is the genuine owner of the data. According to this Act, a data principal is: “Any individual whose identifiable information is being processed by a data fiduciary.” Data principals are granted certain rights under the DPDP, including:

1. The right to information regarding the handling of their personal data.

2. The right to view and amend their personal information.

3. The option to object to how their personal data is processed.

4. The right to request the removal of their personal data.

5. The freedom to transfer data.

6. Access to the Data Protection Authority’s (DPA’s) complaint process.

Examples of Data Principals:

1. A customer who gives their name, email address, and phone number to a business in order to subscribe to a newsletter.

2. A customer who gives a retailer their credit card details to make a transaction.

3. A patient who divulges their medical history to a doctor so they might be treated.

4. A person who offers their biometric information to a government agency so it can identify them.

An extension to this clause is that it includes parents or a lawful guardian, or any person with such a disability that he or she cannot take data decisions on his or her own and as such depends on a data fiduciary for any such discretion.

To conclude, to keep pace with the ever-evolving, fast-paced technological setup and frameworks in our country, it is important to adhere to guidelines for the protection of personal identity as well as to safeguard the right to privacy of each individual in our country.

Aman Khanna
