On 11th August 2023, the Digital Personal Data Protection Bill, 2023 received the assent of the President of India after passage in both Houses of Parliament and became law as the Digital Personal Data Protection Act, 2023 (“DPDP Act”). The DPDP Act has been published in the Official Gazette by the Government; its provisions come into force on dates notified by the Central Government. The Act provides a framework for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.
By way of brief background, in 2017, a Committee of Experts headed by Justice B.N. Srikrishna (Retd.) (“Srikrishna Committee”) was constituted to identify key data protection issues and provide a legislative framework for data protection in the country. The Srikrishna Committee submitted its report in 2018 along with a draft of the Personal Data Protection Bill, 2018. Thereafter, the Personal Data Protection Bill, 2019 (“2019 PDP Bill”) was tabled before the Parliament and later referred to the Joint Parliamentary Committee (“JPC”) which published its report in 2021 along with a draft Data Protection Bill, 2021. However, on 3rd August 2022, the Government of India withdrew the 2019 PDP Bill from the Parliament. Later that year, on 18th November 2022, the Ministry of Electronics and Information Technology (“MeitY”) released the Digital Personal Data Protection Bill 2022 (“Draft DPDP Bill 2022”) for stakeholder consultations. Finally, in the 2023 Monsoon Session of the Parliament, the Draft Digital Personal Data Protection Bill, 2023 was tabled before the Parliament which, after going through the Parliamentary procedure, has now become the law in India. The DPDP Act is the first consolidated legislation governing personal data protection and privacy in India.
Brief Overview of the DPDP Act
- Key Definitions:
- Personal Data – Any data about an individual who is identifiable by or in relation to such data.
- Processing – Wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
- Data Fiduciary – Entity/person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
- Data Principal – The individual to whom the personal data relates and includes the parent of a child and lawful guardian of a person with disability.
- Consent Managers – Entity/person registered with the Data Protection Board of India, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform.
- Data Processor – Entity/person who processes personal data on behalf of a Data Fiduciary.
- Appellate Tribunal – Telecom Disputes Settlement and Appellate Tribunal
- Applicability: The DPDP Act applies to the processing of digital personal data within India when the data is collected in digital form or non-digital form but digitised subsequently. It also applies to processing of digital personal data outside India if such processing is in connection with any activity related to offering of goods or services to Data Principals within India. However, the DPDP Act does not apply to digital personal data processed for personal/domestic purpose and digital personal data that is made or caused to be made publicly available by the Data Principal or any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
- Grounds for processing: The personal data of a Data Principal can only be processed for lawful purpose for which consent has been provided or for “certain legitimate uses”.
- Notice: Data Fiduciaries are required to provide a notice, prior to or at the time of requesting consent, describing the personal data to be collected and the purpose of processing, the manner in which the Data Principal may exercise her rights (including the right to withdraw consent and the right to grievance redressal), and the manner in which she may make a complaint to the Board. Where consent was obtained before the commencement of the DPDP Act, a fresh notice must be given to the Data Principal as soon as reasonably practicable; in such cases the Data Fiduciary may continue to process the personal data until the Data Principal withdraws consent. Data Fiduciaries must also give the Data Principal the option to access the notice in English or in any of the 22 languages specified in the Eighth Schedule of the Constitution of India.
- Consent: Consent must be freely given, specific, informed, unconditional and should be an unambiguous indication of the Data Principal’s wishes, through a clear affirmative action signifying agreement to the processing of her personal data for the specified purposes and that the processing be limited to such personal data necessary for such specified purpose. Every request for obtaining consent must be in clear and plain language and the Data Principal should be given the option to access such request in English or in any of the 22 languages specified in the Eighth Schedule of the Constitution of India. While consent may be withdrawn at any point, the consequences of such consent withdrawal will have to be borne by the Data Principal and once consent has been withdrawn, the Data Fiduciary will be required, within a reasonable time, to cease processing of personal data of the Data Principal unless such processing is required or authorised under law.
- Consent Managers: Data Principals can give, manage, review or withdraw their consent through a consent manager. A consent manager is required to be registered with the Board and would be accountable to Data Principals.
- Certain Legitimate Uses: The Data Fiduciary can process personal data without providing a notice and request for consent for, inter alia, the following purposes –
- Specified purpose for which the Data Principal voluntarily provides their personal data to the Data Fiduciary and does not indicate that she does not consent to the use of her personal data
- Performance of any function under any law by the State or any instrumentality of the State, or in the interest of sovereignty and integrity of India or security of the State
- Compliance with any judgment or order
- Purposes related to employment or those related to safeguarding the employer from loss or liability including prevention of corporate espionage, maintenance of trade secrets and intellectual property, etc.
- Obligations of the Data Fiduciary: A Data Fiduciary has certain obligations under the DPDP Act, including, inter alia, the following:
- Ensure completeness, accuracy and consistency of the personal data if it is to be used to make a decision that affects a Data Principal or if it is to be disclosed to another Data Fiduciary
- Implement technical safeguards and reasonable security measures for complying with the provisions of the DPDP Act
- Notify the Board and each affected Data Principal in the event of a personal data breach
- Publish details of a Data Protection Officer (in case of a Significant Data Fiduciary or “SDF”) or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data
- Erase the personal data of a Data Principal upon withdrawal of consent, or as soon as it is reasonable to assume that the specified purpose is no longer being served, unless retention is required by law (and cause its Data Processors to do the same)
- Establish a grievance redressal mechanism
- May engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf under a valid contract
- Additional Obligations of SDF: Any Data Fiduciary or a class of Data Fiduciaries can be notified by the Central Government as SDF, based on the assessment of factors including, inter alia, the volume and sensitivity of personal data processed, risk of harm to Data Principals, risk to electoral democracy, public order. Further, SDF is required to appoint a Data Protection Officer (“DPO”), to represent the SDF and act as the point of contact for grievance redressal mechanism. SDF is also required to undertake periodic Data Protection Impact Assessment (“DPIA”), periodic audit and such other measures as may be prescribed.
- Processing of Personal Data of Children: Data Fiduciaries will have to obtain “verifiable consent” of a parent/lawful guardian before processing any personal data of a child or a person with disability who has a lawful guardian. The Data Fiduciary can neither process any personal data that is likely to cause detrimental effect on the well-being of a child nor undertake tracking or behavioural monitoring of children or targeted advertisement directed at children. Further, the Central Government can, if it is satisfied that a Data Fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe, notify for such processing by such Data Fiduciary the age above which that Data Fiduciary shall be exempt from the applicability of all or any of the obligations in respect of processing by that Data Fiduciary as the notification may specify.
- Rights of Data Principals: The DPDP Act confers the following rights on Data Principals:
- Right to seek a summary of personal data which is being processed and processing activities undertaken by a Data Fiduciary, identities of all Data Fiduciaries and Data Processors with whom personal data has been shared with description of personal data so shared, any other information related to personal data as prescribed
- Right to correction, completion, updating and erasure of personal data
- Right of grievance redressal (a Data Principal is required to exhaust the opportunity of grievance redressal before approaching the Board)
- Right to nominate another individual to exercise rights of the Data Principal, in the event of death or incapacity of the Data Principal
- Duties of Data Principals: The DPDP Act also imposes duties on Data Principals requiring them to, inter alia, comply with the provisions of all applicable laws, not to impersonate another person, not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities, not to register a false/frivolous grievance.
- Processing of Personal Data outside India: The Central Government can notify countries to which the transfer of personal data by a Data Fiduciary for processing would be restricted. However, the DPDP Act does not restrict the applicability of any law in India that provides for a higher degree of protection/restriction on the transfer of personal data outside India.
- Exemptions for Data Fiduciaries including startups: Under the DPDP Act, the obligations of Data Fiduciaries (including notice and consent), the rights and duties of Data Principals and the cross-border transfer restriction, other than the duty to implement reasonable security safeguards and the Data Fiduciary’s responsibility for processing done on its behalf, do not apply where, inter alia: Separately, the Central Government may notify certain Data Fiduciaries or classes of Data Fiduciaries, including startups, as exempt from specified provisions of the DPDP Act, having regard to the volume and nature of personal data they process.
- the processing of personal data is necessary for enforcing any legal right or claim;
- where processing of personal data by any court/tribunal/any other body is necessary for performing any judicial/quasi-judicial function;
- personal data is processed for prevention, detection, investigation or prosecution of any offence/contravention of any law;
- personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.
- personal data to be processed by the State/any instrumentality of the State, in the interest of inter alia, sovereignty and integrity of India, security of the State, maintenance of public order etc.
- processing of personal data by the State/any instrumentality of the State where the processing is for a purpose that does not include the making of a decision affecting a Data Principal.
- Data Protection Board (“Board”): A Board will be established to inter alia, determine non-compliance, impose penalties, conduct inquiry in respect of a complaint, and perform any other function as may be assigned by the Central Government.
- Appeal to Appellate Tribunal: Any person aggrieved by an order/direction made by the Board can prefer an appeal before the Appellate Tribunal.
- Voluntary Undertaking: At any stage of proceeding before the Board, the Board can accept a voluntary undertaking in respect of any matter related to observance of the DPDP Act from any person. The voluntary undertaking may state the specific action that the person seeks to take within a specified time or an action they shall refrain from pursuing. After accepting the voluntary undertaking, the Board may with the agreement of the person, vary the terms included in such undertaking. The acceptance of the undertaking shall lead to a bar on the proceedings before the Board.
- Penalties: Financial penalties have been introduced for non-compliance with the provisions of the DPDP Act. The DPDP Act also imposes a penalty on a Data Principal for non-compliance with its duties.
- Power to Call for Information: The Central Government can require the Board and any Data Fiduciary or intermediary to furnish information called for by the Central Government.
- Power of Central Government to Issue Directions: Upon receipt of a reference in writing from the Board regarding imposition of penalty by the Board on Data Fiduciaries in 2 or more instances and in the “interest of general public”, the DPDP Act allows the Central Government, to direct any agency of the Central Government or an intermediary to block access to information, where it is satisfied that it is necessary or expedient to do so after giving an opportunity of being heard to the Data Fiduciary. Every intermediary who receives such direction is bound to comply with such direction.
- Overriding Effect: Once the relevant provisions are brought into force, the DPDP Act will omit Section 43A of the Information Technology Act, 2000 (“IT Act”), which currently provides the right to seek compensation from a body corporate that is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain while possessing, dealing with or handling any sensitive personal data or information. Consequently, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, framed under Section 43A, will also cease to operate. Additionally, the DPDP Act amends the Right to Information Act, 2005 so that there is no requirement to disclose any “information which relates to personal information”.
The operationalization of the DPDP Act would be contingent on various rules/notifications issued by the Government of India and the DPDP Act will be implemented in phases through separate notifications.
| Aspect | GDPR | DPDP Act |
|---|---|---|
| Cross-border data transfer | Codifies cross-border transfer of data and allows for transfer of personal data to a third country on the basis of an adequacy decision or specified safeguards (e.g., Standard Contractual Clauses). | Cross-border transfer of data will be based on a negative list. There is no provision laying down principles for assessing the adequacy of countries that may be barred/restricted by the Central Government. Further, if any other law imposes a higher degree of restriction on the transfer of personal data outside India, that law must be followed. This means that sectoral mandates such as the RBI’s localisation requirement for payment system data will continue to apply. |
| Contents of notice | The GDPR requires the notice to include information about the recipients or categories of recipients of the personal data, the period of retention of such data, and transfers of the data. | The notice requirements have been stripped down significantly in the DPDP Act and corresponding requirements are not present. Information relating to processing activities and recipients can be accessed by the Data Principal upon request. |
| Personal data breach notification | Data Controllers are required to notify affected individuals without undue delay only if the breach is likely to result in a “high risk” to individuals. | Data Fiduciaries are required to notify the Board and affected Data Principals of any breach of personal data, without any guidance in the Act on the scale or severity of the breach. |
| Independence of the regulator | Each Member State is required to establish an ‘independent’ public authority responsible for monitoring the application of the GDPR. | While the Board is required to be an independent body, in practice it may not enjoy ‘independence’ from the Central Government, as the appointment of the Board’s officers and employees will be subject to Government approval and their conditions of service will be prescribed by the Government. |
| Right to be forgotten | The GDPR specifically caters to the right to be forgotten where personal data has been made public: a Controller, in response to a request for deletion of data that was previously made public, must “take reasonable steps” to inform any third parties processing the data that the Data Subject has requested deletion. The GDPR also obliges the Controller to communicate the deletion request directly to any known recipients of the data unless this would be impossible or would require disproportionate effort. | While the DPDP Act provides a right to erasure, and a Data Fiduciary on receipt of such a request must erase the personal data of the Data Principal, it imposes no obligation to erase personal data that has been published by the Data Fiduciary, or to inform third parties (other than its own Data Processors) that received the data from it. |
| Age of consent | The GDPR imposes additional obligations when collecting consent from children under the age of 16 (or a lower age, not below 13, set by Member State law). | The DPDP Act defines a child as an individual under 18 years of age. The Central Government can notify a lower age for a Data Fiduciary’s processing of children’s data if it is satisfied that the Data Fiduciary has ensured that such processing is done in a “verifiably safe” manner; such Data Fiduciaries would be exempt from all or any of the special obligations relating to children’s data above that age. |
By notifying the DPDP Act, the Government has taken a significant step towards introducing a comprehensive stand-alone legislation governing data protection and privacy in India. While the DPDP Act is largely based on the GDPR, there are significant departures from the GDPR. For instance, GDPR codifies cross-border transfer of data provisions and allows for transfer of personal data to a third country basis the adequacy test or specified safeguards. However, the DPDP Act does not provide any such threshold for cross-border transfer of personal data. Further, while the GDPR provides for the right to be forgotten, the DPDP Act does not specifically provide such right.
There are many concerns with the provisions of the DPDP Act. Notably, many terms used in the DPDP Act, such as “verifiable consent”, “detrimental effect on the well-being” of a child, “as soon as reasonably practicable” (for providing notice to Data Principals who had provided consent before commencement of the Act), have not been defined, leaving such terms open to interpretation. Further, the Central Government has broad powers, under the DPDP Act, to prescribe rules, regulations, and notifications in various areas, such as notice, data breach reporting, children’s digital personal data, list of countries for cross-border transfer etc. thereby giving excessive power to the government to notify the nuances of such provisions which would be critical in the effective implementation and compliance of the DPDP Act.
The DPDP Act also confers excessive powers to the Central Government allowing it to call for any information from a Data Fiduciary/Intermediary. The DPDP Act does not provide any guidance or safeguards in respect of the information that can be called for by the Government. Moreover, in addition to the Section 69A of the IT Act, the Central Government is also empowered under the DPDP Act to issue directions to an intermediary (albeit upon satisfaction of certain conditions) to block access, if it is in the ‘interest of the general public’, to information identified by the government.
Moreover, unlike the IT Act, the DPDP Act does not provide the right to seek compensation to the affected person in the event of any negligence on the part of the Data Fiduciary in implementing and maintaining reasonable security practices and procedures leading to a wrongful loss or wrongful gain while possessing, dealing or handling any sensitive personal data or information. To seek compensation from the erring Data Fiduciary, a Data Principal who suffers a civil wrong can invoke legal liability as a claimant against the person committing such wrongful act for compensatory damages, under tort law.
Furthermore, the compliance costs are likely to increase in light of the requirements, inter alia, to provide the option to access the contents of the notice and request for consent in English or any of 22 languages mentioned in the Eighth Schedule of the Indian Constitution. Further, the DPDP Act imposes a mandate of reporting data breaches to the Board and affected Data Principals. This would be in addition to the mandate of reporting cyber incidents to the Indian Computer Emergency Response Team as per the IT Act and rules and directions issued therein.
The DPDP Act prescribes hefty penalties (upto INR 250 crores, depending on the nature of the breach) for any non-compliance with its provisions on not only the Data Fiduciary but also the Data Principal.
While the DPDP Act codifies the rights and duties of Data Fiduciaries and Data Principals, Government’s approach in notifying various provisions of the DPDP Act and the timelines it seeks to provide to entities for transitioning and making appropriate administrative changes in a way that do not disrupt ongoing operations of businesses would be pivotal in the compliance and implementation of the DPDP Act.
This area of law in India is now an evolving landscape, and complete clarity will be available only once the phased implementation of the DPDP Act is complete and the corresponding rules and notifications made by the Central Government under it have been issued.