India's new Digital Personal Data Protection Act, 2023, applies to any organization or business involved in the collection or management of personal data. The Act doesn't only cover data handling within India; it also has authority over data processing that occurs outside India.
India's rapidly evolving tech landscape has achieved a significant milestone with the introduction and subsequent passage of the Digital Personal Data Protection (DPDP) Bill in 2022. This pivotal legislation gained approval from the Union Cabinet on July 5 and was presented during the Monsoon Session of Parliament, which commenced on July 20, 2023. It swiftly moved through the legislative process, earning approval in both the lower house (Lok Sabha) on August 7 and the upper house (Rajya Sabha) on August 9.
With the President's official assent granted on August 11, 2023, as indicated in the Government of India's Gazette notification, the Digital Personal Data Protection Bill of 2022 officially transitioned into the Digital Personal Data Protection Act of 2023.
The reach of the Digital Personal Data Protection Act, 2023, extends beyond India's borders, encompassing the processing of digital personal data even when conducted abroad.
Mr. Rajarshi Bhattacharyya, Chairman and Managing Director of ProcessIT Global, compared the Act with the existing General Data Protection Regulation (GDPR) of the European Union (EU). He said, “It is more advanced because GDPR came out some time ago. This policy is more advanced and comprehensive, which will further India's progress.”
As per a collaborative report from the industry organization IAMAI and the market data analytics company Kantar, known as the 'Internet in India Report 2022,' it was revealed that over half of India's population, amounting to 759 million individuals, actively used the internet, accessing it at least once a month during 2022. The report also highlights that out of these active users, 399 million reside in rural India, surpassing the 360 million users in urban areas. This suggests that internet expansion in the country is primarily being propelled by rural India.
New Data Protection Act Emphasizes Ethical AI and Global Reach
Deepika Loganathan, CEO of HaiVE, said, “We are delighted to welcome the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA-2023) by the Parliament of India. This landmark legislation aligns perfectly with our longstanding commitment to ethical AI and data protection. We are pleased to announce that our existing framework for on-premises AI solutions already adheres closely to the seven principles and obligations outlined in the Act.”
The Act applies to any organization or business involved in the collection or management of personal data. It categorizes these organizations into two groups: those that determine the reasons and methods for processing (referred to as Data Fiduciaries) and those that carry out the processing based on the instructions of the Data Fiduciaries (referred to as Data Processors).
The Act doesn't only cover data handling within India; it also has authority over data processing that occurs outside India, particularly concerning goods and services offered to individuals in India. This means that any businesses offering goods or services to Indian residents, regardless of their physical location, would fall under its jurisdiction.
Mr. Nageen Kommu, CEO of Digitap, said, “At Digitap, we consider ourselves data processors. We don't store data; we process it on behalf of our clients, who are the data fiduciaries. While there may not be specific guidelines for data processors, we voluntarily adopt the same policies and procedures that data fiduciaries follow. If a customer wishes to revoke consent, we ensure that the data is deleted, complying with the Act's requirements.”
He also mentioned that the Act addresses data security during storage and transmission, and that Digitap already has robust security mechanisms in place, as it deals with RBI's outsourcing norms, which mandate data localization within India.
Obligations for Entities
The Act outlines several obligations that entities must adhere to when it comes to handling personal data. Some of the key responsibilities include:
- Informing individuals before collecting their personal data, specifying what data will be collected, the purposes for which it will be used, and the rights individuals have.
- Obtaining consent or relying on legitimate reasons when necessary.
- Collecting only the personal data required for the stated purpose.
- Keeping personal data only as long as needed for the intended purpose and deleting it afterward.
- Establishing a mechanism for addressing grievances and concerns raised by individuals.
- Implementing appropriate technical and organizational security measures.
- Notifying the Data Protection Board and affected individuals in case of a personal data breach.
- Seeking parental or guardian consent and refraining from activities like behavioral monitoring, tracking, or processing that could harm children or individuals with disabilities.
- Limiting the transfer of personal data outside India to specified territories.
- Conducting data protection impact assessments, periodic data audits, and appointing a Data Protection Officer and auditors for Significant Data Fiduciaries.
- Complying with requirements regarding the cross-border transfer of personal data and seeking applicable exemptions.
To further align with the obligations of the Digital Personal Data Protection Act, 2023, Loganathan stated that HaiVE is in the process of fine-tuning the company's policies and processes. “We are developing a Digital Personal Data Protection Act, 2023, compliance framework that will serve as a comprehensive guide for our team and our clients. This framework will automatically apply to all our future engagements in India, ensuring seamless compliance with the Act's provisions,” she added.
Your Rights and Duties Regarding Your Personal Data
Individuals have been granted specific rights under the law concerning how their personal data is handled. These rights encompass:
- Right to Access: Individuals have the right to be informed if their personal data is being processed. They can request a summary of the data being processed, details about processing activities (like its use for targeted advertising), the identities of entities with whom their data has been shared (such as processors or third parties), and the types of data shared.
- Right to Correction & Erasure: Individuals possess the right to have inaccurate or misleading data corrected, incomplete data completed, and their personal data updated, particularly when this data is shared with other entities or used for decision-making. They can also request the deletion of their personal data (or withdraw consent if consent is the basis), although entities may retain it if required for legal compliance.
- Right to Grievance Redressal & Nomination: The Act introduces a grievance redressal mechanism allowing individuals to file complaints with entities regarding compliance with the Act. Entities must respond within a specified time frame. If dissatisfied with the response, individuals can escalate the matter to the Data Protection Board. Moreover, individuals can nominate someone to exercise their rights concerning personal data in case of their incapacitation or demise.
- Duties: The Act also outlines certain responsibilities for individuals, such as providing accurate information and refraining from impersonation, from withholding material information, and from submitting false complaints to the Data Protection Board.
Healthcare Sector Braces for Impact
Kapil Kumar, Chief Technology Officer (Medical Informatics) at Artemis Hospitals, Gurugram, has raised concerns about the Act's implications for the healthcare sector. He said, “Due to the growing uptake of digital health technologies like electronic health records and telemedicine, the Digital Personal Data Protection Act, 2023 will have a significant impact on the healthcare sector.”
According to Mr. Kumar, this measure aims to regulate the collection, storage, and distribution of sensitive patient data, thereby safeguarding individuals' privacy rights. He also referenced previous incidents that underscore its significance. For instance, in 2019, there was an unauthorized access breach that compromised the health records of nearly 6.8 million patients and doctors. Similarly, in 2021, a breach of Indian government websites exposed the COVID-19 lab results of over 1,500 residents. In Kerala, personal information from more than 200,000 patients was inadvertently disclosed. This regulation emerges as a champion of data privacy in the healthcare sector.
The Act is significantly distinct from the existing law, which offers limited protection, mainly in cases of security breaches, and only for specific types of data (sensitive personal data). In contrast, the Act offers extensive safeguards for personal data by imposing responsibilities and granting individuals greater control and awareness over their personal information.
While the Act unquestionably marks a substantial advancement in safeguarding individuals' digital rights, the Data Protection Board's subsequent rulemaking and advocacy efforts will play a crucial role in not only reinforcing these rights but also establishing a structured framework for data processing.