GUARDIANS OF DATA: UNRAVELLING DATA FIDUCIARY OBLIGATIONS UNDER DATA PROTECTION LAWS IN INDIA

Introduction

In August 2023, the Indian government enacted India's first comprehensive data protection law, the Digital Personal Data Protection Act, 2023 (“DPDPA”). [The new data privacy law in India is not yet in effect. We expect the Indian government to notify the Digital Personal Data Protection Rules sometime in 2024 to bring the new data privacy act into force.] The DPDPA primarily regulates the processing of personal data by “data fiduciaries”, that is, entities that determine the purposes and means of processing personal data. Data fiduciaries bear the overarching obligation to comply with the DPDPA for any personal data processing undertaken by themselves, or on their behalf by “data processors”. Data processors are not directly regulated under the DPDPA. The DPDPA further empowers the Indian government to notify certain data fiduciaries as “significant data fiduciaries” based on factors such as the types of personal data processed, risks to the rights of data principals (the individuals to whom the personal data pertains), and other public interest reasons. Significant data fiduciaries are subject to additional obligations under the DPDPA.

Our leading data protection lawyers in India provide a brief overview of data fiduciary obligations under the DPDPA in this note. Organisations should seek the help of lawyers well-versed in data privacy laws in India, at one of the best data privacy law firms, to understand the implications.

Data Fiduciary Obligations

Data fiduciaries have the following obligations under the DPDPA:

  1. Compliance with the DPDPA: Data fiduciaries are required to implement appropriate technical and organisational measures to ensure the effective observance of the provisions of the DPDPA. Data fiduciaries may consult data protection lawyers to understand best practices in this regard.
  2. Identify grounds for processing personal data: Personal data may only be processed (i) with the consent of the data principal, or (ii) for certain “legitimate uses”, such as an individual’s voluntary provision of their data, certain processing by the State, compliance with a legal obligation to disclose personal data under law, compliance with a judgment, decree, or order, responding to certain medical emergencies, or taking measures to ensure safety or provide assistance during disasters or breakdowns of public order.
  3. Notice requirements: If the legal basis of processing is consent, data fiduciaries are required to provide data principals with a privacy notice setting out details of the personal data processing activities.
  4. Engaging subprocessors: Data fiduciaries are only permitted to engage subprocessors under the terms of a valid contract.
  5. Data accuracy: If personal data is to be processed to make decisions about the data principal, or is to be disclosed to another data fiduciary, then data fiduciaries are required to ensure the completeness, accuracy, and consistency of such personal data.
  6. Implementing data security standards: Data fiduciaries are required to implement reasonable security safeguards to prevent personal data breaches.
  7. Breach notification: Data fiduciaries are required to report personal data breaches to the Data Protection Board of India (the regulator to be established under the DPDPA) as well as to the affected data principals. [The form, manner, and threshold for such notification are yet to be notified.]
  8. Data erasure: Unless retention is required under applicable law, data fiduciaries are required to (i) erase personal data upon the data principal withdrawing their consent, or as soon as the specified purposes are no longer being served, whichever is earlier, and (ii) cause their data processors to erase such personal data.
  9. Grievance redressal: Data fiduciaries are required to establish grievance redressal mechanisms and publish their business contact information.
  10. Processing data of children or persons with disability: Prior to processing the personal data of children or persons with disabilities, data fiduciaries are required to obtain the verifiable consent of the parent or legal guardian. Separately, data fiduciaries are not permitted to undertake processing detrimental to the well-being of children, or to undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
  11. Enabling data principal rights: If data fiduciaries rely on the consent of the data principal to process personal data (including implicit consent through an individual’s voluntary provision of their data), data principals have the rights to access information about their personal data, to have it corrected, and to have it erased. Additionally, data principals generally have the right of grievance redressal, and the right to nominate individuals to exercise their rights in the event of their death or incapacity.
  12. Cross-border data transfers: Cross-border transfers of personal data from India are generally permitted under the DPDPA. The Indian government has reserved the power to notify a negative list of countries to which cross-border transfers will not be permitted. Organisations may engage one of the best data protection law firms to determine cross-border transfer protocols.
  13. Obligations of significant data fiduciaries: Significant data fiduciaries are further required to (i) appoint data protection officers, (ii) appoint data auditors to carry out data audits and evaluate compliance with the DPDPA, and (iii) undertake periodic data protection impact assessments.

Next Steps

The DPDPA constitutes the new Indian data protection law. Organisations must first analyse whether they constitute data fiduciaries (the DPDPA's equivalent of data controllers) under the DPDPA. If so, they must draw up a roadmap or plan of action for achieving compliance with the DPDPA. Companies based outside of India may need to revamp their data privacy policy for India to achieve compliance with the DPDPA. Organisations may consider engaging law firms well-acquainted with internet privacy laws in India. Spice Route Legal is one of the best data privacy law firms in India. It ranks tier 1 amongst a range of leading Indian data protection law firms that specialise in data protection and cybersecurity laws. Spice Route Legal also provides other legal compliance services, including under its regulatory law practice.