
Cracking the Code:

Understanding India's
Digital Personal Data
Protection Act, 2023
HOW DID WE GET HERE?

No Standalone Law on Data Protection: Use of personal data regulated under the Information Technology Act, 2000, and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Justice K.S. Puttaswamy (Retd) vs. Union of India [August 24, 2017]: Right to Privacy recognized as part of Right to Life in landmark Supreme Court judgment.

Report of Committee of Experts on Data Protection, chaired by Justice B. N. Srikrishna [2017-2018].

Personal Data Protection Bill, 2018: Drafted by B.N. Srikrishna Committee - reviewed by the Cabinet Ministry.

Personal Data Protection Bill, 2019: Introduced: December, 2019. Withdrawn: August, 2022.

DIGITAL PERSONAL DATA PROTECTION ACT, 2023 ["DPDPA"]: Introduced and Passed: August, 2023. [The applicability of the provisions of the DPDPA is yet to be notified.]
WHAT WE NOW KNOW

- Applicability
- Rights and obligations of the Data Principal
- Explaining Data Fiduciary, Significant Data Fiduciary, Data Processor, Consent Manager, Data Protection Board and the Central Government
- Data Protection Board - Composition and Powers
- Understanding lawful purpose, legitimate uses, due notice (multi lingual), consent (and its components)
- Withdrawal of consent and erasure of personal data
- Data retention requirements prescribed by the DPDPA
- Grievance redressal procedures waterfall
- Treatment of Children's data
- Significant data fiduciary and higher compliance/obligations
- Penalties
APPLICABILITY - WHAT DATA DOES IT APPLY TO?

Geographic applicability: Applies to all processing of digital personal data that occurs:
(a) within India; and
(b) outside India, to any activity relating to the offering of goods or services to Data Principals in India.

Personal Data: the DPDPA defines personal data as “any data about an individual who is identifiable either by such data or in relation to such data”. All personal data that is collected in digital form, or digitized personal data that was originally collected offline.

Automated Processing: It extends to all automated operations (in whole or part) performed on digital
personal data, including collection, recording, organization, storage, retrieval, use, indexing, sharing,
erasure and destruction of such personal data.
EXCLUSIONS/EXEMPTIONS

Publicly Available Data: Any personal data that has been made (or caused to be made) publicly available by:
- the Data Principal, or
- a third party required by law to make it publicly available.

Personal/Domestic Purpose: does not apply to the processing of personal data by an individual for any personal or domestic purpose.

Central Government Exemptions:
- processing by government instrumentalities for specific purposes, such as in the interest of sovereignty and integrity of India, security of the State, and friendly relations with foreign States (Section 17(2)(a));
- processing that is necessary for research, archiving or statistical purposes provided that the personal data is not used for making any decision specific to a Data Principal, and such processing is in accordance with prescribed standards (Section 17(2)(b)); and
- certain Data Fiduciaries, including startups, from select obligations (Section 17(3)).
KEY PLAYERS AROUND THE QUEEN

Data Principal: Individual who owns the personal data, including children and persons with disabilities.

Data Fiduciary: Any person who alone or with others determines the purpose and means of processing personal data.

Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.

Consent Manager: Proposed as the single point of contact between the Data Principal and Data Fiduciaries, and assists the Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.

Data Protection Board: Established by the Central Government to ensure compliance with the DPDPA.
RULES OF THE DATA PROTECTION CHESSBOARD

Grounds for processing personal data: Only for a lawful purpose:
1) For which the Data Principal has given her consent;
2) For certain legitimate uses (without consent).

Consent:
- free, specific, informed, unconditional, and unambiguous;
- clear affirmative consent; and
- limited to personal data that is necessary for the specified purpose.

Legitimate Uses:
- medical treatment/health services/responding to an emergency;
- disaster relief;
- compliance with a judgment; and
- employment purposes, or to protect employers from loss or liability.
CONSENT NOTICE REQUIREMENTS

In writing and to be made available in vernacular languages:
- What personal data is to be collected;
- Specified purposes for which data will be processed;
- Manner of exercise of rights by the data principal;
- Contact details of data protection officer or equivalent thereof for grievance redressal.

Consent must be capable of being withdrawn as easily as it was given - manner of withdrawing consent to be clearly explained and should be easy to access and exercise.
UNDERSTANDING THE CONCEPT OF A CONSENT MANAGER

- Registered with the Board
- Acts on behalf of, and accountable to, the Data Principal
- Twin objectives of aiding in standardizing consent while also making consent accessible to Data Principals

[Figure: consent management platform. Users interact with a Consent Portal operated by the Consent Manager to Create, Update, Revoke and Verify Consent, which is stored in and retrieved from a Consent Management Database. A Data Fiduciary's Application calls a Consent Application Programming Interface (Interoperability) to Request Info and receives Allow or Deny Info; Consent Validation asks "Is Consent Authorized?" and returns Allow Access (Yes!) or Deny Access (No!).]

*Current pictorial representation is of our understanding of consent management platforms, but it may change based on offered products and government requirements under DPDPA.
RIGHTS OF DATA PRINCIPAL

Right to Access: (i) Summary of their data being processed, and processing activities undertaken; and (ii) Identities of all Data Fiduciaries and Data Processors who have access to their data (except where personal data has been shared for investigation/prosecution of offences). (Section 11)

Right to Correction and Erasure: Can request a Data Fiduciary to correct, complete, update, or erase their personal data (except where data retention is required under law or for the specified purpose). (Section 12)

Right of grievance redressal: Should be provided access to a readily available means of grievance redressal. (Section 13)

Right to nominate: Can nominate an individual to exercise their rights in the event of their death or incapacity. (Section 14)

DUTIES OF DATA PRINCIPAL

- Comply with the provisions of all applicable laws for the time being in force.
- Not impersonate another person while providing personal data for a specified purpose.
- Not suppress any material information while providing personal data, unique identifier, proof of identity, or proof of address issued by the State/its instrumentalities.
- Furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under DPDPA.
- Not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board.
OBLIGATIONS OF DATA FIDUCIARIES

- Ensure completeness, accuracy, and consistency of personal data that they process when (a) used to make a decision that affects a Data Principal, or (b) disclosed to another Data Fiduciary.
- Implement technical safeguards and take reasonable security measures to effectively observe the provisions of the DPDPA and to prevent data breaches.
- Publish details of a grievance officer.
- Erase, destroy or anonymize personal data if the Data Principal withdraws consent or the specified purpose is no longer served.
- Notify personal data breaches to the DPB and each affected Data Principal.
SIGNIFICANT DATA FIDUCIARIES

Who is a Significant Data Fiduciary? As may be notified by the Central Government based on:
- volume and sensitivity of personal data processed,
- the risk posed to the rights of the Data Principal,
- the potential impact on (a) the sovereignty and integrity of India, (b) the risk to electoral democracy, (c) security of the State, and (d) public order.

Obligations of Significant Data Fiduciary:
- Appointing a Data Protection Officer based in India
- Periodic Data Protection Impact Assessment
- Periodic Audit
- Appointment of an Independent Data Auditor to evaluate compliance
DATA PROTECTION BOARD - POWERS

Members: Central Government appointees; two year term; at least one legal expert.

- Inquiry into a personal data breach/non-compliance by a Data Fiduciary of its obligations and imposition of penalties for such breaches or directions for remedial measures.
- Inquiry into breach/non-compliance by Consent Managers of their obligations and imposition of penalties for such breaches.
- On reference by the Central Government, inquiry into violation of Central Government's orders by an intermediary (as defined in the Information Technology Act, 2000).
- Power to impose penalties, act as a Civil Court, and required to follow principles of natural justice while conducting inquiries.
GRIEVANCE REDRESSAL

Data Principal -> Files Grievance with Data Fiduciary or Significant Data Fiduciary or Consent Manager
-> Not Satisfied With Grievance Redressal -> Data Protection Board of India (Pass an Order / Voluntary Undertaking / Mediation)
-> Appeal -> Telecom Disputes Settlement and Appellate Tribunal
PENALTIES AND ADJUDICATION

Data Protection Board of India, after giving the person an opportunity to be heard, may impose a Monetary Penalty [Schedule of DPDPA]. No Criminal Sanctions under the DPDPA.

Factors considered:
- The nature, gravity, and duration of the breach;
- The type and nature of the personal data affected by the breach;
- Repetitive nature of the breach;
- Whether the person, as a result of the breach, has realized a gain or avoided any loss;
- Whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
- Whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of DPDPA; and
- The likely impact of the imposition of the monetary penalty on the person.
TREATMENT OF CHILDREN'S DATA AND DATA OF DISABLED PERSONS
Children's data (an individual under the age of 18)
Verifiable consent to be given by parent/legal guardian

Prohibitions
(a) on processing data that is likely to have a detrimental effect on the well-being of a child;
(b) tracking and behavioral monitoring of children; and
(c) targeted advertisements directed at children.

Exemptions
Central Government may exempt certain classes of data fiduciaries (to be notified) from processing the personal data of
children for such purposes and subject to such conditions (to be notified) without obtaining verifiable consent of the
parent of such child or the lawful guardian.
Central Government may permit certain classes of data fiduciaries (to be notified) to undertake tracking or behavioral
monitoring of children or targeted advertising directed at children.
If the Central Government is satisfied that the Data Fiduciary is processing data in a verifiably safe manner, it can provide the same exemptions as mentioned above for processing data of children above certain prescribed age limits. [Eg: If a gaming platform for children collects data of children (5-18 years) in a verifiably safe manner to the satisfaction of the Central Government, it can provide the above stated exemptions to collection of data of children above 16.]
WHAT DO I DO WHEN THERE IS A DATA BREACH?

Primary responsibility for compliance is on the Data Fiduciary. No standards have been prescribed. Data Fiduciary must implement appropriate technical and organizational measures to ensure effective compliance with the DPDPA.

In case of a personal data breach, Data Fiduciary should intimate:
- Data Protection Board of India; and
- each affected Data Principal.

Recommended Actions: start putting systems and processes in place to cover:
- Safeguards: such as encryption, monitoring, data back-ups and staff training.
- Incident management protocols: such as a data breach response team, mitigation and notification templates.
- IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System - Requirements.
KEY POWERS OF THE CENTRAL GOVERNMENT

Exempt certain business entities and Startups from specific provisions of the DPDPA

Exempt “instrumentalities of the State” from the applicability of the DPDPA, in the
interests of sovereignty and integrity of India, security of the State, friendly relations
with foreign States, and maintenance of public order or preventing incitement to any
cognizable offence.

Exempt certain data fiduciaries from obtaining verifiable consent from parents or
legal guardians for processing their children's data for specific purposes and under
specific conditions and may also permit certain Data Fiduciaries to conduct tracking,
behavioral monitoring, or targeted advertising directed at children.

Notify the “negative list” of countries to which Indian data cannot be transferred.

Appointment of all members to the Data Protection Board


WHAT DO WE NOT KNOW AS YET?


What is the Effective date of the DPDPA? The effective date of implementation has not been notified yet. Likewise, there is no indication of any transition period for entities to prepare for compliance with the DPDPA.

How do I know if I am a Data Fiduciary or a Significant Data Fiduciary or a Data Processor? By definition, Data Fiduciaries are those that determine the purpose and means of processing personal data. On the other hand, Data Processors are those entities that process personal data on behalf of a Data Fiduciary. Eligibility/Qualifying criteria for “Significant Data Fiduciaries” are yet to be notified. Further, exempted Data Fiduciaries are also to be notified by the Government.

Can I transfer data anywhere in the world? The DPDPA permits data transfer outside India except to countries notified on the negative list, which the Government is yet to notify.
SO WHAT DO I DO NOW?

- Review process and documentation for obtaining consent from Data Principals.
- Assess your organization’s data processing requirements, including the reasons for collecting personal data and the purposes for which such data is used.
- Identify entities with whom you share data and review the contracts with such entities to ensure they impose sufficient obligations to comply with the DPDP Act and provide the Data Fiduciary with periodic audit rights.
- Organizations that collect or process personal data of children or persons with disabilities should review preparedness to implement higher thresholds for “verifiable consent procedures”.
- Prepare to implement processes/technical measures to track withdrawal of consent and erasure of data if consent is withdrawn by the Data Principal or data is no longer needed by the Data Fiduciary.
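The consent-manager flow shown earlier (create, update, revoke and verify consent; "Is Consent Authorized?"; allow or deny access) and the last item above (tracking withdrawal of consent and the resulting erasure) can be sketched as a small purpose-bound consent ledger. The code below is an added illustration written for this page; it is not the authors' code, not any real consent-manager product, and not a statement of what the DPDPA requires. ConsentLedger, the purpose and category labels, the identifiers, and the LEGITIMATE_USES set are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Grounds the slide lists as "Legitimate Uses" (processing allowed without consent),
# modelled as an assumed constant. Whether a real case falls under them is a legal question.
LEGITIMATE_USES = {"medical_emergency", "disaster_relief", "court_judgment", "employment"}


@dataclass
class ConsentRecord:
    principal_id: str
    fiduciary_id: str
    purpose: str                    # the specified purpose stated in the consent notice
    categories: frozenset           # only the data categories necessary for that purpose
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class ConsentLedger:
    """Hypothetical consent store: give, withdraw (revoke) and verify consent, and record
    the erasure obligation that a withdrawal creates."""
    records: list = field(default_factory=list)
    erasure_queue: list = field(default_factory=list)   # (principal, fiduciary, purpose, categories) to erase/anonymize
    audit_log: list = field(default_factory=list)       # every decision, kept for audit and Board inquiries

    def give_consent(self, principal_id, fiduciary_id, purpose, categories, now):
        rec = ConsentRecord(principal_id, fiduciary_id, purpose, frozenset(categories), now)
        self.records.append(rec)
        self.audit_log.append(("GIVEN", principal_id, fiduciary_id, purpose))
        return rec

    def withdraw_consent(self, principal_id, fiduciary_id, purpose, now):
        """Withdrawal is one unconditional call, mirroring 'as easy as it was given'.
        Every live matching record is closed and queued for erasure."""
        matched = False
        for rec in self.records:
            if ((rec.principal_id, rec.fiduciary_id, rec.purpose) == (principal_id, fiduciary_id, purpose)
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = now
                self.erasure_queue.append((principal_id, fiduciary_id, purpose, sorted(rec.categories)))
                matched = True
        self.audit_log.append(("WITHDRAWN" if matched else "WITHDRAW_NO_MATCH", principal_id, fiduciary_id, purpose))
        return matched

    def is_authorized(self, principal_id, fiduciary_id, purpose, category, now):
        """The 'Is Consent Authorized?' decision. Allow only when a live consent from this
        principal names this fiduciary, this purpose and this data category, or when the
        purpose is a legitimate use. Anything else, including withdrawn consent, is denied."""
        if purpose in LEGITIMATE_USES:
            self.audit_log.append(("ALLOW_LEGITIMATE_USE", principal_id, fiduciary_id, purpose, category))
            return True
        for rec in self.records:
            if (rec.principal_id == principal_id and rec.fiduciary_id == fiduciary_id
                    and rec.purpose == purpose and category in rec.categories
                    and rec.given_at <= now and rec.withdrawn_at is None):
                self.audit_log.append(("ALLOW", principal_id, fiduciary_id, purpose, category))
                return True
        self.audit_log.append(("DENY", principal_id, fiduciary_id, purpose, category))
        return False

    def stale_consents(self, max_age, now):
        """Retention check: live consents older than max_age are returned so the fiduciary
        can confirm the purpose is still served or erase/anonymize the data."""
        return [rec for rec in self.records if rec.withdrawn_at is None and now - rec.given_at > max_age]


def demo():
    """Constructed walk-through on made-up identifiers; returns the decisions for checking."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.give_consent("dp-1", "shop-A", "order_delivery", {"name", "address"}, t0)
    out = {
        "address_for_delivery": ledger.is_authorized("dp-1", "shop-A", "order_delivery", "address", t0),
        "phone_for_delivery": ledger.is_authorized("dp-1", "shop-A", "order_delivery", "phone", t0),
        "address_for_marketing": ledger.is_authorized("dp-1", "shop-A", "marketing", "address", t0),
        "other_fiduciary": ledger.is_authorized("dp-1", "shop-B", "order_delivery", "address", t0),
        "emergency": ledger.is_authorized("dp-1", "hospital", "medical_emergency", "blood_group", t0),
    }
    out["withdrawn"] = ledger.withdraw_consent("dp-1", "shop-A", "order_delivery", t0 + timedelta(days=10))
    out["after_withdrawal"] = ledger.is_authorized("dp-1", "shop-A", "order_delivery", "address", t0 + timedelta(days=11))
    out["erasure_queue"] = list(ledger.erasure_queue)
    ledger.give_consent("dp-1", "shop-A", "newsletter", {"email"}, t0)
    out["stale"] = [r.purpose for r in ledger.stale_consents(timedelta(days=365), t0 + timedelta(days=400))]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is deliberately narrow: a consent record authorizes one fiduciary, one purpose and only the categories named in the notice, so a request for a different category, purpose or fiduciary is denied even when the same principal has consented to something else. Withdrawal closes the record and pushes an erasure item onto a queue that the fiduciary's systems would work through, and the audit log gives the trail a Board inquiry or independent audit would ask for.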
THANK YOU!
CONTACT US
AMRUT JOSHI, Founder Partner, +91 99723 02080, amrut@gamechangerlaw.com
SAMHEETA RAO, Senior Partner, +91 7259126262, samheeta@gamechangerlaw.com
SAKET RACHAKONDA, Senior Associate, +91 9711202920, saket@gamechangerlaw.com
ISHA B.D, Associate, +91 7406450366, isha@gamechangerlaw.com

www.gamechangerlaw.com
#2259 l Level 22 l Regus World Trade Center
Brigade Gateway Campus l Malleswaram
West Bangalore - 560 055
