THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (“DPDPA”): RIGHTS OF DATA PRINCIPALS

After multiple iterations, India passed the Data Protection Bill into law as the Digital Personal Data Protection Act, 2023 (“DPDPA”). Among other things, the new data protection act in India recognises the need of individuals to protect their personal data and, for this purpose, provides rights to the individuals to whom the personal data relates, who are referred to as “data principals”. Where the data principal is (a) a child, the term includes the parents or lawful guardian of such a child; or (b) a person with disability, the term includes their lawful guardian acting on their behalf.

Based on our in-depth experience in assisting clients in the data protection domain, this article provides an overview of the data principal rights available under the privacy act in India and makes practical recommendations on how businesses may implement and maintain processes to enable such requests.

RIGHTS OF DATA PRINCIPALS UNDER THE EXISTING LEGAL FRAMEWORK

The existing framework for data principal rights is rooted in the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) issued under the Information Technology Act, 2000. Under the SPDI Rules, data principals are empowered with —

(a) the right to review their personal data, 

(b) the right to obtain rectification of their personal data, 

(c) the right to withdraw consent to the processing of their personal data,

(d) the right to grievance redressal.

The Digital Personal Data Protection Act is set to repeal the SPDI Rules when it comes into effect and enhance the rights available under the SPDI Rules.

RIGHTS OF DATA PRINCIPALS UNDER THE DPDPA

Under DPDPA, data principals are empowered with certain rights, including:

Access to Information: Where the ground for processing personal data is consent, a data principal has the right to make a request to the data fiduciary and seek:

(a) A summary of personal data being processed and the activities undertaken with respect to such personal data.

(b) The identities of all other data fiduciaries and data processors with whom the personal data has been shared, along with a description of such data.

(c) Any other information prescribed by the Indian government.

Correction and erasure: A data principal is entitled to request the personal data to be corrected, completed, updated, and erased, where the ground for processing personal data is consent. The right to erasure may be exercised when the specified purpose for which their personal data was collected is no longer served by its retention.

Nomination: A data principal is entitled to nominate another individual who will exercise the rights of the data principal under the new privacy act in India (DPDPA) in the event of the data principal’s death or incapacity.

Withdraw consent: Where consent given by the data principal is the basis of processing personal data, the data principal has the right to withdraw their consent at any time. It should be as easy for the data principal to withdraw consent as it is to give consent.

Grievance redressal: A data principal has the right to readily available means of grievance redressal, offered by a data fiduciary or consent manager, concerning any act or omission in the performance of its obligations or the exercise of data principal rights under the law.

DUTIES OF DATA PRINCIPALS

The DPDPA also lays down specific duties for data principals. These include:

  • To comply with the law,
  • To not impersonate another person,
  • To not suppress any material information in certain circumstances,
  • To not file frivolous grievances or complaints,
  • To furnish only information that is verifiably authentic.

IMPACT ON BUSINESSES

The Digital Personal Data Protection Act is set to expand upon the rights available to individuals under the SPDI Rules. Accordingly, businesses ought to evaluate and revamp their internal data principal rights processes under the data protection act in India. To do that, businesses can take the following steps:

(a) appoint an officer to handle the front-end relationship with customers, particularly to respond to communications from customers (such as the data protection officer, where applicable).

(b) institute a proper UI/UX journey to ensure seamless facilitation of data subject rights, such as putting in place a data principal rights portal.

(c) set up internal mechanisms for request tracking, timeline maintenance, acknowledgements, and role divisions, and ensure that refusals and replies are in compliance with the law. 

CONCLUSION

Non-observance of the obligation to comply with rights requests of the data principal may attract fines as high as INR 50 crores. As a data protection law firm, we recommend that businesses start evaluating their data principal rights processes at this stage itself. Businesses may contact their respective data protection law firm for assistance in this regard. They may also perform a global data review of other data privacy laws and best practices to inform their own compliance.

If you have any queries or would like to know more about the DPDPA, 2023, reach out to Spice Route Legal, recognised as the best data protection law firm in India. Email: contact@spiceroutelegal.com.