On August 11, 2023, India enacted the Digital Personal Data Protection Act, 2023 (“DPDP Act”). The DPDP Act is the fifth iteration of India’s proposed personal data protection legislation and appears to be based on the draft Digital Personal Data Protection Bill, 2022, released by the Ministry of Electronics and Information Technology on November 18, 2022 for public consultation. The DPDP Act focuses on digital personal data and does not apply to non-personal data. Once its provisions are brought into force, the DPDP Act will replace Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The DPDP Act is to come into force in a phased manner, i.e., as and when the Central Government notifies its provisions from time to time.
i. Applicability:
- Only Applies to Digital Personal Data – The DPDP Act applies only to personal data in digital form, whether it was collected in digital form or collected in non-digital form and digitised subsequently.
- Overseas Applicability – The DPDP Act applies to digital personal data that is processed outside India, only if such processing is in connection with any activity related to offering of goods or services to data principals (data subjects) in India.
- Exclusions – The DPDP Act does not apply to: (i) personal data processed by an individual for any personal or domestic purpose; or (ii) personal data made publicly available by the data principal herself, or by any other person who is under a legal obligation to make such data publicly available.
ii. Data Protection Principles: The DPDP Act encapsulates the following essential principles:
- Purpose Limitation – Personal data should only be processed for a lawful purpose for which the data principal has given her consent and in accordance with the DPDP Act; and
- Collection Limitation – Only such personal data should be collected which is necessary.
iii. No Sub-classification of Personal Data: The provisions of the DPDP Act apply to all kinds of personal data and do not envisage sub-categories of personal data, such as sensitive personal data or critical personal data. Accordingly, the requirements of the DPDP Act will apply equally to all forms of personal data, agnostic of the nature or type of the personal data. This approach deviates from the current Indian data protection law contained in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which make a distinction between ‘personal information’ and ‘sensitive personal data or information’ and prescribe incremental compliance requirements for the processing of sensitive personal data or information.
iv. Consent & Notice:
- Affirmative Consent – Consent is the underlying basis for processing personal data and needs to be free, specific, informed, unconditional and unambiguous. Such consent has to be provided by a clear affirmative action, and signify the data principal’s agreement for processing of her personal data for the specified purpose.
- Withdrawal of Consent – The data principal has the right to withdraw consent at any time, with the same level of ease with which she gave her consent. Such withdrawal of consent will not affect the legality of processing of the personal data carried out on the basis of consent before its withdrawal.
- Notice – A notice needs to be provided to the data principal, along with or preceding every request for consent, informing the data principal about the personal data and the proposed purpose of processing, and the manner in which she may exercise her right to withdraw consent, avail the grievance redressal mechanism and make a complaint to the Data Protection Board (‘DPB’). Where the data principal has given consent for processing her personal data before the law comes into force, a similar notice needs to be provided to her as soon as it is reasonably practicable, and the data fiduciary may continue processing her personal data until she withdraws the prevailing consent in response to that notice.
- Notice & Consent in Multiple Languages – The data principal should have the option to view the notice and consent form in English or in any other language specified in the Eighth Schedule of the Constitution of India (which includes Urdu, Tamil, Telugu, Sanskrit, Punjabi, Marathi, Hindi, Kannada, Bengali, Gujarati, Kashmiri, etc.).
- Legitimate Uses (for processing without consent) – The DPDP Act has rechristened the concept of ‘deemed consent’, which the draft Bill released in 2022 envisaged for processing personal data in certain special use cases without the consent of the data principal, as ‘legitimate uses’. The legitimate uses for which a data fiduciary may process the personal data of a data principal without obtaining her consent include: the specified purpose for which the data principal has voluntarily provided her personal data without objecting to such processing; processing for purposes of employment; responding to medical emergencies; performing any function under law or the State providing any service or benefit to the data principal; compliance with any judgment or order issued under any law; etc.
v. Obligations of Data Fiduciary: Data fiduciaries are responsible for compliance with the DPDP Act, including for processing of personal data undertaken by a data processor on their behalf. Where the data fiduciaries are processing personal data that is likely to be used to make a decision that affects the data principal or is to be shared with another data fiduciary, they are required to ensure accuracy and completeness of such personal data. Data fiduciaries are also required to delete personal data, if the data principal withdraws her consent or if it is reasonable to assume that the specified purpose is no longer being served, unless such retention is necessary for compliance with law.
vi. Notification of Personal Data Breach: Personal data breaches need to be intimated by the data fiduciary to the DPB and each affected data principal in such manner as may be prescribed.
vii. Cross-border Transfer of Personal Data: Personal data can be transferred by a data fiduciary to any other country or territory for processing, unless the Central Government restricts such transfer to any notified countries. In other words, the DPDP Act adopts a blacklisting approach which implies that personal data is freely transferable unless the transfer is proposed to be made to a territory or a country which is ‘blacklisted’ by the Central Government. That said, the DPDP Act clarifies that if there is any other law or sectoral regulation, which provides for a higher degree of protection for, or restriction on, transfer of personal data outside India, whether it is in relation to certain personal data or a class of data fiduciaries, such law or regulation will apply.
viii. Significant Data Fiduciaries: The Central Government may notify any data fiduciary or class of data fiduciaries as significant data fiduciaries, taking into account multiple factors (such as the volume and sensitivity of personal data processed, risk to the rights of the data principal, security of the State, etc.). Significant data fiduciaries need to comply with additional requirements, such as appointing an individual based in India as data protection officer, appointing an independent data auditor to evaluate compliance with the DPDP Act, conducting periodic data protection impact assessments and audits, and undertaking such other measures as may be prescribed.
ix. Data of Children and Persons with Disability: Verifiable consent of the parent or lawful guardian is required to process the personal data of children and of persons with disabilities who have a lawful guardian. The DPDP Act prohibits tracking or behavioral monitoring of, and targeted advertising directed at, children, and the processing of children’s data that is likely to cause any detrimental effect on the well-being of a child. Notably, the DPDP Act enables the Central Government to exempt classes of data fiduciaries, and processing for certain purposes, from the requirement of obtaining parental consent and from the prohibition on behavioral monitoring. It also empowers the Central Government to exempt data fiduciaries processing the data of children above a certain age but under 18 years, in certain situations, from the specific obligations attached to processing children’s data.
x. Rights of Data Principals: The DPDP Act provides certain rights to data principals, which include: the right to access information about personal data, including a summary of the personal data being processed, the underlying processing activities, any other information as prescribed, and the identities of all other data fiduciaries and data processors with whom such data has been shared; the right to correction and erasure of personal data; and the right to nominate an individual to exercise these rights on their behalf in the event of their death or incapacity, etc. As per the DPDP Act, data fiduciaries need to offer readily available grievance redressal mechanisms to data principals. In this regard, the data principal must exhaust all options for grievance redressal before approaching the DPB.
xi. Data Protection Board of India: The DPDP Act contemplates the establishment of a DPB, as an enforcement body, which will have powers, inter alia, to direct any urgent remedial or mitigation measures on receipt of intimation regarding a personal data breach, inquire into such breach, impose penalties for non-compliances, inspect any document, summon and enforce attendance of any person etc. An appeal may be preferred against an order of the DPB before the Telecom Disputes Settlement and Appellate Tribunal (‘TDSAT’) established under the Telecom Regulatory Authority of India Act, 1997 within specified timelines, and in the prescribed manner. An appeal against the order of the TDSAT may be preferred before the Supreme Court of India.
xii. Power to Call for Information and Block Access: The DPDP Act empowers the Central Government to call for any information from the DPB, a data fiduciary or any intermediary. Where the Central Government receives a reference from the DPB that it has imposed monetary penalties on a data fiduciary in two or more instances, and the DPB advises blocking of public access to any information transmitted on any computer resource, the Central Government may, in the interest of the general public, direct such blocking by a written order passed after giving the data fiduciary an opportunity to be heard.
xiii. Penalties:
- Monetary Penalties for Breach – Depending on the nature of contravention, monetary penalties up to INR 250 crores may be levied by the DPB on the conclusion of an inquiry. Several factors may be taken into account to determine the quantum of penalties including – nature, gravity and duration of breach, type of personal data affected, repetitive nature of breach, and whether as a result of a breach, the defaulting person has realized a gain or avoided any loss etc.
- No Compensation – The DPDP Act does not provide for payment of compensation to data principals whose personal data has been compromised. This is a deviation from the Information Technology Act, 2000, which allows affected data principals to claim compensation from a data fiduciary that failed to implement reasonable security safeguards and, as a consequence, caused wrongful loss or gain. That said, the DPDP Act casts certain duties on data principals, amongst others, to furnish only verifiably authentic information, not to impersonate another person while providing personal data for a specified purpose, and not to register a false or frivolous grievance or complaint with a data fiduciary or the DPB. For any breach of such duties, a data principal may be penalized up to INR 10,000.
xiv. Voluntary Undertaking: The DPDP Act also allows the DPB to accept from a person facing action for non-observance under the law a voluntary undertaking, which may include a commitment: (a) to take action within a time frame as determined by the DPB; or (b) to refrain from taking specified action; and/ or (c) to publicise the voluntary undertaking. Once such voluntary undertaking is accepted by the DPB, it will constitute a bar on proceedings under the law as far as it relates to the contents of the voluntary undertaking.
xv. Exemptions: The DPDP Act exempts from applicability, (a) all of its provisions, in case of processing by certain notified instrumentalities of State, in the interests of sovereignty and integrity of India, maintenance of public order, etc.; and (b) some of its provisions, in case processing is necessary for enforcement of a legal right or claim, merger or amalgamation, investigation or prosecution of an offence, etc. The DPDP Act also provides an enablement for the Central Government to exempt by notification certain data fiduciaries including startups from specified obligations such as notice and retention requirements, those applicable to significant data fiduciaries, etc.