Partner, Kreston OPR Advisors
Darshil Surana is a seasoned professional and Partner at O. P. Rathi & Co., where he has been instrumental in driving business process improvements and implementing strategic digital transformations since April 2023. With a diverse skill set that includes internal audits, information technology, and management accounting, Darshil is known for his expertise in financial advisory and analytics across Ahmedabad’s dynamic market.
Before his current role, Darshil was the Proprietor of Darshil Surana & Associates, a testament to his entrepreneurial spirit and his proficiency in strategic planning, financial analysis, and comprehensive taxation. His background also includes pivotal roles in Intech Systems, where as SBU Head and Delivery Head, he led cross-functional teams and managed the strategic business unit performance for MS Dynamics NAV/BC.
Darshil’s ascent from a Functional Consultant to a Project Manager reflects his exceptional leadership and project management skills. His early career foundations were laid at CA Pradeepkumar H. Shah & Co., where he honed his accounting and auditing abilities during his articleship. Darshil Surana’s career is a blend of robust professional experiences and a deep understanding of the intricacies of financial and business strategies.
India’s Digital Personal Data Protection Act, 2023 (DPDP Act)
November 3, 2023
The Digital Personal Data Protection Act, 2023 (DPDP Act) received Presidential assent on 11 August 2023, after being passed by both Houses of Parliament earlier that month. The Act seeks to protect the personal data and privacy of individuals in the digital world. It is a landmark piece of legislation that empowers individuals, and equips the State, to ensure data privacy. The Act lays out a framework to ensure that personal data is used only for appropriate and designated purposes and to prevent its misuse. Darshil Surana at Kreston OPR Advisors explains.
Definitions of The Digital Personal Data Protection Act
The Act emphasises the “Protection of Digital Personal Data”. Hence, any person’s data in digital form must be safeguarded by those responsible for collecting, storing and processing it. First, let us look at some definitions under section 2 of the Act:
- Data – “a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means” – Section 2(h).
- Personal Data – “any data about an individual who is identifiable by or in relation to such data” – Section 2(t).
- Digital Personal Data – “personal data in digital form” – Section 2(n).
This first set of definitions is quite simple. Data, personal data and digital personal data have been explicitly defined so as to remove confusion and ambiguity. It is noteworthy that data is defined broadly to include anything “… suitable for communication, interpretation or processing by human beings or by automated means”. Hence, data is covered whether it is handled by a human or by an automated system, including artificial intelligence (note, however, that “processing” under the Act, defined below, must be wholly or partly automated). Some examples of digital personal data are:
• KYC records such as PAN, Aadhaar, Driving License etc.
• Contact details such as e-mail address, phone numbers, etc.
• Social media user IDs and profiles.
• Audio-visual identification of individuals, such as CCTV footage, webcam images, and photos and videos on social media.
• Biometrics such as fingerprints, iris scans, face recognition, etc.
- Data Principal – “the individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with a disability, includes her lawful guardian, acting on her behalf” – Section 2(j).
- Data Fiduciary – “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data” – Section 2(i).
- Data Processor – “any person who processes personal data on behalf of a Data Fiduciary” – Section 2(k).
The Data Principal
The next set of definitions is more important: it lays the foundation for the data protection framework. The individual to whom the data pertains is the ‘Data Principal’, and it is the Data Principal who is at the centre of the Act. The ‘Data Fiduciary’ is the person who decides why and how the data is processed, whether it collects, stores and processes the data itself or through a ‘Data Processor’ acting on its behalf. Both terms have been defined widely. Let us understand the definitions through a couple of examples:
A Limited is a stockbroker and Ms. X wishes to open a Demat account with it. A Limited collects her name, address, contact number, PAN and Aadhaar, and uses the services of B Limited, a data repository, to verify the KYC. Here, Ms. X is the Data Principal, A Limited is the Data Fiduciary (it decides the purpose and means of processing) and B Limited is the Data Processor (it processes the data only on A Limited’s behalf).
Ms. X runs a music academy where she teaches classical music. Baby Y (aged 10 years) is one of her students. Ms. X collects Baby Y’s name, address and contact details for her records. Here, Baby Y is the Data Principal, with her parents included in that term as they act on her behalf, and Ms. X is the Data Fiduciary.
- Processing – “in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction” – Section 2(x).
Processing encompasses every operation from collection to destruction; any activity performed on the data in between is covered by the definition. It also covers facial recognition or voice recognition software and tools used to identify individuals.
Applying the Digital Personal Data Protection Act
The Digital Personal Data Protection Act applies to the processing of digital personal data within the territory of India where the personal data is collected – in digital form; or in non-digital form and digitised subsequently. It also applies to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.
Hence the Act is not confined to India’s borders: processing carried out outside India, and any breach of the Data Principal’s data that occurs there, is still covered where the processing relates to goods or services offered to Data Principals within India.
Ms. X is a programmer based in Pune and does freelancing work through a Portal (registered in the USA) that acts as an aggregator for service providers and service receivers and for that purpose gathers data such as name, address, contact information, bank details, credit card details, etc. In this case, the Portal is covered by the provisions of the Act, and would be answerable under it in the event of a breach of Ms. X’s digital personal data.
However, the Act does not apply to personal data processed by an individual for any personal or domestic purpose, nor to personal data that has been made publicly available either by the Data Principal herself or by any other person who is under a legal obligation to make it publicly available.
Obligations of Data Fiduciary
- Consent – The Act lays various obligations on the Data Fiduciary as to how data should be processed and protected. The first and foremost obligation is to obtain ‘Consent’ from the Data Principal. According to section 6 of the Act, the consent given by the Data Principal should be ‘free, specific, informed, unconditional and unambiguous with a clear affirmative action’. It further specifies that the ‘consent shall signify an agreement to the processing of personal data for specified purpose and limited to such personal data as is necessary for such specified purpose’. This means that even if the data principal has consented to the collection of both necessary and unnecessary data, the consent is effective only for the data necessary for the specified purpose, and the data fiduciary would be in breach of its obligations if it processes the rest.
Ms. X registers as a buyer on an eCommerce portal. The portal asks for her mobile number, address and her phone contact list, and Ms. X consents to all three. However, the contact list is not necessary for supplying goods or services to her. Hence her consent is limited to her mobile number and address for the purpose of availing goods or services from the portal, even though she explicitly consented to sharing the contact list as well.
Thus, if the data fiduciary processes data for which consent is not obtained or is deemed to be not obtained as per provisions of the Act, they shall be liable for breach of their obligations.
Further, every request for consent made to the data principal by the data fiduciary shall be accompanied or preceded by a notice informing the data principal of:
• The personal data and purpose for which it is to be processed.
• How the data principal can withdraw consent and seek grievance redressal.
• How the data principal may make a complaint to the Data Protection Board of India.
If the consent contains anything which infringes the provisions of the Act or rules made thereunder, the consent shall be invalid to the extent of such infringement.
X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives to Y her consent for (i) the processing of her personal data by Y for the purpose of issuing the policy, and (ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of the consent, relating to waiver of her right to file a complaint, shall be invalid.
The data principal also has the right to withdraw consent previously given. On withdrawal, the data fiduciary must cease processing the data, and must erase it (and cause its data processors to erase it) unless retention is necessary for compliance with any law in force.
- Certain Legitimate Uses of Personal Data – The data fiduciary may process the data principal’s personal data without separate consent for certain legitimate uses, such as:
a. Where the data principal has voluntarily provided personal data for a specified purpose and has not indicated that she does not consent to its use for that purpose.
b. Processing by the State or its instrumentalities to provide a subsidy, benefit, service, certificate, licence or permit, or to perform any function under a law for the time being in force.
c. Compliance with a judgment or decree.
d. Responding to a medical emergency involving a threat to life or an immediate threat to the health of the data principal or any other individual.
e. Taking measures to provide medical treatment or health services during an epidemic, outbreak of disease or other threat to public health.
f. Taking measures to ensure the safety of any individual during a disaster or breakdown of public order.
g. Purposes of employment, or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property or classified information, or provision of any service or benefit sought by a Data Principal who is an employee.
- General Obligations of Data Fiduciary – The data fiduciary has certain obligations it must meet to comply with the Act:
a. It is responsible for complying with the provisions of the Act irrespective of any agreement to the contrary or any failure of the data principal to carry out her duties under the Act.
b. It may engage a data processor only under a valid contract.
c. Where personal data is likely to be used to make a decision affecting the data principal, or is to be disclosed to another data fiduciary, it must ensure the completeness, accuracy and consistency of that data.
d. It must implement appropriate technical and organisational measures to ensure effective observance of the provisions of the Act.
e. It must have reasonable security safeguards to prevent a personal data breach of the personal data in its possession or control, including data processed on its behalf by a data processor.
f. It must intimate the Data Protection Board of India and each affected data principal in the event of a personal data breach.
g. It must erase, and cause its data processors to erase, personal data when the data principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, unless retention is necessary for compliance with any law.
- Personal Data of Children – The data fiduciary shall:
a. Obtain verifiable consent of the parent or lawful guardian before processing any personal data of a child.
b. Not process a child’s personal data in a manner likely to cause a detrimental effect on the child’s well-being.
c. Not undertake tracking or behavioural monitoring of children, or targeted advertising directed at children.
Rights and duties of Data Principal
The data principal has been accorded various rights and privileges under the Act in order to maintain the privacy of their personal digital data. They are also duty-bound to comply with the provisions of the Act.
- Rights of Data Principal:
a. Right to access information about personal data: the data principal may obtain a summary of the personal data being processed by the data fiduciary, the related processing activities, and the identities of other data fiduciaries and data processors with whom the data has been shared.
b. Right to correction and erasure: the data principal may have her personal data corrected, completed or updated, and may have it erased (for example by withdrawing consent), subject to any legal retention requirement.
c. Right of grievance redressal: in case of a breach by a data fiduciary, the data principal may seek redress through the data fiduciary’s grievance mechanism and, thereafter, the Data Protection Board of India.
- Duties of Data Principal:
a. Comply with the provisions of the Act.
b. Not impersonate another person while providing personal data for a specific purpose.
c. Not suppress material information while providing personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities.
d. Not register a false or frivolous grievance or complaint.
e. Furnish only information that is verifiable and authentic.
Penalties for Breach of Provisions of the Act
The Act has stringent compliance provisions for data fiduciaries and severe penalties for breaches. Let us look at some of the penalties prescribed in the Schedule to the Act:
1. Failure to observe the obligation to take reasonable security safeguards to prevent a personal data breach (section 8(5)): penalty may extend to INR 250 crore.
2. Failure to give the Board or the affected Data Principals notice of a personal data breach (section 8(6)): penalty may extend to INR 200 crore.
3. Failure to observe the additional obligations in relation to children (section 9): penalty may extend to INR 200 crore.
4. Failure to observe the additional obligations of a Significant Data Fiduciary (section 10): penalty may extend to INR 150 crore.
5. Breach of any other provision of the Act or the rules made thereunder: penalty may extend to INR 50 crore.
As you can see, the penalty for an organisation can range from INR 50 crore to INR 250 crore depending on the breach, with the highest amounts reserved for inadequate security safeguards and unreported breaches. All organisations falling within the definition of data fiduciary or data processor should therefore take measures to comply with the Act and its rules in a timely manner. The substantive provisions come into force on dates to be notified by the Government, and a transition period to implement compliance measures is expected.
Organisations should proactively carry out a Data Protection Impact Assessment and build an inventory of the measures to be adopted. These may cover the following areas:
- Design consent and notice mechanisms, including withdrawal of consent.
- Adopt IT/IS and cyber security measures, including reasonable security safeguards and a breach notification process.
- Appoint appropriate compliance officers within the organisation.
- Design data storage, archival and purging policies, and the tools to implement them.
Individuals should also educate themselves about the Act and know their rights and duties under it. They have shared large amounts of personal data with multiple online portals, and the Act empowers them to take control of how that data is used and protected.
If you would like to learn more about The Digital Personal Data Protection Act in India, please get in touch.