Authors: Carolyn Bigg, Gwyneth To and Rachel De Souza
Start preparing now to comply with India’s new data protection law. While there are similarities with EU/UK GDPR – and sufficient harmonisation with data protection laws across APAC to continue a regional approach to data compliance in Asia – the practicalities of implementation and compliance should not be underestimated.
On 11 August 2023, India’s long-awaited law governing data protection – the Digital Personal Data Protection Act, 2023 (DPDP Act) – received the President’s assent and was published in the official gazette the following day. The DPDP Act is India’s first comprehensive law on the protection of personal data and comes six years after the Supreme Court of India first declared a fundamental right to privacy in the Puttaswamy case in 2017. The DPDP Act will replace India’s current data protection framework, which includes relevant provisions of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The majority of the requirements in the DPDP Act are not yet operative – the Central Government of India can determine different dates for entry into force of different provisions within the DPDP Act. Therefore, as well as preparing for the new DPDP Act, organisations will need to continue to ensure compliance with existing rules and regulations under the current Indian data protection regime. It is anticipated that subordinate legislation will follow to clarify and give effect to the provisions of the DPDP Act. Rumours are that there will be a grace period for organisations to comply, but it may be as short as six months.
Summary of key requirements under the DPDP Act
- Scope of the DPDP Act: The DPDP Act is applicable to the processing of “digital personal data”, which includes personal data collected either digitally, or collected in a non-digitised form and subsequently converted into digital form. In contrast to the current position in India and the EU/UK GDPR, the DPDP Act makes no distinction between personal data and sensitive personal data; this is, however, quite similar to many other Asian data protection laws. The DPDP Act does not apply to personal data used by individuals for personal or domestic purposes, or to publicly accessible data.
- Extra-territorial effect: The DPDP Act applies both to: (i) Indian entities which engage in the processing of personal data; and (ii) foreign entities processing personal data as part of offering goods and services to data principals (i.e. data subjects, using the GDPR terminology) located within India. Unlike the EU/UK GDPR, the DPDP Act does not apply to entities outside India that monitor the behaviour of India data subjects.
- Consent and notice: Similar to the general position under other Asian data protection laws, consent of the individual is required to process personal data, although there are a number of ‘legitimate use’ exceptions to the consent requirement (e.g. fulfilment of any legal/judicial obligations, employment, and medical emergencies and health services). Consent must be “free, specific, informed, unconditional and unambiguous” and must be obtained through clear affirmative action (e.g. opt-in). In order to obtain consent, organisations must provide a clear notice to individuals, which includes (inter alia): (i) information on the personal data to be collected and the purpose of its processing; and (ii) a description of the data principal’s (i.e. data subject’s) rights, including correction, withdrawal of consent, and the procedure for filing complaints with the Data Protection Board. Importantly, the notice and request for consent must be made available in English and in all 22 languages listed in the 8th Schedule of the Indian Constitution – this translation time/cost must be factored into organisations’ implementation plans.
- Data Fiduciaries and Significant Data Fiduciaries: the DPDP Act introduces a number of changes in relation to the obligations of ‘data fiduciaries’ (defined under the DPDP Act as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data) – i.e. a data controller, using the GDPR terminology. These include a requirement to implement technical and organisational measures, record-keeping requirements, obligations in relation to the appointment of data processors, and reporting “Personal Data Breaches” to the Data Protection Board and data principals (see below).
The DPDP Act also introduces the concept of ‘significant data fiduciaries’, which imposes more stringent compliance requirements on those data fiduciaries (or classes of them) which are classified by the Central Government of India as ‘significant data fiduciaries’. Non-compliance with these additional obligations can result in substantial penalties. The designation of significant data fiduciary status is dependent on a range of factors (e.g. volume and sensitivity of personal data, risk posed to rights of data principals, impact of processing on the sovereignty and integrity of India, national security and public order, etc.). Additional compliance requirements include:
- designation of a Data Protection Officer (DPO);
- appointment of an independent data auditor to assess data protection compliance; and
- undertaking data protection impact assessments, periodic audits and other measures required by the authorities.
- Data Protection Officer (DPO): organisations must appoint a contact person / representative to address data principals’ queries on the processing of their personal data. Where an organisation is considered a ‘significant data fiduciary’ (see above), the organisation must appoint a DPO and publish the business contact information of that DPO.
- Data breach notification: All types of personal data breaches (which include unauthorised data processing, disclosure, alteration, loss, or actions compromising data confidentiality, integrity or availability), regardless of scope and impact, are reportable to affected data principals and the authorities. This follows the recent trend in India of mandatory reporting for virtually all cyber incidents, and is a significant uplift on data breach notification requirements under EU/UK GDPR and data protection laws elsewhere in Asia. The form and timeline for reporting data breaches are not set out in the DPDP Act, and will be prescribed in rules to be issued by the Central Government. The reporting obligations under the DPDP Act apply in addition to the existing reporting obligations under India’s Computer Emergency Response Team (CERT-In) rules, imposing potentially duplicate reporting requirements on organisations.
- Data Principal Rights: Data principals have a number of rights under the DPDP Act, including a right of access to information, the right to correction of personal data, the right of erasure, the right to withdraw consent and the right of grievance redressal. The DPDP Act also imposes obligations on data principals, including an obligation to furnish only verifiably authentic information, not to impersonate another person while providing personal data for a specified purpose, and not to register a false or frivolous grievance or complaint with a data fiduciary or the Data Protection Board. The DPDP Act includes financial penalties for breach of these obligations.
- Cross-border data transfers: Under the DPDP Act, the cross-border transfer of personal data for processing is permitted, except to blacklisted countries as specified by the Government of India (list to be published in due course). That said, sector-specific restrictions on the transfer of personal data remain (e.g. payments, insurance, etc.). The removal of the data localisation provisions contained in previous drafts of data protection laws in India has been widely welcomed by multinational businesses, and in practice aligns India with general international principles and practices for cross-border data transfers.
- Penalties: Whilst the previous data protection framework in India laid down both civil and criminal penalties, under the DPDP Act only fines ranging from INR 5 Crores (approximately €559,875) to INR 250 Crores (approximately €27,993,712) have been prescribed.
What next – practical steps
As a priority, businesses should map out and understand personal data flows and processes with respect to Indian personal data, in order to remediate any gaps or inconsistencies with the DPDP Act in existing data privacy programmes. In particular, businesses should prioritise the following:
- Identifying what digital personal data is being collected and the purposes of processing, as well as understanding whether any third-party processors are used to process the digital personal data.
- Ensuring existing notice and consent approaches (if any) are adequate. Otherwise, roll out notice and consent mechanisms for data principals.
- Putting in place procedures and policies for response and reporting of personal data breaches, given the significant uplift in obligations in comparison to the general requirements across all other data protection laws.