The Digital Personal Data Protection Act, 2023 (Act) received the assent of the President of India on 11 August 2023 and was subsequently published in the official gazette. The introduction of the Act is a significant milestone in India’s rapid digital transformation. The Act is expected to be brought into force in phases, with the Central Government (CG) commencing enforcement by notifying relevant provisions in due course. The Act sets out the key rights and obligations of each participant, i.e. data principals (the individuals to whom personal data relates), data fiduciaries (entities that determine the purpose and means of processing personal data) and data processors (entities that process personal data on a fiduciary’s behalf), together with conceptual provisions on enforcing those rights and obligations. However, the repeated use of the expression ‘as may be prescribed’ indicates that the detailed procedures and implementation guidelines are yet to be formalised by the government in the form of rules/ regulations that will support enforcement of the Act. It is thus likely that the relevant provisions will be notified as and when the CG is ready to roll out the supporting rules/ regulations for their effective enforcement.
Upon its enforcement, the Act will repeal Section 43A (compensation for failure to protect sensitive personal data) of the Information Technology Act, 2000 (IT Act) and rules thereunder i.e., the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Furthermore, the Act has introduced an amendment to Section 14(c) of the Telecom Regulatory Authority of India Act, 1997 (TRAI Act) which originally empowered the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) to exercise jurisdiction, powers, and authority conferred on appellate tribunals under the IT Act and the Airports Economic Regulatory Authority of India Act, 2008. The TRAI Act now includes the appellate tribunal established under the Act in this list of tribunals over which the TDSAT can exercise its jurisdiction, powers, and authority. Under the proviso to Section 81 of the IT Act which discusses its overriding effect on other laws, the Act has now been inserted as an exemption, meaning that the provisions of the IT Act do not restrict any person from exercising their rights under the Act. Furthermore, the Act is set to replace Section 8(1)(j) of the Right to Information Act, 2005, which addresses the exemption of personal information from disclosure based on specific grounds, with a broader exemption encompassing all personal information, irrespective of its potential connection with public activity or interest.
Scope and Applicability
The Act governs the processing of digital personal data within India1. This covers personal data collected in digital form as well as data collected offline and later digitised. Processing outside India falls within the Act only to a limited extent, i.e., where the processing is in connection with any activity related to the offering of goods or services to data principals within the territory of India2. Conversely, certain provisions of the Act will not apply where a person based in India processes the personal data of data principals located outside India pursuant to a contract entered into by that person with a person located outside India.
The Act further does not apply to personal data that is: (i) processed by an individual for any personal or domestic purpose; or (ii) made publicly available either by the data principal to whom it relates or by any other person who is under a legal obligation to make it publicly available3.
Data Fiduciary
Per the Act, a data fiduciary is any person who, alone or in conjunction with others, determines the purpose and means of processing personal data4. A data fiduciary may engage data processors5 to process personal data on its behalf, but only under a valid contract6, and doing so does not shift responsibility: the data fiduciary remains accountable for compliance, including in the event of a data breach, irrespective of any agreement with the processor. The data fiduciary must therefore ensure that reasonable security safeguards are in place to prevent a personal data breach, including in respect of processing undertaken on its behalf by a data processor7, and must implement appropriate technical and organisational measures to ensure effective observance of the provisions of the Act8.
The Act has imposed certain obligations on data fiduciaries in the form of safeguards for the protection of data principals and the same have been highlighted below.
Notice and Consent: Where a data fiduciary seeks a data principal’s consent to process his or her personal data, the request must be accompanied or preceded by a notice describing the personal data and the purpose of processing, the manner in which the data principal may exercise his or her rights, and the manner in which a complaint may be made to the Data Protection Board. Where consent was obtained before the commencement of the Act, the data fiduciary must give the same notice as soon as it is reasonably practicable, and may continue processing until and unless the data principal withdraws consent9. The Act is thus not retrospective in this regard, and it fixes no outer time limit within which such notice must reach the data principals concerned.
Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and must signify agreement to the processing of the data principal’s personal data for the specified purpose10. A data fiduciary may therefore process the personal data only for the purpose for which consent was sought and not for any other purpose. For example, if a website requests an individual’s consent to collect his or her email address for sending newsletters, that consent covers newsletter distribution alone; the data fiduciary cannot use the address for any other purpose without obtaining a separate, specific consent. Data principals may withdraw consent at any time, with the same ease with which it was given, and bear the consequences of doing so; the lawfulness of processing carried out on the basis of the consent before its withdrawal remains unaffected11.
Legitimate Uses: The Act also introduces the concept of ‘certain legitimate uses’, for which a data fiduciary may process personal data without obtaining consent. These include cases where the data principal has voluntarily provided the data for a specified purpose and has not indicated that she does not consent to its use, processing for the purposes of employment or for safeguarding the employer from loss or liability, compliance with legal obligations, responding to a medical emergency involving a threat to the life or an immediate threat to the health of the data principal, and measures to provide health services or medical treatment during an epidemic, outbreak of disease or any other threat to public health, among others. While such exceptions are necessary, enforcement of this provision will require close scrutiny by the government to ensure that data fiduciaries do not process unnecessary data under the garb of ‘legitimate use’.
Collection of children’s personal data and persons with disability: Before processing any personal data of a child12, a data fiduciary must obtain the verifiable consent of the child’s parent, and before processing the personal data of a person with disability who has a lawful guardian, the verifiable consent of that guardian13 (referred to here together as verifiable parental consent, VPC). A data fiduciary must not undertake any processing that is likely to cause a detrimental effect on the well-being of a child14, nor undertake tracking or behavioural monitoring of children or targeted advertising directed at children. The CG may exempt certain classes of data fiduciaries or purposes from these requirements, and may notify an age above which a data fiduciary is exempt from them, provided the processing is done in a verifiably safe manner. The Act is, however, silent on what will qualify as verifiable consent, and it does not define who is to be considered a ‘person with disability’.
Data retention: Unless retention is necessary for compliance with any law for the time being in force, a data fiduciary must erase personal data, and cause its data processors to erase it, either when the data principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier15.
Grievance Redressal Mechanism: Data fiduciaries are required to establish an effective and accessible grievance redressal mechanism to address the grievances of data principals16. This obligation follows the right of a data principal to have readily available means of grievance redressal17.
Significant Data Fiduciaries
The CG may notify any data fiduciary or class of data fiduciaries as a “Significant Data Fiduciary”18 (SDF) after assessing relevant factors, including the volume and sensitivity of the personal data processed, the risk to the rights of data principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State and public order. Once notified, an SDF must: (i) appoint a data protection officer based in India, who will also be the point of contact for the grievance redressal mechanism;19 (ii) appoint an independent data auditor to evaluate the SDF’s compliance with the Act;20 and (iii) undertake periodic data protection impact assessments and periodic audits as outlined in the Act.21
Exemptions
The Act grants the CG discretionary power to exempt from the application of certain provisions any ‘instrumentality of the State’ that it notifies, on grounds such as the sovereignty and integrity of India, security of the State, friendly relations with foreign States or maintenance of public order, and to exempt certain data fiduciaries or classes of data fiduciaries, including startups, from specified obligations having regard to the volume and nature of the personal data they process.22 Additionally, within 5 (five) years from the commencement of the Act, the CG may declare that any provision of the Act shall not apply to such data fiduciaries or classes of data fiduciaries as it specifies, for such period as it may specify.23
The Act also exempts certain identified categories of processing from most of the obligations of data fiduciaries, for example processing that is necessary for enforcing a legal right or claim, processing by courts and tribunals, and processing in the interest of the prevention, detection, investigation or prosecution of offences. Even in these cases, the data fiduciary remains required to implement reasonable security safeguards to protect the personal data.
Cross border transfer of data
A data fiduciary may transfer personal data for processing to any country or territory outside India, except to such countries or territories as the CG may restrict by notification.24 The Act thus follows a blacklisting approach: personal data can generally be transferred without restriction unless the destination is designated as restricted by the CG. Any other law in force in India that provides a higher degree of protection for, or restriction on, the transfer of personal data outside India continues to apply. The Act gives no guidance on the handling of data already transferred to a country that is subsequently restricted; the specific procedures and consequences are likely to be determined through delegated legislation in the form of rules enacted under the Act.
Data Principal
The Act confers various rights on data principals, including the right to obtain information about their personal data and its processing25, the right to correction, completion, updating and erasure of personal data26, and the right to withdraw consent.27 A data principal may also nominate another individual to exercise these rights on her behalf in the event of her death or incapacity.28 The Act likewise imposes duties on data principals, such as not impersonating another person, not suppressing material information when providing personal data, and not registering false or frivolous grievances or complaints. The repeated use of the phrase ‘as may be prescribed’ leaves the manner of exercising these rights to be determined through delegated legislation in the form of rules enacted under the Act.
Administrative Procedures (Data Protection Board)
The Act envisages the formation of an independent enforcement authority called the Data Protection Board of India (DPB).29 A data principal may complain to the DPB about a contravention of the Act only after exhausting the grievance redressal mechanism described above. The DPB is armed with various powers, including directing urgent remedial or mitigation measures in the event of a personal data breach, inquiring into such breaches and imposing penalties for violations.30 Any person aggrieved by an order of the DPB may appeal to the TDSAT in the manner prescribed under the Act.31
Personal Data Breach
A data fiduciary must protect the personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a data processor, by taking reasonable security safeguards to prevent a personal data breach.32 The Act defines a personal data breach broadly, as any unauthorised processing of personal data or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises its confidentiality, integrity or availability. In the event of such a breach, the data fiduciary must give intimation to the DPB and to each affected data principal, in such form and manner as may be prescribed by the CG.33 The Act itself sets no materiality threshold for this obligation and leaves the timing of notification to the rules. On receiving an intimation, the DPB may direct urgent remedial or mitigation measures, inquire into the breach and impose a penalty as it deems appropriate.34 The Schedule to the Act provides for penalties of up to INR 250 crore for failure to take reasonable security safeguards and up to INR 200 crore for failure to notify a breach.
Conclusion
The Act will affect sectors in which the processing of personal data is pervasive, including financial services and information technology driven businesses such as social networking websites. Organisations in these sectors will need to develop comprehensive strategies and programmes that safeguard the confidentiality and security of individuals’ personal data and align their practices with the requirements of the Act. The Act in its present form, however, has certain limitations. The CG may exempt a data fiduciary or class of data fiduciaries from certain obligations,35 but the rationale behind these exemptions remains unclear, and such broad exemptions could be misused for surveillance purposes, potentially undermining individual privacy rights in favour of state interests. Stakeholders also remain concerned about the autonomy of the DPB, particularly given that the CG has the power to appoint and remove the DPB’s chairperson and members.36
1 Section 2(t) of the Act defines personal data as any data about an individual who is identifiable by or in relation to such data.
2 Section 3 of the Act.
3 Section 3(c) of the Act.
4 Section 2(i) of the Act defines data fiduciary as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
5 Section 2(k) of the Act defines data processor as any person who processes personal data on behalf of a data fiduciary.
6 Section 8(2) of the Act.
7 Section 8(5) of the Act.
8 Section 8(4) of the Act.
9 Section 5 of the Act.
10 Section 6(1) of the Act.
11 Section 6(6) of the Act.
12 Section 2(f) of the Act defines a child as any individual below the age of 18 years.
13 Section 9(1) of the Act.
14 Section 9(2) of the Act.
15 Section 8(7) of the Act.
16 Section 8(10) of the Act.
17 Section 13(1) of the Act.
18 Section 10 of the Act.
19 Section 10(2)(a) of the Act.
20 Section 10(2)(b) of the Act.
21 Section 10(2)(c) of the Act.
22 Section 17(2) and Section 17(3) of the Act.
23 Section 17(5) of the Act.
24 Section 16 of the Act.
25 Section 11 of the Act.
26 Section 12 of the Act.
27 Section 6(4) of the Act.
28 Section 14 of the Act.
29 Section 18 of the Act.
30 Section 27 of the Act.
31 Section 29 of the Act.
32 Section 8(5) of the Act.
33 Section 8(6) of the Act.
34 Section 27(1) of the Act.
35 Section 17 of the Act.
36 Section 19 & Section 21 of the Act.
Written by Nidhi Arora (Partner) and Amiya Krishna Upadhayay (Associate)