Major Development: The Digital Personal Data Protection Act 2023
Mr. Ramachandran Parthasarathy enlightens us on India's groundbreaking Digital Personal Data Protection Act, 2023, and suggests proactive preparation, exemplified by the Optical Industry Association's proposed task force.
On 11 August 2023, the President of India signed the “Digital Personal Data Protection Bill” following its approval by both houses of the Indian Parliament. This enactment establishes a dedicated legal framework in India, marking a significant milestone: India’s first-ever privacy Act, designed to regulate the processing of digital personal data, acknowledging both individuals' right to safeguard their personal information and organizations. The exact dates for enforcement of the Digital Personal Data Protection Act, 2023, are presently awaiting final confirmation.
The Act defines data as any representation of information, fact(s), concept(s), opinion(s), and instruction(s) that is capable of being communicated, interpreted, and processed by human beings or by automated means. Further, any data about an individual (Data Principal) who is identifiable by or in relation to such data is referred to as Personal Data in the Act. As per the Act, consent must be obtained from the consumer, and the information pertaining to the consumer must be protected and secured by whoever has access to the commercial process, be it manufacturers, retailers or the supply chain.
The telemedicine illustration is reproduced below from the Gazette for better understanding.
The consent given by the Data Principal shall be free, specific, informed, unconditional, and unambiguous with clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
Illustration. X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since a phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.
(2) Any part of consent referred to in subsection (1) which constitutes an infringement of the provisions of this Act, or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement.
This leads to the appointment of a Data Fiduciary to carry out the duties provided under this Act and be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.
A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.
In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.
The Act marks a defining approach to safeguarding Personal Data, addressing longstanding needs in the context of increasing internet users and data generation. However, it is felt that various details regarding implementation need clarification, which may happen upon the establishment of the Data Protection Board of India and the promulgation of Rules under the Act.
In its entirety, the Act signifies India’s unique stance on modern data protection, enriched by extensive post-draft consultations. The Act certainly mandates a significant shift in how Indian businesses should now approach privacy and Personal Data.
It would be helpful if the Optical Industry Association formed a task force and prepared its members proactively to ensure compliance with the Act in the future, when timelines are drawn up by the Government.
In summary, India's Digital Personal Data Protection Act of 2023 is a groundbreaking development that prioritizes the protection of individuals' digital personal data and sets clear expectations for organizations handling this information. The Act emphasizes the importance of obtaining informed consent from consumers and introduces the role of Data Fiduciaries to ensure data security.
While the Act is a significant step forward, some implementation details await clarification through the Data Protection Board of India and subsequent rulemaking. Nonetheless, it marks a crucial shift in how businesses in India approach privacy and data protection.
The proactive stance taken by the Optical Industry Association in preparing its members for compliance with the Act serves as a commendable example for other industries. As India navigates this new era of data protection, readiness and cooperation will be essential to ensure a smooth transition and uphold the principles of the Digital Personal Data Protection Act, 2023.