Unlocking Control: Understanding Consent in India’s Digital Data Protection Law, 2023


Contributed by Pushpesh Srivastava

Introduction

In the dynamic realm of digital data, India has made tremendous progress with the enactment of the Digital Personal Data Protection Act, 2023 (“Act”). It aims to strike a balance, acknowledging both the necessity of safeguarding individuals’ personal data and the legitimate reasons for processing it. The law tackles a variety of issues in the handling of digital personal data, including rules for processing data in a lawful manner that respects individuals’ rights at all times. The Act serves as a protection, ensuring that each individual retains the ability to determine how their personal information is used, even as data becomes increasingly integrated into our daily lives. Consent, the fundamental principle that allows people to control what happens to their data, is central to this Act.

At its core also lies the concept of Consent Managers, who play a crucial role by enabling users to provide, monitor, and withdraw their consent for the collection and use of their personal data. Essentially, the Consent Manager acts as a mediator between users and the entities that collect personal data, making sure that the consent procedure is interoperable, simple to understand, and compliant with accessibility and transparency standards.

Empowering Users through Informed Consent

The Act recognises consent as the foundation of ethical data processing and highlights the need to obtain clear and informed consent from the individuals to whom the data pertains. It formulates a set of guidelines to ensure that people are aware of, and in control of, their own personal data. It underlines specificity, voluntariness, and clarity when gaining consent, and restricts the quantity of data that can be gathered to what is absolutely necessary for the intended use. This framework aims to safeguard people’s rights and privacy when digital data is processed.

Section 5 of the Act mandates that, before or alongside the request for consent under Section 6, Data Fiduciaries must provide a clear notice to Data Principals. This notice includes details about the personal data to be processed and the specific purpose of the processing. It should explain how Data Principals can exercise their rights under Section 6(4), which states that where the processing of personal data is authorised by consent granted by the Data Principal, the Data Principal has the right to withdraw that consent at any time, with the ease of withdrawal comparable to the ease of giving consent. The notice should also describe the grievance redressal route: Section 13 of the Act requires Data Fiduciaries and Consent Managers to implement accessible grievance redressal channels, giving Data Principals an initial route to address issues before resorting to regulatory bodies such as the Data Protection Board. Additionally, the notice should outline the procedure for making a complaint to the Data Protection Board. To encourage accessibility and comprehension, Section 5 gives Data Principals the right to view the contents of the notice in the language of their choice.

For consents obtained prior to the Act’s implementation, the Data Fiduciary was required to notify Data Principals of the continuing processing of their data and its intended use. By informing people about the ongoing processing under the new regulatory framework, this notice helps to ensure a smooth transition. In light of the practical realities of implementing the new legal structure, Section 5 permits Data Fiduciaries to keep processing personal data until the Data Principal withdraws consent. This clause maintains service continuity while respecting the changing privacy landscape.

Section 6 of the Act describes the requirements for valid consent, the importance of transparent communication, the role of Consent Managers, and the legal responsibilities related to obtaining and managing consent for the processing of personal data. Consent should be given for a specific purpose, and individuals should understand exactly what they are committing to. People should be given sufficient information about why their data is being gathered, how it will be used, and any other vital details, and they should be aware of the implications of giving consent. Conditions that are not clearly communicated in the consent request should not apply: consent should be clear and not tied to unrelated terms. The language used to request consent must be plain and simple to understand, leaving no ambiguity about what is being requested. Consent should be demonstrated by a clear and affirmative action indicating that the individual has actively agreed, such as clicking an option, checking a box, or taking another explicit action.

Section 11 permits Data Principals to request details from Data Fiduciaries regarding the processing of their personal data, including information on the consent obtained. Data Principals also have the right to correct, complete, and update the personal data whose processing they have consented to.

Verifiable Consent for Children and Persons with Disability

Before processing any personal data of a child, or of a person with a disability who has a lawful guardian, the Data Fiduciary is mandated to obtain verifiable consent from the parent of the child or the lawful guardian, as applicable. The essence of Section 9 of the Act is a proactive step towards preventing harm to minors, and it reflects a commitment to protect vulnerable segments of society in an increasingly digital world. As such, it plays a crucial role in creating a safer online environment for younger users.

Responsibilities of Data Fiduciaries: Protecting the Ethics of Consent

Importantly, the Act imposes considerable duties on Data Fiduciaries concerning consent. It requires the establishment of a Data Protection Officer (DPO) who is responsible for ensuring compliance with the Act. Section 8 highlights the necessity for Data Fiduciaries to implement suitable security controls to prevent personal data breaches, as well as the importance of secure data processing even after consent has been received.

The Central Government is empowered to designate “Significant Data Fiduciaries” based on particular criteria. These Significant Data Fiduciaries must comply with additional obligations, such as appointing a Data Protection Officer and an Independent Data Auditor, conducting periodic Data Protection Impact Assessments (“DPIAs”) and audits, and implementing the other measures outlined in the Act to ensure data protection and compliance. A DPIA includes a thorough examination of the purpose of processing and the associated risks. Consent is central to this assessment, which must properly address and manage the impact of data processing on individual rights, including the right to consent. The DPIA process thereby recognises consent as a fundamental component of responsible data processing.

Imposing Accountability and Penalties

The Act establishes a strong system of accountability and penalties to guarantee that data protection standards are met. In the event of a breach, the Data Protection Board has the authority to take action, including imposing monetary penalties (Section 33). When calculating those penalties, the Board must consider a variety of factors. These include the nature, gravity, and duration of the breach, with particular emphasis on severity and duration. The type and nature of the personal data compromised are critical, with breaches involving sensitive data incurring harsher penalties. A repeated breach indicates systemic flaws, which may result in greater fines. The penalty is also influenced by any gain realised or loss avoided as a result of the breach, so that the responsible party does not benefit from it. Whether mitigation measures were taken, and how timely and effective they were, is considered and may result in a reduced penalty, and the likely impact of the penalty on the responsible party is also taken into account. Penalties are designed to be proportionate and effective in discouraging future violations while securing compliance with the Act. The essence of Section 33 is that penalties are not arbitrary; rather, they are established based on the nature, gravity, and duration of the violation, guaranteeing a proportionate and effective response.

Conclusion

The Digital Personal Data Protection Act, 2023, serves as a sign of user-centric law as India advances fearlessly towards a digital future. As outlined in the Act’s structure, the role of Consent Managers is critical in ensuring that user rights are safeguarded, data processing is transparent, and accountability is maintained. The Act sets a high bar for ethical data practices by encouraging informed consent, particularly for vulnerable groups such as children. Prior to this legislation, individuals lacked a strong framework to protect their digital information, leaving them vulnerable to misuse. The Act establishes revolutionary principles centred on consent and user control, transforming the way personal data is handled. This legal step underscores India’s commitment to global data protection norms, while also building a secure digital environment for its citizens.
