India - Data Protection Overview
1. Governing Texts
The Digital Personal Data Protection Act, 2023 ('the Act') received presidential assent in August 2023, and will be implemented once notified by the Indian Government ('Government'). Once effective, it will be the governing law on personal data protection in the country.
The Act will be the primary statute governing the processing of individuals' digital personal data. Prior to the Act, there was no general data protection law in the country. The Indian data protection landscape previously comprised rules on sensitive personal data (i.e., the Information Technology Act, 2000 ('the IT Act') and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('the SPDI Rules')), along with various sectoral regulations under regimes such as banking, telecom, insurance, and consumer protection. While the Act will repeal the operation of the SPDI Rules, the sectoral regulations will continue to remain effective in consonance with the Act. In the event of a conflict, the Act will prevail, with certain exceptions; for example, sectoral localization requirements would override the Act.
There are presently no rules or guidelines issued under the Act. Nevertheless, guidance from the Government is expected on a number of provisions, such as notice obligations, consent managers' duties, data breach reporting, collection of verifiable parental consent in case of processing of children's personal data, classification of significant data fiduciaries and the scope of their obligations, data principal requests, and the constitution of the Data Protection Board of India ('Board').
1.3. Case law
Pending its implementation, there has been no litigation under the Act yet. However, the Act itself, along with a plethora of jurisprudence on data protection in India, emanates from the decision by the Supreme Court of India ('Supreme Court') in Justice K S Puttaswamy and Anr v. Union of India and Ors [Writ Petition (Civil) No. 494 of 2012] ('Puttaswamy'). In this case, a nine-judge bench was constituted to adjudicate on the existence of a fundamental right to privacy. Prior to this, Indian legal jurisprudence on the matter consisted of years of conflicting precedent on whether a right to privacy was a fundamental right.
In Puttaswamy, the Supreme Court unanimously held the right to privacy to be an intrinsic element of the right to life and personal liberty protected under Article 21 of the Constitution of India ('the Constitution'), which included, at its core, a negative obligation to not violate the right to privacy as well as a positive obligation to take all actions necessary to protect this right. Puttaswamy changed the contours of Indian privacy law, the interpretation of the existing privacy rules, and raised the specter of a robust common law tort of violation of privacy, independent of statutory rules.
The Supreme Court went on to clarify that any law that encroached upon the right to privacy would be subject to constitutional scrutiny and would have to meet the three-fold requirement of:
- necessity; and
State exceptions contemplated by the Act will consequently need to pass constitutional muster under this judicial test.
2. Scope of Application
The Act is not applicable to processing of personal data by individuals for personal or domestic purposes.
The Act applies to the relevant processing of personal data within India. It applies to the processing of digital personal data outside India if the processing is in connection with the offering of goods or services to individuals within India.
The Act applies to processing of personal data collected either in digital form or in non-digital form but digitised subsequently.
Certain exemptions exist. For instance, processing by notified state instrumentalities and processing for research, archiving, or statistical purposes where no decision specific to a data principal is taken are exempted from most of the Act's scope. The Act does not apply to publicly available data, where such data has been disclosed by the individual themselves, or by any other person under a legal obligation.
3.1. Main regulator for data protection
The Act provides for the establishment of the Board, which is envisaged to have multiple roles, including maintaining a register of consent managers, conducting inquiries, issuing directions, and enforcement.
3.2. Main powers, duties and responsibilities
The Board's primary duty is to ensure compliance with the Act and protect the interests of data principals. The functions of the Board include:
- responding to complaints by data principals;
- responding to references by the central or state governments;
- directing any urgent remedial or mitigation measures in the event of a personal data breach;
- conducting inquiries into breaches of any provisions of the Act;
- issuing binding directions; and
- imposing penalties.
For the purposes of discharging its functions under the Act, the Board shall have the same powers as are vested in a civil court, in respect of matters relating to:
- summoning and enforcing the attendance of any person and examining them on oath;
- receiving evidence on affidavit;
- requiring the discovery and production of documents;
- inspecting any data, book, document, register, books of account, or any other document; and
- such other matters as may be prescribed.
4. Key Definitions
Data subject: The Act uses the term 'data principal' for the individual to whom the personal data relates; in the case of a child or a person with a disability, the term includes their parent or lawful guardian.
Significant data fiduciary: Any data fiduciary or class of data fiduciaries as may be notified by the Government, on the basis of an assessment of such relevant factors as it may determine, including:
- the volume and sensitivity of personal data processed;
- the risk to rights of data principals;
- the potential impact on the sovereignty and integrity of India;
- the risk to electoral democracy;
- the security of the State; and
- public order.
Consent manager: A person registered with the Board, who acts as a single point of contact to enable a data principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.
5. Legal Bases
The Act primarily provides for a consent-centric approach to processing personal data. Other than consent, the Act provides for processing based only on the ground of 'certain legitimate uses,' which include:
- the specified purposes for which a data principal voluntarily provides data, provided that the data principal has not indicated denial of consent for such processing;
- processing by the State to provide or issue a subsidy, benefit, service, certificate, license, or permit;
- performance of any legal functions of the State;
- fulfilling any legal obligation to disclose data to the State;
- compliance with orders or judgments, either under any Indian law, or under any foreign law when relating to claims of a contractual or civil nature;
- responding to a medical emergency involving a threat to life or immediate threat to health;
- providing medical treatment or health services during any threat to public health;
- ensuring safety or providing assistance or services during any disaster or breakdown of public order; and
- for purposes related to employment or safeguarding employers from loss or liability.
Consent is the primary legal basis for processing personal data under the Act. To be valid, consent must be free, informed, specific, unconditional, unambiguous with a clear affirmative action, capable of being withdrawn, for a specified purpose, and limited to such personal data as is necessary for such specified purpose.
While there is no ground of processing for compliance with any legal obligation in general, under the ground of 'certain legitimate uses,' processing is permitted for fulfilling any obligation under any Indian law to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law.
Additionally, processing is permitted for compliance with any judgment, decree, or order issued under any Indian law, or any judgment or order relating to claims of a contractual or civil nature under any foreign law.
As part of the legitimate uses ground, processing is permitted for the performance of any function by the State or any of its instrumentalities under any Indian law or in the interest of sovereignty and integrity of India or security of the State, as well as for the provision or issuance of a subsidy, benefit, service, certificate, license, or permit by the State.
Additionally, processing is permitted for responding to a medical emergency involving a threat to life or immediate threat to health, providing medical treatment or health services during any threat to public health, and ensuring safety or providing assistance or services during any disaster or breakdown of public order.
Further, the following processing operations are largely exempted from provisions on data fiduciary obligations, data principal rights, and cross-border transfer requirements:
- processing that is in the interest of prevention, detection, investigation, or prosecution of any offence or contravention of any Indian law; and
- processing to ascertain the financial information and assets and liabilities of any person who has defaulted in payment due on a loan or advance taken from a financial institution.
Lastly, processing by certain notified instrumentalities of the State, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Government of any personal data that such an instrumentality may furnish to it, is exempted from the Act.
Other grounds contemplated by the Act are:
- processing for the specified purpose for which the data principal has voluntarily provided their personal data to the data fiduciary, and in respect of which they have not indicated to the data fiduciary that they do not consent to the use of their personal data; and
- processing of personal data that is necessary for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, or provision of any service or benefit sought by a data principal who is an employee.
Further, the following processing activities are largely exempted from provisions on data fiduciary obligations, data principal rights, and cross-border transfer requirements:
- when necessary for enforcing any legal right or claim;
- when necessary for the performance of any judicial, quasi-judicial, regulatory, or supervisory function under the law by any court or tribunal or any other body in India;
- when personal data of data principals outside India is processed pursuant to any contract entered into with any person outside India, by any person based in India; and
- when necessary for a merger, amalgamation, scheme of compromise or arrangement, reconstruction, transfer of undertaking, or division of companies, approved by a court or other competent authority.
The Act imposes certain obligations, detailed in the section on controller and processor obligations below, on data fiduciaries, who must comply with these obligations as well as be able to demonstrate such compliance.
- Data fiduciaries are responsible for compliance with the Act with respect to any processing undertaken by them or on their behalf, irrespective of any agreement to the contrary;
- Processing should only be for a lawful purpose, i.e., any purpose which is not expressly forbidden by law;
- Personal data should be processed only on the grounds detailed in the Act;
- Data fiduciaries should provide the data principal with adequate notice when relying on consent for processing;
- Data fiduciaries should implement appropriate technical and organizational measures to ensure compliance with the Act;
- Data fiduciaries should implement reasonable security safeguards to prevent a personal data breach in order to protect personal data in their possession or under their control;
- Data fiduciaries should ensure that the personal data being processed is complete, accurate, and consistent, when such data is likely to be disclosed to another data fiduciary or used to make a decision that affects the data principal; and
- Personal data should only be retained for as long as consent remains valid or as long as is necessary to satisfy the purpose for which it is processed, whichever is earlier, and thereafter such personal data should be deleted.
7. Controller and Processor Obligations
Under the Act, controllers are referred to as 'data fiduciaries.'
The Act also creates a class of data fiduciaries called 'significant data fiduciaries.' The Government will have the right to categorize actors as significant data fiduciaries depending, among other factors, on the volume and sensitivity of personal data they process, the risk to rights of data principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order.
Separately, the Act also introduces a class of entities termed 'consent managers,' to be registered with the Board, who will act as a single point of contact to enable a data principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.
In addition to complying with the principles of data processing described in the section on principles above, data fiduciaries should involve a data processor only under a valid contract in case of any activity related to the offering of goods or services to data principals, report data breaches to data principals as well as the Board, establish effective grievance redressal mechanisms, and publish the contact details of the person who can answer data principals' questions, on behalf of the data fiduciary, about the processing of personal data.
The Act imposes the following enhanced obligations on significant data fiduciaries:
- appointing a data protection officer (DPO);
- appointing an independent data auditor to carry out data audits, who shall evaluate the compliance of the significant data fiduciary in accordance with the Act;
- undertaking periodic Data Protection Impact Assessments ('DPIA');
- undertaking periodic audits; and
- undertaking such other measures as may be prescribed.
Data processors have no direct obligations under the Act. Data fiduciaries are responsible for compliance by data processors processing personal data on their behalf.
Under the Act, personal data may be transferred to third countries, provided that the transfer is not prohibited by the Government. The Government will notify a list of jurisdictions that personal data may not be transferred to. However, any stricter localization requirements imposed under other Indian laws will continue to apply.
Under the Act, significant data fiduciaries are required to carry out periodic DPIAs. A DPIA is a process comprising a description of the rights of data principals and the purpose of processing their personal data, an assessment and management of the risk to the rights of the data principals, and such other matters regarding such process as may be prescribed by the Government.
The Act requires significant data fiduciaries to appoint a DPO, based in India, to be the point of contact for the grievance redressal mechanism under the Act. The DPO will represent the significant data fiduciary and is responsible to the board of directors of such significant data fiduciary.
A data fiduciary is required to appoint a person authorized to respond to communications from the data principals for exercising their rights under the Act. Such person, unlike a DPO, need not be based within India or report directly to the board of directors of the data fiduciary.
In the event of a personal data breach, the data fiduciary must notify the Board and each affected data principal of the breach in such form and manner as may be prescribed by the Government.
The Act does not prescribe retention periods; however, data should be erased as soon as it is reasonable to assume that the specified purpose of processing is no longer being served, or upon withdrawal of the data principal's consent, whichever is earlier.
Additionally, the Government may prescribe retention periods for different classes of data fiduciaries and for different purposes of processing.
The Act defines a 'child' as an individual who has not completed eighteen years of age. Data fiduciaries may not undertake processing of personal data that is likely to cause any detrimental effect on the well-being of a child.
Before processing any personal data of a child (or a person with a disability who has a lawful guardian), data fiduciaries must obtain verifiable consent of the parent or lawful guardian of such child or person with a disability, in a manner as may be prescribed by the Government. Additionally, data fiduciaries cannot undertake any tracking or behavioral monitoring of children, or targeted advertising directed at children. However, certain classes of data fiduciaries or processing for certain purposes may be exempted from these requirements by the Government. Additionally, with respect to compliance with these requirements, the age threshold may be lowered for certain data fiduciaries, if the Government is satisfied that the processing is 'verifiably safe.'
Under the Act, a data fiduciary may engage, appoint, use, or otherwise involve a data processor only under a valid contract, for processing concerning any activity related to offering of goods or services to data principals.
8. Data Subject Rights
The Act does not provide data principals with an explicit right to be informed. However, when processing is based on consent, data fiduciaries must inform the data principal of:
- the personal data and the purpose for which it will be processed;
- the manner in which the data principals may withdraw their consent;
- the data fiduciary's grievance redressal mechanism; and
- the manner in which the data principals may make a complaint to the Board.
Such notice should either accompany or precede every request for consent. When consent has been collected prior to the implementation of the Act, such notice should be provided as soon as is reasonably practicable.
In case of processing reliant on voluntarily provided personal data, the specified purposes of processing should be provided before or at the time of provision of such personal data.
When processing is on the basis of consent or voluntary provision of data, the Act allows data principals to seek from a data fiduciary:
- a summary of the personal data and processing activities undertaken with respect to such personal data;
- the identities of all other data fiduciaries and data processors with whom the personal data has been shared, along with a description of such personal data; and
- any other information related to the personal data of such data principal and its processing, as may be prescribed by the Government.
The right to access with respect to seeking the identities of data fiduciaries and any other information related to the personal data of data principals will not apply to sharing of personal data with a data fiduciary authorized by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such data fiduciary for the purpose of prevention, detection, or investigation of offences or cyber incidents, or for prosecution or punishment of offences.
When processing is on the basis of consent or voluntary provision of data, data principals have the right to correction of inaccurate or misleading personal data, completion of incomplete personal data, and updating their personal data, in accordance with any requirement or procedure under any law. Data fiduciaries are consequently obligated to correct, complete, and update personal data pursuant to data principals' requests.
When processing is on the basis of consent or voluntary provision of data, data principals have the right to erasure of their personal data, in accordance with any requirement or procedure under any law. A data principal may make an erasure request to a data fiduciary in such manner as may be prescribed by the Government, and upon receipt of such a request, the data fiduciary is obligated to erase the personal data, unless its retention is necessary for the specified purpose of processing or for compliance with any law.
In case of processing based on consent, data principals have the right to withdraw their consent to processing of their personal data.
Right of grievance redressal
A data principal has the right to have readily available means of grievance redressal provided by a data fiduciary or consent manager, regarding the performance of obligations under the Act. The data fiduciary or consent manager must respond to any grievances within such period as may be prescribed by the Government.
The data principal must exhaust the opportunity of redressing their grievance with the data fiduciary or consent manager before approaching the Board.
Right to nominate
A data principal shall have the right to nominate any other individual who shall, in the event of death or incapacity of the data principal, exercise the rights of the data principal under the Act. 'Incapacity', in this context, means the inability of the data principal to exercise their rights under the Act due to unsoundness of mind or infirmity of body.
Data principals' duties
The Act imposes certain duties on data principals, including obligations to comply with the Act, to not impersonate other data principals, to not suppress material information while providing personal information for government identifiers and other documents issued by the State or its instrumentalities, to not register false or frivolous complaints, and to provide only verifiably authentic information when exercising the right to correction or erasure.
The Board may impose penalties for non-compliance with the Act. The following are the statutory penalties for various contraventions:
- for breach of the obligation to take reasonable security safeguards to prevent personal data breach: up to INR 2.5 billion (approx. $30 million);
- for breach of the obligation to report a personal data breach to the Board or affected data principal(s): up to INR 2 billion (approx. $24 million);
- for breach of additional obligations in relation to children: up to INR 2 billion (approx. $24 million);
- for breach of additional obligations of significant data fiduciaries: up to INR 1.5 billion (approx. $18 million);
- for breach of a voluntary undertaking accepted by the Board: up to the extent applicable for the breach in respect of which the proceedings were instituted;
- for breach of data principals' duties: up to INR 10,000 (approx. $120); and
- for any other breach under the Act: up to INR 500 million (approx. $6 million).
Further, the Government has the power to amend the penalties to twice the amounts provided under the Act.
There have been no enforcement decisions under the Act yet.