Data Protection in the Digital Era: Unpacking the DPDP Act for Businesses and Individuals
Have you ever wondered what the most common type of data leaked on the dark web is? First, though, what actually is the dark web?
The dark web is a part of the internet where private computer networks communicate and conduct business anonymously, without revealing identifying information such as a user's location. It is a separate world on the web where personal information, sensitive financial data and user credentials are often leaked. Such leakage, whose cost is sometimes impossible to estimate in monetary terms, underscores the importance of digital data privacy. In response to this, and taking into account regulations such as the GDPR, reputational and business risk, and the need for transparent organisations in the future, the Indian government has introduced the Digital Personal Data Protection Act, 2023 (DPDP Act, 2023). This 21-page act is concise, clear and easy to understand, with simple illustrations integrated into the act itself.
Recent Indian Incidents of Data Breaches: An Overview
| Name of Breach | Description of Breach | Affected Sector | Source of Information |
|---|---|---|---|
| 2016 Debit Card Data Breach | Malware compromised 3.2 million debit cards from major banks. | Banking | |
| SBI Data Breach (2019) | Exposed customer data such as partial bank account numbers, bank balances and transaction details from an unprotected server. | Banking | |
| Justdial Data Breach (2019) | Leaked details of nearly 100 million users due to an unprotected API. | Technology | |
| Kudankulam Nuclear Power Plant Breach (2019) | Malware attack that collected information without affecting critical systems. | Energy | |
| Big Basket Data Breach (2020) | Leaked details of 20 million users, such as full name, e-mail ID, contact number, address and date of birth. | E-Commerce | |
| Unacademy Data Breach (2020) | Around 20 million users' data, such as user name, last login details, joining date, first/last name and e-mail ID, was leaked. | Education | |
| Dominos India Data Breach (2021) | Data of 18 crore orders leaked and put up for sale on the dark web. | Food Service | |
| ICMR (2023) | About 815 million Indian citizens' Aadhaar and passport details were on sale on the dark web. | Healthcare | |
| Zivame (2023) | About 1.5 million female customers' data, such as name, address and contact details, was on sale on a non-public domain. | E-Commerce | |
Considering the biggest data breaches in India listed above, protecting users' data had become a necessity. To protect users with respect to how their data may be used by a Data Fiduciary, the act introduces a consent mechanism in which a user gives consent to a Data Fiduciary and Data Processor regarding the use of personal data. A consent withdrawal mechanism is also introduced for when the need for data processing is over.
So, compliance with the DPDP Act is required in each and every sector where personal information is stored digitally. From finance to education, insurance to airlines, each industry faces its own cybersecurity challenges. In the energy and e-commerce sectors, safeguarding sensitive data is crucial, just as it is in banking, government, food services and many other sectors.
Let's decode the key takeaways from the DPDP Act, 2023:
Definitions are always the heart of an act, and the key definitions of this act are stated below:
1. “digital personal data” means personal data in digital form.
2. “personal data” means any data about an individual who is identifiable by or in relation to such data.
3. “personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
4. “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
5. “Data Principal” means the individual to whom the personal data relates and where such individual is—
i. a child, includes the parents or lawful guardian of such a child;
ii. a person with disability, includes her lawful guardian, acting on her behalf;
6. “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary.
The DPDP Act's applicability and scope:
The DPDP Act, 2023 applies to the processing of digital personal data within the territory of India, whether the personal data is collected in digital form or collected in non-digital form and subsequently digitised. Additionally, it applies to the processing of digital personal data outside the territory of India if such processing is connected to any activity related to offering goods or services to Data Principals within the territory of India.
The act does not apply to personal data processed by an individual for personal or domestic purposes, nor does it apply to personal data that is voluntarily made publicly available by the Data Principal themselves (for example, by blogging personal views on social media) or by any other individual obligated by law to make such data publicly accessible.
Consent:
Consent given by the Data Principal for the processing of her data is the backbone of the DPDP Act, 2023. Without consent, the Data Fiduciary cannot access the Data Principal's personal data. Such consent must be sought from the Data Principal by way of a notice to the Data Principal. It should be clear and unconditional and state the purpose for which the Data Fiduciary is seeking it. The Data Fiduciary must establish a consent mechanism in compliance with this Act.
Consent shall be accompanied by Notice:
Every request made to a Data Principal for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing them of the personal data and the purpose of its processing, the manner in which they may exercise their rights, and the procedure for making a complaint to the Board, as prescribed.
Let’s understand this through an example: To fulfil the Know-Your-Customer requirements mandated by law for opening a bank account, a live, video-based customer identification process is conducted. In this process, the data fiduciary is required to describe the personal data and the purpose of its processing to the Data Principal.
Pre-Act Consent: Providing Notice Post-Act
Where a Data Principal has given her consent for the processing of her personal data before the commencement date of the Act, the Data Fiduciary should inform the Data Principal about the use of such personal data through in-app notification, e-mail or other means.
Let’s understand this through an example: If a person has given her consent to the processing of her personal data for an online shopping app or website before the commencement of this Act; upon the Act's commencement, such shopping app or website shall, as soon as practicable, provide information describing the personal data and the purpose of its processing through email, in-app notification, or other effective methods.
Invalid Waiver of Rights in Consent
Any part of a consent that infringes the Act, its rules or any other law is invalid.
Let’s understand this through an example: An individual purchases an insurance policy through the mobile app or website of Company Y, an insurer. In the process, she consents to Company Y for processing her personal data for policy issuance purposes. Additionally, she agrees to waive her right to file a complaint with the Data Protection Board of India. However, such waiver of her complaint rights is deemed invalid under this act.
Certain legitimate uses:
A Data Fiduciary may process the personal data of a Data Principal for specified purposes, for instance where the Data Principal has voluntarily provided their personal data to the Data Fiduciary for a specific purpose and has not indicated to the Data Fiduciary that they do not consent to the use of that data. For example, when purchasing an item, a person who voluntarily provides personal data so that a receipt can be sent by SMS to their mobile phone has allowed the seller to process that personal data for the purpose of sending the receipt.
Protocol for Data Erasure
A Data Fiduciary shall, unless retention is necessary for compliance with any law currently in force, erase personal data when the Data Principal withdraws their consent or as soon as the specified purpose is no longer being served, whichever occurs first. Additionally, the Data Fiduciary must ensure that its Data Processor erases any personal data that was provided to it for processing.
For example, if you are using an online marketplace and provided your consent for the processing of your personal data to sell your used car, the online marketplace, upon concluding the sale, should no longer retain your personal data.
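The consent and erasure rules described above (a consent request must carry a complete notice, a clause waiving the right to complain to the Board is void, and data is erased on withdrawal or once the purpose is served, whichever comes first, unless a law requires retention, with processors erasing their copies too) can be modelled as a small consent ledger. This is an added illustration, not code from the act or from any regulator; the class and field names, the `VOID_TERMS` set and the `retention_law` string are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

VOID_TERMS = {"waive_complaint_right"}  # assumed label for a term the Act renders void

@dataclass
class Notice:
    # A notice must describe the data, its purpose, how rights are exercised and how to complain.
    data_items: tuple
    purpose: str
    rights_info: str
    complaint_procedure: str
    def is_complete(self) -> bool:
        return all((self.data_items, self.purpose, self.rights_info, self.complaint_procedure))

@dataclass
class ConsentRecord:
    notice: Notice
    terms: Set[str] = field(default_factory=set)
    withdrawn: bool = False
    purpose_served: bool = False
    retention_law: Optional[str] = None  # legal ground that requires keeping the data, if any

class DataFiduciary:
    def __init__(self) -> None:
        self.consents: Dict[str, ConsentRecord] = {}  # principal -> active consent
        self.processors: Dict[str, Set[str]] = {}     # processor -> principals whose data it holds
    def seek_consent(self, principal: str, notice: Notice, terms=frozenset()) -> ConsentRecord:
        if not notice.is_complete():
            raise ValueError("consent request must be accompanied by a complete notice")
        rec = ConsentRecord(notice, set(terms) - VOID_TERMS)  # void terms are dropped, not honoured
        self.consents[principal] = rec
        return rec
    def share_with_processor(self, processor: str, principal: str) -> None:
        self.processors.setdefault(processor, set()).add(principal)
    def withdraw(self, principal: str) -> bool:
        self.consents[principal].withdrawn = True
        return self._erase_if_due(principal)
    def mark_purpose_served(self, principal: str) -> bool:
        self.consents[principal].purpose_served = True
        return self._erase_if_due(principal)
    def _erase_if_due(self, principal: str) -> bool:
        # Erase on withdrawal or completed purpose (whichever first) unless law requires retention;
        # every processor holding a copy must erase as well. Returns True when erasure happened.
        rec = self.consents[principal]
        if not (rec.withdrawn or rec.purpose_served) or rec.retention_law:
            return False
        del self.consents[principal]
        for shared in self.processors.values():
            shared.discard(principal)
        return True
```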
Penalties:
When imposing a monetary penalty specified in the Schedule, the person must be given an opportunity to be heard, as a matter of natural justice.
The amount of monetary penalty is to be determined considering the following factors:
• The nature, gravity, and duration of the breach.
• The type and nature of the personal data affected by the breach.
• Repetitive nature of the breach.
• Whether the person realized a gain or avoided any loss as a result of the breach.
• Any action taken by the person to mitigate the effects and consequences of the breach, including the timeliness and effectiveness of such action.
• Whether the monetary penalty is proportionate and effective, considering the need to secure observance of and deter breach of the provisions of this Act.
• The likely impact of the imposition of the monetary penalty on the person.
All sums realized from penalties imposed by the Board under this Act shall be credited to the Consolidated Fund of India.
Scale of Penalties: From 10,000 to 250 Crore Rupees
• Penalty up to 250 crore rupees for breaching the Data Fiduciary's obligation to implement reasonable security safeguards to prevent a personal data breach.
• Penalty up to 200 crore rupees for failing to notify the Board or the affected Data Principal of a personal data breach, or for failing to comply with additional obligations regarding children.
• Penalty up to 150 crore rupees for breaching additional obligations of Significant Data Fiduciaries.
• Penalty up to 50 crore rupees for breaching any other provision of this Act or the rules made thereunder.
• Penalty up to 10,000 rupees for breaching the duties of a Data Principal.
Way Forward for Businesses and Pro-active measures:
Many businesses will encounter challenges in complying with the DPDP Act, 2023 due to a lack of technical knowledge, disorganised IT systems, and poorly mapped data flows and data organisation. MSMEs in particular will face difficulties in modernising their IT infrastructure to align with this act's compliance requirements. The key considerations stated below will be useful in complying with the requirements of this act:
1. Evaluation of Existing Compliance status
2. Data Impact Assessments
3. Analysis of Data Flow in the organisation
4. Rejig of Data Access Controls within the organisation
5. Ongoing Employee Training and Awareness on Data Privacy
6. Considering appropriate encryption methods for securing users' personal data
7. Adjusting Service Level Agreements (SLAs) to Ensure Alignment with Compliance Requirements in Relation to Data Processors (If any)
8. Establishing a Consent Framework and Designating a Consent Manager
9. Implementation of Data Breach Response Mechanism
Certainly, the considerations mentioned above are merely illustrative; it is essential to also account for additional, significant factors tailored to the unique needs of the organisation.
Conclusion:
In a digital age marked by significant data breaches and privacy concerns in India, the introduction of the Digital Personal Data Protection Act, 2023 (the DPDP Act, 2023) by the Indian government represents a positive and proactive step towards safeguarding individuals' personal information, thereby boosting individuals' confidence in the privacy of their personal data. This comprehensive legislation, with its emphasis on consent, transparency and stringent penalties for non-compliance, aims to infuse trust and accountability into the digital ecosystem.
Disclaimer: This material and the information contained herein are intended for clients and other Chartered Accountants to provide updates and are not an exhaustive treatment of the subject. We are not, by means of this material, rendering any professional advice or services. It should not be relied upon as the sole basis for any decision which may affect you or your business.