Express Computer

Demystifying the legal dimensions of data protection


By Antony Alex, Founder & CEO, Rainmaker

After multiple drafts and several years of research, the eagerly anticipated Digital Personal Data Protection Act (DPDP) of 2023 came into effect on August 11, 2023. Its primary purpose is to safeguard the rights and responsibilities associated with the management of extensive digital personal data within the economy.

Let’s take a deep dive into some key legal dimensions and components related to data protection.

Data protection laws: Many countries have specific laws and regulations that govern data protection. These laws outline the rights and obligations of individuals and organisations regarding the collection, storage, processing and sharing of personal data. Examples include the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Digital Personal Data Protection Act in India.

Personal data definition: Data protection laws typically define what constitutes personal data. Personal data refers to any information that can directly or indirectly identify an individual, such as names, addresses, identification numbers (UIDAI in India), biometric data or online identifiers. Understanding the scope of personal data is crucial for determining the applicability of data protection regulations.

Consent and lawful basis: Data protection laws often require organisations to obtain valid consent from individuals before collecting, processing or sharing their data with agencies, businesses or for processing by the State for permits, licenses, benefits and services. Consent must be freely given, specific, informed and unambiguous. Additionally, data processing must have a lawful basis, such as the necessity for contract performance, compliance with legal obligations, protection of vital interests, performance of a task carried out in the public interest, or legitimate interests pursued by the data fiduciary.

Data subject rights: Data protection laws grant individuals certain rights over their personal data. These rights may include the right to access their data, rectify inaccuracies, erase data (right to be forgotten), restrict processing, object to processing, data portability and the right not to be subject to automated decision-making. Organisations must facilitate the exercise of these rights by providing clear procedures and timely responses. In India, through the latest data protection legislation, a consent management framework has been proposed as well, details of which are awaited through the Rules.

Data fiduciary and data processor: Data protection laws differentiate between data fiduciaries and data processors. The data fiduciary determines the purposes and means of processing personal data, while the data processor processes data on behalf of the fiduciary. Data fiduciaries have primary responsibilities for ensuring compliance with data protection laws, while data processors have contractual obligations to process data only as directed by the fiduciary.

Security and confidentiality: Data protection laws typically require organisations to implement appropriate technical and organisational measures to ensure the security and confidentiality of personal data. This may include measures such as encryption, access controls, regular security assessments and employee training on data security best practices. Breaches or unauthorised access to personal data may have legal consequences, necessitating breach notification to authorities and affected individuals.

Cross-border data transfers: Data protection laws often regulate the transfer of personal data to countries outside the jurisdiction where the data is collected. In some cases, organisations must ensure that the receiving country offers an adequate level of data protection.

Alternatively, organisations may rely on specific legal mechanisms, such as standard contractual clauses or binding corporate rules, to legitimise such transfers. In India, for instance, through DPDPA, the Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to a particular country or territory outside India.

Regulatory authorities and enforcement: Data protection laws establish regulatory authorities responsible for enforcing compliance and ensuring the protection of individuals’ rights. These authorities may have powers to investigate data breaches, issue fines or penalties for non-compliance, provide guidance to organisations, and promote awareness of data protection principles.

The Central Government has proposed the establishment of a Data Protection Board of India to deal with data breaches and ensure the protection of individuals’ rights. The Board will be responsible for monitoring compliance and imposing penalties, directing data fiduciaries to take necessary measures in the event of a data breach, and hearing grievances of affected persons.
