TL;DR: The Digital Personal Data Protection Act, 2023, which came into force on 11th August 2023, aims to protect individuals' digital identities and personal data in India. With companies facing fines of up to $30 million for non-compliance, the Act emphasizes lawful, fair, and transparent data processing. Hypersign, a pioneer in decentralized identity solutions, has long been aligned with the Act's objectives, offering self-sovereign identity-based solutions for privacy-preserving user data management. Its blockchain identity, verifiable credentials, and selective disclosure features ensure user control, data minimization, and enhanced security.
Introduction to the Digital Personal Data Protection Act, 2023:
The Digital Personal Data Protection Act 2023, a significant development in India, seeks to regulate the processing and protection of digital personal data. With companies facing substantial fines for violations, the Act's core principles focus on lawful, fair, and transparent data usage. Additionally, it grants individuals rights to obtain information, seek correction, and file grievances related to their personal data.
Digital Personal Data Protection Act official document
Key Features of the Act:
- Applicability: The Act applies to the processing of digital personal data within India, and to processing outside India where it relates to offering goods or services to individuals in India. It does not apply to personal data processed for personal or domestic purposes, or to data that is made publicly available under certain circumstances.
- Grounds for Data Processing: The Act outlines two grounds for data processing: consent by the individual, and certain legitimate uses, including state functions, compliance with court orders, public health emergencies, and more.
- Notice: Data Fiduciaries must provide clear notice to Data Principals about the personal data that will be processed, the specified purpose, methods to withdraw consent, and grievance redressal mechanisms.
- Obligations of Data Fiduciary: Data Fiduciaries are responsible for complying with the Act's provisions, implementing technical and organizational measures, protecting personal data, providing breach notifications, and more.
- Concept of Significant Data Fiduciary: The government can designate certain Data Fiduciaries as "Significant Data Fiduciaries" based on factors like data volume and sensitivity. Such entities must appoint an independent data auditor and a Data Protection Officer and conduct audits and impact assessments.
- Processing of Personal Data of Children or Persons with Disabilities: Special provisions are in place for processing personal data of children or individuals with disabilities, including obtaining consent from parents or guardians and avoiding detrimental effects on well-being.
- Rights & Duties of Data Principal: Data Principals can access information, correct and erase personal data, seek grievance redressal, and more. They also have duties to comply with applicable laws and provide accurate personal data.
- Cross-Border Data Transfer: Cross-border transfer of personal data for processing is allowed unless restricted by the government or any other law.
- Exemptions: Some processing activities are exempt from certain provisions of the Act, such as processing for enforcing legal rights, court orders, prevention/investigation of crime, and more.
- Data Protection Board: A Data Protection Board will be established by the central government to oversee complaints, impose penalties, and make decisions related to data protection.
- Penalties: The Data Protection Board can issue monetary penalties for non-compliance, with penalties reaching up to INR 250 crore (approximately $30 million) for certain breaches.
- Appellate Procedure: Appeals from Data Protection Board orders can be filed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
- Other Provisions: The Act allows the government to exempt certain Data Fiduciaries like startups from some provisions and enables blocking public access to platforms in specific situations.
Christopher Allen's Influence:
Christopher Allen's 10 principles of self-sovereign identity resonate with the Act's objectives, aligning the focus on user autonomy and control over their digital identities. Hypersign, with its decentralized identity solutions, has been championing these principles even before the Act was introduced, promoting secure and privacy-preserving data management.
Hypersign's Alignment with Act's Objectives:
Hypersign's innovative identity solutions, rooted in decentralized identifiers (DIDs) and blockchain technology, empower individuals with self-sovereign identity. By enabling users to control their data through encrypted data vaults and verifiable credentials, Hypersign ensures data collection minimization and protection, adhering to the Act's principles. Selective disclosure and zero-knowledge proofs add an extra layer of privacy, allowing users to reveal only necessary information without compromising their entire dataset.
Enabling Self-Sovereign Identity-Based User Data Management:
Hypersign offers a comprehensive framework for companies to adopt self-sovereign identity-based data management flows. By integrating decentralized identifiers and verifiable credentials, organizations can give users control over their personal data, allowing for selective disclosure when engaging with services. Hypersign's identity wallet ensures secure storage and sharing of verifiable credentials, further aligning with the Act's focus on transparency and user control. Businesses can adopt Hypersign infrastructure to comply with the Digital Personal Data Protection Act 2023.
The Digital Personal Data Protection Act, 2023, represents a significant leap towards safeguarding individuals' privacy and data in the digital age. Hypersign's early alignment with the Act's objectives and its pioneering self-sovereign identity-based solutions showcase the company's commitment to user autonomy and data privacy. By empowering individuals with control over their personal data and offering privacy-preserving identity management, Hypersign is poised to support companies in adopting compliant and secure data management practices. As India moves towards a new era of data protection, Hypersign stands as a reliable partner, paving the way for a safer and user-centric digital landscape.
Hypersign is an innovative, permissionless blockchain network that manages digital identity and access rights. Rooted in the principles of Self-Sovereign Identity (SSI), Hypersign empowers individuals to take control of their data and access on the internet. It provides a scalable, interoperable, and secure verifiable data registry (VDR) that enables various use cases based on SSI. Built using the Cosmos-SDK, the Hypersign Identity Network is recognized by W3C (World Wide Web Consortium), promoting a seamless and secure identity management experience on the Internet.
Get in touch with us today to understand the nuances of the Act and the process of complying with it at firstname.lastname@example.org