Summary: A massive win for the world’s largest democracy, as it adopts the Digital Personal Data Protection Act, 2023 after Indian President Droupadi Murmu gives her assent. The act is acclaimed as a significant milestone in guarding a fundamental right of every Indian citizen, “the right to data privacy”, in both the real and the virtual world. Read this blog to find out the key highlights of this law and its stance on data disposal for protecting sensitive data.
After remaining in the shadows for 6 years and witnessing multiple iterations between 2017 and 2023, India’s Digital Personal Data Protection Act (DPDP) was established as a dedicated legal framework for safeguarding the constitutional rights of Indian citizens within the country and even outside. This law is an essential measure in regulating the manner in which companies collect, handle, store, process, and dispose of users’ sensitive and personal data digitally.
The DPDP Act was passed in Parliament after 6 years of long debates and negotiations following the Puttaswamy v. Union of India case, in which the Supreme Court recognized the fundamental right to privacy in India, including informational privacy, within the right to life (a provision of India’s constitution). In this judgment, a panel of nine Supreme Court judges recommended that the Indian government create a meticulously designed security framework for the protection of personal data privacy. This vital data protection framework borrows some of its scope and provisions from the EU-GDPR and other international data protection laws to handle the data protection challenges faced by citizens. Let’s have a look at some of the key provisions related to data disposal and other progressive aspects of the DPDP Act for safeguarding data privacy and promoting safe online existence.
Key Act Provisions on Data Protection & Disposal
Some of the key provisions, as highlighted by the Indian Digital Personal Data Protection Act, include:
- The scope of the Indian Digital Personal Data Protection Act applies to processing personal data not only within India but also extends its jurisdiction to data processing activity outside India if it involves offering goods and services within the Indian market.
- In Chapter II, Sec 4 – Obligations of Data Fiduciary, Page 4, the act defines a Data Fiduciary (someone who alone or jointly determines the purpose and means of processing personal data). It stresses the importance of the consent of data principals (individuals whose data is being collected, stored, and processed) for processing their personal data for legitimate purposes. However, specific legitimate applications, like voluntary sharing of individual data, and data processing by government entities for licenses, permissions, benefits, and services, might not necessitate consent.
- Further, in Chapter II, Sec 8 – General Obligations of Data Fiduciary, Page 7, this law establishes the responsibility of data fiduciaries to safeguard personal data under their control and possession. They are entrusted with upholding data accuracy, ensuring data security, and erasing data securely once its intended purpose is fulfilled. It necessitates implementing sound data security measures to mitigate data breach risks.
- Chapter II, Section 8, Part 7, also obligates data fiduciaries to routinely monitor the data and erase the personal data of Data Principals after it is no longer necessary for retention in order to comply with various laws and regulations.
- Under Chapter II, Sec 9, Processing Personal Data of Children, Page 8, the law requires businesses to obtain the consent of parents or guardians for collecting and processing the personal data of children below 18 years or persons with disabilities.
- Chapter III, The Rights & Duties of Data Principals, Page 9, grants Data Principals the rights listed below. We will look at these rights in detail later in the blog:
  - Right to access information
  - Right to correction and erasure of personal data
  - Right of grievance redressal
  - Right to nominate individuals in the absence of data principals to exercise their rights under this provision
- Chapter IV, Section 17 – Exemptions, Page 1, mentions certain exclusions for government agencies from the rights of data principals and the responsibilities of data fiduciaries in instances concerning national security, maintenance of public order, or the prevention of criminal activities. Government bodies are free from strict adherence to the provisions of the law.
- In Chapter 5, Section 18, Establishment of Board, Page 12 – the law authorizes the establishment of ‘The Data Protection Board’ of India by the central government. This body will have the power to inquire and impose penalties on non-compliance as per the DPDP Act provisions. It will also be responsible for mitigating personal data breach instances.
The Rights of Data Principals (aka Data Subjects / Individuals)
Data Principals are the same as the data subjects defined in the EU-GDPR. India’s Digital Personal Data Protection Act 2023 articulates and grants rights to Data Principals, heightening the protection of their sensitive data. Unlike the basic protections offered under the Information Technology Act 2000 for guarding sensitive data (such as sexual orientation, health data, etc.), the new DPDP law broadly covers all Personal Data by which an individual can be easily identified or related.
As mentioned above, Chapter III (Rights and Duties of Data Principal) highlights the rights that can be exercised by them. Let’s briefly look at the rights.
1) Right to Access Information about Personal Data:
Section 11 (1), Page 9 allows the Data Principal the right to request information from a Data Fiduciary, to whom they have previously given consent for personal data processing. The data principal can request a summary of processed personal data and related processing activities, disclosure of identities with whom the data is shared, and additional data processing details.
For example, X, an individual, registers herself on an online marketplace operated by Y, an e-commerce service provider. X gives her consent to Y for the processing of her personal data for selling her used car. Once the online marketplace has helped conclude the sale, Y shall no longer retain her personal data. X can ask Y to disclose the names of individuals with whom Y shared her used-car data.
2) Right to Correction & Erasure of Personal Data:
The Data Principal gets the right to rectify, complete, update, and erase their personal data for which they previously gave their consent. A data fiduciary must act upon the request of the Data principal. For erasing data, the Data Fiduciary is obligated to follow the procedure of using professional data-wiping tools in a way that data is not recoverable.
3) Right of Grievance Redressal:
Under this right, Data Principals are entitled to accessible mechanisms provided by Data Fiduciaries or Consent Managers in order to address concerns. The Data Fiduciary or Consent Manager is obliged to handle these grievances within the specified timeframe. Before seeking assistance from the Board, the Data Principal should initiate resolution of their grievance through this section.
4) Right to Nominate:
The Data Principal has the right to nominate an individual as per the procedural norms. The nominated person can exercise the Data Principal’s rights in case of their demise or inability to act, following the Law and its associated regulations.
Penalties of the DPDP Act on Businesses and Individuals
Under Section 33, the law summarises the various penalties and consequences for breach of the DPDP Act or its rules. If organizations are found to be mishandling or neglecting to protect individuals’ digital data, or fail to inform the authoritative body about a breach, they can be penalized with monetary fines of up to ₹250 crore ($30.1 million). Upon violation of any other provision of this Act or its associated regulations, organizations can face a penalty of up to ₹50 crore. The monetary penalty will be imposed by the Data Protection Board after giving the person an opportunity to be heard. The penalty amount depends on crucial factors like breach severity, personal data impact, repetition, gains or losses due to the breach, mitigation efforts, and proportionality.
How to Properly Dispose of Data To Comply With The Indian Digital Personal Data Protection Act?
As mentioned above, Chapter II, Section 8, Part 7 of the law mandates data fiduciaries to regularly monitor and erase the personal data of Data Principals after it has served its purpose. By failing to do so, data fiduciaries (that is, organizations) not only deny Data Principals a major right, the Right to Data Correction and Data Erasure, but also fall into non-compliance. To ensure compliance with the Indian DPDP Act 2023 and provide adequate data protection, an organization must follow the checklist below:
- Data Identification, Classification, and Labeling: Determine what data falls under the scope of the Indian Digital Personal Data Protection Act (DPDPB). Label data on account of the nature of sensitivity and determine the purpose of processing.
- Implement Data Disposal Policies: Chalk out a relevant and effective data disposal process that is aligned with the data disposal requirements, complies with the law, and helps avoid legal repercussions.
- Perform Secure Erasure: Consider secure erasure methods such as data wiping or encryption to ensure data is permanently destroyed beyond recovery. Professional data erasure software like BitRaser supports 24+ data wiping standards and also generates a certificate of destruction (CoD) to verify data erasure.
- Implement Data Retention Policies: Implement clear data retention policies that dictate the duration for which data can be stored before disposal.
- Ensure Compliance by Third-Party Vendors: If your organization uses third-party services for data disposal, ensure they too follow the DPDP Act guidelines.
- Transparency with Data Principals: Inform the data principals whose information you process, and are going to dispose of, about the data disposal process.
- Frequently Review Data Disposal Process: Regularly review and update data disposal processes to align with any changes in DPDPB regulations.
Does India have a Data Protection Act?
Yes, India got its first data protection law, the Indian Digital Personal Data Protection Act (DPDPB) 2023, on 11th August 2023 after approval from its President.
Who does the Indian DPDPB apply to?
The Indian Digital Personal Data Protection Act (DPDPB) applies to organizations processing personal data not only within India but also extends its jurisdiction to data processing activity outside India if it involves offering goods and services within the Indian market.
Why is the Indian DPDPB so important?
This law is an essential measure in regulating the manner in which technology companies collect, handle, store, process and dispose of users' sensitive and personal data. It grants rights to Data subjects, heightening the protection of their sensitive data and protecting their fundamental right: the right to Privacy.
What is the penalty under The Indian Data Protection Act?
If organizations are found mishandling or neglecting to protect individuals' digital data, or fail to inform the authoritative body about the breach, they can be penalized with monetary fines of up to ₹250 crore ($30.1 million).