Unveiling India’s New Data Privacy Law
India’s first comprehensive data privacy law, the Digital Personal Data Protection Act (“DPDPA”), was enacted in August 2023, marking a significant step towards regulating the processing of personal data in India. The law has not, however, come into force yet. The government recently released draft rules that seek to implement the DPDPA (“Draft Rules”) for public consultation, which is presently ongoing. Given the law’s reach and the size of India’s economy, it has potential implications for North American companies doing business in India.
This article is the first in a two-part series authored by our friends at Kochhar & Co in Bangalore. This first part discusses the key aspects of the DPDPA, and the second part analyses the Draft Rules in detail. Thanks to Arun Babu and Stephen Mathias for their assistance.
Applicability of the Law
The law applies to the processing of all digital personal data within India. The DPDPA also has extra-territorial applicability and applies to the processing of personal data outside India where such processing is in connection with any activity aimed towards ‘offering’ goods or services to individuals within India. The scope of ‘offering’ is presently unclear. It does, however, appear that the new law would apply to foreign data controllers that are clearly involved in marketing goods and services to data subjects in India.
Exemptions
The DPDPA exempts certain processing scenarios. The law in its entirety does not apply to personal data processed for personal or domestic purposes, and to the processing of personal data made publicly available by the data subject or by any person legally obligated to do so. There is also a blanket exemption where personal data is processed by a notified government agency for national security purposes or for preventing an offence, or where processing of personal data is necessary for research, archival, or statistical purposes.
Additionally, almost all substantive provisions of the DPDPA do not apply to processing necessary for enforcing any legal right or a court-approved corporate restructuring, for the prevention, detection, or prosecution of an offence, for ascertaining the financial status of a loan defaulter, or where personal data of foreign data subjects is processed in India pursuant to a cross-border contract.
Except for the processing scenarios mentioned above, the DPDPA applies to the processing of digital personal data for all other purposes, and such processing must be based on a lawful ground prescribed under the law.
Lawful Grounds for Processing
Consent is the main lawful ground prescribed by the DPDPA, and the law does not include commonly used lawful grounds in other jurisdictions, such as ‘legitimate interest’ and ‘contractual necessity’.
The DPDPA prescribes a high standard for obtaining valid consent and requires consent to be free, specific, informed, unconditional, unambiguous, and indicated using a clear affirmative action. This would mean that a specific and granular consent must be obtained for each purpose of processing after providing data subjects a clear and unambiguous notice detailing the proposed processing activities. However, in the absence of other lawful grounds under the DPDPA, it remains to be seen whether the pre-requisites for obtaining valid consent under the law will be interpreted in the same manner as that under other laws such as the GDPR.
The DPDPA does, however, permit processing without consent for certain ‘legitimate uses’ of personal data. These include, among others, processing for purposes related to employment and to prevent loss or liability to an employer; processing in case of medical emergencies, breakdown of public order, disaster management, or for the performance of statutory functions; and processing where a data subject voluntarily provides personal data to a data controller on his/her own initiative (“Voluntary Provision”).
Privacy Notice
The DPDPA requires a data controller to provide a privacy notice where personal data is processed based on consent or in case of Voluntary Provision. In addition to the categories of personal data collected and purposes of processing, the law requires a privacy notice to include the manner in which consent can be withdrawn, data subject grievances can be redressed, and data subjects can make complaints to the Data Protection Board of India (“DPBI”) – the adjudicatory authority proposed to be established under the DPDPA.
It is important to note that the law requires a data controller to give data subjects the option to access a privacy notice in English or in any of the 22 other languages listed under the Indian Constitution.
Children’s Personal Data
The DPDPA prescribes additional obligations and safeguards for processing children’s personal data. A child is defined under the DPDPA to mean a person aged less than 18 years. Unless exempted by the government, a data controller is obligated to obtain prior verifiable parental consent for processing children’s personal data and is prohibited from engaging in targeted advertising and behavioral monitoring of children.
Rights and Duties of Data Subjects
The law includes typical rights of data subjects such as the right to access, right to correction, updating and deletion of personal data, and right to grievance redressal. The DPDPA however does not include rights such as right to data portability, and right to not be subjected to automated decision making.
It is interesting to note that the DPDPA prescribes duties for data subjects. These include duties to comply with applicable laws while exercising rights under the DPDPA, to not register false or frivolous grievances with a data controller or the DPBI, and to furnish only authentic information while exercising the right to correction or deletion.
Data Security Safeguards and Data Breach Notifications
The DPDPA obligates data controllers to implement reasonable security safeguards to prevent a personal data breach, and to put in place appropriate technical and organizational measures to comply with their obligations under the DPDPA. The law, however, does not prescribe any such specific safeguards or measures.
A personal data breach is broadly defined under the DPDPA to mean any unauthorized processing or accidental disclosure, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability. The DPDPA does not prescribe any impact thresholds for reporting data breaches and requires all breaches to be reported to affected data subjects and the DPBI.
Data Localization
There are no data localization restrictions prescribed under the DPDPA. The government is, however, empowered to notify a blacklist of countries to which data transfers would be restricted. It is possible that countries with which India shares a hostile bilateral relationship could be included in such blacklist.
The DPDPA clarifies that it will not limit the applicability of any other Indian law that provides for a greater degree of protection for personal data, or restrictions on cross-border data transfers from India. It is relevant to note in this regard that India has data localization restrictions under various sector specific laws that apply to regulated entities operating in sectors such as payments, digital lending, telecom, securities, and insurance.
Data Processors
There are no specific obligations on data processors; all compliance requirements under the DPDPA apply to data controllers. The law does, however, require data controllers to ensure their data processors’ compliance with the law and requires the execution of a data processing agreement.
Significant Data Fiduciaries (SDFs)
SDFs are a special category of data controllers to be notified as such by the government based on factors such as the volume and sensitivity of personal data processed and the potential risks to data subject rights or to the sovereignty, integrity, and security of India arising from such processing. The list of SDFs notified by the government is likely to include social media companies, large media platforms, e-commerce marketplaces, telecom service providers, and similar businesses having a large number of customers or subscribers in India.
The DPDPA mandates certain additional compliance requirements for SDFs. These include undertaking periodic data protection impact assessments, data audits, and appointment of a data protection officer based in India.
Penalties
The DPDPA prescribes hefty monetary penalties for non-compliance. For instance, a penalty of up to INR 2.5 billion (approximately USD 30 million) is prescribed for failure to implement reasonable security safeguards to prevent a data breach. There is however no provision under the law that enables payment of compensation to data subjects affected by a violation of the law.
Way Forward
The DPDPA does not itself prescribe any timelines for implementation or a gestation period for organizations to ensure compliance, but empowers the government to do so. The government has not, however, provided any official guidance in this regard.
It is anticipated that the DPDPA and the rules implementing the DPDPA will come into force within the next 6-8 months. Given that India presently has minimal data privacy laws and low privacy standards in general, it is also expected that the government will provide organizations a reasonable timeframe to ensure compliance with the new law. Nonetheless, it may be prudent for organizations to start taking measures to align with the DPDPA to the extent possible.
Conclusion
The enactment of the DPDPA is a step in the right direction in terms of enforcing a data protection law in India, which is today the fifth largest economy in the world. The law is simpler and less prescriptive than the GDPR, and that is also a welcome move. However, the law appears to require a GDPR standard of consent to be obtained without providing separately for a principles-based ground like ‘legitimate interest’. The law also requires data breaches to be reported to both the DPBI and the data subjects in every case, without any prescribed threshold. There are other provisions that are not so business friendly, such as the need for privacy impact assessments and audits for SDFs, the powers of the government to call for information, the exceptions granted to the government, and the restrictions on the use of children’s personal data. In some senses, the DPDPA is more restrictive than global standards on data privacy law. It is hoped that in time, through delegated legislation and guidance from the DPBI, some of these requirements will be liberalized.