Decoding India’s Digital Personal Data Protection Act 2023
Today, data flows freely and is often described as the “new oil.” India is one of the top countries processing over 1.4 billion people’s data. With the need to protect that much personal data, the issue has become a critical concern for government, businesses, and individuals alike. Recognizing this, the Indian government passed the Digital Personal Data Protection Act (DPDPA) on 11 August 2023, aiming to provide comprehensive protection to the personal data of citizens. This landmark legislation is poised to transform the data protection landscape in India. In this blog, we’ll delve into the key provisions and implications of India’s Digital Personal Data Protection Act 2023.
Understanding the Need for Data Protection
The proliferation of digital technologies and the exponential growth of data-driven industries have given rise to concerns about how personal data is collected, processed, and shared. With the evolution of data breaches and privacy violations, individuals have become increasingly apprehensive about the safety of their personal information. In this context, the DPDPA seeks to address these concerns by establishing a robust framework for data protection.
Key Provisions of the Digital Personal Data Protection Act
Data Processing Principles: The DPDPA defines a series of principles that govern the processing of personal data. These principles include transparency, purpose limitation, data minimization, accuracy, storage limitation, and accountability. Organizations that collect and process personal data are required to adhere to these principles to ensure fair and lawful processing.
Data Principal Rights: The Act grants individuals a range of rights over their personal data, including the right to access, rectify, erase, and port their data. Data subjects can also withdraw consent for data processing at any time. This empowers individuals to have greater control over their personal information.
Data Protection Authority: The Act establishes the Data Protection Board, an independent regulatory body responsible for overseeing and enforcing data protection regulations. The Data Protection Board will have the authority to issue guidelines, conduct audits, and impose penalties for non-compliance.
Cross-Border Data Transfer: The DPDPAct allows data fiduciaries to transfer personal data for processing to any country or territory outside India, but it grants the central government the authority to impose restrictions through notifications. However, it does not prevent any other law from prescribing a higher threshold of data protection, such as the data localization requirements in relation to payment data imposed by the Reserve Bank of India (RBI). (Business restrictions imposed on American Express, MasterCard in the past by RBI)
Data Breach Notification: Organizations are required to report data breaches to the Data Protection Board and affected individuals within a stipulated time frame. This transparency ensures that individuals are promptly informed if their personal data is compromised.
Penalties for Non-Compliance: The Act prescribes severe penalties for non-compliance, including fines and imprisonment for data breaches and violations of data protection principles. This acts as a strong deterrent to organizations that may be lax in safeguarding personal data. The highest penalty declared so far is two hundred and fifty crore rupees.
Proposed penalties for data privacy breach in the DPDP Act 2023
| Type | Penalty |
|---|---|
| Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (5) of section 8. | May extend to two hundred and fifty crore rupees. |
| Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8. | May extend to two hundred crore rupees. |
| Breach in observance of additional obligations in relation to children under section 9. | May extend to two hundred crore rupees. |
| Breach in observance of additional obligations of Significant Data Fiduciary under section 10. | May extend to one hundred and fifty crore rupees. |
| Breach in observance of the duties under section 15. | May extend to ten thousand rupees. |
| Breach of any term of voluntary undertaking accepted by the Board under section 32. | Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted. |
| Breach of any other provision of this Act or the rules made thereunder. | May extend to fifty crore rupees |
DPDPA is a significant step toward addressing the evolving challenges of data privacy in the digital age. Implementation and execution are aspects we will witness going forward as India continues to emerge as a global technology hub. The DPDPA will play a crucial role in shaping the country’s data protection landscape and setting a precedent for other nations to follow.
At PKWARE we believe data is the life-blood of any organization, so it’s essential that it be protected. And that protection starts with knowing what data you have, where it lives, and how to protect it.
Here is the link for the original document published by Ministry of Electronics & Information Technology, Government of India for THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 – https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
Ben Meyers March 13, 2024
