The Digital Personal Data Protection Act, 2023 (DPDP Act) is a law enacted in India to regulate the processing of digital personal data. It aims to balance an individual's right to protect their personal data with the need to process such data for lawful purposes.
Chapter I: Preliminary
- Short Title and Commencement: The Act is called the Digital Personal Data Protection Act, 2023. It will come into force on a date appointed by the Central Government, and different provisions may come into force on different dates.
Definitions: This section defines key terms used throughout the Act. Some important definitions include:
- Appellate Tribunal: The Telecom Disputes Settlement and Appellate Tribunal.
- Automated: Any digital process that operates automatically for data processing.
- Board: The Data Protection Board of India.
- Child: An individual under 18 years of age.
- Consent Manager: A person registered with the Board who helps Data Principals manage their consent.
- Data: Information, facts, concepts, opinions, or instructions suitable for communication or processing.
- Data Fiduciary: Any person who determines the purpose and means of processing personal data.
- Data Principal: The individual to whom personal data relates. This includes parents/guardians for children and lawful guardians for persons with disabilities.
- Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.
- Digital Personal Data: Personal data in digital form.
- Personal Data: Any data about an identifiable individual.
- Personal Data Breach: Unauthorized processing or accidental disclosure, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability.
- Processing: Any automated operation or set of operations performed on digital personal data, including collection, storage, use, sharing, and destruction.
- Significant Data Fiduciary: A Data Fiduciary or class of Data Fiduciaries notified by the Central Government based on factors like data volume and sensitivity, risk to Data Principal rights, and impact on India's sovereignty.
- Specified Purpose: The purpose mentioned in the notice given by the Data Fiduciary to the Data Principal.
- Application of Act: The Act applies to processing digital personal data within India, whether collected digitally or digitized later. It also applies to processing outside India if it relates to offering goods or services to Data Principals in India. It does not apply to personal data processed for personal/domestic purposes or data made publicly available by the Data Principal or by law.
Chapter II: Obligations of Data Fiduciary
- Grounds for Processing Personal Data: Personal data can only be processed for a lawful purpose, either with the Data Principal's consent or for "certain legitimate uses". A "lawful purpose" is one not forbidden by law.
- Notice: A Data Fiduciary must provide notice to the Data Principal before or along with a consent request, informing them about the data to be processed, its purpose, how to exercise their rights, and how to file a complaint. For data processed before the Act's commencement, a similar notice must be given as soon as practicable. The notice must be accessible in English or any language listed in the Eighth Schedule of the Constitution.
- Consent: Consent must be free, specific, informed, unconditional, unambiguous, and signified by a clear affirmative action. It must be limited to the personal data necessary for the specified purpose. Any part of the consent that infringes the Act or other laws is invalid. Consent requests must be in clear language and offer an option to view in English or other scheduled languages, providing contact details for a Data Protection Officer or authorized person. Data Principals have the right to withdraw consent at any time, with comparable ease to how it was given. Withdrawal consequences are borne by the Data Principal, but do not affect processing done before withdrawal. Upon withdrawal, the Data Fiduciary must cease processing the data unless otherwise required by law. Data Principals can manage consent through a Consent Manager. Consent Managers are accountable to the Data Principal and must be registered with the Board. The Data Fiduciary must prove consent was given if a question arises in a proceeding.
- Certain Legitimate Uses: Data Fiduciaries can process personal data for specific legitimate uses, including when the Data Principal voluntarily provides it and hasn't indicated non-consent , for the State to provide benefits/services where consent was previously given or data is from a notified government database , for state functions related to sovereignty, integrity, or security of India , for legal obligations to disclose information to the State , for compliance with court orders , for medical emergencies or public health threats , for disaster relief or public order maintenance , and for employment-related purposes or safeguarding the employer from loss/liability.
- General Obligations of Data Fiduciary: Data Fiduciaries are responsible for complying with the Act, even if they use a Data Processor. They can engage Data Processors only under a valid contract. They must ensure data completeness, accuracy, and consistency if the data is used for decisions affecting the Data Principal or disclosed to another Data Fiduciary. They must implement technical and organizational measures for effective observance of the Act. They must protect personal data by taking reasonable security safeguards to prevent breaches. In case of a personal data breach, they must inform the Board and affected Data Principals. They must erase personal data when consent is withdrawn or the specified purpose is no longer served, unless retention is required by law. The purpose is deemed no longer served if the Data Principal hasn't approached the Fiduciary for the purpose or exercised their rights for a prescribed period. They must publish contact information for a Data Protection Officer or a person who can answer data processing questions. They must establish an effective grievance redressal mechanism.
- Processing of Personal Data of Children: Data Fiduciaries must obtain verifiable parental consent before processing a child's personal data or that of a person with a disability who has a lawful guardian. They cannot process data that is likely to harm a child's well-being. They cannot track or behaviourally monitor children or direct targeted advertising at them. Certain classes of Data Fiduciaries or purposes may be exempt from these provisions. The Central Government can notify exemptions for verifiably safe processing of children's data.
Additional Obligations of Significant Data Fiduciary: The Central Government may notify certain Data Fiduciaries as "Significant Data Fiduciaries" based on factors like data volume, sensitivity, risk to Data Principal rights, and impact on national sovereignty, electoral democracy, and public order. Significant Data Fiduciaries must:
- Appoint a Data Protection Officer based in India, responsible to the governing body, and the point of contact for grievance redressal.
- Appoint an independent data auditor to evaluate compliance.
- Undertake periodic Data Protection Impact Assessments and periodic audits.
Chapter III: Rights and Duties of Data Principal
- Right to Access Information about Personal Data: Data Principals have the right to obtain from the Data Fiduciary a summary of their processed personal data and processing activities, identities of other Data Fiduciaries and Processors with whom data has been shared, and other related information. This right doesn't apply to data shared with other Data Fiduciaries authorized by law for crime prevention/detection/investigation or prosecution.
- Right to Correction and Erasure of Personal Data: Data Principals have the right to correction, completion, updating, and erasure of their personal data. Upon request, the Data Fiduciary must correct inaccurate data, complete incomplete data, and update data. Data Principals can request erasure of their data, and the Data Fiduciary must comply unless retention is necessary for the specified purpose or legal compliance.
- Right of Grievance Redressal: Data Principals have the right to readily available grievance redressal mechanisms from a Data Fiduciary or Consent Manager. The Fiduciary/Manager must respond within a prescribed period. Data Principals must exhaust this option before approaching the Board.
- Right to Nominate: A Data Principal can nominate another individual to exercise their rights in case of their death or incapacity. "Incapacity" means inability to exercise rights due to unsoundness of mind or bodily infirmity.
Duties of Data Principal: Data Principals have duties including:
- Complying with applicable laws while exercising rights.
- Not impersonating another person.
- Not suppressing material information when providing data for government-issued documents.
- Not registering false or frivolous grievances.
- Furnishing only verifiably authentic information when exercising correction or erasure rights.
Chapter IV: Special Provisions
- Processing of Personal Data Outside India: The Central Government can restrict the transfer of personal data for processing to countries outside India. This does not restrict existing laws that provide higher protection or restrictions on data transfer.
- Exemptions: Certain provisions of the Act (Chapter II except specific subsections of section 8, Chapter III, and section 16) do not apply in cases where processing is necessary for enforcing legal rights/claims , for judicial/quasi-judicial/regulatory/supervisory functions of courts/tribunals , for crime prevention/detection/investigation/prosecution , for processing data of non-Indian Data Principals under a contract with a person outside India , for company mergers/amalgamations/reconstructions approved by a competent authority , and for ascertaining financial information of loan defaulters from financial institutions. The Act also does not apply to processing by notified State instrumentalities in the interest of sovereignty, security, friendly relations, public order, or preventing cognizable offenses related to these, or processing by the Central Government of such data. It also doesn't apply to data processing for research, archiving, or statistical purposes if it's not used for specific decisions about a Data Principal and meets prescribed standards. The Central Government can exempt certain Data Fiduciaries (including startups) from specific sections of the Act. Certain provisions regarding data erasure and correction do not apply to processing by the State or its instrumentalities for purposes not affecting the Data Principal. The Central Government can also declare general exemptions for Data Fiduciaries for a specified period within five years of the Act's commencement.
Chapter V: Data Protection Board of India
- Establishment of Board: The Data Protection Board of India will be established by the Central Government as a body corporate with perpetual succession and a common seal. Its headquarters will be notified by the Central Government.
- Composition and Qualifications for Appointment of Chairperson and Members: The Board will consist of a chairperson and other Members as notified by the Central Government. They will be appointed by the Central Government and must possess ability, integrity, and experience in fields like data governance, law, technology, etc., with at least one legal expert.
- Salary, Allowances Payable to and Term of Office: The salary and terms of service will be prescribed and not varied to their disadvantage after appointment. The Chairperson and Members hold office for two years and are eligible for re-appointment.
- Disqualifications for Appointment and Continuation as Chairperson and Members of Board: Disqualifications include insolvency, conviction for an offense involving moral turpitude, physical/mental incapacity, financial/other interests affecting functions, or abuse of position prejudicial to public interest. They cannot be removed without an opportunity to be heard.
- Resignation by Members and Filling of Vacancy: Members can resign by written notice, with resignation effective based on Central Government permission, expiry of three months, successor entering office, or term expiry, whichever is earliest. Vacancies are filled by fresh appointment. Members cannot accept employment with a Data Fiduciary against whom proceedings were initiated by them for one year after leaving office without Central Government approval, and must disclose any such subsequent employment.
- Proceedings of Board: The Board will observe prescribed procedures for meetings, including digital means, and authenticate orders. Board acts/proceedings are not invalid due to vacancies, defects in constitution/appointment, or procedural irregularities not affecting merits. The senior-most Member discharges Chairperson's functions during their absence.
- Officers and Employees of Board: The Board can appoint officers and employees with Central Government approval for efficient functioning, on prescribed terms.
- Members and Officers to be Public Servants: The Chairperson, Members, officers, and employees are deemed public servants under the Indian Penal Code when acting in pursuance of the Act.
Chapter VI: Powers, Functions and Procedure to be Followed by Board
- Powers of Chairperson: The Chairperson has powers of general superintendence, directing administrative matters, authorizing officers to scrutinize complaints, and allocating proceedings to individual or groups of Members.
Powers and Functions of Board: The Board's powers and functions include:
- Directing remedial measures, inquiring into, and imposing penalties for personal data breaches.
- Inquiring into and imposing penalties for breaches by Data Fiduciaries regarding their obligations or Data Principal rights, or on reference from governments or court directions.
- Inquiring into and imposing penalties for breaches by Consent Managers.
- Inquiring into and imposing penalties for breach of Consent Manager registration conditions.
- Inquiring into and imposing penalties for breaches by intermediaries on Central Government reference.
- Issuing necessary directions to persons after giving them a hearing and recording reasons.
- Modifying, suspending, withdrawing, or cancelling directions based on representations or Central Government reference, with conditions.
- Procedure to be Followed by Board: The Board will function independently and, as far as practicable, as a digital office for complaints, hearings, and decisions. It will determine if there are sufficient grounds for inquiry and can close proceedings if not. If sufficient grounds exist, it will inquire into compliance with the Act. Inquiries must follow natural justice principles, and reasons must be recorded. The Board has civil court powers for summoning, evidence, document production, inspection, and other prescribed matters. The Board or its officers cannot prevent access to premises or take custody of equipment that adversely affects daily functioning. The Board can request assistance from police or government officers. During inquiry, it may issue interim orders after a hearing. Upon completion, after a hearing, the Board may close proceedings or proceed to impose penalties. If a complaint is false or frivolous, the Board may issue a warning or impose costs on the complainant.
Chapter VII: Appeal and Alternate Dispute Resolution
- Appeal to Appellate Tribunal: Any person aggrieved by a Board order or direction can appeal to the Appellate Tribunal within 60 days. Appeals can be entertained after this period if there was sufficient cause for delay. The Appellate Tribunal, after hearing parties, can confirm, modify, or set aside the order. It must send a copy of its order to the Board and parties. Appeals should be disposed of within six months, with reasons recorded if not. The Appellate Tribunal will deal with appeals according to prescribed procedures. Appeals against Appellate Tribunal orders fall under section 18 of the Telecom Regulatory Authority of India Act, 1997. The Appellate Tribunal will function as a digital office for appeals as far as practicable.
- Orders Passed by Appellate Tribunal to be Executable as Decree: An Appellate Tribunal order is executable as a civil court decree, with the Tribunal having civil court powers for this purpose. The Tribunal can also transmit orders to a civil court for execution.
- Alternate Dispute Resolution: If the Board believes a complaint can be resolved by mediation, it can direct parties to attempt resolution through a mutually agreed mediator or as provided by law.
- Voluntary Undertaking: The Board can accept a voluntary undertaking from any person regarding compliance with the Act at any stage of a proceeding. This undertaking can include taking/refraining from action and publicizing it. The Board can vary the terms with the person's consent. Acceptance of the undertaking bars further proceedings regarding its contents, unless the person fails to adhere to it.
Chapter VIII: Penalties and Adjudication
- Penalties: If the Board concludes that a breach of the Act or rules is significant, it may impose monetary penalties as specified in the Schedule, after giving the person an opportunity to be heard. When determining the penalty amount, the Board considers the nature, gravity, and duration of the breach; the type and nature of affected personal data; repetitive nature of the breach; any gain realized or loss avoided by the person; actions taken to mitigate effects; proportionality and effectiveness of the penalty; and the likely impact on the person.
- Crediting Sums Realised by Way of Penalties to Consolidated Fund of India: All penalties collected by the Board are credited to the Consolidated Fund of India.
Chapter IX: Miscellaneous
- Protection of Action Taken in Good Faith: No legal proceedings can be brought against the Central Government, the Board, its Chairperson, Members, officers, or employees for actions done in good faith under the Act.
- Power to Call for Information: The Central Government can require the Board and any Data Fiduciary or intermediary to furnish information for the purposes of the Act.
- Power of Central Government to Issue Directions: The Central Government, on reference from the Board regarding repeated monetary penalties on a Data Fiduciary and public interest, can direct any agency or intermediary to block public access to information that enables such Data Fiduciary's activities. Intermediaries must comply with such directions.
- Consistency with Other Laws: The Act's provisions are in addition to, and do not derogate from, other existing laws. In case of conflict, the Act's provisions prevail.
- Bar of Jurisdiction: Civil courts do not have jurisdiction over matters for which the Board is empowered under this Act, and no injunctions can be granted against actions taken under the Act.
- Power to Make Rules: The Central Government can make rules consistent with the Act to carry out its purposes, covering matters like notice content, Consent Manager accountability/registration, legitimate uses, breach intimation, data retention periods, Data Protection Officer information, child data processing, Data Protection Impact Assessment, Data Principal requests, grievance response periods, nominations, exemptions standards, Board appointments/terms, Board procedures, and fees.
- Laying of Rules and Certain Notifications: Rules and certain notifications must be laid before each House of Parliament for 30 days. Parliament can modify or annul them.
- Power to Amend Schedule: The Central Government can amend the Schedule (which lists penalties), but cannot increase any penalty to more than twice its original amount.
- Power to Remove Difficulties: If difficulties arise in implementing the Act, the Central Government can issue orders to remove them, provided they are consistent with the Act and published in the Official Gazette. Such orders cannot be made after three years from the Act's commencement. Every such order must be laid before Parliament.
- Amendments to Certain Acts: The Act amends other laws, specifically the Telecom Regulatory Authority of India Act, 1997, the Information Technology Act, 2000 (omitting section 43A, inserting reference in section 81, and omitting clause (ob.) in section 87(2)), and the Right to Information Act, 2005 (substituting clause (j) in section 8(1) to refer to personal information).
The Schedule: Penalties
The Schedule outlines the monetary penalties for various breaches of the Act:
- Breach of obligation to take reasonable security safeguards to prevent personal data breach (sub-section (5) of section 8): May extend to two hundred and fifty crore rupees.
- Breach of obligation to give the Board or affected Data Principal notice of a personal data breach (sub-section (6) of section 8): May extend to two hundred crore rupees.
- Breach in observance of additional obligations in relation to children (section 9): May extend to two hundred crore rupees.
- Breach in observance of additional obligations of Significant Data Fiduciary (section 10): May extend to one hundred and fifty crore rupees.
- Breach in observance of the duties under section 15: May extend to ten thousand rupees.
- Breach of any term of voluntary undertaking accepted by the Board (section 32): Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted.
- Breach of any other provision of this Act or the rules made thereunder: May extend to fifty crore rupees.
List of Sections
Chapter I: Preliminary
- Section 1: Short title and commencement
- Section 2: Definitions
- Section 3: Application of Act
Chapter II: Obligations of Data Fiduciary
- Section 4: Grounds for processing personal data
- Section 5: Notice
- Section 6: Consent
- Section 7: Certain legitimate uses
- Section 8: General obligations of Data Fiduciary
- Section 9: Processing of personal data of children
- Section 10: Additional obligations of Significant Data Fiduciary
Chapter III: Rights and Duties of Data Principal
- Section 11: Right to access information about personal data
- Section 12: Right to correction and erasure of personal data
- Section 13: Right of grievance redressal
- Section 14: Right to nominate
- Section 15: Duties of Data Principal
Chapter IV: Special Provisions
- Section 16: Processing of personal data outside India
- Section 17: Exemptions
Chapter V: Data Protection Board of India
- Section 18: Establishment of Board
- Section 19: Composition and qualifications for appointment of Chairperson and Members
- Section 20: Salary, allowances payable to and term of office
- Section 21: Disqualifications for appointment and continuation as Chairperson and Members of Board
- Section 22: Resignation by Members and filling of vacancy
- Section 23: Proceedings of Board
- Section 24: Officers and employees of Board
- Section 25: Members and officers to be public servants
- Section 26: Powers of Chairperson
Chapter VI: Powers, Functions and Procedure to be Followed by Board
- Section 27: Powers and functions of Board
- Section 28: Procedure to be followed by Board
Chapter VII: Appeal and Alternate Dispute Resolution
- Section 29: Appeal to Appellate Tribunal
- Section 30: Orders passed by Appellate Tribunal to be executable as decree
- Section 31: Alternate dispute resolution
- Section 32: Voluntary undertaking
Chapter VIII: Penalties and Adjudication
- Section 33: Penalties
- Section 34: Crediting sums realised by way of penalties to Consolidated Fund of India
Chapter IX: Miscellaneous
- Section 35: Protection of action taken in good faith
- Section 36: Power to call for information
- Section 37: Power of Central Government to issue directions
- Section 38: Consistency with other laws
- Section 39: Bar of jurisdiction
- Section 40: Power to make rules
- Section 41: Laying of rules and certain notifications
- Section 42: Power to amend Schedule
- Section 43: Power to remove difficulties
- Section 44: Amendments to certain Acts