Data Protection and Corporate Obligations Under the DPDP Act
I. Background and Objective of the DPDP Act, 2023
The Digital Personal Data Protection Act, 2023 establishes India’s first comprehensive framework for protection of digital personal data, balancing:
Individual privacy as a fundamental right
Legitimate corporate and state data processing needs
Ease of doing business and innovation
The Act applies to processing of digital personal data within India and to processing outside India where goods or services are offered to individuals in India.
II. Key Definitions Relevant to Corporates
1. Personal Data
Any data about an individual who is identifiable by or in relation to such data.
2. Data Principal
The individual to whom the personal data relates.
3. Data Fiduciary
Any person (including a company) who determines the purpose and means of processing personal data.
4. Data Processor
Any person who processes personal data on behalf of a Data Fiduciary.
III. Constitutional Foundation of Data Protection
Case Law 1: Justice K.S. Puttaswamy v. Union of India
Right to privacy is a fundamental right under Article 21
Informational privacy is an intrinsic part of dignity and autonomy
Any data processing must satisfy legality, necessity, and proportionality
This judgment is the constitutional bedrock of the DPDP Act and shapes corporate compliance expectations.
IV. Lawful Grounds for Processing and Consent Architecture
1. Consent-Based Processing
Consent must be:
Free, specific, informed, and unambiguous
Given through clear affirmative action
Withdrawable at any time
2. Legitimate Uses (Non-Consent Grounds)
Corporates may process data without consent for:
Employment purposes
Legal compliance
Medical emergencies
Public interest as notified
V. Corporate Obligations Under the DPDP Act
1. Core Duties of Data Fiduciaries
Corporates must:
Process data only for lawful purposes
Ensure data accuracy and security safeguards
Erase data once purpose is fulfilled
Prevent unauthorised access and breaches
Case Law 2: People’s Union for Civil Liberties v. Union of India
Information privacy requires procedural safeguards
Arbitrary or excessive data collection violates constitutional norms
This principle informs data minimisation obligations under the DPDP Act.
VI. Notice and Transparency Requirements
Corporates must provide a clear privacy notice specifying:
Nature and purpose of data collection
Rights of data principals
Grievance redressal mechanism
Case Law 3: Anuradha Bhasin v. Union of India
Transparency and proportionality are essential in any restriction of rights
State and private actions affecting informational access must be reasoned
These principles are applied analogically to corporate disclosure and transparency standards.
VII. Rights of Data Principals
Individuals are entitled to:
Right to access information
Right to correction and erasure
Right to grievance redressal
Right to nominate another person
Corporates must establish internal systems to respond within prescribed timelines.
Case Law 4: R. Rajagopal v. State of Tamil Nadu
Right to privacy protects informational autonomy
Unauthorised publication or misuse of personal data is actionable
This case underpins corporate liability for misuse or over-disclosure of personal data.
VIII. Significant Data Fiduciaries (SDFs)
1. Enhanced Obligations
Corporates classified as Significant Data Fiduciaries must:
Appoint a Data Protection Officer
Conduct Data Protection Impact Assessments
Undertake periodic audits
Classification depends on volume, sensitivity, and risk of processing.
Case Law 5: Justice K.S. Puttaswamy (Aadhaar – II)
Large-scale data collection requires heightened safeguards
Purpose limitation and proportionality are mandatory
This rationale supports stricter compliance for high-risk corporates.
IX. Data Breach Obligations and Corporate Liability
1. Breach Notification
Corporates must:
Notify the Data Protection Board of India
Inform affected data principals where required
Failure can attract heavy monetary penalties.
Case Law 6: M.P. Sharma v. Satish Chandra (as revisited in later jurisprudence)
Though the original decision was privacy-restrictive, later courts clarified that intrusive data access must be justified
Reinforces need for lawful access controls
Relevant to breach-prevention and internal access governance.
X. Penalties and Enforcement Mechanism
1. Data Protection Board of India
Adjudicates non-compliance
Imposes penalties based on gravity and intent
2. Monetary Penalties
Can extend to hundreds of crores of rupees
No criminal liability, but strong deterrent effect
XI. Corporate Governance and DPDP Act
1. Director and Officer Responsibility
Compliance forms part of fiduciary duties
Failure may attract regulatory scrutiny and shareholder action
Case Law 7: Standard Chartered Bank v. Directorate of Enforcement
Companies and responsible officers can be held liable for statutory breaches
Corporate veil does not shield governance failures
XII. Interaction with Other Laws
IT Act, 2000 (limited role post-DPDP)
Sectoral regulations (RBI, SEBI, IRDAI)
Employment and consumer protection laws
Corporates must adopt a harmonised compliance approach.
XIII. Practical Compliance Roadmap for Corporates
Data mapping and classification
Consent and notice redesign
Vendor and processor agreements
Cybersecurity and breach response plan
Appointment of DPO (where applicable)
Periodic audits and board oversight
XIV. Key Takeaways
DPDP Act operationalises the constitutional right to privacy.
Corporates act as Data Fiduciaries, not mere data owners.
Consent, purpose limitation, and security are central obligations.
Enhanced duties apply to high-risk data processors.
Penalties are severe and reputation-sensitive.
Data protection compliance is now a core corporate governance function.