INTRODUCTION: THE BASIC TENETS

Over the years, India has seen various iterations of a draft data protection law. In August 2023, the Digital Personal Data Protection Act, 2023 ("DPDPA") was passed by the Indian parliament. It is expected to come into effect in a phased manner.

Applicability and Exemptions

  • The DPDPA regulates the processing of personal data in India that is either collected in digital form or collected in non-digital form and later digitised.
  • It also applies extraterritorially if processing occurs outside India in connection with the offering of goods or services to data principals in India.
  • It exempts processing (a) of publicly available data that is made available by the data principal to whom such data relates or any other person who is under an obligation under any law to make such data publicly available, (b) of non-digital personal data, (c) by individuals for personal or domestic purposes, (d) by state instrumentalities identified by the Indian government for public interest purposes, and (e) for research and statistical purposes.

Additionally, certain types of activities are exempt from specific provisions under the DPDPA. For instance, processing of personal data (a) for enforcement of legal rights or claims, (b) by courts, (c) in connection with investigation of offences, (d) in connection with mergers and acquisitions or corporate restructuring purposes, and (e) of non-resident Indians pursuant to a contract entered into with any person outside India by a person within India, is exempt from requirements on cross-border transfers, obligations in connection with data principals' rights, and certain data fiduciary obligations.

The Defined Actors

The DPDPA regulates "data fiduciaries", "data processors", and "data principals". A "data fiduciary" is any person who either alone or in conjunction with others determines the purpose and means of processing personal data. A "data processor" is any person who processes personal data on behalf of a data fiduciary and a "data principal" is the natural person to whom personal data relates. There are no direct statutory obligations imposed by the DPDPA on data processors.

The Indian Government also has the power to create sub-categories of data fiduciaries, called "significant data fiduciaries", based on factors such as the volume and sensitivity of the personal data processed, risk to the rights of data principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order. Significant data fiduciaries will be subject to enhanced compliance obligations under the law.

The Indian Government will set up a "Data Protection Board of India" (the "Board"), an authority tasked with ensuring compliance with, and enforcement of, the law. The Board is intended to function as an independent body; however, the Indian Government has the right to prescribe its composition, the selection of its members, and their conditions of appointment.

Separately, the DPDPA introduces the concept of "consent managers". They are entities registered with the Board that act on behalf of data principals to manage their consent preferences.

GROUNDS FOR PROCESSING

Scope

Consent is the primary ground for processing personal data. Personal data may also be processed for the following legitimate uses:

  • the data principal voluntarily provides personal data to a data fiduciary, and there is a reasonable expectation that the data principal would provide such data;
  • the processing is necessary for the performance of any State function or the provision by the State of any service or benefit;
  • the processing is necessary for compliance with directions or orders issued by courts;
  • the processing is necessary for responding to a medical emergency that involves a threat to the data principal or any other individual;
  • the processing is necessary for the provision of medical treatment or health services during an epidemic, outbreak of disease, or other threat to public health;
  • the processing is necessary during a disaster or a breakdown of public order;
  • the processing is necessary for employment-related purposes.

The traditional carve-outs generally seen across international data protection laws, such as processing (a) for compliance with legal obligations, (b) for the performance of a contract, and (c) for legitimate business interests, are grounds excluded under the DPDPA. This will require businesses to overhaul their global data protection compliance programmes and create India-specific architectures.

Consent, Notices, Translations

When personal data is processed on grounds of consent, it must be freely given, specific, informed, and an unambiguous indication of a data principal's wishes. It must be in the form of a clear affirmative action and must be capable of being withdrawn. Consent must be preceded by the provision of a privacy notice that must be available in English and the 22 languages set out in the Eighth Schedule of the Constitution. The Indian government will further prescribe the manner in which such notices must be provided and consent obtained.

Managing Pre-Law Personal Data and Ongoing Processing Activities

If data fiduciaries have relied on consent for processing prior to the commencement of the law (as would be the case for almost all businesses in India, in line with the existing data protection framework under the Information Technology Act, 2000), they are obliged to provide the multiple-language privacy notices to data principals as soon as reasonably practicable, in formats that will be prescribed by the Indian government.

OBLIGATIONS UNDER THE LAW

Children's Data

Data fiduciaries are prohibited from processing personal data in a manner that is likely to cause any detrimental effect on the well-being of a child, and from tracking children, undertaking behavioural monitoring of children, or directing targeted advertisements towards children. However, the Indian government may create exemptions to these prohibitions.

The processing of personal data of individuals below the age of eighteen requires the consent of their parents or guardians, and the term "data principal" would, in relation to such an individual, include their parent or guardian. The consent obtained in this regard must be verifiable and in a manner that will be prescribed by the Indian government.

Further, if the Indian government is satisfied that a data fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe, it may notify the age above which the data fiduciary may be exempt from applicability of certain obligations with respect to processing of children's data.

Localisation

Cross-border data transfers are permissible, with the exception of transfers to countries or territories restricted by notification of the Indian government. If any other law in force provides for a higher degree of protection or restriction on the transfer of personal data, such law will have an overriding effect. Accordingly, existing sectoral localisation restrictions are unlikely to change.

Security Safeguards and Data Breaches

Data fiduciaries must implement technical and organisational measures to ensure compliance with the DPDPA and implement security safeguards to prevent personal data breaches. They must notify the Board and affected data principals of personal data breaches. The modalities of the reporting requirements will be prescribed by the government. A failure to implement security safeguards is punishable with fines of up to INR 2,500,000,000, and a failure to report incidents with fines of up to INR 2,000,000,000, which are among the highest penalties proposed under this law. Existing breach notification obligations to the Indian Computer Emergency Response Team (CERT-In) will, at this stage, continue to apply.

Additional Obligations

Data fiduciaries are primarily responsible and liable for compliance with the DPDPA and should therefore be able to demonstrate compliance.

General obligations imposed on data fiduciaries include entering into valid agreements with data processors that process personal data on their behalf, ensuring the accuracy and completeness of the data being processed, erasing personal data upon withdrawal of consent or as soon as the purpose of processing has been fulfilled, and implementing an effective grievance redressal mechanism and appointing personnel for this purpose. Significant data fiduciaries are subject to marginally more complex obligations, including appointing a data protection officer located in India, appointing an independent data auditor to evaluate their compliance with the law, and undertaking data protection impact assessments and audits. The details and formats of these additional obligations will be prescribed by the Indian government.

Data Principal Rights and Duties

Data principals that have provided consent to the processing of their personal data have a right to obtain a summary of the personal data processed and the corresponding processing activity, the identities of the data fiduciaries with whom personal data has been shared together with the categories of data, and such additional information as may be prescribed by the government. Data principals that have provided consent to the processing of their personal data also have a right to correct and erase their personal data. All data principals, regardless of the grounds on which their personal data is processed, have a right to readily available means of grievance redressal and the right to nominate another individual to exercise their rights in the event of death or incapacity.

Data principals are subject to certain duties under the DPDPA. For example, data principals must not register false or frivolous grievances with the Board (which has a corresponding ability to impose costs in such cases), and must not furnish false information, suppress information, or impersonate another person while exercising their rights. Fines for non-compliance may extend to INR 10,000.

Process of Enforcement

The Board is tasked with the enforcement of the DPDPA. Enforcement proceedings may arise out of a complaint made by a data principal, a reference by the Central or any State Government, directions issued by courts, or what appears to be a suo motu ability to take action against data principals who fail to comply with their obligations under the proposed law.

The Board will determine whether there are sufficient grounds to undertake an inquiry. If maintainable, inquiries must be conducted in accordance with the principles of natural justice. Vested with the powers of a civil court, the Board has the ability to issue interim orders during proceedings, seek the assistance of the police and government officials, impose financial penalties, and, where appropriate, direct complaints to be resolved by Board-approved mediation or another alternative dispute resolution process. Appeals against any decision of the Board may be brought before the Telecom Disputes Settlement and Appellate Tribunal ("TDSAT") within sixty days from the date of receipt of the order or direction appealed against, in a manner that will be prescribed by the Indian Government. Appeals against TDSAT's decisions may be brought before the Indian Supreme Court.

Voluntary Undertakings – A New Form of Compounding?

The DPDPA permits data fiduciaries to submit "voluntary undertakings". These are expected to be commitments by entities to undertake certain actions, refrain from other actions, or publicise their commitments. When submitted to and accepted by the Board, an undertaking acts as a bar on any proceedings before the Board that are connected with its subject matter.

Penalties

The financial penalties prescribed under the proposed law are among the larger fines prescribed by existing Indian laws and may extend to INR 2,500,000,000. The DPDPA also allows the Indian government, in the interest of the general public, to order intermediaries to block access to information processed in any computer resource that enables a data fiduciary to provide goods and services to data principals based in India.

ENFORCEMENT AND PENALTIES

Penalties may further be amended by notification of the Indian government to twice the amount specified under the DPDPA. The table below provides a reference to the general obligations under the DPDPA with the corresponding penalties that may be imposed.

S.No | Particulars | Sanction
1 | Breach by a data fiduciary of the obligation to take reasonable security safeguards to prevent data breaches. | Punishable with fines of up to INR 2,500,000,000
2 | Breach of the obligation to give the Board or affected data principals notice of a personal data breach. | Punishable with fines of up to INR 2,000,000,000
3 | Breach of obligations with respect to the processing of children's personal data. | Punishable with fines of up to INR 2,000,000,000
4 | Breach of obligations applicable to significant data fiduciaries. | Punishable with fines of up to INR 1,500,000,000
5 | Breach by data principals of their duties prescribed under the DPDPA. | Punishable with fines of up to INR 10,000
6 | Breach of any term of a voluntary undertaking accepted by the Board. | Punishable with fines up to the extent applicable for the breach in respect of which the proceedings were instituted.
7 | Breach of any other provision of the DPDPA or of rules prescribed under the DPDPA for which penalties have not been specified. | Punishable with fines of up to INR 500,000,000

A BALANCING ACT

The forthcoming law, on the verge of implementation, appears to be a simple and practical trigger towards a privacy compliant future in India.

To establish a foothold before notification of the DPDPA, companies should begin internally compiling comprehensive data inventories, restructuring their current data processes by evaluating the grounds on which each type of personal data is processed, upgrading processes to ensure adequate security practices, and internally streamlining and appointing personnel to manage data principal requests. More practically, albeit a longer process towards compliance, companies must actively begin putting together notices, engaging translators to comply with the notice requirements, and rethinking the specific purposes for which personal data is used.

We also expect that the rules prescribed under the DPDPA will address the major ambiguities currently present in the law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.