Digital Personal Data Protection Act – Step To Secure The Personal Data

28 April, 2025 Opinion

By Sanjay Kumar Satpathy, AGM(Law) & Zonal Legal Head, Union Bank of India, ZO, Delhi

Introduction:

The Digital India Programme was launched on 1st July 2015 with the objective of ensuring that citizens can access government services electronically, eliminating paperwork. Various digital initiatives were launched by the Government of India, such as eAadhaar, DigiLocker, digital filing of documents, etc. Though the widespread use of information and communication technology has enhanced the efficiency of services and facilitated everyday life, it has also brought challenges to individual privacy. In order to establish a comprehensive framework for the protection and processing of personal data, the Government of India has enacted the Digital Personal Data Protection Act, 2023.

Evolution Of Digital Personal Data Protection Act, 2023:

The Hon’ble Supreme Court in Justice K.S. Puttaswamy vs. Union of India, while upholding the ‘Right to Privacy’ as part of the fundamental ‘Right to Life’ under Article 21 of the Constitution of India, suggested that the Government of India put in place an Act/regime for the protection of personal data. Accordingly, in the year 2017, the Government of India constituted a Committee of Experts on Data Protection, with Mr. Justice B. N. Srikrishna as Chairman, to examine issues relating to data protection in the country. Based on the recommendations of the Committee in its report submitted in July 2018, the Personal Data Protection Bill, 2019 was introduced in the Lok Sabha in December 2019 and subsequently referred to a Joint Parliamentary Committee, which submitted its report in December 2021. In August 2022, the said Bill was withdrawn from Parliament. In November 2022, a Draft Bill was released for public consultation. The previous Personal Data Protection Bills of 2019 and 2022 underwent numerous amendments and were subsequently withdrawn by the Government of India. The present Digital Personal Data Protection Bill, 2023 was introduced in Parliament in August 2023, was passed by Parliament and received Presidential assent on 11.08.2023. Prior to the enactment of the Digital Personal Data Protection Act (DPDPA), India did not have a standalone law on data protection; use of personal data was regulated under the Information Technology Act, 2000. The DPDPA is yet to come into effect. The Ministry of Electronics and Information Technology has released draft rules for implementing the Digital Personal Data Protection (DPDP) Act, 2023.

Object Of The Digital Personal Data Protection Act, 2023 (DPDPA):

The primary objective of the Act is to establish a comprehensive framework for the protection and processing of personal data. The DPDPA applies to the processing of digital personal data within India where such data is (i) collected online, or (ii) collected offline and digitised, and also to the processing of personal data outside India if it is for offering goods or services in India. Personal data is defined as “any data about an individual who is identifiable by or in relation to such data”. Processing is defined as a “wholly or partially automated operation or set of operations performed on digital personal data which includes collection, storage, use, and sharing”.

Grounds For Processing Personal Data:

Sec 4 of the Act provides that, under the DPDPA, Data Fiduciaries (any person or persons who determine the purpose and means of processing personal data) are responsible for processing the personal data of a Data Principal (the individual to whom the personal data relates; in the case of a child, the parent or lawful guardian of such child; in the case of a person with disability, her lawful guardian acting on her behalf) in accordance with the provisions of the Act and for a lawful purpose, and only if the Data Principal has given consent or if the processing is for a legitimate use of such data.

Consent:

Sec 6(1) of the DPDPA requires consent to be free, specific, informed, unconditional and unambiguous, with a clear affirmative action signifying agreement to processing for the specified purpose and limited to such personal data as is necessary for that purpose. The DPDPA thus imposes a purpose limitation on collected data, i.e., the data may only be used for the specified purpose for which it was collected, and separate consent must be obtained to process the data for a new purpose.

Notice:

Sec 5(1) of the said Act provides that the Data Fiduciary must give notice to the Data Principal, either prior to or at the time of collection of personal data, in order to obtain consent. Such notice must state the data being collected and the purpose of collection, the rights of the Data Principal and the grievance redressal measures available. Sec 5(2) provides the procedure with respect to data collected prior to the enactment of the Act. In such cases, the Data Fiduciary is required to give notice to the Data Principal in the manner prescribed in Sec 5(1) as soon as it is reasonably practicable. So long as the Data Principal has not withdrawn consent, the Data Fiduciary may continue to process the personal data.

Burden Of Proof:

Sec 6(10) of the DPDPA deals with the burden of proof in a proceeding. Where a question arises with respect to consent in a proceeding and the consent forms the basis for collection of data, the burden of proving that valid consent in terms of the provisions of the Act was obtained from the Data Principal lies on the Data Fiduciary.

For Legitimate Uses:

Sec 7 of the said Act classifies other lawful grounds for processing personal data as legitimate uses, in addition to consent. A Data Fiduciary may process personal data that is shared voluntarily by a Data Principal without any indication of objection to such processing, subject to purpose limitation. This includes data shared during a medical emergency or for providing medical emergency or health services, for disaster relief, or for compliance with a legal order.

However, the State and any of its instrumentalities have been granted wide powers in respect of processing personal data for carrying out any function required by law, etc., including for providing benefits or subsidies, services, certificates, licences or permits, and in the interest of the sovereignty and integrity of India or the security of the State.

Obligations Of Data Fiduciary:

Sec 8 of the DPDPA provides the general obligations of the Data Fiduciary. The Data Fiduciary shall (i) be responsible for complying with the provisions of the DPDPA and the rules made thereunder in respect of any processing of data undertaken by it or on its behalf by a Data Processor, (ii) make reasonable efforts to ensure the accuracy and completeness of data, (iii) build reasonable security safeguards to prevent personal data breaches, (iv) intimate the Data Protection Board of India and the affected persons in the event of a breach, and (v) erase personal data upon withdrawal of consent or as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation). However, the Act provides certain exemptions. For example, if a customer wants to close her SB account with a Bank, and the Bank is required by the law applicable to banks to maintain the record of identity of its customers for a period of ten years beyond closing of the account, the Bank can retain the said customer’s personal data for that period, since retention is necessary for compliance with law.

Processing of Data of Children:

Sec 9 of the Act deals with the processing of personal data of children and persons with disability. The Data Fiduciary shall not undertake any processing which has a detrimental effect on the well-being of a child. Data Fiduciaries must obtain verifiable consent from the parent or legal guardian before processing the personal data of a child or a person with disability. To comply with this provision, every Data Fiduciary shall ascertain the age of the person signing up for its services. This is needed to determine whether the person is a child and, if so, to obtain consent from their legal guardian. This may help avoid instances of children giving false declarations. However, it may also reduce anonymity in the digital sphere.

Significant Data Fiduciary:

Sec 10 of the Act empowers the Central Government to notify certain Data Fiduciaries or classes of Data Fiduciaries as Significant Data Fiduciaries, depending on the volume and nature of personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, etc.

Rights & Duties of Data Principal:

Under the provisions of Sec 11, the Data Principal has the right to obtain from the Data Fiduciary to whom consent was given a summary of the personal data processed by it and the processing activities undertaken, and the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary. However, an exemption is granted for information shared, if authorised by law and pursuant to a request in writing, for the purpose of prevention, detection or investigation of offences or cyber incidents, or prosecution or punishment of offences. A Data Principal can correct, complete, update and erase his personal data given for processing, in accordance with the requirements and procedure under any law for the time being in force. The DPDPA requires the Data Fiduciary to establish a grievance redressal mechanism, and the Data Protection Board may only be approached by a Data Principal after exhausting the remedy available through the Data Fiduciary’s grievance redressal mechanism. A Data Principal may exercise these rights through a consent manager, who must be accountable to the Data Principal. Simultaneously, the Act imposes duties on the Data Principal: to ensure compliance with the Act, not to impersonate another person, not to register false or frivolous complaints, and to furnish only authentic information.

Transfer Of Personal Data Outside India:

The Act allows transfer of personal data outside India, except to countries restricted by the Central Government by way of notification.

Exemptions:

The rights of the Data Principal and the obligations of Data Fiduciaries (except data security) will not apply in specified cases, which include prevention and investigation of offences and enforcement of legal rights or claims, etc. The Government of India may, by notification, exempt certain activities from the application of the Act, including (i) processing by government entities in the interest of the security of the State and public order, and (ii) research, archiving or statistical purposes, etc. An exemption is also granted under Sec 17 to a Bank or Financial Institution where the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment of a loan or advance taken from the Bank or Financial Institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force.

Data Protection Board of India:

The Act contains a provision for the establishment of the Data Protection Board of India, with powers and functions including (i) monitoring compliance and imposing penalties, (ii) directing Data Fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons, etc.

Appeal:

An appeal against a decision of the Board shall, as per Section 29, lie with the Telecommunications Dispute Settlement and Appellate Tribunal (TDSAT) established under the Telecom Regulatory Authority of India Act, 1997 (TRAI Act). The limitation period for preferring such an appeal is sixty (60) days from the date of receipt of the Board’s decision. Further, orders passed by the TDSAT shall be appealable before the Hon’ble Supreme Court as per Section 18 of the TRAI Act.

Penalties:

If the Data Protection Board, on conclusion of an inquiry, determines that there has been a breach of the provisions of this Act or the Rules made thereunder, it may, after giving an opportunity of hearing, impose penalties as prescribed in the Schedule to the Act for various contraventions, such as up to (i) Rs 200 crore for non-fulfilment of obligations in respect of children, and (ii) Rs 250 crore for failure to take security measures to prevent data breaches.

Impacts On Banks:

Banks and Financial Institutions dealing with personal data in any manner whatsoever have to develop standard operating procedures for compliance with the provisions of the DPDP Act, such as cooperating with the Data Protection Officer appointed by the Significant Data Fiduciary under Section 10 of the Act, appointing an Independent Data Auditor to carry out data audits, undertaking periodic Data Protection Impact Assessments, putting in place a consent management mechanism to collect, maintain, track and update consent from customers, maintaining valid contracts with data processors, etc.

Account Aggregator ecosystems:

The Reserve Bank of India, in its Master Direction – Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, has outlined the registration, duties and responsibilities of Account Aggregators to manage consent for financial data sharing, etc. RBI has already issued instructions to Regulated Entities (REs) to ensure compliance with the provisions of the Digital Personal Data Protection (DPDP) Act. The concept of the Account Aggregator is based on the Data Empowerment and Protection Architecture (DEPA), which is an attempt by the Government of India to create a data-driven economy that includes and exceeds the concept of ‘open banking’, in line with the recommendations of the Justice Srikrishna Committee Report. It is a UPI-style infrastructure layer to facilitate consent-based sharing of personal data. DEPA gives every Indian control over their own data, democratises access and enables secure portability of trusted data among service providers. The key participants in the Account Aggregator ecosystem are the Financial Information Provider (FIP), the institution holding the financial data (the Data Fiduciary, e.g. Bank, NBFC, Mutual Fund Depository, Insurance Repository, Pension Fund Repository, etc.), and the Financial Information User (FIU), which uses data from the FIP to provide various services to the end consumer. Banks play the role of both FIP and FIU.

The technological aspects of the Account Aggregator framework are managed by Reserve Bank Information Technology Private Limited (ReBIT), a fully owned subsidiary of RBI that serves its IT and cybersecurity needs and works to improve the cyber resilience of the Indian banking industry. Sahamati Foundation, a not-for-profit company u/s 8 of the Companies Act, is building the Account Aggregator ecosystem in India. Sahamati provides resources, certification and also audit services for implementation of the Account Aggregator framework. Presently, 15 companies are certified as Account Aggregators, including M/s CAMS Financial Information Services Pvt Ltd, M/s Cookiejar Technologies Private Limited, M/s FinSec AA Solutions Pvt. Ltd, M/s NESL Asset Data Limited, Phonepay Technology Services Pvt. Ltd, etc.

Conclusion:

Under section 43A of the IT Act, a company breaching its obligations in respect of personal data was liable to compensate the person affected by such a breach. Though the DPDPA repeals the applicability of the IT Act in matters governing personal data, it does not contain any provision for compensation to Data Principals who have suffered from non-compliance by a Data Fiduciary. The Act marks a distinctive approach to safeguarding personal data, addressing longstanding needs in view of the increasing number of internet users, data generation and cross-border trade. The DPDP Act signifies India’s commitment to modern data protection.

About the Author:

He is presently posted as Assistant General Manager (Law) & Zonal Legal Head in Union Bank of India, Zonal Office, Delhi. He has a combined banking experience of more than 24 years in Canara Bank and Union Bank of India. He holds a Master of Law (LL.M) in Commercial Law from Berhampur University, Odisha, and is a graduate in Law (LL.B) and a graduate in Economics from Sambalpur University, Odisha.

In both Banks, he was a visiting faculty at the respective Staff Training Centres and handled training sessions on various aspects of banking law, including Legal Aspects of Documentation, NPA Management, legal aspects of mortgages, etc.

During his student career, he received various awards and prizes in competitions such as debates, essays, moot courts, etc.

His articles have been published in the IBA journal “The Indian Banker” and in Union Bank’s in-house law journal “SAMVidhi” on different topics. In the year 2021, he was awarded a certificate and prize as the highest contributor to Union Bank’s in-house law journal “SAMVidhi”.

(The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of INCLUSION. Comments are welcome at info@skoch.in)
