The Digital Personal Data Protection Act, 2023: A Deep Dive

Introduction

Over the years, India has seen various iterations of a draft data protection law. In August 2023, the Digital Personal Data Protection Act, 2023 (“DPDPA”) was passed by the Indian parliament. It is expected to come into effect in a phased manner.

Applicability and Exemptions

The DPDPA 2023 regulates the processing of personal data in India that is either collected in digital form or personal data that is collected in non-digital form but is later digitised. It also applies extraterritorially if processing occurs outside India in connection with the offering of goods or services to data principals in India. It exempts processing (a) of publicly available data that is made available by the data principal to whom such data relates or any other person who is under an obligation under any law to make such data publicly available, (b) of non-digital personal data, (c) by individuals for personal or domestic purposes, (d) by state instrumentalities identified by the Indian government for public interest purposes, and (e) for research and statistical purposes.

Additionally, certain types of activities are exempt from specific provisions under the DPDP Act 2023. For instance, processing of personal data (a) for enforcement of legal rights or claims, (b) by courts, (c) in connection with investigation of offences, (d) in connection with mergers and acquisitions or corporate restructuring purposes, and (e) of non-resident Indians pursuant to a contract entered into with any person outside India by a person within India, is exempt from requirements on cross-border transfers, obligations in connection with data principals’ rights, and certain data fiduciary obligations.

Defined Actors as Per the Indian Data Protection Law

The DPDPA regulates “data fiduciaries”, “data processors”, and “data principals”. A “data fiduciary” is any person who either alone or in conjunction with others determines the purpose and means of processing personal data. A “data processor” is any person who processes personal data on behalf of a data fiduciary and a “data principal” is the natural person to whom personal data relates. The DPDPA does not impose any direct statutory obligations on data processors.

The Indian Government also has the power to create sub-categories of data fiduciaries, called “significant data fiduciaries”, based on factors such as the volume and sensitivity of the personal data processed, risk to the rights of data principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order. Significant data fiduciaries will be subject to enhanced compliance obligations under the law.

The Indian Government will set up a “Data Protection Board of India” (the “Board”), an authority that is tasked with ensuring compliance with data protection laws in India and their and enforcement. The Board is intended to function as an independent body; however, the Indian Government has the right to prescribe its composition, selection, and conditions of appointment of its members. Separately, the DPDPA introduces the concept of “consent managers”. They are entities registered with the Board that act on behalf of data principals to manage their consent preferences.

Grounds of Processing

Consent is the primary ground for processing personal data. Personal data may also be processed for the following legitimate uses: (a) the data principal voluntarily provides personal data to a data fiduciary to which the data principal has not indicated that they deny consenting to the processing of such personal data; (b) the processing is necessary for the performance of any State function or the provision by the State of any service or benefit; (c) the processing is necessary for compliance with directions or orders issued by courts; (d) the processing is necessary for responding to a medical emergency that involves a threat to the data principal or any other individual; (e) the processing is necessary for the provision of medical treatment or health services during an epidemic, outbreak of disease, or other threat to public health; (f) the processing is necessary during a disaster or a breakdown of public order; and (g) the processing is necessary for employment-related purposes.

The carve-outs generally seen across international data protection laws, such as processing (a) for compliance with legal obligations, (b) for the performance of a contract, and (c) legitimate business interests are grounds excluded under the DPDP Act 2023. This will require businesses to rehaul global data protection compliances and create India-specific architectures.

Consent, Notices, and Translations

As per the data privacy policy in India, when personal data is processed on grounds of consent, it must be freely given, specific, informed, and an unambiguous indication of a data principal’s wishes. It must be in the form of clear affirmative action and must be capable of being withdrawn. Consent must be preceded by the provision of a privacy notice that must be available in English and the 22 languages specified in the Eighth Schedule of the Constitution.

Consent requests should also contain the contact details of a data protection officer or of any person authorised by the data fiduciary to respond to communication from the data principal. Privacy notices which accompany consent requests must include information about:

  1. personal data sought to be collected and the purposes of processing;
  2. the manner of withdrawing their consent;
  3. grievance redressal mechanisms; and
  4. the manner of filing a complaint with the Data Protection Board of India (“the Board”).

The Indian government will further prescribe the manner in which such notices must be provided and consent obtained.

Managing Pre-Law Personal Data and Ongoing Processing Activities

If data fiduciaries have relied on consent for processing prior to the commencement of the law (as would be the case for almost all businesses in India, in line with the existing data protection framework under the Information Technology Act, 2000), they are obliged to provide multiple-language privacy notices to data principals as soon as reasonably practicable in formats that will be prescribed by the Indian government.

Children’s Data

Data fiduciaries are prohibited from processing personal data that is likely to cause any detrimental effect on the well-being of a child, tracking, undertaking behavioural monitoring on, or directing targeted advertisements towards children. The Indian government may, however, create exemptions to these prohibitions.

The processing of personal data of individuals below the age of eighteen requires the consent of their parent or guardian, and the term “data principal” would, in relation to such an individual, include their parent or guardian. The consent obtained in this regard must be verifiable and in a manner that will be prescribed by the Indian government.

Further, if the Indian government is satisfied that a data fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe, it may notify the age above which the data fiduciary may be exempt from applicability of certain obligations with respect to processing of children’s data.

Localisation

Cross-border data transfers are permissible with the exception of restricted territories notified by the Indian government. If any other law that is in force provides for a higher degree of protection or restriction on the transfer of personal data, such law will have an overriding effect. Accordingly, existing sector localisation restrictions are unlikely to change.

Security Safeguards and Data Breaches

Data fiduciaries must implement technical and organisational measures to ensure compliance with the DPDPA and implement security safeguards to prevent personal data breaches. They must notify the Board and affected data subjects of personal data breaches. Modalities of reporting requirements will be prescribed by the Indian government. A failure to implement security safeguards is punishable with fines of up to INR 2,500,000,000, and a failure to report incidents with fines of up to INR 2,000,000,000, which are among the highest penalties proposed under this law.

These obligations will apply in addition to the cybersecurity incident obligations arising out of the present cybersecurity regulations in India. These include the Directions under sub-section (6) of section 70B of the Information Technology Act, 2000, relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet (“CERT-In Directions”), issued by the Indian Computer Emergency Response Team (“CERT-In”). The data protection and cybersecurity law together aim to strengthen the protection of sensitive information and enhance digital privacy in the country.

Additional Obligations

Data fiduciaries are primarily responsible and liable for compliance with the DPDPA and should therefore ought to be able to demonstrate compliance.

The DPDPA imposes general obligations on data fiduciaries including a limited notice requirement, obligations of accountability, accuracy, and completeness of personal data being processed, data retention obligations, implementation of security, technical, and organisational measures, implementation of an effective grievance redressal mechanism, and appointment of grievance redressal personnel. Additionally, data processors may only be appointed by data fiduciaries under a contract when the processing activity is in relation to goods and services offered to data principals.

Significant data fiduciaries are subject to marginally more complex obligations, including appointing a data protection officer located in India, appointing an independent data auditor to evaluate their compliance with the law, and undertaking data protection impact assessments and audits. Details and formats of these additional obligations will be prescribed by the Indian government.

Data Principal Rights and Duties

Data principals that have provided consent to process their personal data have a right to obtain a summary of personal data processed and the corresponding processing activity, identities of the data fiduciaries with whom personal data has been shared together with the categories of data, together with additional information that may be prescribed by the government. Data principals that have provided consent to process their personal data also have a right to correct and erase their personal data. All data principals, regardless of the grounds on which their personal data is processed, have a right to readily available means of grievance redressal and the right to nominate another individual to exercise their rights in the event of death or incapacity.

Data principals are subject to certain duties under the DPDPA. For example, data principals cannot register false or frivolous grievances with the Board (which has a corresponding ability to impose costs in such cases) furnish false information, suppress information, or impersonate another person while exercising their rights. Fines for non-compliance may extend to INR 10,000.

Process of Enforcement

The Board is tasked with the enforcement of the DPDPA. Enforcement proceedings may arise out of a complaint made by a data principal, a reference by the Central or any State Government, directions issued by courts, or what appears to be a suo moto ability to take action against data principals who fail to comply with their obligations under the proposed law.

The Board will determine if there are sufficient grounds to undertake an inquiry. If maintainable, inquiries must be conducted in accordance with the principles of natural justice. Enabled with the powers of a civil court, the Board has the ability to issue interim orders during proceedings, seek the assistance of the police and government officials, impose financial penalties, and where appropriate, direct complaints to be resolved by a Board-approved mediation or another alternate dispute resolution process. Appeals against any decision of the Board may be brought before the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”) within sixty days from the date of receipt of the order or direction appealed against in a manner that will be prescribed by the Indian Government. Appeals against TDSAT’s decisions may be brought before the Indian Supreme Court.

Voluntary Undertakings – A New Form of Compounding?

The DPDPA permits data fiduciaries to submit “voluntary undertakings”. These are commitments by entities to undertake certain actions, refrain from other actions, or publicise their commitments when a dispute has been raised before the Board. When submitted to and accepted by the Board, an undertaking acts as a bar on any proceedings before the Board that are connected with its subject matter.

Penalties

The financial penalties prescribed under the proposed law are among the larger fines prescribed by existing Indian laws and may extend to INR 2,500,000,000. The DPDPA also allows for the possibility for the Indian government, in the interest of the general public, to order intermediaries to block access to information processed in any computer resource that enables a data fiduciary to provide goods and services to data principals based in India. Penalties may be further be amended by notification by the Indian government to twice the amount specified under the DPDPA 2023. The table below provides a reference to the general obligations under the DPDPA with the corresponding penalties that may be imposed.

Sl. No. Particulars Sanction
1. Breach by a data fiduciary to take reasonable security safeguards to prevent data breaches Punishable with fines of up to INR 2,500,000,000
2. Breach in observing the obligation to give the Board or affected data principal notice of a personal data breach. Punishable with fines of up to INR 2,000,000,000
3. Breach in observance obligations with respect to processing of children’s personal data. Punishable with fines of up to INR 2,000,000,000
4. Breach in observance of obligations of applicable to significant data fiduciaries. Punishable with fines of up to INR 1,500,000,000
5. Breach by data principals of their duties prescribed under the DPDPA. Punishable with fines of up to INR 10,000
6. Breach of any term of voluntary undertaking accepted by the Board. Punishable with fines up to the extent applicable for the breach in respect of which the proceedings were instituted.
7. Breach of any other provision of the DPDPA or rules prescribed under the DPDPA for which penalties have not been specified. Punishable with fines of up to INR 50,00,00,000

Conclusion

The forthcoming law, on the verge of implementation, appears to be a simple and practical trigger towards a privacy compliant future in India.

To establish a foothold before notification of the DPDPA, companies should begin internally effecting comprehensive data inventories, restructuring their current data processes by evaluating the grounds on which the types of personal data are processed, escalating processes to ensure adequate security practices, and internally streamlining and appointing personnel to manage data subject requests. More practically, albeit a longer process towards compliance, companies must actively begin putting together notices, engaging translators to be in compliance with notice requirements, and rethink specific purposes for the use of personal data.

We also expect rules prescribed under the DPDPA will address any major ambiguities currently present under the draft.