The Digital Personal Data Protection Act of 2023 received the President's
assent on August 23, 2023, but has not yet been brought into force in the
country. This Act aims to provide for the protection of the privacy of
individuals relating to their personal data, specify the flow and usage of
personal data, create a relationship of trust between persons and entities
processing the personal data, protect the fundamental rights of individuals
whose personal data are processed, create a framework for organizational and
technical measures in the processing of data, lay down norms for social media
intermediaries, cross-border transfer, accountability of entities processing
personal data, and remedies for unauthorized and harmful processing, and
establish a Data Protection Authority of India for the said purposes and for
matters connected therewith or incidental thereto.
The Act imposes various legal obligations upon entities, whether government or
private, regarding the collection, storage, and processing of personal data.
Companies that come within the ambit of this Act are required to adhere to the
legal obligations mentioned hereunder:
- Grounds for processing Personal Data
  - As per Section 4 (1) of the Act, a company can process the personal data of a Data Principal only in accordance with the provisions of the Act and for a lawful purpose:
    - for which the Data Principal has given her consent, or
    - for certain legitimate uses.
  - According to Section 4 (2) of the Act, the expression "lawful purpose" means any purpose which is not expressly forbidden by law.
- Nature of Consent
  - According to Section 6 (1) of the Act, the consent given by a Data Principal to a company concerning the processing of personal data shall be free, specific, informed, unconditional, and unambiguous with a clear affirmative action. It shall also signify an agreement to the processing of her personal data for the specified purpose. Further, the extent to which the personal data of a Data Principal is processed must exactly correspond to the purpose specified by her.
  - Section 6 (3) of the Act says that every request for consent made by a company under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule of the Constitution.
- Withdrawal of Consent
  - Although Section 6 (4) of the Act empowers a Data Principal to withdraw her consent for the processing of personal data at any time, a company processing such data must make sure that such withdrawal shall not affect the legality of the processing of the personal data based on consent before its withdrawal. So, the transactions already made before withdrawing the consent by the Data Principal shall continue to operate and this has to be ensured by the concerned company [Section 6 (5)].
  - As per Section 6 (5) of the Act, if a Data Principal withdraws her consent to the processing of personal data, the company shall, within a reasonable time, cease to process the personal data of such Data Principal unless such processing without her consent is required or authorized under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.
- Notice
  - As per Section 5 (1) of the Act, every request made to a Data Principal to obtain her consent for the processing of personal data shall be accompanied or preceded by a notice given by the company to the Data Principal and must inform her about:
    - the personal data and the purpose for which the same is proposed to be processed.
    - how the Data Principal may make a complaint to the Data Protection Board of India, in such manner as may be prescribed.
- Proceeding relating to Consent
  - Section 6 (10) of the Act mentions that where consent given by the Data Principal is the basis of the processing of personal data and a question arises in this regard in a proceeding, the company shall be obliged to prove that a notice was given by it to the Data Principal and consent was given by such Data Principal to the company following the provisions of this Act and the rules made thereunder.
- Legitimate Uses
  - Section 7 of the Act mentions certain legitimate uses for which a company can process the personal data of a Data Principal. Such uses inter alia are:
    - for the specified purpose for which the Data Principal has voluntarily provided her personal data to the company, and in respect of which she has not indicated to the company that she does not consent to use her personal data. This means that consent is not required in every scenario;
    - for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of the sovereignty, integrity or security of the State;
    - for taking measures to ensure the safety, or provide aid or services to any individual during any disaster, or any breakdown of public order. In this clause, the expression "disaster" shall have the same meaning as assigned to it in clause (d) of Section 2 of the Disaster Management Act, 2005;
    - for employment or purposes related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, or the provision of a service or benefit sought by a Data Principal who happens to be an employee.
- Some General Obligations
  - As per Section 8 (1) of the Act, a company shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.
  - Section 8 (3) of the Act mentions that where personal data processed by a company is likely to be:
    - used to make a decision that affects the Data Principal; or
    - disclosed to another Data Fiduciary,

    the company processing such personal data shall ensure its completeness, accuracy, and consistency.
  - Section 8 (5) of the Act says that a company shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach.
  - Section 8 (6) of the Act says that in the event of a personal data breach, the concerned company shall give the Data Protection Board of India and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.
  - As per Section 8 (10) of the Act, a company is required to set up an effective mechanism to address the issues raised by its Data Principals.
- Processing of Personal Data of Children
  - According to Section 9 (1) of the Act, a company shall, before processing any personal data of a child or a person with a disability who has a lawful guardian, obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed.
  - As per Section 9 (2) of the Act, a company is duty-bound not to undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child.
  - As per Section 9 (3) of the Act, a company shall not undertake tracking or behavioral monitoring of children or targeted advertising directed at children.
Conclusion
In conclusion, the Digital Personal Data Protection Act of 2023 represents a
robust legislative framework designed to safeguard individuals' privacy,
especially in a rapidly digitizing world. By establishing clear guidelines for
consent, data processing, and accountability, the Act mandates a high level of
transparency and security from entities handling personal data. It also takes
critical steps to protect vulnerable groups, such as children, from potential
harm arising from data misuse.
As noted by the Supreme Court of India in Justice K.S. Puttaswamy (Retd.) vs
Union of India, "Privacy is the constitutional core of human dignity." This Act
not only upholds this principle but also strengthens the trust between
individuals and organizations, fostering a culture of data responsibility and
individual rights in the digital age. The Act's full implementation will be
pivotal in shaping a more privacy-conscious society, ensuring that technological
advancement does not come at the expense of fundamental rights.
References:
- https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
- https://carnegieendowment.org/research/2023/10/understanding-indias-new-data-protection-law?lang=en
- https://www.scconline.com/blog/post/2024/11/11/digital-personal-data-protection-act-2023-employers-guide/
- https://www.manupatracademy.com/legalpost/manu-sc-1044-2017
Written By: Tassaduq Hussain, a third-year law student at the Department
of Law, University of Kashmir