A Comprehensive Overview of the Digital Personal Data Protection Act, 2023

Key Features and Implications for Data Handling

  • 15 Mar, 2024

Objective of the Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023, serves to regulate the processing of digital personal data, ensuring the protection of individual rights while permitting lawful data processing.

Salient Features

  • Data Protection Framework:
    • Defines obligations for data fiduciaries (entities such as businesses and government departments that handle data) and establishes rights for data principals (the individuals to whom the data pertains).
    • Introduces penalties for violations to ensure compliance.
  • Core Principles:
    • Consent: Personal data must be used lawfully and transparently, with the individual's consent.
    • Purpose Limitation: Data can only be used for the purpose stated at the time of collection.
    • Data Minimisation: Only the data necessary for the specified purpose is to be collected.
    • Accuracy: Ensures the data collected is accurate and up-to-date.
    • Storage Limitation: Data should not be kept longer than necessary.
    • Security: Adequate measures must be taken to protect the data.
    • Accountability: Entities must be accountable for their data practices, with breaches and non-compliance resulting in penalties.
  • Inclusive Language:
    • Marks a shift by using “she” instead of “he” in the legal text, promoting gender inclusivity in law-making.
  • Rights for Individuals:
    • Access: Individuals can find out what personal data is processed.
    • Correction and Erasure: Individuals can correct or delete their data.
    • Grievance Redressal: A pathway for individuals to raise concerns.
    • Nomination: Individuals can nominate someone to exercise their rights in case of death or incapacity.
    • Example: If a user finds incorrect personal data on a shopping website, they can request it to be corrected or deleted under this Act.
  • Obligations for Data Fiduciaries:
    • Security: Implement safeguards against data breaches.
    • Notification: Inform the board and affected individuals about data breaches.
    • Data Erasure: Delete data when no longer needed or upon consent withdrawal.
    • Grievance Redressal: Establish a system to address individuals’ queries.
    • Example: A bank must erase a customer’s data upon their request if it’s no longer necessary for the purpose it was collected for.
  • Child Data Protection:
    • Children's data can only be processed with parental consent, and harmful practices like tracking are prohibited.
  • Exemptions:
    • Includes specific scenarios like national security, research, and legal processes where standard rules may not apply.
  • Board Functions:
    • Oversees compliance, addresses breaches, and can advise on actions against non-compliant entities.

Examples and Implementation

For instance, if a healthcare app collects more health data than needed for its service, it could be in violation of the data minimisation principle. Companies must now ensure they collect only what is explicitly required and safeguard it effectively to avoid penalties.

FAQs Simplified

This Act creates a framework that balances the protection of personal data with the needs of entities that process this data, offering a clear set of rights to individuals and imposing strict obligations on data handlers.
