The recently passed Digital Personal Data Protection Act, 2023 (“DPDP Act”) has generated a lot of discussion and rightly so, since it is a significant development for India to finally get a comprehensive and dedicated data protection law comparable to global standards.
While the DPDP Act is yet to be brought into effect, its rules yet to be prescribed and the Data Protection Board of India yet to be set up, the corporate world is already gearing up to ensure its systems and processes are compliant with the new regulations.
But what does the DPDP Act hold for arguably the most important stakeholder – the source of the data, the data principal? As the DPDP Act intends to overhaul the existing laws and regulations on data protection and privacy in India, it is crucial for data principals to be versed in the requirements and rights available to them, so as to mitigate the misuse of their personal data and protect their personal data and privacy in the digital age.
This handbook explores certain key aspects of the DPDP Act and its implications from a data principal’s perspective.
Step 1 – Identifying the Data Principal
The first and most important step is to identify who is considered as a data principal under the DPDP Act.
A data principal is primarily the natural person or individual to whom the data relates, i.e., the person whose data is being processed (collected, stored, shared, etc.). The DPDP Act also brings within the scope of ‘data principal’ the parent or lawful guardian of a child to whom the personal data relates, and the lawful guardian of a ‘person with disability’.
Step 2 – What Data is covered?
Having identified the data principal, the next logical step is recognizing the type of data covered under the ambit of the DPDP Act.
The DPDP Act only covers ‘digital personal data’ (i.e., personal data in digital form). That means offline data / records or non-personal data (business analysis, anonymized data, etc.) are outside the scope of the DPDP Act.
Personal data is any data which is capable of identifying an individual. Interestingly, there are no subsets of personal data (such as ‘sensitive personal data’ – financial information, sexual orientation, medical records and history, biometric information, etc.) and the DPDP Act treats all personal data at par.
Step 3 – When can Data be processed?
So now that we know who is a data principal and the categories of data covered, what are the prerequisites, if any, for processing such personal data?
Consent is one of the key features of the DPDP Act. To put it simply, data fiduciaries (akin to data controllers in other international privacy laws) need to obtain explicit consent from the data principal before collecting, using and sharing their personal data. Such consent should be free, specific and informed. You as the data principal must be informed by the data fiduciaries / data controllers about the purposes for which your data is being collected, and you must also be provided with an option to opt out of such collection or use.
Certain special scenarios are given in the DPDP Act where personal data may be processed without the consent of the data principal. These are known as ‘legitimate uses’ and include processing for purposes of employment, responding to medical emergencies, performing any function under law or the State providing any service or benefit to the data principal etc. As an example, your employer does not need your consent to process the data relating to your bank account or PAN number since that is required to pay your salary i.e., it is for “the purpose of employment”.
Step 4 – Know your rights
Similar to other countries, the DPDP Act confers certain rights on you as the data principal with respect to your personal data.
- Right to Access Information
Data principals may seek a summary of their personal data being processed by the data fiduciary and the processing activities in which the data fiduciary utilizes their data. In addition, the data principal may also seek the identities of other data fiduciaries with whom their personal data is shared.
However, these rights may not be available if the data was shared with another authorized data fiduciary for cyber incident prevention or prosecution.
- Right to Correction and Erasure of Personal Data
A data principal can require the data fiduciary to correct or update misleading or inaccurate personal data, complete incomplete data, or erase (unless mandated to be retained under law) their personal data, even if they had previously given consent for the processing. A classic example: if you gave your personal data to avail an online service and at that time agreed to receive regular tailor-made marketing messages, you can now require the data fiduciary to erase all personal data it collected from you for such targeted marketing.
- Right of Grievance Redressal
It will become mandatory for data fiduciaries or consent managers to make grievance redressal mechanisms available to you as a data principal, to ensure you receive prompt responses within prescribed timeframes. If the grievance redressal mechanism is exhausted without resolution, the data principal can file a complaint with the Data Protection Board. Keeping in mind the importance of such a Board, we will be tracking the setting up of the Board and the rules which will determine its functioning and powers, and will update this handbook accordingly.
- Right to Nominate
Data principals may now nominate individuals to exercise their rights in case of death or incapacity. We expect more details on the process to be specified under the rules to be notified.
Step 5 – Duties of Data Principals
Where there is a right there is also a duty, and the DPDP Act is no different in this regard. It introduces a unique requirement by outlining certain duties of data principals. These duties include (i) compliance with legal requirements, (ii) the duty to provide only verifiably authentic information and (iii) the duty not to register a false or frivolous grievance or complaint. Any non-compliance by data principals with their duties may lead to the imposition of a penalty of up to INR 10,000. Therefore, you as a data principal will now be obligated under law to provide true and confirmable data about yourself.
To summarize, for far too long Indian law has been out of date with the basic idea of protecting the privacy of data subjects, namely people like you and us. The DPDP Act is a crucial step towards an era where the privacy of data principals is at the center, by giving them a reasonable form of control over how their data is to be used. While it remains to be seen how it will be implemented and enforced, it appears to be the right move in the right direction.