Concept of Privacy and Data
Privacy is a fundamental right recognized by the Supreme Court of India.
Under DPDPA, privacy means safeguarding digital personal data—any data that can identify an individual.
Organizations must justify every instance of data collection and processing, lawfully balancing the individual's privacy against business or government requirements.
Distinction of Personal and Non-Personal Data from Security Perspective
Personal Data: Data that identifies or relates to an identifiable individual (e.g., name, Aadhaar, email).
Non-Personal Data: Data that does not identify an individual—e.g., anonymized statistical data. DPDPA focuses only on personal data, not non-personal data.
Security: Personal data needs stronger technical and organizational safeguards; non-personal data is generally not regulated under DPDPA.
ITA 2000 and Privacy
Prior to DPDPA, Section 43A of ITA 2000 and the rules framed under it governed sensitive personal data.
DPDPA will replace Section 43A and establish more comprehensive requirements.
DPDPA-1: To Whom Applicable and When Applicable
Applies to the processing of digital personal data within India, and to the processing of Indian residents' data abroad where it relates to goods or services offered in India.
Does not apply to:
Personal/domestic use.
Public information (made public by individual or law).
The Act comes into force in phases as notified by the government.
DPDPA-2: Obligations of Data Fiduciaries
Data Fiduciary: Entity that determines the purpose and means of processing personal data (e.g., companies, government agencies).
Key obligations:
Obtain valid, informed consent.
Ensure accuracy and completeness.
Implement reasonable security measures.
Delete data once the purpose is met or upon withdrawal of consent.
Notify Data Protection Board (DPB) and individuals in case of breach.
Establish a grievance redressal mechanism.
For Significant Data Fiduciaries (SDFs):
Appoint Data Protection Officer (DPO).
Appoint an independent data auditor.
Conduct periodic impact assessments and audits.
DPDPA-3: Rights and Duties of Data Principals
Data Principal: The individual to whom the data relates.
Key rights:
Access to their data and processing summary.
Correction and erasure of data.
Withdraw consent at any time.
Data portability.
Grievance redressal.
Right to nominate a person to act on their behalf in case of death/incapacity.
DPDPA-4: Exemptions and Legitimate Uses
Full or partial exemptions apply to:
Government agencies for national security, public order, research, statistical purposes, etc.
Processing strictly for journalistic purposes (some flexibility under debate).
No consent needed for specific “legitimate uses,” such as providing government subsidies, legal duties, emergencies, or as authorized by law.
DPDPA-5: Data Protection Board and Grievance Redressal Mechanism
The Data Protection Board of India (DPB) will adjudicate non-compliance, data breach issues, and complaints—all processes are online.
Three-tier appeal system: DPB → TDSAT → Supreme Court.
Data fiduciaries must have internal grievance redressal processes.
DPDPA-6: Data Breach and Penalties
Mandatory reporting of all breaches, regardless of severity, to the DPB and affected individuals.
Penalty caps (as per the Act’s Schedule):
Personal data breach: Up to ₹250 crore.
Failure to notify breach: Up to ₹200 crore.
Violation involving children’s data: Up to ₹200 crore.
Miscellaneous/individual breaches: Up to ₹10,000.
Compliance Requirements under ITA 2000 and DPDPA 2023
Map all data collection and processing.
Assess if you are a Data Fiduciary or Significant Data Fiduciary.
Obtain consent, manage privacy notices, and ensure multifactor security.
Respond promptly to data principal requests.
Delete data upon purpose exhaustion or consent withdrawal.
Maintain records, conduct audits (for SDFs), and avoid cross-border transfer to countries on the government’s negative list.
Role of DPOs and Data Auditors
Data Protection Officer (DPO):
Required for Significant Data Fiduciaries (SDFs).
Handles compliance, answers data principal queries, manages grievances.
Must be based in India and report to top management.
Data Auditors:
Conduct independent periodic audits.
Review and ensure compliance with data protection obligations.