India: Key features of the Digital Personal Data Protection Act, 2023
On August 11, 2023, the Digital Personal Data Protection Act, 2023 (the Act) received the assent of the President of India and was published in the Official Gazette, marking a landmark in India's long journey towards a comprehensive privacy framework. The Act aims to regulate the processing of digital personal data in a manner that balances the need to process personal data for lawful purposes with the right of individuals to the protection of their personal data.
In this Insight article, OneTrust DataGuidance Research provides an overview of the Act, highlighting its key requirements.
The Act is the latest in a long line of proposed privacy legislation in India dating back to 2018, when the first comprehensive draft bill was introduced. Compared with the previous drafts, the Act's provisions are more high-level, and the Act confers significant powers on the Central Government to make subordinate legislation establishing the details.
The Act employs a distinctive vocabulary, some of which can still be compared with common key terms used within other global laws, such as the General Data Protection Regulation (GDPR). Specifically, Clause 2 of the Act outlines several definitions, some of which are illustrated below.
Data principal: Under the Act, a 'data principal' is the individual to whom the personal data relates, akin to the 'data subject' of other global data protection laws. The definition extends to the parents or lawful guardian of a child (an individual under the age of 18), and to the lawful guardian acting on behalf of an individual with a disability.
Data fiduciary: The Act identifies two types of data fiduciaries:
- a 'data fiduciary' signifies any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data, and is similar in nature to the concept of a 'data controller' used in other legislation; and
- a 'significant data fiduciary' is any data fiduciary or class of data fiduciaries that the Central Government notifies as such, based on an assessment of the factors listed in Clause 10(1) of the Act. The Act imposes additional obligations on significant data fiduciaries (see below).
Data processor: As with other data protection laws, the Act distinguishes between the entity that determines the purpose of processing and the entity that processes on its behalf. It therefore defines a 'data processor' as any person who processes personal data on behalf of a data fiduciary.
Data: Notably, the Act's key definitions distinguish three related terms:
- 'data' refers to any representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation, or processing by human beings or by automated means;
- 'personal data' is further defined to signify any data about an individual who is identifiable by or in relation to such data; and
- 'digital personal data' refers to personal data in digital form.
Scope of application
Further to the above clarifications, the Act confirms that it only applies to digital personal data. Specifically, it applies to:
- the processing of digital personal data within the territory of India, where the personal data is collected either in digital form or in non-digital form and subsequently digitized; and
- the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to data principals within the territory of India.
Clause 3 of the Act excludes from its scope of application the processing of personal data by an individual for any personal or domestic purpose, and personal data that is made or caused to be made publicly available by the data principal to whom such personal data relates, or by any other person who is under an obligation to make such personal data publicly available under any law in force in India.
The Act further disapplies some of its provisions in certain circumstances, for example where personal data is processed to investigate offences or detect financial fraud, where processing is necessary for a merger or demerger, or where processing is for the purpose of ascertaining the financial information of an individual who has defaulted on a payment to a financial institution.
Interestingly, the Act also exempts from most of its obligations the processing, by a person based in India, of the personal data of data principals located outside India, where that processing is carried out pursuant to a contract with a person outside India.
Additionally, the Central Government may notify certain data fiduciaries, including start-ups, that are exempt from certain provisions of the Act, based on the volume and nature of the personal data they process.
Lastly, the Central Government can exempt the application of the Act altogether for notified state entities in the interest of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, and maintenance of public order, among other reasons.
Grounds for processing personal data
In terms of grounds for processing, the Act establishes two categories and moves away from the concept of 'deemed consent' featured in the previous draft data protection law. Instead, the Act provides that the personal data of a data principal may only be processed where:
- the data principal has given their consent; or
- the processing is for certain legitimate uses.
To assist with understanding and implementation, the Act provides several practical illustrations throughout, particularly in relation to lawful bases.
Consent of the data principal
Pursuant to Clause 6(1) of the Act, 'consent given by the data principal' signifies an agreement to the processing of their personal data for the specified purpose, limited to such personal data as is necessary for the same purpose. Additionally, consent must be free, specific, informed, unconditional, and unambiguously signified with clear affirmative action.
Importantly, the data principal has the right to withdraw consent at any time, and with the same ease with which it was given. When consent is withdrawn, the data fiduciary must, within a reasonable time, cease, and cause its data processors to cease, processing the personal data, unless such processing is required or authorized under the Act, the rules made thereunder, or any other law in force in India.
Notably, the Act abandons the 'itemized notice' requirement featured in the previous draft data protection law. Instead, it requires that every request for consent made to a data principal be accompanied or preceded by a notice from the data fiduciary informing the data principal of:
- the personal data which is proposed to be processed, and for which purpose;
- how the data principal may withdraw their consent and exercise their right of grievance redressal; and
- how the data principal may submit a complaint to the Data Protection Board of India (the Board).
The Act also requires that a request for consent be presented in clear and plain language and include the contact details of a data protection officer (DPO), where applicable, or of any other person authorized by the data fiduciary to respond to communications from the data principal.
Lastly, where a dispute arises, the data fiduciary must be able to prove that a notice was issued to the data principal and that their consent was obtained.
A noteworthy aspect of the Act is the concept of a 'consent manager': a person registered with the Board who acts as a single point of contact enabling the data principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. The Act requires the consent manager to be accountable to the data principal and to act on their behalf.
Interestingly, Clause 4(1) of the Act provides that the personal data of a data principal may be processed for certain legitimate uses listed in Clause 7. These include processing for the specified purpose for which the data principal has voluntarily provided their personal data to the data fiduciary, where they have not indicated to that data fiduciary that they do not consent to its use. The Act provides the following illustration of this scenario, in which the data principal has provided the information and has not objected to its processing:
'X, an individual, makes a purchase at Y, a pharmacy. X voluntarily provides Y with their personal data and requests Y to acknowledge receipt of the payment made for the purchase by sending a message to their mobile phone. Y may process the personal data of X for the purpose of sending the receipt.'
Other legitimate uses outlined in the Act include:
- for the State and any of its instrumentalities to provide or issue to the data principal such subsidy, benefit, service, certificate, license, or permit as may be prescribed, under certain conditions, and subject to the standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for the governance of personal data;
- for the performance by the State or any of its instrumentalities of any function under any law in force in India, or in the interest of sovereignty and integrity of India or the security of the State;
- for fulfilling any obligation under any law in force in India on any person to disclose information to the State or any of its instrumentalities, provided that such processing is in accordance with the provisions regarding disclosure of such information in any other law;
- for compliance with any judgment or decree or order issued under any law in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law outside India;
- for responding to a medical emergency involving a threat to the life or immediate threat to the health of the data principal or any other individual;
- for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;
- for taking measures to ensure the safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order; and
- for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a data principal who is an employee.
Obligations of data fiduciaries
Clause 8 of the Act lays down the obligations of data fiduciaries. Among other things, a data fiduciary must:
- be responsible for complying with the provisions of the Act and its implementing rules in respect of any processing undertaken by it or by a data processor on its behalf;
- only engage, appoint, use, or otherwise involve a data processor to process personal data on its behalf for any activity related to the offering of goods or services to data principals under a valid contract;
- ensure the completeness, accuracy, and consistency of the personal data it processes, where such personal data is likely to be used to make a decision that affects the data principal or disclosed to another data fiduciary;
- implement appropriate technical and organizational measures to ensure effective observance of the provisions of the Act and its implementing rules;
- take reasonable security safeguards to prevent personal data breaches and to protect personal data in its possession or under its control, including in respect of any processing undertaken on its behalf by a data processor;
- in the event of a personal data breach, notify the Board and each affected data principal of the breach, in the form and manner to be prescribed by implementing rules issued by the Central Government;
- unless retention is necessary for compliance with any law:
- erase personal data, upon the data principal withdrawing their consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and
- cause its data processor to erase any personal data that was made available by the data fiduciary for processing to such data processor;
- publish the contact information of the DPO, if applicable, or the person who, on behalf of the data fiduciary, is able to answer the questions raised by the data principal about the processing of their personal data; and
- establish an effective mechanism to redress the grievances of data principals.
Additional obligations for significant data fiduciaries
As noted, the Central Government may designate certain data fiduciaries as 'significant' on the basis of various factors, including the volume and sensitivity of the personal data processed, the risk to the rights of data principals, and the potential impact on the sovereignty and integrity of India.
Such a designation brings additional obligations under the Act. A significant data fiduciary must:
- appoint a DPO, who must represent the significant data fiduciary and be based in India, among other requirements;
- appoint an independent data auditor to carry out audits for evaluating compliance of the significant data fiduciary with the Act; and
- undertake periodic Data Protection Impact Assessments (DPIAs), periodic audits, and other measures which may be prescribed by implementing rules to be issued under the Act.
Processing of personal data of children
Specific obligations are defined under Clause 9 of the Act in relation to the processing of personal data of children.
As a starting point, the Act requires data fiduciaries to obtain 'verifiable' parental consent before processing the personal data of a child. In any event, a data fiduciary must not process such data in a way that is likely to cause any detrimental effect on the well-being of the child, nor undertake tracking or behavioral monitoring of children or targeted advertising directed at them.
The Act does, however, establish a broad exception: Clauses 9(1) and 9(3) do not apply to such classes of data fiduciaries, or for such purposes, as may be prescribed. Furthermore, the Act empowers the Central Government to lower the applicable age threshold for a data fiduciary where it is satisfied that the data fiduciary processes the personal data of children in a manner that is 'verifiably safe.'
Rights and duties of data principals
Pursuant to the Act, data principals may exercise certain rights with respect to their personal data.
Right to access information about personal data
The Act grants data principals the right to request, in a way that is to be prescribed by implementing rules to be issued under the Act, the following information from the data fiduciary to whom they had previously given consent to process their personal data:
- a summary of the personal data that is processed by the data fiduciary and the processing activities undertaken by them with respect to the same personal data;
- the identities of all other data fiduciaries and data processors with whom the personal data has been shared by the data fiduciary, along with a description of the personal data that was shared; and
- any other information related to the personal data of the data principal and its processing, as may be prescribed by implementing rules to be issued under the Act.
Right to correction and erasure of personal data
Data principals have the right to correction, completion, updating, and erasure of personal data for the processing of which they had previously given consent. Upon receiving such a request from the data principal, the data fiduciary must correct inaccurate or misleading personal data, complete incomplete personal data, and update it.
With specific regard to requests for obtaining the erasure of their personal data, the Act states that data principals may submit, in a way to be prescribed by implementing rules to be issued under the Act, a request to the data fiduciary. In turn, the data fiduciary must, upon receipt of the request, erase the personal data, unless retention of the same is necessary for the specified purpose for processing or for compliance with any law.
Right of grievance redressal
Clause 13 of the Act entitles data principals to the right to register a grievance with the data fiduciary or consent manager, and to escalate the complaint to the Board in case of lack of response or unsatisfactory response from the same data fiduciary or consent manager.
Right to nominate
A data principal has the right to nominate, in a manner to be prescribed by implementing rules to be issued under the Act, any other individual who, in the event of the data principal's death or incapacity, may exercise the data principal's rights on their behalf.
Duties of data principals
Similar to the previous draft privacy law, but a unique feature in comparison with other global privacy laws, the Act not only sets out the rights of the data principal but also imposes certain duties on them. For example, data principals must comply with all applicable laws while exercising their rights under the Act, must not register a false or frivolous grievance or complaint with a data fiduciary or the Board, and must not impersonate another person when providing personal data for a specified purpose.
International data transfers
Another important novelty introduced by the Act pertains to its cross-border data transfers regime. In contrast to the previous draft data protection laws, which featured either data localization obligations or a 'white-list' approach, the Act generally allows outward data transfers based on a 'black-list' approach.
Indeed, the Act laconically stipulates that the Central Government may, by notification, restrict the transfer of personal data to specified foreign countries or territories. No criteria for selecting such countries are specified.
On the other hand, the Act expressly preserves any other law in force in India that provides a higher degree of protection for, or restriction on, the transfer of personal data outside India. Existing sectoral localization mandates are therefore not affected by the Act.
Powers of the Central Government
The Act leaves many operational details to be specified by delegated legislation, giving the Central Government power to shape its requirements. In particular, the Act confers upon the Central Government the authority to make subordinate legislation on many aspects of the Act, including:
- how the data fiduciary must inform the data principal with the notice accompanying the request for consent;
- accountability, obligations, and registration of consent managers;
- how to notify the Board of a personal data breach;
- how to publish the business contact information of the DPO;
- how to obtain verifiable parental consent;
- the 'other matters' which must comprise DPIAs;
- the 'other measures' that significant data fiduciaries must undertake as part of their additional obligations compared to other data fiduciaries;
- how data principals can submit their requests; and
- the timeline within which data fiduciaries and consent managers must respond to the grievances of a data principal.
Data Protection Board of India
The Act provides for the establishment of a Board, which functions mainly as an enforcement body with respect to the rights and obligations under the Act. The Board is to be established by the Central Government, which, in line with the above, is given broad powers over the composition of the Board and the qualifications for appointment of its members.
Pursuant to the Act, the Board can exercise and perform several powers and functions, including:
- to direct any urgent remedial or mitigation measures in the event of a personal data breach, inquire into such personal data breach, and impose penalties; and
- to inquire into a data fiduciary's breach of its obligations in relation to the processing of personal data, or in relation to the rights afforded by the Act to data principals, based on a complaint made by the data principal.
Any person aggrieved by an order or direction of the Board may appeal to the Appellate Tribunal, which the Act identifies as the Telecom Disputes Settlement and Appellate Tribunal established under Section 14 of the Telecom Regulatory Authority of India Act.
Importantly, the Act empowers the Board to impose monetary penalties for non-compliance. Specifically, if the Board determines, on conclusion of an inquiry, that a person's breach of the Act's provisions is significant, it may impose a monetary penalty of up to INR 250 crore (approx. $30 million), as specified in the Schedule to the Act.
Next steps and entry into force
As to the legislative timeline, the Act was passed by the Lok Sabha on August 7, 2023 and by the Rajya Sabha on August 9, 2023, before receiving Presidential assent and being published in the Official Gazette on August 11, 2023 as the Digital Personal Data Protection Act, 2023.
The Act provides no specific timeline for the entry into force of its provisions. Instead, it will come into force on such date as the Central Government appoints by notification in the Official Gazette, and different dates may be appointed for different provisions.
Francesco Saturnino, Privacy Analyst