In August, India passed its long-awaited Digital Personal Data Protection Act, 2023 ("the Act"). Initially introduced in 2019, the draft bill went through several iterations before being approved by India's Union Cabinet earlier this year. Although the Act shares many similarities to other privacy legislation, such as the EU's GDPR and the United Kingdom's UK GDPR, there are a few notable distinctions. While no official effective date for the law has been announced, companies should start familiarizing themselves with this new privacy law and its requirements. Here is a breakdown of what you should know.
Unlike some of the U.S. data protection laws, which implement processing or revenue thresholds for applicability (e.g., the CCPA's $25 million gross annual revenue threshold or the VCDPA's 100,000 VA residents processing threshold), the Act is widely applicable to entities doing business in India. The Act applies to all persons and entities that:
- process personal data within the territory of India; or
- outside the territory of India if such processing is in connection with any activity related to offering goods or services to Data Principals (individuals to whom the personal data relates) within India.
Under the Act, "personal data" is defined as "any data about an individual who is identifiable by or in relation to such data." This term includes digitized and non-digitized data. Personal data does not include information processed by an individual for any personal or domestic purposes or publicly available information.
All individuals and entities subject to the Act primarily fall under three categories: (i) "Data Fiduciary" (often called Data Controllers under other data protection laws); (ii) "Data Processors" (i.e., any person who processes personal data on behalf of a Data Fiduciary); and (iii) "Significant Data Fiduciary."
Significant Data Fiduciary. The "Significant Data Fiduciary" category is a label given by the Indian government (i.e., Central Government) and is based on information included as part of a Data Protection Impact Assessment (DPIA) discussed below.
Significant Data Fiduciaries are required to (i) appoint a Data Protection Officer who is based in India; (ii) appoint an independent auditor who must carry out data audits to evaluate the fiduciary's compliance under the Act; and (iii) periodically conduct DPIAs, audits, and other measures prescribed under the Act.
Exempt Entities. Some Data Fiduciaries are exempt from certain obligations under the Act when engaging in processing for the following purposes: (i) enforcing any legal right or claim; (ii) performance of any judicial or quasi-judicial function by any Indian court or tribunal; (iii) processing of Data Principals outside India, under any contract entered into with any person outside the territory of India by any person based in India; (iv) necessary to complete a merger or similar arrangement approved by a court; (v) preventing, detecting, investigating or prosecuting of any crime or offense within India; or (vi) ascertaining financial information, assets and liabilities of any person who has defaulted on a loan or advance taken from a financial institution.
The third exemption listed above is a critical component of the law. What this means is that outsourced Indian service providers processing foreign personal data (e.g., personal data of non-Indian residents) are exempt under the Act. To illustrate, if Company A, a California company, outsourced IT services to an India-based company, all personal data collected by the IT service provider (e.g., email addresses, phone numbers, etc.) would not be subject to the Act, even if it processed a high volume of U.S. personal data. Exempting outsourcing companies from the Act has a huge impact, especially given how massive India's outsourcing industry is. Private companies across the globe, but especially in the U.S., heavily rely on tech-based service providers in India. According to EY, IT and Business Process Outsourcing services make up over 60% of India's service exports – the largest component of the country's exports.
Data Fiduciary Obligations
Data Fiduciaries have several obligations under the Act, but their primary duties include:
- providing clear, concise and comprehensive notice to Data Principals;
  - The Act requires Fiduciaries to provide notice in 22 Indian languages in addition to English.
- obtaining verifiable parental consent before processing children's data and avoiding prohibited conduct when processing such data;
- implementing technical and organizational measures to safeguard personal data;
- executing valid contracts when engaging a Data Processor to process personal data on the fiduciary's behalf;
- deleting (and requiring retained Data Processors to delete) data as soon as the use of the data has been accomplished;
- honoring Data Principals' rights; and
- reporting Personal Data Breaches to the Data Protection Board and Data Principals.
Data Principal Rights
Under the Act, Data Principals have four core rights, which include:
- Right to Information – similar to the right of access under the GDPR, Principals have the right to request information on how their data is being processed. Fiduciaries must make this information available to the Principal in a manner that is clear and understandable. Specifically, under this right a Principal may request:
  - a summary of the personal data being processed by the Fiduciary;
  - the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data shared; and
  - any other information related to their data and its processing, as may be prescribed by regulators or the Act.
- Right to Correction and Erasure – a common right under existing data protection laws, this right empowers individuals to (i) correct inaccurate data about themselves; (ii) complete incomplete personal data retained by the Fiduciary; (iii) update their personal data; and (iv) request that their data be deleted.
- Right to Grievance/Redress – under this right, a Data Fiduciary must provide Principals with readily available means to register a grievance or complaint. The Act does require Principals to exhaust their redress right with the Data Fiduciary before approaching the Data Protection Board to file a formal complaint.
- Right to Nominate – a Principal may nominate any other individual who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal under the Act – meaning that an individual's rights to their personal data do not necessarily expire upon death.
The Act does not provide a timeline to respond to requests made by Data Principals, so this will likely be outlined by the government at a later date.
Personal Data Breaches
Under the Act, Data Fiduciaries are required to safeguard the personal data that they control and process (including processing undertaken on their behalf by a Data Processor). The Act defines "Personal Data Breach" broadly to include "any [unauthorized] processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data."
The content and timing of the notice are currently unknown. Unlike the GDPR and UK GDPR, which have a 72-hour reporting window, the Act does not establish a specific timeline to report a breach. Upon formation of the Data Protection Board (discussed in the Enforcement section below), more details about the methods and process of notification will likely be published.
Unlike other privacy laws which define a "child" as an individual under the age of 13, "child" under the Act means any individual under the age of 18. Data Fiduciaries must obtain a Parent/Guardian's consent to process Children's Data. Additionally, Data Fiduciaries are prohibited from (i) processing data that is likely to cause any detrimental effect on the well-being of a child; and (ii) undertaking tracking or targeted advertising directed at children.
Under the Act, India's Central Government shall appoint and establish the Data Protection Board (the "Board") consisting of one chairperson and other members who are appointed by the Central Government. The Board is responsible for enforcing Data Principals' rights, issuing guidance, overseeing mediations to resolve disputes under the Act and sanctioning monetary penalties. Penalties under the Act vary based on the type of the violation. However, each category of penalty is capped as follows:
| Violation | Maximum penalty (1 crore = 10 million rupees) |
|---|---|
| Failure to honor a Data Principal's right | Up to 10,000 rupees (over 120 USD) |
| Failure to honor obligations related to children and children's personal data | Up to 200 crore rupees (over 24 million USD) |
| Breach of Significant Data Fiduciary obligations | Up to 150 crore rupees (over 18 million USD) |
| Failure to give notice of a Personal Data Breach | Up to 200 crore rupees (over 24 million USD) |
| A Data Fiduciary's failure to take reasonable security safeguards to prevent personal data breaches | Up to 250 crore rupees (over 30 million USD) |
| Any other noncompliance under the Act | Up to 50 crore rupees (over 6 million USD) |
| Breach of any guidance/direction accepted by the Board | Penalty to be set by the Board |
Other Notable Features of the Act
- Contract Requirements. As outlined above, the Act requires a contract to be entered into between Data Fiduciaries and Data Processors. However, what must be included in the contract is not listed in the Act.
- DPIAs. As discussed above, the Indian government will conduct an initial DPIA analysis to determine whether an entity is a "Significant Data Fiduciary." In making that determination, the Central Government considers factors such as:
  - the volume and sensitivity of personal data processed;
  - risk to the rights of Data Principals (discussed above);
  - potential impact on the sovereignty and integrity of India;
  - risk to electoral democracy;
  - security of the State; and
  - public order.
- Data Transfers. The Act permits the Central Government to restrict the transfer of personal data outside India. The Central Government will provide a no-transfer list identifying the countries where transfers are prohibited. The Act does not outline any procedure on appropriate data transfer mechanisms, such as Standard Contractual Clauses.
Looking Ahead. The Act is something all companies should have on their radar. The broad applicability to entities inside and outside India to virtually any type of personal data means companies should:
- determine whether the Act applies to your company:
  - Is your company doing business in India and collecting personal data of individuals who reside in the country; or
  - Is your company processing data on behalf of a client who does business in India?
- identify the amount and type of personal data subject to the Act in the company's possession and where such data is located;
- outline existing technical safeguards in place;
- develop a process for Data Principals to exercise their rights under the Act if no such process exists, or update existing privacy notices to include Data Principal rights (e.g., the right to nominate);
- determine how to offer privacy policies in various Indian languages; and
- consult outside privacy counsel.
There are still many questions surrounding the Act. We will continue to monitor updates and guidance on India's new privacy law and most importantly, the Act's effective date.