With technology developing at an unprecedented rate, the Digital Personal Data Protection Act (DPDPA) marks a necessary advancement in technology and data privacy laws in India. However, the DPDPA is lean, covering only the substantive requirements, with significant details (e.g., restrictions on cross-border transfers, the contents and timing of a data breach notice, and the time period for grievance redressal) being left to rule-making. For now, it seems that the law will evolve further only after the additional rules are officially notified.
The DPDPA received presidential assent and was published in the official gazette on 11 August 2023, less than a week after it was passed by the lower house of Parliament, marking a watershed moment for data privacy in India. The enactment of the DPDPA is a culmination of India’s ongoing efforts to enact a data protection regime starting from 2017, after the Justice KS Puttaswamy vs Union of India judgment identified privacy as a fundamental right in India.
While the DPDPA has been enacted, it has not come into effect yet. Although the DPDPA does not stipulate a transition period, it grants the Union government the discretion to notify different dates for the commencement of different provisions, thereby adopting a phased approach to implementation. Until the DPDPA is brought into force, the existing laws pertaining to data privacy, i.e., the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and the applicable provisions of the Information Technology Act, 2000 (IT Act), will continue to apply.
Here is an overview of the key provisions of the DPDPA and its implications on businesses looking to develop and implement comprehensive privacy compliance programmes in India.
SCOPE & APPLICABILITY
Scope
The DPDPA defines personal data as any data about an individual who is identifiable by or in relation to such data. This means that non-personal data (such as anonymised data) will not be regulated by the DPDPA.
Further, the DPDPA applies only to the processing of digital personal data, i.e., personal data that is either collected in digital form or collected through traditional non-electronic methods and digitised subsequently. This means that data of any nature that remains in analogue form is outside the scope of the DPDPA.
Territorial applicability
The DPDPA applies to all processing of digital personal data within India. It also applies to the processing of such data outside of India if the processing is in relation to any activity related to the offering of goods and services to data principals in India.
Notably, the definition of data principals is broad and contains no restrictions based either on residence or citizenship. This means that the processing of digital personal data of a foreigner residing in India will be covered by the provisions of the DPDPA.
Exemptions
The DPDPA does not apply to personal data which is processed for personal or domestic use, or that is made publicly available either by the data principal to whom such information relates or by a third party where required by law.
Additionally, the DPDPA does not apply to the processing of personal data for research, archiving, or statistical purposes subject to such data not being used to make decisions specific to a data principal and being carried out in line with the standards that may be prescribed by the Union government.
The Union government has the power to exempt a) certain government instrumentalities for certain specific purposes, including in the interest of the sovereignty and integrity of India, security of the state, and maintaining public order; and b) certain data fiduciaries, including start-ups, from the applicability of specific provisions.
GROUNDS FOR PROCESSING PERSONAL DATA
Under the DPDPA, data fiduciaries are responsible for processing personal data for a lawful purpose, and only if the data principal has provided consent, or if it pertains to a legitimate use of such data.
Consent
The DPDPA requires consent to be:
a) Free, specific, informed, unconditional, and unambiguous;
b) Provided through a clear affirmative action signifying an agreement; and
c) Limited to personal data necessary for the specified purpose.
This signifies that, similar to the GDPR, the DPDPA imposes a purpose limitation on collected data, i.e., the data may only be used for the specified purpose for which it was collected, and separate consent must be obtained to process the data for a new purpose.
Notice
In order to obtain consent, the data fiduciary must provide a notice to the data principal either prior to or at the time of collection of personal data. Such notice must state the data being collected and the purpose of collection, rights of a data principal, and grievance redressal measures.
Legacy data
The DPDPA seeks to address the issue of regulation of data collected prior to its enactment (legacy data). In respect of such legacy data, the data fiduciary is required to provide a notice to the data principal in the same manner set forth above. A data fiduciary may continue processing legacy data until the data principal withdraws consent in respect of such data.
Burden of proof
Where consent forms the basis for collection of data, the burden to prove that valid consent was obtained from a data principal lies on the data fiduciary.
Legitimate uses
In addition to consent, the DPDPA classifies other lawful grounds for processing personal data as a legitimate use. This includes data shared during a medical emergency, or for providing medical treatments or health services, disaster relief, or for compliance with a legal order.
The state has been granted broad powers in respect of processing personal data for carrying out any function required by law, including for providing benefits or subsidies, and in the interest of sovereignty and integrity of the country.
Voluntary sharing
A data fiduciary may also process personal data that is shared by a data principal voluntarily (presumably, without the need to obtain consent) and without any indication of objection to such processing, subject to purpose limitation. An example of such sharing enumerated in the DPDPA is where one provides their phone number to acknowledge receipt of payment at a store.
Employment purposes
Employers generally collect vast amounts of personal data such as Aadhaar number, PAN details, and bank account details in the course of employment. A data fiduciary may process data for employment purposes, or to protect employers from loss or liability – without the need to obtain specific consent.
OBLIGATIONS OF DATA FIDUCIARY
Accountability
A data fiduciary is principally accountable for compliance with the DPDPA and any rules made thereunder, both for its own processing and for that of any data processors it engages (data processors have no direct responsibility under the DPDPA). This includes implementing technical and organisational measures and security safeguards, and ensuring the completeness, accuracy, and consistency of data.
Grievance redressal
The DPDPA requires a data fiduciary to establish a grievance redressal mechanism; however, it does not specify any time period to respond to and resolve such grievances, thus leaving it open to rule-making. It specifies that the data protection board (Board) may only be approached by a data principal after exhausting the remedy available through a data fiduciary’s grievance redressal mechanism.
Notice of breach
In case of a data breach, a data fiduciary must notify the Board and each data principal affected by such breach. The specifications of such notice, including the time period and content, will be set out in the rules.
Data retention
Unless otherwise required by law, a data fiduciary must delete personal data as soon as the purpose for which it was collected is served, or upon withdrawal of consent by the data principal.
Significant data fiduciaries
The Union government has the power to designate significant data fiduciaries, who have additional obligations including carrying out periodic data protection impact assessments and audits, and any other measures set out in the implementing rules.
SPECIAL CATEGORIES OF DATA
The DPDPA creates significant obligations in connection with processing personal data of children or persons with disabilities. A data fiduciary is required to obtain verifiable consent from a parent or lawful guardian prior to processing such data.
It also prohibits data fiduciaries from engaging in processing of personal data to undertake tracking, behavioural monitoring, or for the provision of targeted advertisements to children.
RIGHTS AND DUTIES OF DATA PRINCIPALS
A data principal has the right to access the personal data being processed by the data fiduciary, identities of all data fiduciaries and processors with whom the personal data is being shared, and any other information as may be prescribed by the rules. A data principal must be allowed to correct, erase, or update the personal data she provides, and has the right to withdraw consent at any time. In such a case, the data fiduciary must ensure that the process to withdraw consent is as straightforward as that of obtaining consent. A data principal may exercise these rights through a consent manager, who must be accountable to the data principal.
Notably, the rights available to data principals under the DPDPA seem to be rather narrow – it doesn’t allow the data principal to object to processing based on grounds other than consent. In fact, it imposes duties on the data principal which include ensuring compliance with the Act, not registering false complaints, and only furnishing authentic information. Failure to comply with such duties may result in a fine of up to Rs10,000.
CROSS BORDER TRANSFERS
At present, the DPDPA does not restrict cross-border transfer of personal data except to such countries that the Union government may notify through implementing rules. However, it does not prevent any other law from prescribing a higher threshold of data protection, such as the data localisation requirements in relation to payments data imposed by the Reserve Bank of India (RBI).
OVERSIGHT
The Board, established under the DPDPA, will oversee its implementation from the date of its notification by the Union government, and it shall have all the powers of a civil court. Data principals will be allowed to approach the Board for grievance redressal in line with the requirements of the DPDPA and any subsequent rules to that effect. Civil courts are not allowed to entertain suits or take any action under the DPDPA, although certain remedies, such as writs (where applicable), may be allowed. Any person aggrieved by an order of the Board may appeal to the appellate tribunal. The Board shall also have the power to refer the parties in dispute to mediation.
PENALTIES
The DPDPA prescribes varying amounts of penalties based on the contravention under the Act. A data fiduciary may be fined up to Rs250 crore for failure to implement security safeguards, and up to Rs200 crore for failure to provide notice of a data breach or to comply with the requirements for processing children’s data. Significant data fiduciaries may be fined up to Rs150 crore for failure to meet the additional obligations imposed on them, and a penalty of up to Rs50 crore has been prescribed for a breach of any other provision of the DPDPA or any rule issued under it.
The DPDPA also sets out general parameters that may be considered to determine the quantum of penalty such as the nature, gravity and duration of the contravention, types of personal data affected, implications of the contravention and mitigating measures adopted by the contravening party.
Damages?
Under section 43A of the IT Act, a company breaching its obligations in respect of personal data was liable to pay compensation to the person affected by such a breach. While the DPDPA effectively repeals the applicability of the IT Act in relation to matters governing personal data, it makes no provision to ensure compensation for data principals who may suffer from a data fiduciary’s non-compliance.
Although the Board has been granted extensive powers to issue any directions it considers necessary to effectively discharge its functions under the DPDPA, it is unclear whether such powers would extend to grant of compensation to data principals.
(Shantanu Mukherjee is the founder of Ronin Legal, a boutique tech and life sciences law firm with offices in Dubai and Bangalore. He holds an LL.M from Columbia Law School, New York, and a BA, LL B (with a gold medal in Intellectual Property law) from National Law School of India, Bangalore, and has worked in India, New York, Singapore, Hong Kong, and the UAE, with leading international law firms including Linklaters and White & Case, and as in-house counsel. Anushka Iyer is an associate at Ronin Legal, with a BA, LL B (Hons) from Symbiosis Law School, Pune. Her practice focuses on complex issues at the intersection of technology, AI, healthcare and life sciences, data, and intellectual property.)