
India’s New Digital Personal Data Protection Law – The Digital Personal Data Protection Act, 2023

NO&T Asia Legal Review

Author: Shejal Verma
Publisher: Nagashima Ohno & Tsunematsu
Journal / Book: NO&T Asia Legal Review No.69 (September, 2023)
*Please note that this newsletter is for informational purposes only and does not constitute legal advice. In addition, it is based on information as of its date of publication and does not reflect information after such date. In particular, please also note that preliminary reports in this newsletter may differ from current interpretations and practice depending on the nature of the report.

Background

In August 2023, India passed its first comprehensive data protection regime, the long-awaited Digital Personal Data Protection Act, 2023 (the “DPDP Act”). The move to introduce a comprehensive data protection regime started after the Supreme Court of India recognized the right to privacy as a fundamental right in 2017. The DPDP Act is substantially based on the draft presented for public comments in November 2022 (the “2022 Bill”), which we covered in the NO&T Asia Legal Review No. 55 (January 2023). The effective date of the DPDP Act is yet to be notified, and the Central Government has been empowered to appoint different dates on which different provisions of the DPDP Act come into force. Once effective, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which currently regulate data protection, will no longer be applicable.

The key provisions of the DPDP Act are as follows:

Applicability of the DPDP Act

The DPDP Act applies to the processing of digital personal data within the territory of India, where the personal data is collected in digital form, or in non-digital form and digitized subsequently. The DPDP Act is also applicable to the processing of personal data outside the territory of India if such processing is in connection with offering goods / services to individuals in India, i.e., the DPDP Act has extra-territorial application to some extent.

Key Terms under the DPDP Act

It is worth noting certain key terms defined by the DPDP Act:

  • Data Fiduciary – means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
  • Data Principal – means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes their lawful guardian, acting on their behalf.
  • Data – means representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
  • Personal Data – means any data about an individual who is identifiable by or in relation to such data.
  • Processing – in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment, or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

Obligations of Data Fiduciaries

The DPDP Act imposes various obligations on data fiduciaries:

  • Grounds for processing personal data: Data fiduciaries may process the personal data of data principals only for a lawful purpose for which the data principal has given consent, or for “certain legitimate uses”. The instances that qualify as “certain legitimate uses” are limited and include the purpose for which the data principal has voluntarily provided their personal data to the data fiduciary, fulfilling any obligation under Indian law, and compliance with any judgement, decree or order issued under any Indian law.
  • Notice and consent: Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and must signify agreement to the processing of personal data for the specified purpose, limited to such personal data as is necessary for that purpose. The concept of “deemed consent” in the 2022 Bill has been replaced in the DPDP Act by processing for “certain legitimate uses”.

    In order to obtain consent, data fiduciaries are required to give notice to the relevant data principals. The notice must meet certain minimum requirements, i.e., it must inform the data principals of the personal data to be collected and the purpose for which it is to be processed, the manner in which they can withdraw consent at any time, the means of grievance redressal, and the manner in which they may make a complaint to the Data Protection Board. Notice must also be given to data principals who gave their consent before the commencement of the DPDP Act.

  • Processing of personal data of children and persons with disability: Personal data of a child or a person with disability who has a lawful guardian may be processed only after obtaining verifiable consent of the parent (or lawful guardian, where applicable) of such child or the lawful guardian of such person with disability. Restrictions have been imposed on processing of personal data that is likely to cause any detrimental effect on the well-being of a child, as well as tracking or behavioural monitoring of children or targeted advertising directed at children.
  • Protection of personal data and breach: A data fiduciary must protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf (for example, by a data processor engaged by it), by taking reasonable security safeguards to prevent a personal data breach. In the event of a personal data breach, the data fiduciary is required to give intimation of the breach to the Data Protection Board and to each affected data principal, in the form and manner to be prescribed by rules under the DPDP Act. Notably, the DPDP Act does not grade breaches by severity: every personal data breach triggers the obligation to notify both the Data Protection Board and the affected data principals.
  • Erasure of personal data: A data fiduciary is required to erase personal data, and to cause any data processor to erase it, as soon as it is reasonable to assume that the specified purpose for which the data was collected is no longer being served, unless retention is necessary for compliance with any law. Personal data must also be erased when the data principal withdraws consent.

Significant Data Fiduciaries

The Central Government has the power to notify any data fiduciary or class of data fiduciaries as “Significant Data Fiduciaries”, having regard to relevant factors including the volume and sensitivity of personal data processed, the risk of harm to data principals, the potential impact on the sovereignty and integrity of India, and public order. A significant data fiduciary is subject to additional obligations, such as appointing a “Data Protection Officer” based in India, who is the point of contact for the grievance redressal mechanism under the DPDP Act and represents the significant data fiduciary, and appointing an “Independent Data Auditor” to evaluate the significant data fiduciary’s compliance, as well as undertaking such other measures as may be prescribed.

Rights and Duties of Data Principals

The DPDP Act sets forth a number of rights of data principals, including the right to access their personal data and the right to request correction and erasure of personal data that is no longer necessary for the purpose for which it was processed. The DPDP Act also sets forth certain duties for data principals, such as complying with all applicable laws while exercising their rights, not impersonating another person when providing personal data, not providing false particulars, and not registering a false or frivolous grievance or complaint.

Cross-Border Transfer

Cross-border transfer of personal data by a data fiduciary is permitted to any country or territory outside India except those which the Central Government may restrict by notification. The DPDP Act thus departs from the 2022 Bill, which permitted transfer of personal data only to countries and territories outside India specifically notified by the Central Government (a “whitelist” approach), in favour of a “blacklist” approach.

Penalties

The DPDP Act prescribes penalties for various non-compliances. However, unlike the 2022 Bill, which prescribed penalties of up to INR 5 billion in certain cases, the DPDP Act prescribes penalties of up to INR 2.5 billion. The Data Protection Board has the power to accept a voluntary undertaking from a person facing any proceeding under the DPDP Act, which may include an undertaking to (i) take such action within such time as the Data Protection Board may determine, (ii) refrain from taking an action, and/or (iii) publicise the undertaking. Acceptance of a voluntary undertaking by the Data Protection Board constitutes a bar on proceedings under the DPDP Act as regards the contents of the undertaking, except where the undertaking is breached.

Data Protection Board

The DPDP Act empowers the Central Government to establish a Data Protection Board, which is empowered to adjudicate on non-compliance with the provisions of the DPDP Act and to impose penalties for any breach.

Conclusion

The DPDP Act is a positive development that was long overdue following the Supreme Court’s recognition of the right to privacy as a fundamental right. The DPDP Act is worded in simple and plain English and includes various illustrations to help readers grasp its principles. The scope and practical implementation of the DPDP Act, however, remain to be seen, because it leaves a great deal to the Central Government to clarify and expand through delegated legislation. Businesses should start considering how to streamline their procedures in order to comply with the DPDP Act, while also preparing for its implementation.

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
