In 2023, the Government Of India took a significant step by passing the Digital
Personal Data Protection Act to establish a framework for data protection in
India's rapidly evolving digital era. This law is India's first data protection
law which governs the processing of personal data of Indian citizens. This law
applies to all businesses operating in India and targeting Indian customers,
regardless of location. This law outlines specific requirements for privacy
notices in India.
A privacy notice is a document designed to inform users how their data will be
collected and processed under the provisions of the DPDPA, 2023. The primary
purpose of the privacy notice is to enable communication between the website and
its users and visitors. Providing a clear and concise privacy notice to users
and visitors is therefore necessary for complying with the DPDPA, 2023. In this
article, I'm outlining the key requirements under the DPDPA, 2023 for crafting a
privacy notice.
Relevant Provisions of DPDPA, 2023 for Privacy Notice
The DPDPA sets several conditions for privacy notices, such as obtaining valid
consent, outlining data principal rights, and keeping transparency in data
collection and processing.
Consent Requirements
Consent under the DPDPA is a clear affirmative action by the data principal that is
freely given, specific, informed, and unambiguous. It means the data principal
freely and actively agrees to the collection and processing of their personal
data; the consent must be freely given and not obtained by undue influence or
coercion.
Explicit Consent has several implications for privacy notices such as:
- Clearly Inform: The privacy notice shall clearly state the type of data being collected, the purpose of data collection, how the individual's data will be used, and who is involved in the processing. The language of the privacy notice should be easy for every individual to understand.
- Specific Consent: Companies should obtain consent specific to a particular purpose of data processing. For example, if a company intends to process data to make a delivery to your address, the company should obtain specific consent for that purpose.
- Opt-in Consent: Opt-in consent means consent by an individual to the use of their data for marketing. The DPDPA mandates opt-in consent, meaning individuals actively agree to data processing. Individuals can explicitly object to the data processing.
- Revocability: The DPDPA allows individuals to withdraw their consent at any time. The privacy notice must clearly contain instructions on how to revoke consent.
- Record: Organizations are responsible for maintaining a record of obtained consents, including the date, time, and manner in which consent was given.
- Organizations can use a checkbox stating "I agree to the Privacy Policy/Notice" to obtain valid consent from users. This checkbox can be located in various places, including but not limited to:
  - Account registration form
  - Checkout pages
  - Email newsletter sign-up form
  - Contact forms
  Ensure that users take a clear action to agree, and avoid automatic acceptance of the privacy notice upon registration.
- Data Principal/User Rights: The DPDPA provides several rights to users to control their personal data, enhancing transparency in privacy notices. The rights include:
  - Right to Access Personal Data: Users have the right to access their data collected by data fiduciaries, including the purpose, categories of data, and data recipients.
  - Right to Rectification: Users can request rectification if they believe their data is inaccurate, incomplete, or outdated.
  - Right to Erasure: Users may request data deletion in certain circumstances, such as when the data is no longer necessary for processing or the processing is unlawful.
  - Right to Restriction of Processing: Users can limit data processing in specific situations, such as when the accuracy of the data is disputed.
  - Right to Data Portability: Users have the right to obtain a copy of their data in a machine-readable format and may request data transfer to another controller.
  - Right to Object: Users may object to data processing for purposes like direct marketing or profiling.
  - Right to Withdraw Consent: Users can withdraw consent at any time, as consent under this Act is revocable.
  - Right to Nominate: Users may nominate another individual to exercise their rights if they become incapacitated.
Outlining these rights in the privacy notice not only promotes transparency but
also helps to build trust between you and your user.
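The consent properties listed above (purpose-specific, opt-in only, revocable at any time, and recorded with date, time and manner) together with the rights to withdraw consent and to access one's data are the parts of a privacy notice that a system has to back with actual records. The following is an added example, not code from the article or from any product it mentions: a minimal in-memory consent ledger in Python. All class, function and field names (ConsentLedger, ConsentEvent, notice_version, the user id "user-42", the timestamps) are this example's own assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str       # the data principal (hypothetical opaque user id)
    purpose: str            # one specific processing purpose, e.g. "delivery"
    action: str             # "given" or "withdrawn"
    manner: str             # how the action was captured, e.g. "checkout checkbox"
    notice_version: str     # version of the privacy notice the principal was shown
    timestamp: datetime     # when it happened (UTC)


class ConsentLedger:
    """Append-only record of consent given and withdrawn, per principal and purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, principal_id: str, purpose: str, action: str, manner: str,
                notice_version: str, at: Optional[datetime]) -> ConsentEvent:
        event = ConsentEvent(principal_id, purpose, action, manner, notice_version,
                             at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def _last_event(self, principal_id: str, purpose: str) -> Optional[ConsentEvent]:
        matches = [e for e in self._events
                   if e.principal_id == principal_id and e.purpose == purpose]
        return matches[-1] if matches else None

    def record_consent(self, principal_id: str, purpose: str, manner: str,
                       notice_version: str, *, affirmative: bool,
                       at: Optional[datetime] = None) -> ConsentEvent:
        # Opt-in only: a pre-ticked box, silence or registration by itself is not
        # consent, so the caller must assert that the principal took a clear action.
        if not affirmative:
            raise ValueError("consent requires a clear affirmative action")
        return self._append(principal_id, purpose, "given", manner, notice_version, at)

    def withdraw_consent(self, principal_id: str, purpose: str, manner: str,
                         at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is logged with the same detail as the grant and refers to
        # the notice version under which consent was originally given.
        last = self._last_event(principal_id, purpose)
        version = last.notice_version if last else "none"
        return self._append(principal_id, purpose, "withdrawn", manner, version, at)

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        # The latest event for this exact purpose decides; consent for one purpose
        # never carries over to another purpose.
        last = self._last_event(principal_id, purpose)
        return last is not None and last.action == "given"

    def consent_history(self, principal_id: str) -> List[dict]:
        # What the principal is shown when exercising the right to access.
        return [asdict(e) | {"timestamp": e.timestamp.isoformat()}
                for e in self._events if e.principal_id == principal_id]


def demo() -> dict:
    """Walk one constructed principal through a grant, a refused pre-ticked box and a withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    ledger.record_consent("user-42", "delivery", "checkout checkbox", "notice-v1.2",
                          affirmative=True, at=t0)
    try:
        # A pre-ticked marketing box is not an affirmative act and is refused.
        ledger.record_consent("user-42", "marketing", "pre-ticked box", "notice-v1.2",
                              affirmative=False, at=t0)
    except ValueError:
        pass
    before = (ledger.has_consent("user-42", "delivery"),
              ledger.has_consent("user-42", "marketing"))
    ledger.withdraw_consent("user-42", "delivery", "account settings page",
                            at=t0 + timedelta(days=30))
    return {
        "before_withdrawal": before,
        "after_withdrawal": ledger.has_consent("user-42", "delivery"),
        "history": ledger.consent_history("user-42"),
    }


if __name__ == "__main__":
    for row in demo()["history"]:
        print(row)
```

The ledger is append-only so that a withdrawal never erases the evidence that consent was once given, which is what an auditor or a grievance officer will ask for; the version of the notice the user actually saw is stored with each event, because a notice that changes over time (as the article recommends) otherwise leaves no record of what the user agreed to.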
Transparency
The DPDPA, 2023 gives special importance to transparency in data processing;
transparency is a basic principle of data protection. It ensures that data
principals are aware of how their data are collected, processed, and protected,
and the privacy notice is the main tool for achieving it.
The privacy notice provides information to data principals about how their data are being handled, including:
- The reason for data collection and processing.
- The categories of personal data collected (e.g., financial, health, preferences).
- The legal grounds for processing the data.
- How long the company can retain your data.
- Whether the company shares your data with third parties and, if so, the purpose of sharing.
- The rights of data principals listed above.
Organizations demonstrate transparency by providing this information clearly in their privacy notices.
Elements of Privacy Notice under This Act
This Act mandates that companies provide clear information to data principals regarding data processing activities in the privacy notice. Key elements include:
- Identity of Data Fiduciary:
  - A data fiduciary is responsible for data collection and for determining the purpose of data processing.
  - If another organization processes data on behalf of a company, it is called a data processor under the Act.
  - The privacy notice should provide contact details of the data fiduciary, including name, email, and address.
- Purpose of Processing: A clear and concise description of the purpose of data processing helps users understand why their data is being collected and how it will be used, promoting transparency and trust.
- Legal Basis for Processing: The privacy notice must outline the legal grounds for data processing, such as consent, contract, legal obligation, vital interest, public interest, or legitimate interests.
- Data Sharing and Third-party Disclosures:
  - Information on the third parties with whom data will be shared.
  - A clear explanation of why data is shared with third parties.
  - The categories of data disclosed, such as financial and health data.
  - The legal grounds for data sharing, such as contract or legal obligation.
- Data Retention Policy: Specifies the retention period, including factors such as legal obligations, business needs, and contractual obligations. Also outlines the right to data erasure after a specified period.
- Data Security Measures: Security measures to protect data from unauthorized access. There are three types:
  - Technical Measures: e.g., encryption, firewalls, access controls, and data backups.
  - Organizational Measures: e.g., security policies, employee training, regular security audits.
  - Physical Measures: e.g., access controls, environmental controls.
- Data Subject Rights: Details how individuals can exercise their rights, providing the contact information of the data controller and the request procedure.
- Grievance Redressal: Information on how individuals can raise concerns or make complaints, with contact details for the data protection officer, available hours, and response times.
Other elements can also be considered for inclusion in the privacy notice, for
example the categories of data collected and the data breach notification
process.
Best Practice for Drafting Privacy Notice
As we know, a privacy notice is the most important document that informs users
how their data are collected, processed, shared, and protected. Here are some
basic tips for drafting a compliant privacy notice:
Always use plain language that is easy for every user to understand. The DPDPA
obliges data fiduciaries to make the privacy notice available in English and in
all other languages listed in the Eighth Schedule of the Indian Constitution.
Make sure that your privacy notice is easy to access for all users, including
those with disabilities. Use a clear structure and headings, ensure compatibility
with screen readers, use a clear and consistent font, and consider audio or
video alternatives.
A privacy notice is a living document that should be periodically reviewed and
updated to ensure it remains accurate and compliant with applicable laws.
Updates become necessary when the applicable law changes, when business
practices change, after security incidents, or in response to user feedback and
complaints.
Enforcement and Penalties for Non-compliance with the DPDPA, 2023
The DPDPA sets out heavy penalties for non-compliance with its provisions,
including those related to the privacy notice. The penalties are as follows:
- The DPDPA imposes fines of up to Rs 5 crore (approx. $610,000) for minor
data violations and up to Rs 25 crore (approx. $3 million) for more serious
crimes.
- In certain serious cases, non-compliance with the Act's provisions can
attract criminal penalties, including imprisonment.
Conclusion
Organizations need to review their privacy notices to confirm compliance with
the Digital Personal Data Protection Act, 2023. Non-compliance with the Act's
provisions can result in heavy penalties and damage to reputation. By following
the best practices in this guide, organizations can draft privacy notices that
are legally compliant and transparent and that protect the rights of individuals.
References:
- https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
- https://www.cookieyes.com/blog/india-digital-personal-data-protection-act-dpdpa/