On 11 August 2023, the President of India signed the “Digital Personal Data Protection Bill” following its approval by both houses of the Indian Parliament. This enactment establishes a dedicated legal framework in India and marks a significant milestone: it is India’s first-ever privacy Act, designed to regulate the processing of digital personal data, acknowledging both individuals’ right to safeguard their personal information and organizations. The exact dates for enforcement of the Digital Personal Data Protection Act, 2023, are presently awaiting final confirmation.
The Act defines Data as any representation of information, fact(s), concept(s), opinion(s), and instruction(s) that is capable of being communicated, interpreted, and processed by human beings or by automated means. Further, any data about an individual (Data Principal) who is identifiable by or in relation to such data is referred to as Personal Data in the Act. As per the Act, consent must be obtained from the consumer, and the information pertaining to the consumer must be protected and secured by whoever has access to it in the commercial process, be it manufacturers, retailers or the supply chain.
The telemedicine illustration is reproduced below from the gazette for better understanding.
The consent given by the Data Principal shall be free, specific, informed, unconditional, and unambiguous with clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
Illustration. X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since a phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.
(2) Any part of consent referred to in subsection (1) which constitutes an infringement of the provisions of this Act, or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement.
This leads to the appointment of a Data Fiduciary to carry out the duties provided under this Act and be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.
The Act marks a defining approach to safeguarding Personal Data, addressing longstanding needs in the context of a growing number of internet users and increasing data generation. However, it is felt that various details regarding implementation need clarification, which may happen upon the establishment of the Data Protection Board of India and the promulgation of Rules under the Act. In its entirety, the Act signifies India’s unique stance on modern data protection, enriched by extensive post-draft consultations. The Act certainly mandates a significant shift in how Indian businesses should now approach privacy and Personal Data.
It would be helpful if the Optical Industry Association formed a task force and prepared its members proactively to ensure compliance with the Act in the future, when timelines are drawn up by the Government.
Mr. Ramachandran Parthasarathy