The Digital Personal Data Protection Act, 2023 ("DPDP Act" or "Act"), enacted on August 11, 2023, finds its genesis in the recognition of privacy as a fundamental right under Article 21 of the Constitution by the Hon'ble Supreme Court's judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India.[1] Following this decision, a Committee of Experts was set up under the Chairmanship of Justice B.N. Srikrishna to submit a detailed report on privacy and draft the Personal Data Protection Bill, which was released by the committee in 2018 ("2018 Bill").[2] Several stakeholder consultations and revised iterations of the 2018 Bill culminated in the DPDP Act. The DPDP Act will likely come into force in a phased manner[3] and shall apply to processing of all 'digital personal data' within India.[4]
While the DPDP Act translates into a wide range of implications cutting across numerous sectors, we will delve into its potential impact on mergers & acquisitions ("M&A") and investment transactions.
A Data Fiduciary is someone who determines the purpose and means of processing of personal data.[5] The Act provides for extensive obligations of a Data Fiduciary, including specifying the grounds on which the personal data of a Data Principal[6] can be collected, which is where the Data Principal has given her 'consent', or for certain 'legitimate purposes', in each case for lawful purposes only, and setting out the contours of the 'consent' of the Data Principal required for processing of any personal data. Under the scheme of the DPDP Act, Data Fiduciaries only have access to two major grounds for processing personal data of Data Principals, the first being on the basis of 'consent' sought for processing from the relevant Data Principal and the second being for certain 'specified legitimate uses' not requiring the consent of the Data Principal. In each instance, such processing shall be carried out for lawful purposes only.[7] Where 'consent' is the primary ground for processing, such consent provided by the Data Principal shall be free, specific, informed, unconditional, and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.[8] Certain specified legitimate uses may include a situation wherein all details are provided by an employee and personal data is processed in relation to such employment. These principles are broadly aligned with those contained within the General Data Protection Regulation ("GDPR"). However, one critical ground for processing of personal data without consent, which is included in the GDPR but is missing from the DPDP Act, is the processing of personal data for 'legitimate interests of the Data Controller', a ground that pertains more to the discretionary meaning of what may be construed as 'legitimate interests' in this context.
It is important to note that this is distinct from the 'legitimate uses' provided for in the Act, which relate to specific circumstances and, unlike in the GDPR, do not extend to whatever may otherwise be construed as 'legitimate' by way of a pure interpretation of the term's dictionary meaning.[9]
[1] 2017 (10) SCALE 1.
[2] O.M. No. 3(6)j2017-CLES dated 31st July 2017 issued by Government of India, Ministry of Electronics and Information Technology.
[3] S. 1(2) of the DPDP Act.
[4] S. 3 of the DPDP Act.
[5] "Processing" in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure, or destruction. S. 2(i) of the DPDP Act.
[6] "Data Principal" means the individual to whom the personal data relates, and where such individual is (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf. S. 2(j) of the DPDP Act.
[7] Ss. 4 and 6 of the DPDP Act.
[8] S. 6 of the DPDP Act.
[9] Art. 5 of the GDPR.