The Indian Central Government (Central Government) enacted a broad and significant privacy law, the Digital Personal Data Protection Act, 2023 (the DPDP), on August 11, 2023. The DPDP, when effective (as per dates to be notified by the Central Government), will govern the personal data processing activities of a broad range of organizations in the Indian market (the fifth largest global economy). The DPDP provides a comprehensive data protection framework for India but will be supplemented by rules to be issued by the Central Government in due course (on roughly 25 prescribed subjects). The Data Protection Board of India (Board) also will be established as the adjudicatory body with the power to determine non-compliance with the DPDP and impose penalties. Only when the rules are issued, and the Board is established and starts to interpret the various provisions of the DPDP, will the full scope of this new law be understood. In the interim, businesses should begin considering the actions they will need to take to comply with the DPDP.
Perhaps in line with the lack of certainty regarding the final form of the rules, the Central Government has indicated that different provisions of the DPDP will come into force on different dates, suggesting a phased approach to commencement and enforcement.
To align with global standards, the DPDP draws on the European Union's General Data Protection Regulation (GDPR) and on the data protection laws of Singapore and Australia. Once in effect, the DPDP will replace the existing data protection provisions of India's Information Technology Act, 2000 (in particular section 43A, which the DPDP omits, and the rules made under it), rather than the whole of Indian information technology law.
The DPDP applies to the processing of all digital personal data within the territory of India, whether collected in digital form or collected in a non-digitized format and later digitized. The DPDP defines "personal data" broadly to include any data about an individual who is identifiable by or in relation to such data. The DPDP also introduces a definition of "digital personal data," meaning personal data in digital form. The DPDP does not apply to personal data processed by an individual for personal or domestic purposes, or to personal data that the Data Principal has made publicly available, or that is made publicly available under a legal obligation.
The DPDP also has extra-territorial application, i.e., it applies to the processing of personal data outside India so long as the processing is connected with offering goods or services to individuals within India. However, unlike the GDPR, most provisions of the DPDP do not apply to persons in India that process personal data of individuals outside India pursuant to a contract with a company also located outside India (e.g., in outsourcing arrangements). As a result, where a company outside India uses a third-party vendor within India (e.g., for customer support), the vendor's processing of that foreign customer data may fall outside the DPDP, but the foreign company and the vendor remain subject to the law when handling personal data of individuals in India, such as the business contact information of Indian residents.
Like many foreign data privacy laws, the DPDP applies not only to consumer data but also to employee data and business-to-business data. Its scope is broad enough that it is fairly easy to become subject to its requirements unintentionally. For example, a business that collects personal data from individuals in India in connection with the online sale of goods or services is likely subject to the DPDP. Likewise, the business contact information of individuals within a vendor organization located in India could be subject to the statute, even for non-India-based companies.
Notice and Consent
Under the DPDP, the individual whose personal data is being collected and processed is the "Data Principal," and the entity that determines the purpose and means of processing is the "Data Fiduciary." To lawfully collect and process personal data, the Data Fiduciary must provide notice to and obtain consent from the applicable Data Principal on or before the processing of personal data. The notice accompanying a request for consent must inform the Data Principal of: (1) the personal data to be processed and the purpose of such processing; (2) the manner in which the Data Principal may exercise their rights under the DPDP, including withdrawal of consent; and (3) the manner in which the Data Principal may make a complaint to the Board. Notably, if a Data Principal gave consent to the processing of their personal data prior to the commencement of the DPDP, the Data Fiduciary must still provide a notice containing the above details "as soon as it is reasonably practicable."
Consent must be collected except in certain circumstances that the DPDP treats as a "legitimate use" of the personal data. For example, the DPDP does not require consent for processing in a medical emergency, for measures taken during a disaster or breakdown of public order, as required to perform functions under the law or to comply with a judgment or order, for purposes related to employment or for safeguarding the employer from loss or liability (such as prevention of corporate espionage), or where the Data Principal has voluntarily provided the personal data for a specified purpose and has not indicated that they do not consent to its use for that purpose.
Any required consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and the Data Principal may withdraw it at any time with the same ease with which it was given. The DPDP states that the consent requested must be limited to such personal data as is necessary for the specified purpose. Based on this restriction, Data Fiduciaries should be prepared to justify specific purposes for data processing. The DPDP is not clear on whether broadly worded consent notices may justify multiple grounds for processing. For example, obtaining consent for "providing a service" without specifying the purpose and use of each item of personal data collected toward providing the service may not satisfy the requirement of specific consent and specified purpose. It also is unclear whether consent to ancillary services (such as marketing in relation to the primary purpose) may qualify as a purpose for which data processing may be justified. Hopefully, some of these ambiguities will be worked out in the rulemaking process.
The Data Fiduciary is required to give the Data Principal the option to access the information in the notice in English or in any of the 22 official languages of the Republic of India (as specified in the Eighth Schedule to the Constitution of India). This requirement may be difficult for some entities, such as online platforms that currently support only English.
Data Principals – Rights and Obligations
The DPDP provides Data Principals with a number of rights, including:
- The right to know what personal data is being processed by a Data Fiduciary, the processing activities undertaken with respect to such personal data, and the identities (and not just the categories) of all other Data Fiduciaries and data processors with whom the personal data has been shared.
- The right to correction, completion (i.e., complete any incomplete data), updating, and erasure of personal data for the processing of which the Data Principal has previously given consent.
- The right of grievance and redress for any act or omission of the Data Fiduciary regarding the performance of its obligations relating to the Data Principal’s personal data.
- The right to nominate any other individual to exercise the Data Principal’s rights in the event of death or incapacity.
Significant Data Fiduciaries
The Central Government may notify any Data Fiduciary, or larger class of Data Fiduciaries, that they are deemed a “Significant Data Fiduciary.” Such designation comes with a series of additional, heightened obligations, including:
- Appointing a Data Protection Officer who: (1) represents the Significant Data Fiduciary; (2) is based in India; (3) is responsible to the board of directors or similar governing body of the Significant Data Fiduciary; and (4) is the point of contact for addressing grievances.
- Appointing an independent data auditor to carry out data audits under the DPDP.
- Undertaking periodic Data Protection Impact Assessments and periodic audits.
The Central Government may designate a Data Fiduciary as "significant" based on an assessment of relevant factors, including the volume and sensitivity of the personal data processed, the risk to the rights of Data Principals, the security of the State, and public order. While these factors provide some guidance as to what activities may result in a business being deemed a Significant Data Fiduciary, the Central Government may also consider any other factors it considers relevant, which gives it broad discretion to designate any Data Fiduciary as "significant."
Security Safeguards and Data Breaches
The DPDP defines a "personal data breach" as "any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data." A Data Fiduciary must implement reasonable security safeguards to prevent a personal data breach, and this obligation extends to processing carried out on its behalf by a data processor, so safeguards should be flowed down to vendors by contract. The DPDP does not prescribe or recommend the standards to be implemented. If a breach does occur, the Data Fiduciary must notify the Board and every affected Data Principal in a form and manner yet to be determined by the Central Government; as drafted, the notification duty contains no materiality or harm threshold, so even minor incidents may be notifiable unless the rules provide otherwise.
Rulemaking and Commencement
The Central Government has granted itself broad rulemaking power to make any rule "not inconsistent" with the provisions of the DPDP. As many aspects of the DPDP remain subject to further development and detail, this gives the Central Government significant discretion and scope in rulemaking. The DPDP provides specific examples of what these rules may cover, including the manner of obtaining verifiable consent, the manner in which Data Principals may request erasure of and access to their personal data, and the means and manner by which privacy notices must be given to Data Principals.
Furthermore, the Central Government has the power to determine the dates that specific provisions of the DPDP go into force. There is no requirement that it provide any significant time period leading up to those dates or provide any cure periods, so businesses may find themselves facing short time frames to comply with the DPDP and its rules.
Penalties
If the Board, upon completing an inquiry into a person's compliance with the DPDP or the rules later promulgated under it, determines that the person has committed a significant breach of the DPDP or the rules, the Board may impose a monetary penalty after first giving the person an opportunity to be heard. In determining the amount of the penalty, the Board must consider a series of relevant factors, including the nature, gravity and duration of the breach; whether the person took any action to mitigate its effects; and whether the penalty is proportionate and effective. The DPDP contains a Schedule prescribing maximum penalties by the nature of the breach, with the largest maximum, INR 250 crore (approximately USD 30 million), reserved for a Data Fiduciary's failure to take reasonable security safeguards to prevent a personal data breach. Any breach of the DPDP or its rules not expressly listed in the Schedule is capped at INR 50 crore (approximately USD 6 million). The Central Government may amend the Schedule to increase the maximum penalties, provided no maximum is raised above twice the amount originally prescribed.
While the DPDP shares many similarities with data protection frameworks enacted in other countries, entities doing business in India, or contracting with companies in India, should carefully examine the DPDP's differences and adapt their current collection and processing of personal data accordingly. Businesses also will need to monitor the rules issued by the Central Government on an ongoing basis to ensure that their operations and practices continue to comply with the DPDP's evolving requirements.
The above is a high-level overview of some of the material aspects of the DPDP. If you are concerned that the DPDP may apply to your business and are interested in learning more about how to ensure your business can comply with the DPDP’s requirements, please reach out to the authors.