How Is the New Digital Personal Data Protection Act Revolutionizing the Consent Landscape?
In the digital era, personal data protection has emerged as a critical concern globally, prompting stringent legal measures. Among these, India's Digital Personal Data Protection Act, 2023 (DPDP Act) stands out for its unique approach to consent. This revolutionary Act is dramatically altering the way businesses interact with personal data. But what are the implications for Data Fiduciaries and Data Principals? Is this Act a harbinger of change or added complexity?
The DPDP Act introduces a paradigm shift in the personal data processing sphere, prioritizing explicit consent. Unlike the GDPR, the DPDP Act mandates permission from data principals to process their personal data in most cases. However, under Section 6(6), processing may continue even after consent withdrawal if required by law or for specific purposes outlined in the Act. Let's unpack this groundbreaking legislation.
Unraveling the DPDP Act Provisions
The Primacy of Consent
The DPDP Act obligates data fiduciaries to secure explicit permission from Data Principals before commencing data collection or processing. This consent is not perpetual, shall be specific, limited to the purpose for which it is obtained, may be withdrawn at any time, and the data must not be retained beyond the fulfillment of its processing purpose.
Issuing Notices
Concurrent with the DPDP Act's enforcement, Data Fiduciaries are required to issue notices to individuals whose data they possess, irrespective of previously obtained consent. Every request made to a Data Principal for obtaining their consent shall be accompanied or preceded by a notice given by the Data Fiduciary. These notices must be delivered in English or any other language recognized under the Indian Constitution, and contain essential information as regards the purpose of data process, the manner in which the Data Principal may exercise their rights and the manner in which the Data Principal may make their complaint to the Data Protection Board of India.
Managing Consent
The DPDP Act innovatively introduces Consent Managers, registered with the Data Protection Board of India. Data Principals can grant, modify, or withdraw consent through these Consent Managers. Moreover, Data Fiduciaries can employ consent management platforms (CMPs) to accumulate, monitor, and synchronize consent.
Invalidity of consent
The DPDP Act also provides that where a consent constitutes infringement of the Act, its rules or any other extant law, such consent shall be invalid to the extent of that infringement.
Cessation of consent
In the event the Data Principal withdraws their consent, the Data Fiduciary shall within reasonable time cease to process the Data Principal’s data, unless required or authorized under law.
领英推荐
Information Accessibility
Data Principals are entitled to access a summary of their data, the identities of sharing entities, and other processing-related information.
Child Data Protection
The DPDP Act stipulates distinctive provisions for processing the personal data of children under 18 years, necessitating verifiable parental or guardian consent.
Implications for Foreign Companies
Foreign companies must provide notice and seek consent only if their data processing is associated with offering goods or services to Data Principals in India.
The DPDP Act heralds a new era, conferring Data Principals with unprecedented control over their personal data while imposing substantial obligations on Data Fiduciaries and Consent Managers. This seminal Act impacts data processes of major industries including finance, IT, healthcare, travel, legal, renewables, and retail. Hence, as we transition into this new phase, it is vital for organizations to comprehend and adapt to these transformations.
What's the Way Forward for Your Organization?
Now is the opportune time to reassess your data protocols and align them with the DPDP Act's stipulations. Familiarize yourself with the intricacies of explicit consent, prepare for multilingual data notifications, utilize consent management platforms, and above all, respect the data principal's enhanced authority.