India enacted its new privacy law, the Digital Personal Data Protection Act, 2023 (DPDP Act), on August 11. Once in effect, the DPDP Act will replace the relevant provisions of the Information Technology Act, 2000, the Information Technology (Amendment) Act, 2008, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The law will come into effect on a date to be decided by the central government, which is authorized to determine different dates for entry into force of various provisions of the legislation. The central government is also entitled to enact separate rules to give effect to various provisions of the DPDP Act. Only when these rules are issued will we be able to understand the full scope of this new law.
In the interim period, businesses will have to ensure that their data systems and practices continue to comply with the provisions of current laws, while also preparing for the entry into force of the DPDP Act.
KEY FEATURES
Digital Personal Data
The DPDP Act applies to the processing of digital personal data, which is broadly defined as data in digital form (whether collected in digital form, or in non-digital form and then digitized) about an individual, who is identifiable by such data.
Extra-Territorial Application
The DPDP Act applies to the processing of digital personal data in India, and also outside India if such processing is in connection with offering goods or services to data subjects who reside in India.
Obligations of Data Controllers
The DPDP Act imposes various obligations on data controllers (or “data fiduciaries” as defined by the DPDP Act) processing digital personal data of data subjects (“data principals” as defined by the DPDP Act) in India, including the following:
- Consent: Data controllers require the consent of data subjects in order to process their digital personal data, subject to certain “legitimate use” exceptions (e.g., the voluntary provision of data, to avail of government benefits, in case of medical emergencies, or employment-related data). Such consent should be “free, specific, informed, unconditional and unambiguous” and should be communicated through clear affirmative action signifying agreement to the processing of the data subject’s personal data for the specified purpose, and shall be limited to only such personal data as is necessary for such specified purpose. Such consent may also be withdrawn by the data subject. Unlike the GDPR, the DPDP Act envisages a “consent manager” who should be registered with the Data Protection Board of India, and who would act as a point of contact to enable a data subject to give, manage, review, and withdraw their consent.
- Notice: In order to obtain consent, data controllers should provide the data subjects with a notice specifying what personal data is to be collected, the purposes for which such data will be processed, how the data subjects can exercise their rights in respect of such data and the contact details of the relevant data protection officer or other responsible person at the data controller who will be responsible for responding to data subjects’ request to exercise their rights.
- Recordkeeping: Data controllers will have to demonstrate that notice and consent requirements were met and will need to maintain relevant records.
- Data Transfers: Digital personal data may be transferred outside of India, except to countries restricted by Indian authorities. The list of restricted countries will be released later by the central government. In addition, business process outsourcing providers are exempted from the DPDP Act for processing personal data of data subjects not within the territory of India, if this is pursuant to any contract entered into with any person outside the territory of India by any person based in India. However, certain provisions of the DPDP Act would still apply, such as the obligation to implement “reasonable security safeguards to prevent [a] personal data breach.”
- Data Breaches: Data controllers are required to report personal data breaches (which includes unauthorized data processing, disclosure, alteration, loss, or actions compromising data confidentiality, integrity, or availability) to the affected data subjects and to the Data Protection Board of India. The form and manner of such reporting is to be prescribed in rules to be issued by the central government. The reporting obligations under the DPDP Act are in addition to the existing reporting obligations under India’s Computer Emergency Response Team rules.
- Data of Children and Persons with Disabilities: Before processing personal data of a child or a person with disabilities who has a lawful guardian, data controllers are required to obtain verifiable consent of the parent or guardian. Certain forms of processing involving children’s data (such as online tracking, behavioral/targeted advertising) are strictly prohibited.
- Exemptions: Data controllers have been granted exemptions, in certain specified circumstances, from specific obligations, such as the requirement for notice and consent. These include instances where the processing of digital personal data is essential for the enforcement of legal rights or claims; processing by Indian courts, tribunals, or other regulatory agencies; processing in the interest of preventing, detecting, investigating or prosecuting offenses or violations of law; processing necessary for merger/amalgamation arrangements approved by competent courts, tribunals, or authorities; and exemptions granted by the central government in specific circumstances, such as state security or the maintenance of public order.
Rights of Data Subjects
The DPDP Act provides for various rights of data subjects, including the right of access, data correction, deletion, and grievance redressal.
Regulatory Authority
The DPDP Act provides for the establishment of an independent body—the Data Protection Board of India (DP Board)—to oversee compliance, impose penalties, address data breaches, conduct investigations, and resolve grievances. The timeframe for its establishment is not specified, however. As part of a dispute resolution process, the DP Board may direct parties to a dispute to try and resolve such dispute through mediation. Appeals may be made to the Telecom Disputes Settlement and Appellate Tribunal.
Penalties
The DPDP Act prescribes penalties for noncompliance of up to 250 crore rupees ($30 million).
NEXT STEPS
Businesses processing personal data of Indian residents should assess their current state of compliance with the DPDP Act’s requirements and prepare an action plan to ensure they are able to comply with these requirements as soon as they are brought into force. In order to do this, they may have to, among other things:
- identify how all digital personal data is being collected—whether directly from data subjects or from other data controllers;
- identify third parties who are storing or processing digital personal data on their behalf;
- review current data privacy policies and processes, including data retention periods;
- design and implement consent mechanisms;
- establish processes to address various rights of data subjects; and
- establish processes for data privacy breach management.
This article is prepared for the general information of interested persons. It is not comprehensive in nature and should not be regarded as legal advice. We are not permitted to advise on the laws of India, and should such advice be required we would work alongside an Indian law firm.