Tax Practitioners and DPDA Act, 2023

FEBRUARY 07, 2024

By Mr M G Kodandaram, IRS, Assistant Director (Retd), Advocate and Consultant

Introduction

THE legal framework of data protection in India underwent a significant transformation with the enactment of the Digital Personal Data Protection Act, 2023 (hereinafter the 'DPDP Act'). The genesis of this regulatory framework can be traced to a landmark judgment of August 24, 2017, in which a 9-Judge bench of the Hon'ble Supreme Court, in Justice K.S. Puttaswamy (Retd.) and Anr. vs Union of India and Ors. (2017-TIOL-311-SC-MISC-CB), recognized the right to privacy as a fundamental right under Article 21 of the Constitution of India. (Please read Inadequacies in the Digital Personal Data Protection Act, 2023, by the author.) This marked the recognition of privacy as an intrinsic part of life and liberty, setting the stage for the constitutional history of personal data protection.

Amidst global developments, it is noteworthy that currently around 137 out of 194 countries have instituted legislation to strengthen the safeguarding of data and privacy. In this context, India has now introduced a dedicated law for the protection of its citizens' personal data. Until the rules and procedural compliances are formulated, it is prudent for all data fiduciaries to prepare diligently, ensuring a smooth adoption of the compliance requirements under the law by all relevant individuals and entities. This article examines the key provisions of the Act and explores its impact on practitioners of tax compliance, shedding light on the emerging challenges in the evolving realm of digital personal data protection in India.

Application Of DPDP Act

The DPDP Act, as outlined in Section 3, encompasses the processing of all 'personal data', identifiable with an individual, gathered within the borders of India, irrespective of its digital or non-digital form, including subsequent digitization. The Act further covers the processing of personal data outside of India when linked to activities providing goods and services to Data Principals (individual to whom the personal data belongs) in India.

The term 'data' used in the legislation refers to a representation of information, facts, concepts, opinions, or instructions presented in a manner suitable for communication, interpretation, or processing by either human beings or automated means. If such data involves information relating to an identifiable individual, it is termed 'personal data'. Such personal data in digital form is accorded legal protection from any kind of breach by the fiduciary or the processor. The individual to whom the personal data pertains is called the data principal. Where the individual is a child (less than 18 years), this includes the parents or lawful guardian; for a person with a disability, it encompasses their lawful guardian acting on their behalf.

A 'data fiduciary' (hereinafter 'fiduciary' for brevity) is any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. To process personal data, either independently or in collaboration with other entities, the fiduciary may employ, designate or otherwise engage another person (a 'data processor') to handle personal data on its behalf for activities related to providing goods or services to data principals. This engagement must occur through a valid contract. Regardless of any conflicting agreement, the data fiduciary retains responsibility for adhering to the legal provisions, including those pertaining to any processing carried out on its behalf by a data processor.

This law encompasses all professionals responsible for managing tax and financial affairs for individuals and entities, including chartered accountants, cost accountants, company secretaries, and GST practitioners. These professionals routinely collect and process personal data while fulfilling their clients' statutory responsibilities. As a result, they are obliged to comply with the mandatory provisions outlined in this Act.

It is essential to recognize that this legislation does not apply to personal data processed by an individual for personal or domestic purposes. Furthermore, it excludes personal data that is publicly available, whether disclosed by the relevant data principal or made accessible to the public by any other individual obligated by current Indian laws to do so.

Guiding Principles of DPDP Act

In the complex terrain of protecting the gathering and handling of digital personal data in India, it is essential to adhere to the DPDPA. With significant penalties proposed for non-compliance, failure to abide by this law could endanger an entity's survival. At the heart of the framework lie seven core principles derived from the data economy, forming the foundation for conscientious management of personal information and drawing on personal data protection laws across different jurisdictions.

The initial principle, "Lawful Usage," underscores the importance of organizations utilizing personal data in a manner that is legal, fair, and transparent, with due consideration for the individuals involved. This highlights the ethical and legal aspects of data usage. The second principle, "Purposeful Dissemination," emphasizes that personal data should only be employed for the explicit purposes for which it was originally gathered. This principle underscores the significance of upholding the integrity and purpose-driven nature of data usage.

The third principle, "Minimal Data Collection," supports the idea of gathering only the necessary and essential data required to fulfill a specific purpose, promoting the concept of data minimization. This principle aims to prevent unnecessary intrusions into individuals' privacy by restricting the extent of data collection. The fourth principle, "Data Accuracy," highlights the importance of precision in data collection, discouraging duplication at any phase. This ensures that the gathered information is reliable and devoid of inaccuracies or redundancies.

The fifth principle, "Limited Data Retention Period," challenges the idea of perpetual storage, asserting that personal data should only be retained for a defined duration. This principle aims to discourage indefinite storage, advocating for responsible and time-bound data management practices. The sixth principle, "Authorized Collection and Processing," emphasizes the need for robust safeguards to prevent unauthorized collection or processing of personal details. This principle strives to create a secure and controlled environment for the handling of sensitive information.

The final principle, "User Accountability," assigns responsibility to individuals who determine the purpose and methods of processing personal data. This accountability ensures that those overseeing the collection and processing of data adhere to the ethical and legal standards governing such activities. Collectively, these principles constitute the ethical and legal foundation of the DPDPA, promoting a secure, transparent, and responsible ecosystem for the management of personal information.

Obligations of Data Fiduciary

Under the DPDP act, data fiduciaries bear significant obligations aimed at ensuring the lawful and responsible processing of digital personal data. Section 4 outlines the grounds for processing digital personal data, restricting fiduciaries to processing only for lawful purposes explicitly approved by the data principal or for certain legitimate uses.

Section 5 emphasizes the issuance of a notice to seek consent, requiring fiduciaries to inform data principals of the personal data to be collected and the intended purpose. This notice must be presented in the prescribed form. Section 6 delves into the specifics of consent, requiring it to be specific, informed, unconditional, and given by a clear affirmative action. Importantly, fiduciaries cannot seek consent for actions that infringe the provisions of the Act. Section 7 enumerates certain legitimate uses for processing personal data, ranging from voluntary provision by the data principal to state or agency-related necessities and obligations under the law. It also includes responding to medical emergencies and employment-related purposes.

Section 8 emphasizes the maintenance of data accuracy and the prevention of breaches, mandating data fiduciaries to make reasonable efforts to ensure accuracy and completeness. It also requires the publication of the business contact information of a Data Protection Officer. The grievance redressal mechanism is underscored in Section 8(10), which requires data fiduciaries to establish an effective mechanism for addressing the grievances of data principals.

Section 9 focuses on the protection of personal data of children, requiring verifiable consent from parents or lawful guardians. It prohibits processing likely to cause harm to a child, as well as tracking, behavioural monitoring, or targeted advertising directed at children.

Section 10 introduces additional obligations for significant data fiduciaries, including the appointment of a Data Protection Officer and an independent Data Auditor to conduct data audits, along with other measures consistent with the Act's provisions. These comprehensive obligations collectively contribute to fostering a secure and ethically sound environment for the handling of personal data under the DPDP Act 2023.

Rights and Duties of Data Principal

The DPDP Act enumerates the rights and duties of data principals, ensuring a balanced and transparent relationship with data fiduciaries. The data principal has the right to access information about their personal data, entitling them to a summary of the processed data, details of sharing with other fiduciaries and processors, and any additional prescribed information (Section 11). Section 12 grants the data principal the right to correction, completion, updating, and erasure of their personal data to which they have previously given consent. Erasure requests, however, may be denied if data retention is legally mandated. The right of grievance redressal is affirmed in Section 13, giving data principals accessible means for addressing any acts or omissions concerning the fiduciary's obligations regarding their personal data. Section 14 introduces the right of nomination, allowing data principals to designate individuals to exercise their rights in the event of death or incapacitation.

The duties of a data principal, which are mandatory, include raising only truthful and legitimate complaints, refraining from impersonation, and ensuring the verifiable authenticity of information submitted for correction or erasure. Penalties for breaching these duties, as specified in Section 15, can reach up to Rs. 10,000. This incentivizes individuals to exercise their rights responsibly in accordance with the Act. Furthermore, data principals are required not to withhold pertinent information when providing personal data for official documents issued by the State or its agencies.

Exemptions in the DPDPA

The DPDPA outlines a comprehensive framework for the protection and regulation of personal data. However, within this framework, there are provisions for exemptions under certain circumstances. Section 17 of the DPDPA outlines these exemptions, specifying scenarios where certain provisions of the Act do not apply. These exemptions are crucial for ensuring that the legal framework remains flexible and adaptable to diverse situations.

1. Legal Enforcement and Judicial Functions: Section 17(1)(a) exempts the processing of personal data when necessary for enforcing any legal right or claim. This exemption recognizes the need for access to personal data in legal proceedings and ensures that such data can be utilized effectively for legal purposes. Similarly, under Section 17(1)(b), processing by courts, tribunals, or regulatory bodies in India is exempted if necessary for the performance of judicial, quasi-judicial, regulatory, or supervisory functions. This exemption acknowledges the essential role of these institutions in administering justice and regulation, which requires access to personal data to fulfil their functions.

2. Law Enforcement and National Security: Section 17(1)(c) allows the processing of personal data in the interest of prevention, detection, investigation, or prosecution of offenses or contraventions of law in India. This exemption is critical for law enforcement agencies to effectively combat crime and uphold public safety and security.

3. International Transactions: Under Section 17(1)(d), personal data processing outside the territory of India but pursuant to a contract with a person based in India is exempted. This exemption facilitates international transactions while ensuring compliance with data protection standards.

4. Corporate Restructuring: Section 17(1)(e) exempts personal data processing necessary for corporate activities like mergers, amalgamations, or reconstruction approved by competent authorities. This exemption streamlines corporate processes while safeguarding personal data involved in such transactions.

5. Financial Information: Processing of personal data for ascertaining financial information related to loan defaults is exempted under Section 17(1)(f). This exemption enables financial institutions to manage loan defaults efficiently while adhering to relevant disclosure laws.

6. Government and Research Activities: Section 17(2) exempts data processing by state instrumentalities for reasons of national security or public order. The processing for research, archiving, or statistical purposes is exempted if not used for specific decision-making affecting data principals, as per Section 17(2)(b).

7. Notification Exemptions: The Central Government, under Section 17(3) and (5), has the authority to exempt certain data fiduciaries or classes of data fiduciaries from specific provisions of the Act based on the nature and volume of data processed or for a specified period.

These exemptions play a vital role in balancing data protection with the practical needs of various sectors, including legal, law enforcement, corporate, and governmental activities. Periodic review and reassessment of these exemptions are necessary to align with evolving technological advancements and societal needs while upholding data privacy principles.

Other Important Provisions

The DPDP Act incorporates many other provisions that contribute to the comprehensive regulatory framework governing data protection. Section 16 grants authority to the Central Government to assess and identify countries or territories outside India to which a data fiduciary may transfer personal data. The notification, to be issued after a careful evaluation of relevant factors, has powers to stipulate the terms and conditions for such data transfers.

Section 18 mandates the establishment of a Data Protection Board of India (Board) for the regulation and implementation of the personal data protection regime in the country. The Board, as outlined in Section 19, is to be composed of a Chairperson and members, the number of which will be notified by the Central Government. This institutional structure plays a pivotal role in overseeing and enforcing the provisions of the Act.

Section 31 introduces an alternative mechanism for dispute resolution, whereby the Board, if it deems more appropriate, may direct the involved parties to mediation or other dispute resolution processes. Under Section 32, the Act allows the Board to accept voluntary undertakings from entities concerning compliance with its provisions. These undertakings must specify actions and timelines, be publicized, and can be modified upon the Board's request. If accepted, ongoing proceedings against the entity are halted unless the terms of the undertaking are not complied with, ensuring a collaborative approach to regulatory compliance.

Financial Penalties

The financial penalties outlined in Schedule 1, under section 33(1) of the DPDP Act, serve as a deterrent for non-compliance and violations of data protection provisions. These penalties cover a spectrum of offences and negligence, reflecting the gravity of each contravention.

The penalties prescribed in the Schedule are as follows:

- Failure to implement reasonable security safeguards to prevent personal data breaches (Section 8(5)): up to Rs. 250 Crores, underscoring the importance of robust data protection measures.

- Failure to notify the Board and affected Data Principals of a personal data breach (Section 8(6)): up to Rs. 200 Crores, emphasizing the significance of timely and transparent reporting.

- Non-fulfilment of the additional obligations relating to the processing of data concerning children (Section 9): up to Rs. 200 Crores, prioritizing the protection of vulnerable individuals.

- Failure to meet the additional obligations of a Significant Data Fiduciary (Section 10): up to Rs. 150 Crores, highlighting the heightened responsibility placed on entities handling significant volumes of personal data.

- Breach of any term of a voluntary undertaking accepted by the Board under Section 32: up to the extent applicable for the breach, considering the commitments made voluntarily.

- General non-compliance (all other clauses): up to Rs. 50 Crores, providing a graded approach based on the nature and severity of the violation.

These financial penalties aim to instil a culture of compliance and accountability, ensuring that data fiduciaries adhere to the stipulated standards and obligations, thereby fostering a secure and ethical digital data environment.

Strategies for DPDPA Compliance


With the DPDPA taking precedence, organizations are obligated to establish robust compliance mechanisms to safeguard personal data and uphold privacy rights. This is essential to mitigate the risk of substantial penalties imposed by the board following the required adjudication procedures outlined in the legislation. Achieving successful implementation necessitates a comprehensive and coordinated approach, integrating vital components and strategic initiatives. Despite the pending notification of rules and compliance mechanisms, the author outlines crucial elements and strategies essential for potential DPDPA compliance, ensuring readiness for its eventual implementation.

a) Leadership Commitment and Cross-Functional Collaboration: Obtaining unwavering commitment from senior leadership to prioritize DPDPA compliance is necessary. Collaboration across departments, with legal, IT, and business units presenting a united front, is essential. The support of leadership ensures the allocation of resources and a shared understanding of the significance of data privacy.

b) Data Mapping and Inventory: A thorough data mapping exercise must be undertaken to identify and document the personal data processed by the organization. Maintaining an up-to-date data inventory provides a foundational understanding of the data landscape and facilitates effective compliance management.

c) Data Protection Gap Assessment and Impact Assessment (DPIAs): Conducting Data Protection Gap Assessments and Impact Assessments (DPIAs) is crucial. These evaluations comprehensively analyze and mitigate privacy risks linked to data processing activities. They identify vulnerabilities and facilitate the creation of targeted strategies to address potential privacy concerns.

d) Data Principals' Rights: Set up transparent procedures to uphold data principals' rights, including facilitating easy access, correction, and deletion of personal data. Ensuring transparency and simplicity in exercising these rights promotes trust with data principals.

e) Consent Mechanisms: It is essential to implement robust user consent mechanisms for data processing activities. These mechanisms should offer users clear options to provide or withdraw consent, emphasizing transparency and empowering individuals to maintain control over their data.

f) Data Minimization and Erasure: Review and minimize the data collected, ensuring alignment with the principle of data minimization. Define data retention periods and establish effective erasure practices, promoting responsible data handling.

g) Third-Party Risk Management: Assess and manage risks associated with third-party vendors and service providers processing personal data on behalf of the organization. Embed necessary compliance clauses in agreements to ensure alignment with DPDPA requirements.

h) Privacy by Design: Integrate a privacy by design approach into the development of all products and services. Embedding privacy considerations from the outset ensures that data protection becomes an inherent aspect of organizational processes.

i) Security Testing and Validation: Regularly test and validate the effectiveness of data protection and privacy controls. Conduct security assessments to identify vulnerabilities and gaps, ensuring a proactive approach to data security.

Considering that data fiduciaries may ultimately bear responsibility for the actions of data processors, it is crucial to negotiate contracts between these entities with great care. In this context, data fiduciaries must take into consideration the risks associated with outsourced data processing activities, particularly concerning the following situations/issues:

- Compliance: In situations where a data processor fails to adequately comply with obligations under the DPDP Act regarding the implementation of appropriate technical and organizational measures, prevention of personal data breaches, and data protection.

- Contractual: Risks arising when a data fiduciary lacks the ability to enforce the terms of the contract with the data processor.

- Cyber security: Risks stemming from breaches in a data processor's information technology ("IT") systems, potentially leading to the loss, leakage, or breach of personal data.

- Legal: Risks wherein the data fiduciary may face financial penalties due to the negligence or omissions of the data processor.

- Operational: Risks arising from technology failures, fraud, errors, inadequate capacity to fulfil obligations, and/or an inability to provide remedies.

By preparing to follow the above components and strategies, organizations can overcome the complexities of DPDPA compliance successfully. In the evolving realm of data protection, proactive compliance becomes not just a legal requirement but a testament to an organization's dedication to ethical data handling practices.

Conclusion

The Digital Personal Data Protection Act, 2023 stands as a comprehensive and pivotal legislation, reflecting the government's commitment to fortifying the protection of personal data in the rapidly evolving digital terrain. The Act, with its streamlined definitions and a clear focus on jurisdiction, aims to establish a robust framework for safeguarding personal data, both within the geographical boundaries of India and beyond. By extending its jurisdiction to data processed outside India, involving Indian individuals, the Act addresses the global nature of data flows, emphasizing the need for stringent regulations to prevent privacy infringements. As the DPDP Act comes into force, it is poised to play a pivotal role in shaping a responsible and secure digital ecosystem, ensuring the privacy of individuals in the digital age.

Also read - Waning 'Public Interest' - RTI Act, 2005 amended by DPDP Act, 2023

DPDP Act 2023 Falls Short on Addressing 'Harm'

[The views expressed are strictly personal.]

(DISCLAIMER : The views expressed are strictly of the author and Taxindiaonline.com doesn't necessarily subscribe to the same. Taxindiaonline.com Pvt. Ltd. is not responsible or liable for any loss or damage caused to anyone due to any interpretation, error, omission in the articles being hosted on the site)
