[FAQs] on the Digital Personal Data Protection Act, 2023 (DPDP Act)

The DPDP Act is a legal framework introduced in India to safeguard the personal data of individuals and ensure that their data is shared only with their consent. It regulates the processing of digital personal data and outlines various provisions to protect individuals’ privacy in the digital age.

The DPDP Act was introduced in August 2023 after several stages of development and legislative processes. It evolved from the 2017 Committee of Experts on Data Protection’s recommendations, which led to the introduction of the Personal Data Protection Act in 2019. After several iterations and consultations, the Digital Personal Data Protection Act, 2023, was introduced and subsequently passed by both the Lok Sabha and the Rajya Sabha. Later on, the Hon’ble President has given assent to the new Digital Personal Data Protect Act, 2023 on 11th Aug, 2023 and it become effective from 11th Aug, 2023.

The conceptual basis of the DPDP Act is the report of the Expert Committee set up under the chairmanship of Justice BN Srikrishna tittled

“A Free and Fair Digital Economy Protecting Privacy, Empowering Indians”

The DPDP Act is based on the following Seven principles:

1. The principle of consented, lawful and transparent use of personal data;
2. The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
3. The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);
4. The principle of data accuracy (ensuring data is correct and updated);
5. The principle of storage limitation (storing data only till it is needed for the specified purpose);
6. The principle of reasonable security safeguards; and
7. The principle of accountability (through adjudication of data breaches and breaches of the provisions of the DPDP Act and imposition of penalties for the breaches).

Before the introduction of the DPDP Act, India does not have a standalone Act on data protection. The use of personal data was regulated under the Information Technology (IT) Act, 2000.

The DPDP Act applies to the processing of digital personal data within India, whether collected online or offline and digitized later on. It also extends its applicability to data processing conducted outside India if it involves offering goods or services within India.

If the data is collected offline and digitised later on it shall apply to that data also. However, the offline personal data which is not digitised is kept out of the ambit of this Act.

The DPDP Act shall not apply in the following cases:

(a) Personal data processed by an individual for any personal or domestic purpose.

(b) Personal data that is made or caused to be made publicly available by the person himself (Data Principal) to whom such personal data relates or any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

No, personal data can only be used for the specific purpose for which consent was given. Consent must be free, specific, informed, unconditional, and unambiguous, and it is limited to the personal data necessary for the specified purpose. Any part of consent that violates the provisions of the Act or other applicable Acts will be considered invalid.

Personal data can be possessed if it is retained for a lawful purpose and with the consent of the data principal.

The provisions of this Act shall be in addition to and not in derogation of any other law for the time being in force. When a conflict arises between a provision of this Act and any provision of another law currently in force, the provision of this Act will take precedence to the extent of that conflict. This ensures that the rules and principles established in this Act hold sway in situations where there might be inconsistency with other existing laws.

Even if an organization is currently meeting all existing personal data obligations, you’ll need to ensure compliance with the DPDP Act. Here are a few extra responsibilities your organization will have to fulfil:

(a) Obtaining individuals’ consent before collecting or processing their personal data,

(b) ensuring comprehensive security measures for all personal data,

(c) providing data principals access to their personal data and enabling corrections,

(d) reporting breaches to both the Board and affected individuals.

Beyond these, the DPDP Act introduces further provisions necessitating a review of your organization’s data processing policies and practices to ensure alignment and compliance with the law and its upcoming rules.

Certainly yes, while the enactment of the DPDP Act will retain the applicability of compliance obligations under the Information Technology Act, 2000 (IT Act), there will be notable changes. Specifically, Section 43A of the IT Act, encompassing compensation for mishandling sensitive personal data, along with its corresponding SPDI Rules, which constitute a significant portion of the current data protection framework in India, is slated for repeal under the DPDPB upon its enactment and subsequent notification.

Nevertheless, it is important to emphasize that various other provisions within the IT Act will endure and maintain their relevance. In scenarios where inconsistencies arise between the stipulations of the IT Act and those outlined in the DPDPB, the proposed course of action is for the provisions of the DPDPB to take precedence, ensuring a coherent and harmonized regulatory landscape.

No, the Information Technology Act, 2000 doesn’t have an overriding effect over the Digital Personal Data Protection Act, 2023. Proviso to section 81 of the Information Technology Act, 2000 has been amended by this Act to exclude the Digital Personal Data Protection Act, 2023 from the overriding power of the Information Technology Act, 2000.

Personal Data is defined as any data about an individual who is identifiable by or in relation to such data.

“Personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromise confidentiality, integrity or availability of personal data.

“Data Principal” means the individual to whom the personal data relates and where such individual is—

(i) a child, including the parents or lawful guardian of such a child

(ii) a person with a disability, including her lawful guardian, acting on her

Data fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

“Significant Data Fiduciary” means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under Section 10.

As per Section 2(s) of the Act, (s) “person” includes—

(a) an individual;

(b) a Hindu undivided family;

(c) a company;

(d) a firm;

(e) an association of persons or a body of individuals, whether

(f) incorporated or not;

(g) the State; and

(h) every artificial juristic person, not falling within any of the preceding sub-clauses.

Yes, it will also apply to the processing of data outside India if it is for offering goods or services in India.

Yes, data transfers outside India are allowed under the DPDP Act, but they must adhere to specific requirements, including obtaining explicit consent from the data principal and ensuring that the recipient country offers an adequate level of data protection. However, it restricts the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.

Yes, subject to certain conditions. Under clause 16 of the Act, the Central Government has the authority to limit the transfer of personal data by a Data Fiduciary to a foreign country or territory as may be notified. However, this clause doesn’t prevent any existing Indian law that offers greater protection or restrictions on such transfers from applying, whether for specific data or certain Data Fiduciaries.

The DPDPB’s provisions predominantly pertain to the handling of personal data within India’s jurisdiction. In the case of organizations operating outside India, the DPDPB applies to a limited extent—specifically, when such an organization processes the personal data of Indian data subjects to provide goods or services.

In practical terms, if your offshore online platform offers goods or services to users in India and processes their personal data for the purpose of delivering these offerings, you would qualify as a data fiduciary under the DPDPB. Consequently, you would be required to adhere to the stipulated obligations as outlined in the regulation.

The DPDP Act also imposes certain duties on the data principals to prevent the misuse of their rights. The duties are as follows:

(a) Do not register false and frivolous complaints with the Data Protection Board of India.

(b) Do not impersonate another person while providing personal data to data fiduciaries.

(c) Do not suppress any material information while providing personal data for any document.

(d) Furnish only authentic information while exercising the right to data correction or erasure.

Yes, the data principal at any time can withdraw the consent and ask the data fiduciary to erase data.