In the digital era, where personal data has become an invaluable asset, ensuring compliance with data protection and privacy laws is of utmost importance. Like many other countries, India has recognised the need for robust legislation to safeguard individuals' personal information. Complying with data protection and privacy laws in India helps organisations build trust with their customers and mitigates the risk of regulatory penalties and reputational damage. By understanding the legal requirements, implementing appropriate measures, and fostering a privacy-aware culture, organisations can effectively safeguard personal data and demonstrate their commitment to data protection in compliance with Indian laws.
II. Overview of the data protection and privacy landscape in India: Digital Personal Data Protection Act, 2023
India is on the brink of a major change in the realm of privacy, marked by the enactment of the new Digital Personal Data Protection Act, 2023 ("DPDPA"). The DPDPA is a by-product of the landmark Puttaswamy Judgement, which made the right to privacy a Fundamental Right for all Indian citizens[1]. It is expected that the DPDPA, once in force, will strengthen the data protection compliance regime in the country and empower users to assert this Fundamental Right more effectively. In this analysis, we outline the pivotal compliance measures that all relevant stakeholders must observe under the DPDPA. This article aims to provide a clear and structured overview of the key obligations and responsibilities imposed by the DPDPA, facilitating a deeper understanding and effective implementation of these compliance standards.
III. Compliances under the DPDPA
This section highlights the compliances required from data fiduciaries[2] ("Fiduciary(ies)") and data processors[3] ("Processor(s)") towards a data principal[4] ("Principal(s)") under the DPDPA. In doing so, it discusses the scope and applicability of the DPDPA, the role of consent and notice in data processing in India, the obligations the DPDPA imposes on Fiduciaries, the rights of Principals, the penalties applicable to all involved stakeholders, and cross-border transfer.
Scope and applicability of the DPDPA
The DPDPA applies to (i) the processing of personal data in digital form, or in non-digital form that is subsequently digitised; and (ii) the processing of digital personal data outside India, if such processing relates to any activity connected with the offering of goods or services to Principals within India[5]. It does not apply to data processed for any domestic or personal purpose, or to personal data that is publicly available.
Role of consent and notice for data processing
The DPDPA makes the Principal's "consent" the central basis for collecting personal data. This implies the following:
- Consent-based processing: The Fiduciary shall request the Principal's free, specific, informed, unconditional and unambiguous consent[6]. To meet this requirement, consent must be given through a clear affirmative action indicating the Principal's agreement to the processing of his/her ("her") personal data.
- Notice: A notice, in clear and plain language[8], must accompany or precede each request for consent from the Fiduciary, informing the Principal of (i) the personal data being processed and the specified purpose of its processing, (ii) the prescribed procedure for the Principal to exercise her rights, and (iii) the established procedure for the Principal to lodge a complaint with the Data Protection Board[7] ("Board") against the Fiduciary.
- Withdrawal of consent: The Principal has the right to withdraw her consent at any time, and the process of withdrawal should be as easy as the process of giving consent[9]. The Fiduciary may continue processing the Principal's data until the Principal withdraws her consent[10].
- Consent managers[11] ("Manager(s)"): The DPDPA allows a Principal to give, manage, review or withdraw her consent to a Fiduciary through a Manager, who must be registered with the Board and is accountable to the Principal.
- Legitimate use: A Fiduciary may also process a Principal's personal data for certain legitimate uses. These include processing for the specified purpose[12] ("Purpose") for which the Principal voluntarily provided the data, unless the Principal objects. Personal data may also be processed by the State and its agencies to provide specified benefits and services, subject to consent or to the data already being available in accordance with government policies or applicable law. Processing is further permitted to perform functions of the State under Indian law and to safeguard the sovereignty, integrity and security of India; to fulfil legal obligations to disclose data under applicable law; and to comply with judgments, orders or decrees, whether under Indian or foreign law, in particular those relating to contractual or civil claims. Finally, personal data may be processed to respond to a medical emergency involving a threat to life, to provide medical treatment during an epidemic, and to ensure safety, assistance or services during a disaster or a breakdown of public order.
Obligations of Fiduciary
General obligations[13]: The DPDPA sets out several key obligations of a Fiduciary. A Fiduciary is responsible for complying with the DPDPA's provisions, regardless of any agreement or of any failure on the part of the Principal. The Fiduciary may engage a Processor under a valid contract to process personal data for offering goods or services to Principals. Where personal data might affect a Principal, or is to be disclosed to another Fiduciary, the Fiduciary must ensure its completeness, accuracy and consistency.
Further, the Fiduciary must implement appropriate technical and organisational measures to ensure compliance, protect personal data with reasonable security safeguards, and report breaches to the Board and the affected Principals. It must also delete personal data when consent is withdrawn or when the specified purpose is no longer being served. Additionally, the Fiduciary must publish the contact information of a Data Protection Officer[14] ("DPO"), or of a representative able to answer Principals' questions, and must establish a mechanism for addressing Principals' grievances.
Processing of personal data of children and persons with disabilities[15]: Before processing the personal data of a child or a person with a disability, the Fiduciary must obtain the consent of the parent or lawful guardian. The DPDPA prohibits tracking or behavioural monitoring of children and targeted advertising directed at children, as well as any processing of children's data that is likely to have a detrimental effect on a child's wellbeing.
Additional obligations of Significant Data Fiduciaries[16]: Under the DPDPA, a Significant Data Fiduciary[17] must fulfil several additional responsibilities. First, it must appoint a DPO, located in India, who represents it, is answerable to its Board of Directors or a similar governing body, and serves as the point of contact for grievances relating to data protection. Second, it must appoint an independent data auditor to evaluate its compliance with the DPDPA. Third, it must conduct periodic Data Protection Impact Assessments, periodic audits, and any other measures prescribed under the DPDPA to safeguard personal data. These obligations aim to strengthen data protection practices within the organisation and enhance its overall privacy framework.
Rights of Principals
The DPDPA confers specific rights on Principals. These include the right to obtain information about their personal data, including a summary of the personal data being processed, the processing activities undertaken, and any other prescribed details. Principals also have the right to know the identities of all Fiduciaries and Processors with whom their personal data has been shared. They have the right to correct and erase their personal data, and may nominate a representative to exercise their rights in the event of incapacity or death. Under the DPDPA, Fiduciaries are obliged to provide readily accessible means for Principals to raise grievances, and Principals must exhaust the grievance redressal avenues available to them before approaching the Board.
Penalties
The Schedule to the DPDPA establishes a range of penalties for violations of its provisions, ranging from INR Ten Thousand to INR Two Hundred and Fifty Crores. For instance, a breach of a Fiduciary's obligation to implement reasonable security safeguards to prevent personal data breaches falls within this penalty framework.
Cross-border transfer
Under the DPDPA, a Fiduciary may generally transfer personal data to any other country or territory for processing, unless the Central Government specifically restricts such transfers to certain countries. However, where any other law or sector-specific regulation provides a higher level of protection for, or imposes greater restrictions on, the transfer of personal data outside India, whether for particular kinds of personal data or for particular classes of Fiduciaries, that law or regulation takes precedence and will apply.
This note has thus outlined the compliances expected of Fiduciaries towards Principals under the DPDPA. It has also covered the DPDPA's scope and applicability, the central role of consent in data processing in India, the responsibilities of Fiduciaries under the DPDPA, and the sanctions applicable to all parties involved.
1. Justice K.S. Puttaswamy (Retd.) v. Union of India, 574, WP (Civil) No. 494 of 2012.
2. Section 2(a)(i), the Digital Personal Data Protection Act, 2023.
3. Section 2(a)(k), the Digital Personal Data Protection Act, 2023.
4. Section 2(a)(j), the Digital Personal Data Protection Act, 2023.
5. Section 3, the Digital Personal Data Protection Act, 2023.
6. Section 6, the Digital Personal Data Protection Act, 2023.
7. Section 18, the Digital Personal Data Protection Act, 2023.
8. Section 6(3), the Digital Personal Data Protection Act, 2023.
9. Section 6(4), the Digital Personal Data Protection Act, 2023.
10. Section 5(2)(b), the Digital Personal Data Protection Act, 2023.
11. Section 2(g), the Digital Personal Data Protection Act, 2023.
12. Section 2(za), the Digital Personal Data Protection Act, 2023.
13. Section 8, the Digital Personal Data Protection Act, 2023.
14. Section 2(l), the Digital Personal Data Protection Act, 2023. "Data Protection Officer" means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10.
15. Section 9, the Digital Personal Data Protection Act, 2023.
16. Section 10, the Digital Personal Data Protection Act, 2023. The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant factors as it may determine, including (a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order.
17. Section 2(z), the Digital Personal Data Protection Act, 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.