Data usage and ground-rules: Inside India's new Digital Personal Data Protection framework

A new law that defines how companies should process users' data came into force with the President giving assent to the Digital Personal Data Protection (DPDP) Act passed by Parliament in the just-concluded monsoon session.

The law arms individuals with greater control over their data while allowing companies to transfer users' data abroad for processing, except to nations and territories restricted by the Centre through notification.

It also gives the government power to seek information from firms and issue directions to block content. While the new law seeks to establish a robust framework for the protection of personal data in the digital realm, it has drawn criticism from some quarters over broad exemptions granted to state entities and some of its provisions diluting the landmark Right to Information (RTI) law.

The new legislation comes after the government, last year, withdrew a December 11, 2019 bill that had alarmed tech companies like Facebook and Google with its proposals for stringent restrictions on cross-border data flows.

Here are key takeaways from the freshly-minted, landmark law:

Obligations of data fiduciary: Data fiduciaries, which are entities collecting and processing personal data, are required to obtain free, informed and unconditional consent from individuals before processing their data. Data must be deleted when its purpose has been fulfilled or consent is withdrawn. Entities must protect personal data in their possession by taking reasonable security safeguards to prevent a data breach, and alert Data Protection Board of India and affected persons when data breach occurs.

A Data Fiduciary has to publish the contact information of a Data Protection Officer or a person who will answer questions about the processing of personal data. Data Fiduciary will have to establish an effective grievances redressal mechanism.

Rights and responsibilities of individuals: Individuals have the right to access the personal data collected about them and know with whom it has been shared. They can request the deletion, correction, or updating of their personal data. In case of grievance, they can approach such a mechanism set up by data fiduciaries. The rights, however, come with certain duties. They cannot impersonate another individual while providing personal data, cannot register a false complaint, or suppress material information. Breach of duties can be punishable with a penalty of up to Rs 10,000.

Special provisions: The government can restrict the transfer of personal data to certain countries for security and sovereignty reasons. It can also exempt certain classes of fiduciaries, including startups, from complying with specific provisions.

Powers of government: The government can order the blocking of a data fiduciary after a hearing based on the recommendation of a Data Protection Board. Immunity from legal proceedings is extended to the central government, the board, its chairperson, and members. Decisions of the board are now appealable before TDSAT.

Timelines: The Lok Sabha approved the bill on August 7, and the Rajya Sabha on August 9, marking the completion of the Parliamentary approval process. The government expects to implement DPDP within 10 months, IT Minister Ashwini Vaishnaw had said. The draft bill had been circulated in November 2022 for public comments, after the Government withdrew a previous version of data protection bill from Lok Sabha on August 3, 2022.

Applicability: Personal data is defined as data about an individual. The norms will apply to personal data collected in digital form, from individuals in India, and personal data collected offline but digitised subsequently. It will also apply to processing outside India, if it has to do with offering goods or services to individuals in India. The Act does not apply to personal data processed by an individual for any domestic purpose, nor to personal data made publicly available by an individual.

Processing of personal data: Processing means activities related to digital personal data, including collection, storage, indexing, sharing, use, disclosure, dissemination and even erasure. Personal data can be processed only for a lawful purpose for which an individual has given consent and for certain legitimate uses. For consent, notice has to be given by a data fiduciary (data using entity) to the data principal (individual) describing the data and purpose to be processed, also the manner in which the individual can make a complaint to the data protection board.

Consent: Consent of individuals should be free, unambiguous, and clear affirmative action, agreeing to processing of personal data only for the specified purpose. This means even if consent is for other purposes, say where a telemedicine app seeks access to users' contact list, the consent will be considered to be limited only to the actual purpose of data being collected (telemedicine services). Consent can be withdrawn at any time.

Processing of personal data of children: DPDP mandates parental consent for processing of children's data. Data collecting entities cannot undertake processing of personal data that is likely to cause detrimental effect on the well-being of a child, nor can they undertake tracking or behavioural monitoring of children or targeted advertising directed at children. It defines a child as an individual who has not completed 18 years of age. However, the government can lower the age of consent for certain entities if satisfied that they process children's data in a "verifiably safe" way.

Exemptions: Exemptions are applicable in cases where processing of personal data is needed for prevention and probe of offences, enforcing legal rights or claims, merger or amalgamation, detecting financial frauds, among others. The Centre can exempt the application of the law for Government entities in the interests of the sovereignty, integrity, and security of the State, or for public order.

Data protection board of India: The Act envisages the establishment of a Data Protection Board of India, tasked with monitoring compliance, inquiring into breaches, and imposing penalties, and directing remedial or mitigation measures in case of data breach.

Penalities: The provisions lay down different penalties for different offences -- failure to take reasonable security safeguards to prevent data breaches entails up to Rs 250 crore penalty, while non-fulfillment of obligations to give Board and individuals notice of data breach draws penalty of up to Rs 200 crore. The penalty for non-compliance of additional obligations in relation to children is up to Rs 200 crore.

Criticism: According to the Internet Freedom Foundation, the new law seems to prioritise data processing over privacy protection, which contradicts the original intent of safeguarding individuals' rights. Also, the broad exemptions granted to state entities are of concern. The law does not contain any meaningful safeguards against "over-broad surveillance".

While opposition MPs and digital experts say the legislation would allow the government and its agencies to access user data from companies and personal data of individuals without their consent, the Editors Guild of India says it affects press freedom, creates an enabling framework for surveillance of citizens including of journalists and their sources, and dilutes the Right to Information law.