Here are key points outlined in the Digital Personal Data Protection Act, organized by chapter.
CHAPTER I :- PRELIMINARY
1) The Act is titled the Digital Personal Data Protection Act, 2023.
2) It aims to regulate the processing of digital personal data, balancing individual privacy rights with the necessity of lawful data processing.
3) The Act came into effect on 11th August 2023, as per the notification by the Central Government.
4) Key definitions provided within the Act include terms like "Appellate Tribunal," "automated," "Board," "Data Fiduciary," "Data Principal," and more, to clarify its scope and application.
5) It establishes the Data Protection Board of India to oversee compliance and enforcement.
6) "Digital personal data" refers to personal data in digital form.
7) The Act extends its application to both digital personal data processed within India and data processed outside India concerning Indian data principals.
8) Exemptions include personal data processed for personal/domestic purposes and publicly available data made so by the data principal or under legal obligation.
9) It outlines provisions for the appointment of Data Protection Officers by Significant Data Fiduciaries.
10) The Act defines terms like "processing," "personal data breach," and "specified purpose" to ensure clarity in legal interpretation and enforcement.
CHAPTER II :- OBLIGATIONS OF DATA FIDUCIARY
1) Grounds for processing personal data: The Act stipulates that personal data can only be processed for lawful purposes, including with the consent of the Data Principal or for certain legitimate uses.
2) Notice requirements: Before processing personal data, the Data Fiduciary must provide a notice to the Data Principal, outlining the purpose of processing, rights of the Data Principal, and complaint procedures.
3) Consent: Consent from the Data Principal must be free, specific, informed, unconditional, and signify clear affirmative action. Any part of consent that violates the Act or other laws is deemed invalid.
4) Withdrawal of consent: The Data Principal has the right to withdraw consent at any time. The withdrawal should be as easy as giving consent, but the legality of processing before withdrawal remains unaffected.
5) Legitimate uses: The Act specifies certain legitimate uses for processing personal data, including fulfilling contractual obligations, providing government services, ensuring public safety, and responding to medical emergencies.
6) Responsibilities of Data Fiduciary: The Data Fiduciary is responsible for complying with the Act, engaging Data Processors under valid contracts, ensuring completeness and accuracy of data, implementing security measures, and notifying affected parties in case of a breach.
7) Retention and erasure: Personal data should be erased when the specified purpose is no longer served or upon withdrawal of consent, unless retention is necessary by law. Data Fiduciaries must ensure the completeness and accuracy of data.
8) Processing of personal data of children: Special provisions apply to the processing of personal data of children, including obtaining consent from parents or guardians, avoiding detrimental effects on children's well-being, and prohibiting tracking or targeted advertising directed at children.
9) Significant Data Fiduciary: The Central Government may designate certain Data Fiduciaries as Significant Data Fiduciaries based on factors such as volume and sensitivity of data processed, risk to Data Principal rights, and impact on national security.
10) Significant Data Fiduciaries have additional obligations, including appointing a Data Protection Officer and conducting periodic audits and assessments.
CHAPTER III :- RIGHTS AND DUTIES OF DATA PRINCIPAL
1) Right to Access Information: Data Principals have the right to request and obtain a summary of their personal data being processed by a Data Fiduciary, along with information on processing activities and data sharing.
2) Right to Correction and Erasure: Data Principals can request correction, completion, updating, or erasure of their personal data if inaccurate, incomplete, or no longer necessary for the specified purpose.
3) Right of Grievance Redressal: Data Principals have the right to access grievance redressal mechanisms provided by Data Fiduciaries or Consent Managers for addressing any issues related to their personal data.
4) Right to Nominate: Data Principals can nominate another individual to exercise their rights in case of death or incapacity due to unsoundness of mind or bodily infirmity.
5) Duties of Data Principal: Data Principals are obliged to comply with applicable laws, provide authentic information, refrain from impersonation, and avoid suppressing material information while providing personal data.
6) Responsibility to Not Impersonate: Data Principals must ensure they do not impersonate others while providing personal data for specified purposes.
7) Prohibition of Suppression of Information: Data Principals must refrain from suppressing material information while providing personal data for official documents issued by the State or its instrumentalities.
8) Prohibition of False Complaints: Data Principals should not register false or frivolous complaints with Data Fiduciaries or the Board.
9) Requirement for Authentic Information: When exercising the right to correction or erasure, Data Principals should furnish only verifiably authentic information.
10) Compliance with Applicable Laws: Data Principals must comply with all applicable laws while exercising their rights under the Act.
CHAPTER IV :- SPECIAL PROVISIONS
1) Restriction on Transfer Outside India: The Central Government can restrict the transfer of personal data by a Data Fiduciary to countries or territories outside India through notification.
2) Exemptions from Certain Provisions: Certain provisions of the Act do not apply in specific circumstances, such as when processing is necessary for enforcing legal rights, judicial functions, law enforcement, contractual obligations, corporate activities like mergers, or financial investigations.
3) Exemptions for Certain Entities and Purposes: The Act does not apply to certain government instrumentalities for reasons of national security or to processing necessary for research, archiving, or statistical purposes, provided the data isn't used for making decisions specific to a Data Principal.
4) Exemption for Startups: Certain provisions of the Act do not apply to startups, as defined by the government, based on volume and nature of personal data processed.
5) Exemptions for State Processing: Some provisions do not apply to processing by the State or its instrumentalities, especially if it doesn't involve making decisions affecting the Data Principal.
6) Temporary Exemptions: The Central Government can declare certain provisions of the Act not applicable to specific Data Fiduciaries or classes of Data Fiduciaries for a specified period, not exceeding five years from the commencement of the Act.
CHAPTER V :- DATA PROTECTION BOARD OF INDIA
1. Establishment of Board:
- The Data Protection Board of India is established by the Central Government, with perpetual succession and a common seal.
- The Board has the power to acquire, hold, and dispose of property, contract, and sue or be sued.
2. Composition and Appointment:
- The Board consists of a Chairperson and other Members appointed by the Central Government.
- Members must possess expertise in various fields relevant to data governance, law, technology, etc.
- The Chairperson and Members serve a two-year term and are eligible for reappointment.
3. Disqualifications and Resignation:
- Criteria for disqualification include insolvency, criminal conviction, incapacity, conflict of interest, and abuse of position.
- Resignations must be submitted to the Central Government and become effective upon approval or after three months.
4. Procedures and Functioning:
- The Board conducts its business as prescribed, including through digital means.
- It has powers similar to a civil court, including summoning witnesses, receiving evidence, and inspecting documents.
- Interim orders may be issued during inquiries, and final decisions are based on principles of natural justice.
CHAPTER VI :- POWERS, FUNCTIONS, AND PROCEDURE
1) The Board exercises powers related to personal data breaches, inquiries, and penalties.
2) It issues directions, conducts inquiries, and may impose penalties for breaches of data protection laws.
3) The Board functions independently and digitally, with hearings and decisions conducted electronically.
4) It determines the grounds for inquiry and has powers similar to a civil court.
5) The Board may request assistance from law enforcement agencies or government officers.
CHAPTER VII :- APPEAL AND ALTERNATE DISPUTE RESOLUTION
1) Any person aggrieved by the Board's order may appeal to the Appellate Tribunal.
2) The Appellate Tribunal hears appeals, decides on modifications, and sends copies of orders to relevant parties.
3) Appeals are to be disposed of within six months, and reasons must be given for delays.
4) Orders of the Appellate Tribunal are executable as civil court decrees.
CHAPTER VIII :- PENALTIES AND ADJUDICATION
1) The Board imposes penalties for significant breaches of data protection laws, considering various factors.
2) Penalties collected are credited to the Consolidated Fund of India.
CHAPTER IX :- MISCELLANEOUS
1) Legal immunity is provided for actions done in good faith under the Act.
2) The Central Government may issue directions and seek information for implementing the Act.
3) The Act prevails over other laws in case of conflict.
4) Civil courts have no jurisdiction over matters under the Act.
5) The Central Government can make rules and amend penalties specified in the Schedule.