Rules (refer to the infographics) once notified will facilitate the implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act).
About DPDP Act 2023
- Background:
- 2011: Justice AP Shah Committee recommended privacy legislation
- 2017: Supreme Court in Justice KS Puttaswamy (Retd) vs Union of India recognized privacy as a fundamental right
- Scope: Covers digital personal data processing in India where such data is collected online or offline and is digitised.
- Data Protection Framework
- Obligations for Data Fiduciary (entity determining purpose and method of data processing)
- User (Data principals) Consent: Personal data may be processed after obtaining the consent of the individual.
- Consent will not be required for ‘legitimate uses’ like if data has been provided voluntarily, provision of benefit or service by the government, medical emergency, etc.
- Processing of personal data of children or a person with disability: Verifiable consent of parent or the lawful guardian is mandatory.
- Establishment of Data Protection Officer (DPO): Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary.
- Significant Data Fiduciary shall appoint a DPO who shall reside in India and be the point of contact for the grievance redressal mechanism.
- User (Data principals) Consent: Personal data may be processed after obtaining the consent of the individual.
- User Rights: Right to get a summary from the Data Fiduciary of how their personal data is being processed, which other entities have access to their data or any other information related to the personal data.
- Enforcement: Data Protection Board (DPB) has civil court powers for personal data breach complaints.
- Obligations for Data Fiduciary (entity determining purpose and method of data processing)
