In the era of information and innovation, data has become the currency of the digital realm, and its protection is paramount. India has stepped into this new digital age with a resounding declaration – the Digital Personal Data Protection Act, 2023 (“DPDP Act”). Enacted with precision, this legislation marks a turning point in how businesses and organisations ought to manage personal data.
Notice and consent requirements have gained added significance in the DPDP Act, playing a vital role in upholding data privacy and individual autonomy. To understand the concept of notice under the DPDP Act, let us first understand the three key players as encapsulated under the DPDP Act.
DATA PRINCIPAL | DATA FIDUCIARY | DATA PROCESSOR |
A Data Principal (“Data Principal”) means the individual to whom the personal data relates. Regarding children, their parents or lawful guardians serve as the Data Principals. A child is defined as an individual below the age of eighteen. | A Data Fiduciary (“Data Fiduciary”) is any individual or entity, whether acting alone or in collaboration with others, that has the authority to determine both the purpose and the methods employed for the processing of personal data. | A Data Processor (“Data Processor”) refers to any individual or entity that carries out the processing of personal data on behalf of a Data Fiduciary. |
Notice
Section 5 of the DPDP Act addresses the notice obligations to be adhered to by a Data Fiduciary.
KEY REQUIREMENTS
When a Data Fiduciary requests an individual’s consent, either during or before such a request, it is mandatory to provide the individual with a clear and comprehensible notice. The notice must include the following:
A. Detailed description of the personal data intended to be collected and the purpose for processing such data;
B. The specified methods for the Data Principal to exercise their rights; and
C. The established process for the Data Principal to file a complaint with the Data Protection Board[1] (“Board”) against the Data Fiduciary.
A similar notice should also be furnished to the Data Principal as soon as reasonably practicable when the consent was secured prior to the enactment of the DPDP Act. It is to be noted that the specific duration of the retrospective period has not been specified in the DPDP Act.
The obligation to provide notice is an integral part of obtaining consent and does not apply when processing is justified by a legitimate use.
The DPDP Act mandates the option to access the information contained in the notice either in English or any language listed in the Eighth Schedule to the Constitution.
Corrida legal’s perspective: Organizations can take advantage of this chance to showcase transparency and assist the Data Principal in making an informed choice regarding the handling of their personal data. This notice serves as an educational tool for the Data Principal, enabling them to better understand typical situations they may encounter and how to correct inaccuracies or withdraw their consent.
Next steps for businesses: Data Fiduciaries should evaluate the need to revise the structure and substance of their privacy policies and consent notices to align with the stipulations of the updated legislation. Consent notices must encompass the necessary details and be translated into regional languages to adhere to the requirements of the new legal framework.
CONCLUSION
As the DPDP Act ushers in a new era of responsible data handling, businesses should take proactive steps to ensure compliance. This includes revising privacy policies and consent notices to align with the act’s stipulations and translating them into regional languages to cater to a diverse population.
By embracing these changes, businesses can not only meet their legal obligations but also build trust with their customers and contribute to a safer and more secure digital environment for all. The DPDP Act sets the stage for a data-driven future that respects individual rights and protects personal data, and businesses must be prepared to navigate this new landscape effectively.
[1] Section 18, the Digital Personal Data Protection Act, 2023.