Digital Personal Data Protection Act
Digital Personal Data Protection Act, 2023 (DPDP Act)
It is an Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes, and for matters connected therewith or incidental thereto.
- This is the first Act of the Parliament of India where “she/her” pronouns were used unlike the usual “he/him” pronouns.
- The DPDP Act has been notified but awaits full enforcement pending the release of DPDP Rules and the establishment of the Data Protection Board.
PURPOSE
- It is a legislation designed to regulate the collection, storage, processing, and sharing of personal data in a digital environment.
- It aims to protect individuals’ privacy rights and ensure that their personal information is handled responsibly by organizations and businesses.
HOW DOES IT APPLY TO AML-CFT SPACE & PROFESSIONALS
- The DPDP Act, 2023 applies to banks and all organisations that process the data of Indian citizens. The Act defines two main stakeholders, Data Principals and Data Fiduciaries (defined below).
- Banks and NBFCs are considered “Data Fiduciaries” under the Act. They must therefore comply with its provisions on data collection, usage, processing, storage, sharing and individual rights.
- The AML-CFT function collects the customer’s personal data and documents in digitised form from the bank’s various data sources for the purposes of transaction monitoring, filing of suspicious transaction reports (STRs), data analysis and submission of mandatory monthly reports, etc.
- It also collects and shares such other customer information as required by FIU-IND and law enforcement agencies (LEAs).
- This data collection and processing is undertaken to discharge the bank’s obligations under the PMLA 2002 and the PML Rules 2005.
- As per Section 7.2 of the PML Rules 2005, the Principal Officer has to retain a copy of the data/information reported to FIU-IND. Such data has to be maintained in full confidentiality under Section 12A of the PML Act, 2002 and preserved for at least 5 years in such manner as prescribed under the IT Act.
- Under Section 14 of the PML Act, 2002 (save as otherwise provided in Section 13), the reporting entity (RE), its directors and employees shall not be liable to any civil or criminal proceedings for furnishing information under Sections 12 and 12AA(1) for the purpose of implementing the provisions of that Act.
- The resulting data quality and accuracy can help reduce the number of false positives, enabling the private sector to comply faster and with less burden.
- Section 17(1)(c) of the DPDP Act exempts processing from the Act where “personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence under any law for the time being in force in India”.
- Under Section 8(7) of the DPDP Act, a Data Fiduciary is permitted to retain documents where retention is necessary for compliance with any law for the time being in force.
- When applied, these provisions can help protect prospective victims from information leakage as they engage with multiple domestic and international entities.
DEFINITIONS AND KEY STAKEHOLDERS OF THE ACT:
- Data Principal: The individual to whom the data relates;
  - in the case of a minor (less than 18 years), this includes the parents or lawful guardian;
  - in the case of a person with disability, the lawful guardian is to be identified and their consent must be obtained.
- Data Fiduciary: Any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data.
- Data Processor: The person who processes personal data on behalf of a Data Fiduciary, i.e., the processor carries out the processing as per the instructions and guidance issued by the Data Fiduciary.
A bank can be a Data Fiduciary or a Data Processor depending on the context.
Role of Data Fiduciary: to provide notice to (intimate) the Data Principal in such manner as may be prescribed.
Role of Data Principal: to give her consent.
Personal data may be processed where:
- the Data Principal has given her consent, or
- the processing is for certain legitimate uses.
Under the consent route, data can be processed only after the Data Fiduciary has given notice and the Data Principal has provided her consent.
The Act applies to the processing of digital personal data within India where such data is:
- collected online, or
- collected offline and digitised.
It also applies to processing outside Indian territory in connection with any activity related to the offering of goods or services to Data Principals within the territory of India.
The Act allows transfer of personal data outside India, except to countries restricted by the Central Government through notification.
Rights of Data Principal:
An individual whose data is being processed (the Data Principal) will have the right to:
- obtain information about processing,
- seek correction and erasure of personal data,
- nominate another person to exercise rights in the event of death or incapacity, and
- grievance redressal.
Duties of Data Principal: They must not:
- register a false or frivolous complaint, or
- furnish any false particulars or impersonate another person in specified cases.
Violation of these duties will be punishable with a penalty of up to Rs 10,000.
Obligations of Data Fiduciaries: The entity determining the purpose and means of processing (the Data Fiduciary) must:
- Make reasonable efforts to ensure the accuracy and completeness of data,
- Build reasonable security safeguards to prevent data breach,
- Inform the Data Protection Board of India and affected persons in the event of a breach, and
- Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation).
In the case of government entities, the storage limitation and the Data Principal’s right to erasure will not apply.