
It was a landmark day in Indian judicial history when the Supreme Court delivered its verdict in K.S. Puttaswamy v. Union of India. The court ruled that the Right to Privacy is a fundamental right under Article 21 of the Indian Constitution[1]. The ruling was a game-changer, recognising that individuals have a right to control their personal information. Later, in 2018, the Aadhaar data breach incident was a wake-up call for India to move towards robust data protection laws. The Puttaswamy judgment had set the stage for India's journey toward comprehensive data protection legislation. It underscored the importance of protecting citizens' personal data and paved the way for the Digital Personal Data Protection Act, 2023 (DPDP Act).
The Act replaces the earlier data-protection provisions of the Information Technology Act, 2000 (Section 43A and the rules made under it).
The DPDP Act seeks to strike a balance between an individual's right to privacy and the need to process personal data for lawful purposes.
Key Highlights of the Act
- Applicability of the Act:[2]
- The Act applies to the processing of digital personal data within the territory of India, where the data is collected either in digital form or in non-digital form and subsequently digitised.
- The Act also applies to the processing of digital personal data outside the territory of India, if the processing is in connection with any activity related to offering goods or services to Data Principals within the territory of India.
- Exclusion of Applicability:
- Personal data processed by individual for personal or domestic purpose, or
- Personal data publicly made available by the Data Principal, or
- Personal data publicly made available by any other person under legal obligation.
- Data Fiduciary and Data Principal:[3]
- A Data Fiduciary is any person who, either alone or in conjunction with others, determines the purpose and means of processing of personal data. It may be an individual, an entity, or a company.
- Data Principal is the individual to whom the personal data relates.
- Data Principal will be-
- Parents or lawful guardian in case of child, and
- Guardian in case of a person with disability.
- Consent:[4]
- Consent of the Data Principal to process her digital personal data shall be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, and limited to the personal data necessary for the specified purpose.
- The request for consent shall be made in clear and plain language, with the option to access the request in English or any language specified in the Eighth Schedule of the Indian Constitution.
- The Data Principal has the right to withdraw her consent at any time. She may give, manage, review or withdraw consent through a Consent Manager acting on her behalf.
- On withdrawal of consent, the Data Fiduciary shall, within a reasonable time, cease processing the personal data and cause its Data Processors to cease processing, unless such processing is required under any law.
- Notice:[5]
- Every request for consent under Section 6 shall be accompanied or preceded by a notice from the Data Fiduciary informing the Data Principal of:
- the purpose for which her personal data is proposed to be processed,
- the manner in which she may exercise her rights under the DPDP Act, and
- the manner in which she may make a complaint to the Data Protection Board.
- Where the Data Principal gave consent before the commencement of the Act, the Data Fiduciary shall give this notice as soon as reasonably practicable, and may continue to process her personal data until she withdraws her consent.
- The Data Fiduciary shall give the Data Principal the option to access the notice in English or any language specified in the Eighth Schedule of the Indian Constitution.
- Legitimate Purposes for Processing Personal Data:[6]
- Personal data can be processed on two bases:[7]
- when the Data Principal has given her consent; or
- for certain legitimate uses.
- Certain legitimate uses are:
- For any specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, or
- Processing by the State or its instrumentalities to provide or issue to Data Principal any subsidy, benefit, service, certificate, license or permit; when:
- She has previously consented for such processing of her data for these purposes;
- Such personal data is available in any database, register, book, or other document which is maintained by the State or its instrumentalities, or
- For the performance of any function by the State or its instrumentalities under any law, or
- In the interest of sovereignty of India, or
- For the security of the state, or
- By any person who is under legal obligation to disclose such information to the State or any of its instrumentalities, or
- For compliance with any judgment or decree or order passed in India, or
- For compliance of judgment or order in relation to claims of contractual or civil nature under any law for the time being in force outside India, or
- To respond to a medical emergency involving threat to life or immediate threat to health of the Data Principal or any other individual, or
- To provide medical treatment or health services to any individual during epidemic, outbreak of disease, or any other threat to public health, or
- For taking safety measures or to provide assistance or services to any individual during any disaster, or any breakdown of public order, or
- For the purposes of employment, or those related to safeguarding the employer from loss or liability.
- General Obligations of Data Fiduciary:[8]
- Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals under a valid contract.
- Where personal data processed by a Data Fiduciary is likely to be –
- Used to make a decision that affects the Data Principal; or
- Disclosed to another Data Fiduciary,
Data Fiduciary shall ensure its completeness, accuracy, and consistency.
- Implement appropriate technical and organisational measures to ensure effective compliance with the Act.
- Take reasonable security safeguards to prevent personal data breach of the Data Principal.
- Intimate the Data Protection Board and each affected Data Principal in the event of a personal data breach.
- Erase the personal data once the specified purpose is fulfilled or consent is withdrawn, and cause its Data Processors to erase such personal data, unless retention is necessary under any law.
- Publish the business contact information of a Data Protection Officer, or of any other person able to answer, on behalf of the Data Fiduciary, the questions raised by the Data Principal.
- Establish an effective mechanism for redressal of grievances.
- Obtain verifiable consent of the parent or lawful guardian before processing the personal data of a child or of a person with disability who has a lawful guardian.
- Not undertake tracking or behavioural monitoring of children, or targeted advertising directed at children.[9]
- Rights of Data Principal:
- Right to access information about personal data:[10]
Data Principal can have-
- Access to a summary of personal data which is being processed and the processing activities of the Data Fiduciary with respect to such personal data.
- Information about all other Data Fiduciaries and Data Processors with whom her personal data has been shared; along with the description of the personal data shared.
- Right to correction and erasure of personal data:[11]
- The Data Principal can request correction, completion, updating and erasure of the personal data for which she has given consent.
- On such request made by the Data Principal, the Data Fiduciary shall correct the misleading or inaccurate personal data; complete the personal data; and update the personal data.
- Data Principal may request for erasure of her personal data; upon such request, Data Fiduciary shall erase her personal data unless retention is necessary for the specific purpose or for legal compliance.
- Right of Grievance Redressal:[12]
- The Data Principal has the right to readily available means of grievance redressal provided by the Data Fiduciary or Consent Manager in respect of any act or omission of the Data Fiduciary or Consent Manager.
- The Data Fiduciary shall respond to such grievances within a period of 90 days.[13]
- The Data Principal must exhaust the remedy under Section 13 before approaching the Data Protection Board.
- Right to Nominate:[14]
- The Data Principal has the right to nominate any other person who shall, in the event of her death or incapacity, exercise her rights under the Act.
- Duties of Data Principal:[15]
- Comply with the provisions of all other laws for the time being in force while exercising rights under the Act.
- Data Principal should not impersonate another person while providing her personal data for specified purpose.
- The Data Principal should not suppress any material fact while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities.
- Data Principal should not register a false grievance or complaint with the Data Fiduciary or the Data Protection Board.
- Data Principal, while exercising right to correction or erasure should furnish verifiably authentic information.
- Data Protection Board of India:
- Establishment:[16] The Data Protection Board shall be established by the Central Government.
- Constitution: The Board shall consist of a Chairperson and such number of other members as the Central Government may appoint.[17]
- The Chairperson and members shall be persons of ability, integrity and standing who possess special knowledge or practical experience in data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or any other field the Central Government considers useful, and at least one of them shall be an expert in the field of law.[18]
- Term: The Chairperson and other members shall hold office for a term of two years and are eligible for re-appointment.[19]
- Powers of the Chairperson:[20]
- General superintendence and giving direction in respect of all administrative matters of the Board,
- Authorise any officer of the Board to scrutinise any intimation, complaint, reference, or correspondence addressed to the Board and
- Authorise performance of any of the functions of the Board and conduct any of its proceedings, by an individual member or group of members and to allocate proceedings among them.
- Functioning: The Board shall function as an independent body and, as far as practicable, as a digital office, with the receipt of complaints and the allocation, hearing and pronouncement of decisions being digital by design, and shall adopt such techno-legal measures as may be prescribed.[21]
- Powers and Functions of the Board:
- Direct any urgent remedial or mitigation measures on receipt of an intimation of a personal data breach, inquire into such breach and impose penalty,
- Inquire into breach and impose penalty on-
- Complaint made by Data Principal in respect of personal data breach; or
- Breach of obligation by Data Fiduciary in respect with personal data of the Data Principal; or
- Exercise of rights by Data Principal under the Act; or
- Reference made to it by the Central Government or a State Government; or
- In compliance of directions of any court.
- Inquire into breach and impose penalty on a complaint made by Data Principal with respect of breach of obligations by Consent Manager in relation to her personal data,
- Inquire into breach and impose penalty on receipt of intimation of breach of any condition of registration of a Consent Manager,
- Inquire into breach and impose penalty on a reference made by the Central Government in respect of breach in observance of provisions under section 37(2) by an intermediary,
- Issue directions in discharge of its functions after giving an opportunity of being heard to the concerned person,
- Modify, suspend, withdraw or cancel such direction, with or without conditions, on a representation made to it by the affected person or on a reference by the Central Government.[22]
- Determine whether there are sufficient grounds to proceed with an inquiry,
- The Board shall follow the principles of natural justice in conduct of proceedings.
- May issue interim orders after giving an opportunity of being heard,
- May require the services of any police officer or any officer of government,
- Issue warnings or impose costs on the complainant; if in the opinion of the Board the complaint is false or frivolous.
- The Board shall have the same powers as are vested in a civil court under the Code of Civil Procedure, 1908 for the purpose of discharging its functions under this Act.[23]
- Penalties:
- On determination of a breach of the provisions of this Act, on conclusion of the inquiry and after giving the concerned person an opportunity of being heard, the Board may impose such monetary penalty as is specified in the Schedule.
- Factors to determine the amount of monetary penalty:
- Nature, gravity and duration of the breach,
- Type and nature of personal data affected by the breach,
- Repetitive nature of the breach,
- Whether the person has realised a gain or avoided a loss as a result of the breach,
- Whether the amount of penalty is proportionate and effective to secure observance and deter breach of provisions of the Act,
- The likely impact of imposition of the monetary penalty on the person.[24]
Author: Bhagyashri Gunari
