The Digital Personal Data Protection Act, 2023 (DPDPA) was enacted to regulate the processing of digital personal data while balancing individual rights and lawful processing. Here are the salient features of the Act:

1. Applicability

  • Applies to personal data in digital form, whether collected online or digitized from offline sources.
  • Covers processing by Indian entities and foreign entities processing data of individuals in India for offering goods/services.

2. Key Definitions

  • Personal Data: Any information that can identify an individual.
  • Data Principal: The individual whose data is processed.
  • Data Fiduciary: The entity determining the purpose and means of processing personal data.
  • Consent Manager: A platform that helps individuals manage their data consent.

3. Grounds for Data Processing

  • Consent-Based Processing: Personal data can only be processed with explicit consent from the Data Principal.
  • Legitimate Uses (Without Consent): Includes government functions, judicial proceedings, medical emergencies, and employment purposes.

4. Rights of Data Principals

  • Right to Access Information: Know how and why their data is processed.
  • Right to Correction & Erasure: Request corrections or deletions of incorrect/incomplete data.
  • Right to Grievance Redressal: Complain to the Data Fiduciary and escalate to the Data Protection Board (DPB) if unresolved.
  • Right to Nominate: Appoint a nominee in case of death or incapacity.

5. Obligations of Data Fiduciaries

  • Lawful and Transparent Processing: Data must be processed only for lawful purposes.
  • Data Security: Ensure protection against breaches.
  • Data Retention Limits: Cannot retain data beyond the necessary duration.
  • Accountability: Must appoint a Data Protection Officer (DPO) if classified as a Significant Data Fiduciary (SDF).

6. Special Provisions for Children’s Data

  • Parental consent is mandatory for minors (under 18 years).
  • Prohibits tracking, behavioral monitoring, and targeted advertising for children.

7. Cross-Border Data Transfer

  • Allows international data transfer but may restrict transfers to certain blacklisted countries (not yet specified).

8. Data Protection Board (DPB)

  • An independent body to handle complaints, enforce compliance, and impose penalties.

9. Penalties for Non-Compliance

  • Failure to prevent a data breach: Up to ₹250 crore.
  • Failure to comply with obligations: Up to ₹200 crore.
  • Non-compliance with children’s data rules: Up to ₹200 crore.
  • Failure to fulfill security obligations: Up to ₹150 crore.

10. Exemptions

  • The government may exempt certain entities from compliance for national security, law enforcement, and research purposes.

Conclusion

The DPDPA, 2023 ensures data privacy, security, and accountability while enabling businesses to process data lawfully. It empowers individuals with rights over their personal data and imposes strict obligations on Data Fiduciaries to ensure responsible data handling.
