As the data economy of India expanded, it struggled with regulation to keep up with the vast amounts of data that Indians share daily when registering on hundreds of platforms, whether for social media, online banking, or grocery shopping.
The difficult task is protecting the privacy of India’s billion-plus citizens while ensuring that laws do not hinder the innovation driving the nation’s data economy.
To serve this purpose of protecting the data of its citizens, India passed a new privacy law on August 11, named the Digital Personal Data Protection Act, 2023 (DPDP Act).
The Information Technology Act, 2000, Information Technology (Amendment) Act, 2008, and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, will all be replaced by the DPDP Act once it goes into effect, the date for the same is yet to be notified by the Central Government.
Businesses looking to serve the Indian market should familiarize themselves with the Digital Personal Data Protection Act (DPDPA) since it provides 1.4 billion people with data privacy protections they did not previously have.
In this article, we’ll go over every detail of the DPDPA, including what makes it unique, what rights and obligations it places on individuals and businesses, and more.
Highlights of the DPDP Act
- The Bill will apply to the processing of digital personal data in India, whether the data is digitalized after being collected offline or online. If such processing is done outside of India to supply goods or services in India, it will also be covered.
- Personal data may be processed only with an individual’s consent and for a valid purpose. Lawful uses, such as an individual’s voluntary data sharing or the State’s data processing for licenses, permits, benefits, and services, may not require consent.
- Data fiduciaries must ensure data accuracy, store data securely, and erase it after it has served its purpose.
- Individuals are given specific rights under the Bill, such as access to information, request deletion and correction, and filing grievances.
- The central government may exempt the Bill’s obligations for government entities for specific reasons, such as maintaining public order, state security, or crime prevention.
- The central government will establish the Data Protection Board of India to make decisions regarding non-compliance with the Bill’s requirements.
What is the Digital Personal Data Protection Act, DPDPA?
The result of efforts to address privacy and data protection issues in India is the DPDPA.
Generally, DPDPA rules and ideas are similar to those of the EU’s GDPR for businesses.
These include a requirement for consent, data subject rights (or, more accurately, data principal rights), and more.
Although the DPDPA and GDPR are similar, they differ in several important ways.
This law is unique from others in that it is distinct in its language, requirements, history, and principles.
When the DPDP goes into effect, it will control how a wide range of businesses in the Indian market—the world’s fifth-largest economy—process personal data.
Although the DPDP offers India an extensive framework for data protection, the Central Government will eventually establish regulations on 25 specified topics that will go alongside it.
The Central Government has proposed a phased approach to enforcement, stating that different provisions of the DPDP will take effect on different dates, possibly in response to the uncertainty surrounding the final form of rules.
Applicability of DPDPA
All digital personal data processing in India is subject to the DPDP, regardless of whether the data was initially obtained in a non-digitized manner and later converted to a digital format.
According to the DPDP, “personal data” refers to any information about an individual that can be identified from or through that information.
Additionally, a definition of “digital personal data,” which is defined as personal data in digital form, is introduced by the DPDP.
Personal data processed by persons for domestic or private purposes or made publicly available is not covered by the DPDP.
Additionally, the DPDP is applicable extraterritorial, meaning that it covers processing personal data outside of India if it is related to providing goods and services to individuals within India.
The DPDP covers employee business-to-business and consumer data, as do many international data privacy regulations.
Exemptions
The DPDPA’s broad list of exclusions is one of its controversial features.
Several government agencies are exempt, and the central government may decide to exclude specific groups of organizations (like startups) in the future.
Processing personal data readily available to the public, processing data for research purposes, and, in some instances, processing data belonging to non-Indian citizens are also exempt.
In contrast to the GDPR, some of the DPDP’s rules do not apply to Indian processors who handle people’s personal data outside of India due to agreements with other non-Indian businesses (such as outsourcing agreements).
Consent and Notice
The person whose personal information is collected and processed is the “Data Principal” under the DPDP.
For the collecting entity (Data Fiduciary) to lawfully collect and process data, notice to and consent from the relevant Data Principal must be given on or before the processing of personal data.
A request for consent must be accompanied by a notice that notifies the data principal of the following:
- The personal data that will be processed and why.
- How Data Principals can use the DPDP in exercising their rights.
- The process for the Data Principal to file a complaint with the Board.
Furthermore, the Data Fiduciary is still required to send out a notice with the information mentioned above “as soon as it is reasonably practicable,” even when a Data Principal consented to processing their personal data before the DPDP started.
Consent can be withdrawn at any point during the data processing period.
Except in some situations when there is a “legitimate use” of the personal data, consent must always be obtained.
For example, the DPDP does not require consent for situations involving medical emergencies, threats to public safety, when it is necessary to carry out legal obligations or comply with a court order when it comes to employment-related matters or protecting the employer from liability or loss, such as preventing business spying, or when the data principal voluntarily discloses the personal data.
Rights and Duties of Data Principals
The following rights will be granted to the person whose data is being processed (the data principal):
- The right to be informed about the types of personal data that a data fiduciary is processing, the actions taken about those data, and the names (and not simply the categories) of all other data fiduciaries and data processors with whom the data has been shared.
- The right to update, rectify, complete (i.e., finish any missing data), and erase personal information processed with the data principal’s prior consent.
- The right to complain and redress for any action or inaction on the part of the Data Fiduciary in carrying out its duties regarding the personal information of the Data Principal.
Significant Data Fiduciaries and its Obligations
Any Data Fiduciary or more significant class of Data Fiduciaries may get a notice from the Central Government that they have been designated “Significant Data Fiduciary.”
The designation of a Data Fiduciary comes with several obligations, which are as follows:
- Designating a Data Protection Office that serves as the (1) Significant Data Fiduciary’s representative; (2) based in India; (3) responsible for the Significant Data Fiduciary’s governing body; and (4) serves as the grievance coordinator.
- Designating a third party (independent data auditor) to conduct data audits following the DPDP.
- Conducting a periodic audit.
A Data Fiduciary may be designated as “significant” by the Central Government upon evaluating relevant factors, such as the volume and sensitivity of processed personal data, national security, public order, and the risk to Data Principals’ rights.
The Central Government has broad discretion to designate any Data Fiduciary as “Significant,” should it choose.
Although these factors offer some guidance as to what activities may lead to a business being deemed a Significant Data Fiduciary, the Central Government may consider any additional factors that it finds relevant.
Data Breaches
“Any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data” is what the DPDP calls a “personal data breach.”
To prevent a breach of personal data, a data fiduciary must take appropriate security precautions.
In the unlikely event of a breach, the Data Fiduciary is required by law to notify the Board and each impacted Data Principal of the breach in a format and way that the Central Government has yet to decide upon.
Data Protection Board of India
The central government will establish the Data Protection Board of India.
The Board’s primary responsibilities include:
- Imposing penalties and keeping an eye on compliance.
- Instructing data fiduciaries on what steps to take in a data breach.
- Receiving complaints from those who are affected.
Members of the Board may be reappointed after their initial two-year term.
The central government will set details like the Board’s membership count and the selection procedure. TDSAT will hear appeals on the Board’s rulings.
Penalties
Undoubtedly, avoiding the fines and penalties connected with non-compliance is one of the main reasons any business would want to comply with the DPDPA.
The DPDPA gives the government the authority to establish an enforcement-focused board.
Depending on the type of violation, the Board has a predetermined list of fines that it may apply.
These vary from INR 10,000 (about USD 120) to INR 250 Crores (about USD 30M).
How did India get here?
In India, the regulation of data privacy has been a long process. This is an overview that shows how far the journey has come.
- 2017: The Indian Supreme Court’s nine-judge panel acknowledged privacy as a fundamental right that required protection.
- 2019: In response to the need for legislation to protect privacy rights following their constitutional recognition, the Indian Parliament introduced a privacy bill. But the initial Bill was later withdrawn. Due to alleged limitations, prohibitions, data localization clauses, policy concerns, and government exemptions, the original privacy bill received opposition from several sources, including Silicon Valley corporations.
- 2019–2021: The conversation around privacy and data protection has persisted over time, addressing the broad and complex aspects of the initial Bill.
- 2023: The DPDPA saw rapid legislative progress, getting permission from the president, clearing both houses of Parliament in less than a week, and being published in the Official Gazette.
- 2024: The DPDPA is expected to go into effect in 2024, with a brief implementation period considered. The exact implementation date has yet to be announced as of this writing.
The DPDPA, in particular, and data privacy laws have generated controversy in India. As the legislation progresses, rules and regulations will likely be adjusted to accommodate various interests.
Conclusion
While there are many similarities between the DPDPA and other data protection rules implemented in other countries, organizations doing business in India or entering into contracts with firms should carefully review the changes in the DPDP to make sure they modify how they process and collect personal data.
To ensure that operations and procedures comply with the DPDP’s changing requirements, businesses will also need to continuously check the regulations established by the Central Government.
A summary of some of the critical DPDP components is discussed above.
Get in touch with experts at PrivacyPillar and comply with DPDPA regulations today.
