
Significant Actions that Websites must Take to be Compliant with India’s Digital Personal Data Protection Act, 2023


The Digital Personal Data Protection Act, 2023 (DPDPA)[1] is like the superhero India has been waiting for: after more than 5 years of legislative battle, it finally made its grand entrance last year (2023) to protect one's digital personal data. Before this, data protection in India was pretty much running without a seatbelt. Now we have a law that has our backs online.

Until the DPDPA comes into force, the Information Technology Act, 2000[2], as amended by the Information Technology (Amendment) Act, 2008[3], and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011[4] govern privacy and data protection in India. One of the main purposes of the Information Technology Act, 2000 is securing information rather than protecting data from misuse; it governs specific aspects of the data lifecycle on IT networks in India but lacks well-defined principles for dealing with the manipulation or movement of personal data.[5]

Apart from this, several sectoral laws, such as the Protection of Children from Sexual Offences Act, 2012[6], the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016[7] and the Credit Information Companies (Regulation) Act, 2005[8], partially govern privacy in India.

Nowadays, almost every company, irrespective of its size, has a transactional or informational website that collects personal data of individuals. If the fiduciary, through its website, has the means to identify the user behind an IP address, collecting that address is also considered collection of personal data.[9] Suppose a website records the IP address of everyone who visits it, and the website owner (data fiduciary) can, by asking the internet service provider, obtain personally identifiable information (PII) such as the name and contact details linked to that IP address; the IP address is then personal data because it can identify a person. From this it follows that websites fall within the definition of data fiduciaries most of the time.

Once the DPDPA is enforced, amending the existing websites of a company that is a data fiduciary to make them compliant with the provisions of the DPDPA will also fall within the scope of the Act. Compliance will help companies gain and maintain trust, enhance the security of the collected data, and develop greater opportunities. Plus, the last thing you want is a fine of up to 250 crores banging on your door for taking "privacy" casually.

Theoretically, companies need to take care of their websites from the different angles the DPDPA dictates. Section 4[10] of the DPDPA requires that explicit consent be obtained from data principals, while Section 5[11] brings out the need to give a "notice for consent" covering the data being processed, its purpose, and the methods for withdrawing consent or filing complaints. Such consent ought to be voluntary, well defined, diligent and unmistakable, given through an unequivocal positive act, and the notice must be articulated in simple, easy-to-understand words in whichever of the languages listed in the Eighth Schedule of the Constitution of India[12] the user prefers. In addition, the Act mandates sharing the details of a grievance officer or a data protection officer where needed. Section 8[13] states that data fiduciaries should ensure the completeness, accuracy and consistency of data, especially when a decision concerning a data principal is made, and that robust technical and organisational security arrangements must be in place to prevent data breaches. The data fiduciary must notify the Board and all affected data principals of a breach immediately. When consent is withdrawn, or is no longer required, the data must be deleted, and mechanisms for grievance redressal must be established. Section 9[14] highlights the need for verifiable parental consent for processing the data of children (18 years) or specially-abled data principals, and prohibits tracking or targeted advertising aimed at minors. Additional obligations for significant data fiduciaries include appointing a Data Protection Officer (DPO) based in India and conducting periodic data audits, as outlined in Section 10[15]. Sections 11 to 14[16] detail further responsibilities, including providing summaries of processed personal data, enabling rights to correction and erasure, and ensuring access for nominees in case of the data principal's incapacity or death.

In practice, companies can start by assessing their DPDPA compliance status, that is, by assessing how the website currently stacks up against the compliance requirements to understand which ones are met and which are not yet met. This is done by conducting a DPDPA assessment. The most efficient way is with the compliance software now emerging in India that scans the security controls, the website, and its operations against the DPDPA requirements. Such a tool helps identify areas of non-compliance and shows where changes to the website and its security measures are required.

Next, add requests for consent wherever the law dictates and move from implied to express consent. Under implied consent, merely visiting a company's website is taken as the customer's consent to the organisation's data gathering practices; under express consent, users explicitly agree to the data collection procedures. The DPDPA requires data fiduciaries to take specific consent for their data gathering procedures. As soon as a user visits the website, it should inform them of any use of cookies or any other data collection that is not voluntary on the user's part, and give them the option to opt out. Consent must also be obtained before any data gathered through online sources such as surveys or forms is added.
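The shift from implied to express consent described above comes down to one rule in the website's code: no non-essential cookie or tracking script is loaded until the visitor has actively opted in, and withdrawal is as easy as the opt-in. The following is an added example, not code from the article or from any named product; it keeps the consent logic free of any DOM dependency so it can be run in Node, and the categories, script paths and notice version strings are constructed placeholders that a site would replace with its own.

```javascript
// Added example: consent-gated loading of non-essential trackers.
// Pure logic with no DOM access. A real site wires grantConsent and
// withdrawConsent to the banner's buttons and calls scriptsToLoad (or
// isPermitted) before injecting any analytics, advertising or chat script.

// Constructed consent categories; each must be described in the privacy notice.
const CATEGORIES = ["analytics", "advertising", "chat"];

// Constructed script paths, one per category. "essential" covers things the
// site cannot function without (session cookie, CSRF token) and is never gated.
const SCRIPTS = {
  essential: "/js/session.js",
  analytics: "/js/analytics.js",
  advertising: "/js/ads.js",
  chat: "/js/chat-widget.js",
};

// A fresh consent record for a visitor. Nothing non-essential is permitted yet:
// simply visiting the site is NOT treated as consent (no implied consent).
function createConsentRecord(noticeVersion) {
  return {
    noticeVersion,   // version of the privacy notice the visitor was shown
    granted: {},     // category -> ISO timestamp of the express opt-in
    withdrawnAt: null,
    history: [],     // append-only trail, useful when demonstrating compliance
  };
}

function recordEvent(record, type, detail, now) {
  record.history.push({ type, detail, at: now.toISOString() });
}

// Express opt-in for specific categories. Unknown categories are rejected so
// that a UI bug cannot silently grant something the notice never described.
function grantConsent(record, categories, now = new Date()) {
  for (const c of categories) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown consent category: ${c}`);
    record.granted[c] = now.toISOString();
  }
  record.withdrawnAt = null;
  recordEvent(record, "grant", [...categories], now);
  return record;
}

// Withdrawal clears every non-essential permission in one step; withdrawing
// must be no harder than consenting, so there is no per-category fiddling.
function withdrawConsent(record, now = new Date()) {
  record.granted = {};
  record.withdrawnAt = now.toISOString();
  recordEvent(record, "withdraw", [...CATEGORIES], now);
  return record;
}

// Gate: may a tracker in `category` be loaded for this visitor?
// A changed notice version invalidates earlier consent, forcing re-consent.
function isPermitted(record, category, currentNoticeVersion) {
  if (category === "essential") return true;
  if (record.noticeVersion !== currentNoticeVersion) return false;
  return Object.prototype.hasOwnProperty.call(record.granted, category);
}

// Simulated loader: returns the scripts that would actually be injected.
function scriptsToLoad(record, currentNoticeVersion) {
  return Object.keys(SCRIPTS)
    .filter((cat) => isPermitted(record, cat, currentNoticeVersion))
    .map((cat) => SCRIPTS[cat]);
}

// Walk-through for a single visitor (constructed timestamps).
const visitor = createConsentRecord("notice-v1");
console.log("on arrival:", scriptsToLoad(visitor, "notice-v1"));            // only /js/session.js
grantConsent(visitor, ["analytics"], new Date("2024-01-01T00:00:00Z"));
console.log("after opt-in:", scriptsToLoad(visitor, "notice-v1"));          // session + analytics
withdrawConsent(visitor, new Date("2024-02-01T00:00:00Z"));
console.log("after withdrawal:", scriptsToLoad(visitor, "notice-v1"));      // only /js/session.js
```

The record's `history` array is what a fiduciary would persist alongside the consent state: it answers "when did this visitor consent, to what, and against which version of the notice", which is the evidence needed if a data principal or the Board later asks.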

Under the DPDPA, users have the right to know what happens to their data. This means that your company needs to be transparent about the data it collects, how it uses and processes it, who can access it, and with whom it shares it. You can add this information to the privacy notice page or put it on a new page or document that you create and post on your website.

A lot of websites rely on third-party components in various ways; these include, among others, analytics and tracking tools, plug-ins that implement specific features or designs, and chat services offered by other parties. Where such tools collect, process or store data, ensuring that they are DPDP compliant is the responsibility of the data fiduciary, not the data processor.

Users are guaranteed specific rights under the DPDPA in relation to their personal data, including the right of nomination and the right to request that you erase all records you hold about them. To exercise these rights, users must be able to get in touch with the organisation. Provide the grievance officer's and data protection officer's contact details in the privacy notice so that the data principal knows to whom to direct such requests.

To meet DPDPA requirements, companies will have to protect the personal data they collect or handle, so that it does not get into the wrong hands or get misused. Some of the most important methods of data protection are: access controls that limit who can see or use the data, so that only authorised people have access; unique employee identities, so that every employee has their own login credentials and you can track who is accessing the data; anti-virus software to protect against viruses and other harmful programs that may steal or damage data; and firewalls that act as a security barrier, blocking unauthorised access from outside sources such as hackers.

The DPDPA ensures that users possess specific data privacy rights, so user requests must be managed and responded to. Among these are requests to view all of the information you hold on them, requests to have all of their information removed from your systems, and requests to have their information corrected, along with the rights relating to nomination. To comply, an organisation must have published a privacy notice on its website that makes this clear to the data principal, and must have internal policies setting out the procedures and guidelines for handling these requests. It is also best practice to maintain policies for potential data breaches, such as methods for responding to a breach and notifying users that their data has been compromised, along with several other policies. Compliance with the DPDPA, 2023 is not just a legal formality but also a matter of building concrete information security. Good privacy is always significant security in disguise.


*Working at K&S Digiprotect (Offshoot of K&S Partners IP Attorneys). Author can be reached at: rishirajsaha2000@gmail.com.

1. Digital Personal Data Protection Act, 2023.

2. Information Technology Act, 2000.

3. Information Technology (Amendment) Act, 2008.

4. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

5. Data Protection in India: Overview. (khaitan.com, 25-05-2023).

6. Protection of Children from Sexual Offences Act, 2012.

7. Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

8. Credit Information Companies (Regulation) Act, 2005.

9. General Data Protection Regulation, Key Issues and Personal Data, intersoft consulting (gdpr-info.eu).

10. Digital Personal Data Protection Act, 2023, S. 4.

11. Digital Personal Data Protection Act, 2023, S. 5.

12. Constitution (92nd Amendment) Act, 2003; Constitution (71st Amendment) Act, 1992; Constitution (21st Amendment) Act, 1967; and Constitution of India, Sch. 8.

13. Digital Personal Data Protection Act, 2023, S. 8.

14. Digital Personal Data Protection Act, 2023, S. 9.

15. Digital Personal Data Protection Act, 2023, S. 10.

16. Digital Personal Data Protection Act, 2023, Ss. 11-14.
