THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (DPDPA): APPLICABILITY OF THE LAW 

After several iterations of the Data Protection Bill, the Indian government finally enacted the Digital Personal Data Protection Act, 2023 (“DPDPA”) into law in August last year. It established a comprehensive national framework for the processing of digital personal data within the territory of India. While the effective dates for the law are yet to be notified, we expect it to be enforced in the upcoming months with phased timelines for implementation.

The Digital Personal Data Protection Act will supersede and repeal the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act, 2000, which presently acts as the primary general data protection law in India.

This article aims to provide an overview of the material and territorial applicability of the DPDPA and provides practical tips for businesses to determine whether the new data protection law in India applies to them.

MATERIAL APPLICABILITY AND EXEMPTIONS

The DPDPA regulates “data fiduciaries”, “data principals”, and in limited circumstances, “consent managers” and “intermediaries”. The DPDPA also recognises “data processors” but does not regulate them directly. A “data fiduciary” determines the purpose and means of processing personal data (either alone or in conjunction with others). A “data processor” is any person who processes personal data on behalf of a data fiduciary, and a “data principal” is the individual to whom the personal data relates.

An “intermediary”, as defined under the Information Technology Act, 2000, is any person (with respect to any electronic record) who on behalf of another person receives, stores, or transmits that record or provides any service concerning that record, such as telecom service providers and online marketplaces. The central government has reserved the power to issue directions for the blocking of any information processed by intermediaries under the DPDPA.

The DPDPA also introduces an additional category of “significant data fiduciaries”. The central government is empowered to designate entities as significant data fiduciaries, depending on the volume of personal data processed, the sensitivity of such data, the risk of harm posed to the rights of data principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, security of the State, and public order. The designated significant data fiduciaries will be held to satisfy enhanced obligations to remain compliant.

Separately, the DPDPA also introduces the concept of “consent managers”, who are intended to be independent entities registered with the Data Protection Board of India, and who act on behalf of data principals to manage their consent preferences.

The Digital Personal Data Protection Act excludes certain processing activities and types of data from its ambit. In particular, it exempts (a) personal data made publicly available by the data principal or any other person who is under an obligation under any law to make such data publicly available; (b) non-digital personal data; (c) personal data used for personal or domestic purposes; (d) processing by state instrumentalities identified by the Indian government for public interest purposes; and (e) processing for research, archival, and statistical purposes. Additionally, it exempts the processing of personal data in the following cases:

  • for the enforcement of legal rights or claims;
  • by courts or other quasi-judicial bodies;
  • in connection with the investigation of offences; and
  • for the purposes of mergers and acquisitions or corporate restructuring.

Further, the processing of personal data of data principals located outside India, pursuant to a contract entered into with any person outside the territory of India by any person based in India, is exempt from the requirements on cross-border transfers, the obligations in connection with data principals’ rights, and the transparency and accountability principles and obligations.

TERRITORIAL APPLICABILITY

The DPDPA applies to the processing of “digital personal data” within the territory of India, where the personal data is collected in (a) digital form or (b) non-digital form but is digitised subsequently. Much like data protection acts found in the European Union and the United States of America, the Digital Personal Data Protection Act is also applicable extraterritorially to the processing of personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to individuals within the territory of India.

IMPACT ON BUSINESSES

With the enactment of the Digital Personal Data Protection Act, businesses are recommended to undertake a comprehensive data compliance exercise to determine the scope of their personal data processing activities and the extent to which the DPDPA applies to their operations. The DPDPA acts as the overarching regulation for data laws in India and is applicable extraterritorially. Consequently, multinational companies must, during their global data reviews, assess their Indian presence to determine whether the DPDPA will apply to their Indian operations. If businesses suspect that their operations may be regulated by the DPDPA, they may take additional steps to prepare for compliance, including:

  • undertaking a data mapping exercise to identify the personal data points collected and processed by the organisation;
  • identifying actor characterisation for each processing activity. Since data processors do not have any direct obligations under the law, characterisation as a data processor significantly reduces compliance obligations;
  • identifying appropriate legal bases for processing each category of personal data;
  • identifying the cross-border data flows and preparing server maps; and
  • consulting the best data privacy law firms to assist with compliance.