[FAQs] on the Digital Personal Data Protection Act, 2023 (DPDP Act)
- Blog|Company Law|
- 8 Min Read
- By Taxmann
- |
- Last Updated on 19 August, 2023
Table of Contents
- Introduction
- Information Technology Act vis-à-vis the Digital Personal Data Protection Act, 2023
- Key Definitions
- Cross-Border Sharing of Personal Data
- Rights and Obligations under the Act
Check out Taxmann's Digital Personal Data Protection Act 2023 which provides a Bare Act of the Digital Personal Data Protection Act 2023 (DPDP Act) supplemented by a comprehensive FAQ section. The FAQs delve into key aspects of the DPDP Act, such as cross-border data sharing, rights and obligations, and data protection for children.
1. Introduction
FAQ 1. What is the Digital Personal Data Protection Act (DPDP Act)?
The DPDP Act is a legal framework introduced in India to safeguard the personal data of individuals and ensure that their data is shared only with their consent. It regulates the processing of digital personal data and outlines various provisions to protect individuals’ privacy in the digital age.
FAQ 2. How was the DPDP Act developed and passed in India?
The DPDP Act was introduced in August 2023 after several stages of development and legislative processes. It evolved from the 2017 Committee of Experts on Data Protection’s recommendations, which led to the introduction of the Personal Data Protection Act in 2019. After several iterations and consultations, the Digital Personal Data Protection Act, 2023, was introduced and subsequently passed by both the Lok Sabha and the Rajya Sabha. Later on, the Hon’ble President has given assent to the new Digital Personal Data Protect Act, 2023 on 11th Aug, 2023 and it become effective from 11th Aug, 2023.
FAQ 3. What is the conceptual basis of the DPDP Act?
The conceptual basis of the DPDP Act is the report of the Expert Committee set up under the chairmanship of Justice BN Srikrishna tittled
“A Free and Fair Digital Economy Protecting Privacy, Empowering Indians”
FAQ 4. What are the principles on which the DPDP Act is based on?
The DPDP Act is based on the following Seven principles:
- The principle of consented, lawful and transparent use of personal data;
- The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
- The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);
- The principle of data accuracy (ensuring data is correct and updated);
- The principle of storage limitation (storing data only till it is needed for the specified purpose);
- The principle of reasonable security safeguards; and
- The principle of accountability (through adjudication of data breaches and breaches of the provisions of the DPDP Act and imposition of penalties for the breaches).
FAQ 5. What are the current Acts governing data protection in India?
Before the introduction of the DPDP Act, India does not have a standalone Act on data protection. The use of personal data was regulated under the Information Technology (IT) Act, 2000.
FAQ 6. Whom does the DPDP Act apply to?
The DPDP Act applies to the processing of digital personal data within India, whether collected online or offline and digitized later on. It also extends its applicability to data processing conducted outside India if it involves offering goods or services within India.
FAQ 7. Whether the DPDP Act applies to the data collected offline?
If the data is collected offline and digitised later on it shall apply to that data also. However, the offline personal data which is not digitised is kept out of the ambit of this Act.
FAQ 8. What are the circumstances when DPDP Act shall not apply?
The DPDP Act shall not apply in the following cases:
(a) Personal data processed by an individual for any personal or domestic purpose.
(b) Personal data that is made or caused to be made publicly available by the person himself (Data Principal) to whom such personal data relates or any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
FAQ 9. Can personal data be used for any purpose under the DPDP Act?
No, personal data can only be used for the specific purpose for which consent was given. Consent must be free, specific, informed, unconditional, and unambiguous, and it is limited to the personal data necessary for the specified purpose. Any part of consent that violates the provisions of the Act or other applicable Acts will be considered invalid.
FAQ 10. Under what grounds can personal data be possessed?
Personal data can be possessed if it is retained for a lawful purpose and with the consent of the data principal.
FAQ 11. In case of a conflict between a provision of this Act and a provision of any other law currently in effect, what will be the outcome?
The provisions of this Act shall be in addition to and not in derogation of any other law for the time being in force. When a conflict arises between a provision of this Act and any provision of another law currently in force, the provision of this Act will take precedence to the extent of that conflict. This ensures that the rules and principles established in this Act hold sway in situations where there might be inconsistency with other existing laws.
2. Information Technology Act vis-à-vis the Digital Personal Data Protection Act, 2023
FAQ 12. An organization is currently following all the personal data obligations outlined in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). With the enactment of the DPDP Act, what new responsibilities will the organization need to adhere to?
Even if an organization is currently meeting all existing personal data obligations, you’ll need to ensure compliance with the DPDP Act. Here are a few extra responsibilities your organization will have to fulfil:
(a) Obtaining individuals’ consent before collecting or processing their personal data,
(b) ensuring comprehensive security measures for all personal data,
(c) providing data principals access to their personal data and enabling corrections,
(d) reporting breaches to both the Board and affected individuals.
Beyond these, the DPDP Act introduces further provisions necessitating a review of your organization’s data processing policies and practices to ensure alignment and compliance with the law and its upcoming rules.
FAQ 13. Mr X is a compliance officer of a technology company that has been operating under the guidelines of the Information Technology Act, 2000 (ITA 2000) in India for several years. The organization handles sensitive user data and has implemented various security measures to comply with ITA 2000 requirements.
However, news has just broken out that a new Personal Data Protection Act will be implemented soon. This Act aims to enhance data protection and privacy standards for all organizations handling user data.
In this context, the CEO of the Company approaches MR. A and asks, “With the upcoming implementation of the Personal Data Protection Act, does the organization still need to adhere to the compliances outlined in the Information Technology Act, 2000? How will this affect the current data protection measures?”
Certainly yes, while the enactment of the DPDP Act will retain the applicability of compliance obligations under the Information Technology Act, 2000 (IT Act), there will be notable changes. Specifically, Section 43A of the IT Act, encompassing compensation for mishandling sensitive personal data, along with its corresponding SPDI Rules, which constitute a significant portion of the current data protection framework in India, is slated for repeal under the DPDPB upon its enactment and subsequent notification.
Nevertheless, it is important to emphasize that various other provisions within the IT Act will endure and maintain their relevance. In scenarios where inconsistencies arise between the stipulations of the IT Act and those outlined in the DPDPB, the proposed course of action is for the provisions of the DPDPB to take precedence, ensuring a coherent and harmonized regulatory landscape.
FAQ 14. Does the Information Technology Act, 2000 have an overriding effect over the Digital Personal Data Protection Act, 2023?
No, the Information Technology Act, 2000 doesn’t have an overriding effect over the Digital Personal Data Protection Act, 2023. Proviso to section 81 of the Information Technology Act, 2000 has been amended by this Act to exclude the Digital Personal Data Protection Act, 2023 from the overriding power of the Information Technology Act, 2000.
3. Key Definitions
FAQ 15. What amounts to “Personal Data”?
Personal Data is defined as any data about an individual who is identifiable by or in relation to such data.
FAQ 16. What amount to a personal data breach?
“Personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromise confidentiality, integrity or availability of personal data.
FAQ 17. Who is a “Data Principal”?
“Data Principal” means the individual to whom the personal data relates and where such individual is—
(i) a child, including the parents or lawful guardian of such a child
(ii) a person with a disability, including her lawful guardian, acting on her
FAQ 18. Who is a “Data Fiduciary”?
Data fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
FAQ 19. Who is a significant data fiduciary?
“Significant Data Fiduciary” means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under Section 10.
FAQ 20. What is the meaning of the term ‘person’ under the Act?
As per Section 2(s) of the Act, (s) “person” includes—
(a) an individual;
(b) a Hindu undivided family;
(c) a company;
(d) a firm;
(e) an association of persons or a body of individuals, whether
(f) incorporated or not;
(g) the State; and
(h) every artificial juristic person, not falling within any of the preceding sub-clauses.
4. Cross-Border Sharing of Personal Data
FAQ 21. ABC Corp is a well-known international social media platform that allows users to connect, share content, and communicate with each other. While headquartered outside of India, ABC Corp has a substantial user base in India and offers its services to Indian citizens. Users in India create profiles, share personal information, and engage in various activities on the platform. Whether their data processing activities fall within the scope of the DPDP Act?
Yes, it will also apply to the processing of data outside India if it is for offering goods or services in India.
FAQ 22. Can data be transferred outside India under the DPDP Act?
Yes, data transfers outside India are allowed under the DPDP Act, but they must adhere to specific requirements, including obtaining explicit consent from the data principal and ensuring that the recipient country offers an adequate level of data protection. However, it restricts the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.
FAQ 23. Is it permissible for my organization to move personal data beyond the borders of India?
Yes, subject to certain conditions. Under clause 16 of the Act, the Central Government has the authority to limit the transfer of personal data by a Data Fiduciary to a foreign country or territory as may be notified. However, this clause doesn’t prevent any existing Indian law that offers greater protection or restrictions on such transfers from applying, whether for specific data or certain Data Fiduciaries.
FAQ 24. Do the regulations outlined in the DPDPB apply to my offshore online platform that offers services to individuals in India?
The DPDPB’s provisions predominantly pertain to the handling of personal data within India’s jurisdiction. In the case of organizations operating outside India, the DPDPB applies to a limited extent—specifically, when such an organization processes the personal data of Indian data subjects to provide goods or services.
In practical terms, if your offshore online platform offers goods or services to users in India and processes their personal data for the purpose of delivering these offerings, you would qualify as a data fiduciary under the DPDPB. Consequently, you would be required to adhere to the stipulated obligations as outlined in the regulation.
5. Rights and Obligations under the Act
FAQ 25. What responsibilities are being cast upon a data principal?
The DPDP Act also imposes certain duties on the data principals to prevent the misuse of their rights. The duties are as follows:
(a) Do not register false and frivolous complaints with the Data Protection Board of India.
(b) Do not impersonate another person while providing personal data to data fiduciaries.
(c) Do not suppress any material information while providing personal data for any document.
(d) Furnish only authentic information while exercising the right to data correction or erasure.
FAQ 26. Does the data principal have the right to withdraw consent?
Yes, the data principal at any time can withdraw the consent and ask the data fiduciary to erase data.
Disclaimer: The content/information published on the website is only for general information of the user and shall not be construed as legal advice. While the Taxmann has exercised reasonable efforts to ensure the veracity of information/content published, Taxmann shall be under no liability in any manner whatsoever for incorrect information, if any.
Taxmann Publications has a dedicated in-house Research & Editorial Team. This team consists of a team of Chartered Accountants, Company Secretaries, and Lawyers. This team works under the guidance and supervision of editor-in-chief Mr Rakesh Bhargava.
The Research and Editorial Team is responsible for developing reliable and accurate content for the readers. The team follows the six-sigma approach to achieve the benchmark of zero error in its publications and research platforms. The team ensures that the following publication guidelines are thoroughly followed while developing the content:
- The statutory material is obtained only from the authorized and reliable sources
- All the latest developments in the judicial and legislative fields are covered
- Prepare the analytical write-ups on current, controversial, and important issues to help the readers to understand the concept and its implications
- Every content published by Taxmann is complete, accurate and lucid
- All evidence-based statements are supported with proper reference to Section, Circular No., Notification No. or citations
- The golden rules of grammar, style and consistency are thoroughly followed
- Font and size that’s easy to read and remain consistent across all imprint and digital publications are applied