India's DPDP Act: Obligations of Data Fiduciaries
The Digital Personal Data Protection (DPDP) Act, 2023 sets out the responsibilities of a Data Fiduciary. It received presidential assent on August 11, 2023, and comes into force on a date notified by the Central Government, with different dates possible for different provisions. The legislation recognises the fundamental right to privacy and requires that personal data be processed only for lawful purposes.
Data Fiduciary
Section 2(i) of the DPDP Act defines 'Data Fiduciary' as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. The definition turns on who decides why and how the data is processed, not on who physically holds it; an entity that merely processes data on a fiduciary's behalf is a Data Processor, not a Data Fiduciary.
Obligations of a Data Fiduciary
Chapter II of the DPDP Act sets out the obligations of a Data Fiduciary and the principles governing data processing. Under the Act, personal data may be processed only for a lawful purpose, either with the consent of the Data Principal or for one of the legitimate uses the Act specifies. The term 'Data Principal' denotes the individual to whom the personal data relates; in the case of a child it includes the parents or lawful guardian, and in the case of a person with a disability it includes the lawful guardian acting on that person's behalf. Before or at the time of seeking consent, the Data Fiduciary must give the Data Principal a notice describing the personal data to be processed and the purpose of processing, the manner in which the Data Principal may exercise their rights, and the manner in which a complaint may be made to the Data Protection Board. The Data Principal must be given the option to access the notice in English or in any language specified in the Eighth Schedule of the Constitution. Where consent was obtained before the Act came into force, the Data Fiduciary must still provide this notice as soon as reasonably practicable.
A. Consent
Section 6 of the Act requires that consent from a Data Principal be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and that it signify agreement to the processing of personal data for the specified purpose only. Consent is limited to the personal data necessary for that purpose; any part of a consent that infringes the Act's provisions is void to that extent. A request for consent must be presented in clear and plain language and must include the contact details of the Data Protection Officer, where applicable, or of another person authorised by the Data Fiduciary to respond to communications from Data Principals. A Data Principal may withdraw consent at any time, and doing so must be as easy as giving it was. On withdrawal, the Data Fiduciary must cease processing within a reasonable time unless the processing is otherwise required or authorised under this Act or any other law in force in India; the consequences of withdrawal are borne by the Data Principal.
B. Appointment of a Consent Manager
The Data Principal may give, manage, review or withdraw consent to a Data Fiduciary through a Consent Manager. The Consent Manager is accountable to the Data Principal, acts on their behalf, and must perform its functions in the manner prescribed. Every Consent Manager must be registered with the Data Protection Board in the prescribed manner and must satisfy the technical, operational, financial and other conditions that are prescribed.
C. Processing for Certain Legitimate Uses
Under Section 7 of the Act, a Data Fiduciary may process personal data without separate consent for certain legitimate uses. One such use is processing for the specified purpose for which the Data Principal has voluntarily provided their personal data to the Data Fiduciary, provided the Data Principal has not indicated that they do not consent to its use. The section lists further legitimate uses, such as compliance with a legal obligation or court order, responding to a medical emergency, and employment-related purposes.
D. Processing of Data for the State
Section 7 also allows the State and its instrumentalities to process a Data Principal's personal data for the purpose of providing or issuing a subsidy, benefit, service, certificate, licence or permit. This is permitted in either of two circumstances: first, where the Data Principal has previously consented to such processing by the State or any of its instrumentalities for any such purpose; or second, where the personal data is available in digital form in, or in non-digital form and subsequently digitised from, any database, register, book or other document maintained by the State, as notified by the Central Government. In either case, processing must comply with the standards laid down in a policy issued by the Central Government or under any applicable law.
E. General Obligations of a Data Fiduciary
Section 8 sets out the general obligations of a Data Fiduciary. A Data Fiduciary is responsible for compliance with the Act and its rules in respect of any processing it undertakes, or that a Data Processor undertakes on its behalf, regardless of any contract or of a Data Principal's failure to carry out their own duties. A Data Processor may be engaged only under a valid contract. Where personal data is likely to be used to make a decision that affects the Data Principal, or is to be disclosed to another Data Fiduciary, the fiduciary must ensure its completeness, accuracy and consistency. It must implement appropriate technical and organisational measures, protect personal data in its possession or under its control (including data held by a Data Processor) through reasonable security safeguards to prevent a personal data breach, and, in the event of a breach, notify the Data Protection Board and each affected Data Principal in the prescribed form and manner. It must erase personal data when consent is withdrawn or when it is reasonable to assume the specified purpose is no longer being served, unless retention is required by law, and must ensure any Data Processor does the same. It must also publish the business contact details of the Data Protection Officer, where applicable, or of a person able to answer questions about processing on the Data Principal's behalf, and must maintain an effective grievance redressal mechanism.
F. Processing of Personal Data of Children
Section 9 governs the processing of personal data of children (persons under 18) and of persons with disabilities who have a lawful guardian. Before processing such data, the Data Fiduciary must obtain verifiable consent from the parent or lawful guardian, in the manner prescribed. A Data Fiduciary must not undertake any processing of personal data that is likely to cause a detrimental effect on the well-being of a child, and must not carry out tracking or behavioural monitoring of children or targeted advertising directed at children. The Central Government may, by notification, exempt specified classes of Data Fiduciaries or specified purposes from some of these requirements, subject to prescribed conditions.
Significant Data Fiduciary
Under Section 10, the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary after assessing relevant factors, including the volume and sensitivity of the personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order.
Additional Obligations of a Significant Data Fiduciary
A Significant Data Fiduciary must appoint a Data Protection Officer and an independent data auditor, and must undertake further measures to ensure compliance with the Act. The Data Protection Officer must represent the Significant Data Fiduciary, be based in India, and be responsible to the fiduciary's board of directors or an equivalent governing body.
These additional obligations consist of:
- Appointing a Data Protection Officer to represent the Significant Data Fiduciary, to be based in India, to be accountable to its board of directors or similar governing body, and to act as the point of contact for grievance redressal under the Act.
- Appointing an independent data auditor to evaluate the Significant Data Fiduciary's compliance with the Act.
- Carrying out periodic Data Protection Impact Assessments (DPIAs), which describe the rights of Data Principals and the purpose of processing, assess and manage the risk to those rights, and cover any other matters prescribed.
- Carrying out periodic audits to verify compliance with the Act, and taking any other measures consistent with the Act that may be prescribed.
- Complying with any further measures that the Central Government may specify by notification for Significant Data Fiduciaries.
Conclusion:
The Digital Personal Data Protection (DPDP) Act, 2023 establishes a framework for protecting the privacy of individuals in India. Through a defined set of obligations, the Act requires Data Fiduciaries to process personal data lawfully, to treat consent as central, and to safeguard the rights of Data Principals. Notably, the Act lays down specific rules for children's data, places heightened responsibilities on Significant Data Fiduciaries, and provides penalties for non-compliance. By balancing the usefulness of data against its protection, the DPDP Act is intended to foster a more accountable and secure digital environment in the country.