Data PrivacyThe Digital Personal Data Protection Act, 2023 in India : Decoded – II

The Digital Personal Data Protection Act, 2023 in India : Decoded – II

1. Scope and Applicability

• What it Means: The Act applies to all entities, public or private, that collect and process personal data. This includes foreign entities if they deal with the data of Indian residents.
• Extraterritorial Jurisdiction: The Act also applies to foreign entities if they process data of Indian residents. This means that global companies with Indian customers must also comply.
• Legal Implications: Non-compliance can attract penalties, even for foreign entities. Legal contracts must specify the obligations under DPDPA, 2023.
• Best Practices: Clearly define the scope of data processing activities in all legal agreements and ensure that third-party vendors are also compliant.
• Legal Strategies: Companies should conduct a thorough risk assessment to determine whether they fall under the jurisdiction of the Act.

2. Data Subject Rights

• What it Means: Individuals have the right to access, correct, and delete their data. They can also object to data processing and have a right to data portability.
• Legal Implications: Failure to provide these rights can result in legal action and penalties.
• Best Practices: Implement user-friendly interfaces for data subjects to exercise their rights. Keep records of all such interactions for legal safety.

3. Data Fiduciaries and Processors

• What it Means: The Act distinguishes between data fiduciaries (entities that determine the purpose and means of data processing) and data processors (entities that process data on behalf of controllers).
• Joint Controllers or Fiduciaries: In some cases, multiple entities may jointly determine the purposes and means of data processing. Legal agreements must account for this complexity.
• Processor Agreements: Data Fiduciaries must have legal agreements with processors that mandate compliance with the Act.
• Legal Implications: The responsibilities and liabilities differ for fiduciaries and processors, affecting legal contracts and compliance programs.
• Best Practices: Clearly define these roles in all legal documents and ensure that processors are compliant with the Act.

4. Consent Mechanism

• What it Means: Explicit consent is required for data collection and processing. The consent form should be in clear language.
• Granular Consent: Best practices include offering granular consent options, allowing data subjects to choose exactly what types of data they are comfortable sharing.
• Age Verification: For minors, Consent from lawful parent must be obtained towards the consent mechanism.
• Legal Implications: Obtaining consent in a manner not compliant with the Act can render the data processing activity illegal.
• Best Practices: Use plain language in consent forms and provide options for the data subject to withdraw consent.

5. Data Localization

• What it Means: Certain types of sensitive data must be stored within India.
• Legal Implications: Non-compliance can result in penalties and may require changes in data storage contracts.
• Best Practices: Audit current data storage solutions and migrate sensitive data to servers located within India.

6. Data Protection Board of India (DPB)

• What it Means: An independent Board will oversee the enforcement of the Act.
• Legal Implications: The DPB has the power to impose penalties, conduct audits, and solicit DPIAs.
• Best Practices: Maintain open channels of communication with the DPB and promptly respond to any inquiries or directives.

7. Penalties and Liabilities

• What it Means: Non-compliance can result in severe penalties.
• Legal Implications: Organizations can face legal action.
• Best Practices: Invest in robust compliance programs and legal advice to mitigate risks.

8. Data Protection Officer (DPO)

• What it Means: Organizations processing large volumes of sensitive data must appoint a DPO.
• Legal Implications: Failure to appoint a DPO where required can result in penalties.
• Best Practices: The DPO should be well-versed in data protection laws and compliance mechanisms.

9. Impact Assessment

• What it Means: A DPIA is required for certain types of data processing activities.
• Consultation: Companies may be required to consult with stakeholders or even the public when conducting a DPIA.
• Review: DPIAs may need to be updated regularly, especially when introducing new data processing activities.
• Legal Implications: Failure to conduct a DPIA where required can halt data processing activities and attract penalties.
• Best Practices: Conduct DPIAs in the planning phase of any new data processing activity and consult legal experts.

10. Cross-Border Data Transfers

• What it Means: The Act has specific requirements for transferring data outside India.
• Data Transfer Agreements: Legal agreements governing cross-border data transfers must be robust and compliant with multiple jurisdictions.
• Data Sovereignty: The concept of data sovereignty, where data is subject to the laws of the country in which it is located, can complicate cross-border transfers.
• Legal Implications: Non-compliance can result in penalties and may require renegotiation of international contracts.
• Best Practices: Ensure that foreign data processors are compliant with the Act and consider using Standard Contractual Clauses for data transfers.

The DPDPA, 2023, is a game-changer in the field of data protection in India. Its comprehensive provisions and stringent penalties make it imperative for all stakeholders to understand it thoroughly.