Digital Personal Data Protection (DPDP) Act, 2023


The Federation of Indian Petroleum Industry (FIPI), in association with EY as knowledge partner, organised a webinar on the 'Digital Personal Data Protection Act, 2023' on 5th December 2023. The webinar was conducted to shed light on the Act, which provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.

Mr. Vivekanand, Director (Finance, Taxation & Legal), FIPI, began the session with the opening remarks. He said that with India being the most populous country in the world, with a population of more than 1.4 billion, internet penetration has increased over recent years, resulting in the country's digital population totalling 700 million active users, including 470 million social media users, creating mammoth digital data. The generation of digital data has thus assumed greater significance in terms of ownership, sharing, data protection and maintenance of mutual trust among data transmitters. He highlighted that a law to protect data privacy is thus important, and hence the need for and importance of the Digital Personal Data Protection Act arises. He said that the Digital Personal Data Protection Act marked the first law in India to safeguard the rights and responsibilities associated with the management of extensive digital personal data within the economy. He welcomed the notification of the DPDP Act and said that it would pave the way for conscious digital data collection, storage, usage, and protection.

Mr. Rajiv Chugh, Partner and National Leader, Policy Advisory and Specialty Services, Ernst & Young LLP, said that with technology being the defining paradigm of the 21st century, the DPDP Act underscores the nation's focus on building a strong data privacy regime. He mentioned recent data breaches that have occurred in India, such as the ICMR data leak of personal information of 81.5 crore Indians, the Taj Hotel data breach of personal data of 15 lakh people, the RailYatri data leak, etc. He said that building strong data privacy governance programs within organisations is not only a business risk requirement but also crucial for building a transparent, long-term sustainable organisation for the future.

He highlighted a major point under the Act: the time between the notification of the Act and the constitution of the Data Protection Board (DPB) under the Act should not be considered an immunity period for companies, because if a data breach occurs in the intervening period, the DPB will take necessary action against it.

He further said that many Indian companies have already incorporated Global Data Protection Regulations (GDPR) within their organisations' systems, which ensures their state of readiness to comply with data privacy. He said many countries have adopted these regulations, with Australia being the first country to adopt them.

He then explained the intricacies of the Act. He highlighted that the DPDP Act is applicable to any personal data which is collected within the Indian territory either in digital form or in hard copy that is subsequently digitised, or to any information that is made available to a person outside the Indian territory and is required for the purpose of supply of goods or services in India. Processing for domestic or personal purposes by individuals, and personal data made public by the Data Principal of their own consent, do not come under the purview of this Act.

He then spoke about the 5 pillars of the DPDP Act 2023: Data Principal, Data Fiduciary, Consent, Processing, and Certain Legitimate Uses. He mentioned that a notice is required to be given by the Data Fiduciary to the Data Principal for obtaining consent to process the data. The notice shall give the purpose of processing the data and the way the Data Principal can exercise their rights and make a complaint to the Board. They have an option to access the notice in English and other regional languages as specified in the Constitution.

Last but not least, he spoke about the data touch points for MNCs: login credentials (name, date, address, etc.); KYC details such as Aadhaar Card, PAN and passport details; and data collected from vendors (bank account details, business profile data, etc.). He also spoke about the monetary penalty payable on account of non-compliance in preventing a data breach, and thus stressed the need for maintaining the data in a rightful manner.

The presentations were followed by a Q&A session wherein various queries posted by participants were well addressed by Mr. Chugh.

Lastly, Mr. DLN Sastri, Director (Oil Refining & Marketing), FIPI, in his vote of thanks, emphasised that the topic of today's webinar was relevant for all individuals as well as corporates that handle and manage client data. He complimented the EY team for an elaborate presentation on the topic, as it created awareness of the legal provisions of personal data protection. He said that Mr. Chugh very elaborately covered the procedural aspects related to data privacy, such as consent and transparent data privacy rights, cross border transfer of data, data processing, liability and ways of safeguarding mandatory data breach notification, magnitude of penalties and enforcement, consumer rights and remedies, etc. He also thanked the participants from the energy industry for their active and interactive participation during the event.