NO&T Asia Legal Review
In August 2023, India passed its first, long-awaited comprehensive data protection regime, the Digital Personal Data Protection Act, 2023 (the “DPDP Act”). The move to introduce a comprehensive data protection regime started after the Supreme Court of India recognized the right to privacy as a fundamental right in 2017. The DPDP Act is substantially based on the draft presented for public comments in November 2022 (the “2022 Bill”), which we covered in the NO&T Asia Legal Review No. 55 (January 2023). The effective date of the DPDP Act is yet to be notified. The Central Government has been empowered to appoint different dates of effectiveness for different provisions of the DPDP Act. Once the DPDP Act is effective, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which currently regulate data protection, will no longer be applicable.
The key provisions of the DPDP Act are as follows:
The DPDP Act applies to the processing of digital personal data within the territory of India, where the personal data is collected in digital form, or in non-digital form and digitized subsequently. The DPDP Act is also applicable to the processing of personal data outside the territory of India if such processing is in connection with offering goods / services to individuals in India, i.e., the DPDP Act has extra-territorial application to some extent.
It is worth noting certain key terms defined by the DPDP Act:
The DPDP Act imposes various obligations on data fiduciaries:
Notice and consent: Consent must be in a manner that is free, specific, informed, unconditional and unambiguous with a clear affirmative action, and that signifies an agreement to the processing of personal data for the specified purpose and limited to such personal data as is necessary for such specified purpose. The concept of “deemed consent” which was included in the 2022 Bill has been substituted with consent for “certain legitimate uses” in the DPDP Act.
In order to obtain consent, data fiduciaries are required to provide notice to the relevant data principals. The notice must meet certain minimum requirements, i.e., informing the data principals of the personal data collected and the purpose for which it is to be processed, the manner in which they can withdraw consent at any time, the means of grievance redressal and the manner in which the data principals may make a complaint to the Data Protection Board. The notice must also be sent to data principals who have given their consent before the commencement of the DPDP Act.
The Central Government has the power to notify any data fiduciary or class of data fiduciaries as “Significant Data Fiduciaries” considering relevant factors, including the volume and sensitivity of personal data processed, risk of harm to the data principal, potential impact on the sovereignty and integrity of India, and public order. A significant data fiduciary is subject to additional obligations, such as appointing a “Data Protection Officer” based in India, who shall be the point of contact for the grievance redressal mechanism under the provisions of the DPDP Act and represent the significant data fiduciary, and appointing an “Independent Data Auditor” who shall evaluate the compliance of the significant data fiduciary and undertake other measures as may be prescribed.
The DPDP Act sets forth a number of rights of data principals, including the right to access their personal data and the right to correct and request erasure of personal data that is no longer necessary for the purpose for which it was processed. The DPDP Act also sets forth certain duties for data principals, such as complying with all applicable laws while exercising their rights, not impersonating another person while providing personal data and not providing false particulars or registering a false or frivolous grievance or complaint.
Cross-border transfer of personal data by a data fiduciary is permitted except to countries or territories outside India which the Central Government may by notification prescribe. The DPDP Act deviates from the 2022 Bill as the previous Bill permitted the transfer of personal data only to countries and territories outside of India specifically notified by the Central Government.
The DPDP Act prescribes penalties for various non-compliances. However, unlike the 2022 Bill, which prescribed penalties of up to INR 5 billion in certain cases, the DPDP Act prescribes penalties of up to INR 2.5 billion. The Data Protection Board has powers to accept a voluntary undertaking from a person facing any proceeding under the DPDP Act, which may include an undertaking to (i) take such action within such time as may be determined by the Data Protection Board, or (ii) refrain from taking an action, and/or (iii) publicise such undertaking. The acceptance of the voluntary undertaking by the Data Protection Board shall constitute a bar on proceedings under the DPDP Act as regards the contents of the voluntary undertaking, except in case the voluntary undertaking is breached.
The DPDP Act empowers the Central Government to establish a Data Protection Board empowered to adjudicate on non-compliance with the provisions of the DPDP Act and impose a penalty on any breach.
The DPDP Act is a positive development which was long overdue since the Supreme Court’s recognition of the right to privacy as a fundamental right. The DPDP Act is worded in simple and plain English and includes various illustrations to help readers grasp its principles. The scope and practical implementation of the DPDP Act, however, remain to be seen because it leaves a lot to the Central Government to clarify and expand certain aspects of the DPDP Act through delegated legislation. Businesses should start considering how to streamline procedures in order to comply with the DPDP Act while also getting ready for the DPDP Act’s implementation.
This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.