India’s New Digital Personal Data Protection Act, 2023 – An Overview
Suvarna Mandal and Jasman Dhanoa of Saikrishna & Associates discuss the key features of the new Digital Personal Data Protection Act 2023, which will replace the current data-protection regulations in India.
Suvarna Mandal
Contact authorJasman Dhanoa
Contact authorIntroduction
The journey of enacting a comprehensive data protection law in India has been long and winding, with several iterations of a draft bill. Finally, on 13 August 2023, the Digital Personal Data Protection Act, 2023(the “Act”) received the President’s assent, after passage in both houses of the Parliament, and has now become law.
The Act will replace the current regulation on data protection – ie, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, and will provide the framework for processing of ‘digital’ personal data.
The Act has not come into force yet, since it will be implemented in phases through separate notifications by the central government. Further, several provisions will be operationalised via delegated legislation.
Key features
Applicability
- Processing of personal data – applies to “processing” (ie, wholly/partly automated operation/set of operations performed on digital personal data, and includes, inter alia, the collection, storage, use, sharing, erasure and destruction) of “personal data” in digital form, or in non-digital form and digitised subsequently.
- Exclusion – doesn’t apply to:
- non-personal data;
- offline personal data;
- personal data processed by individuals for personal/domestic purpose; and
- publicly available personal data. This will ensure availability of sizeable volumes of data for AI research.
Further, there is no sub-categorisation of personal data into sensitive personal data under the Act.
Exemptions from certain provisions of the Act are also granted where processing is necessary for/by enforcement of legal rights; court/tribunal/quasi-judicial authority; prevention, detection, investigation or prosecution of any offence, etc.
- Territorial scope – applicable to processing of digital personal data within India and outside India in relation to any activity related to the offering of goods or services to data principals within India. Hence, offshore entities offering goods/services to data principals in India and processing their digital personal data must comply with the Act.
- Relevant entities– the relevant entities under this Act are:
- data principals – the individual to whom the personal data relates;
- data fiduciaries – any entity/person that determines the purpose and means of processing; and
- data processors – any entity/person that processes personal data on behalf of a data fiduciary.
- Significant data fiduciaries – the central government will designate certain data fiduciaries as “significant data fiduciaries” (SDF) based on factors like volume and sensitivity of personal data processed, etc. Such SDFs have enhanced obligations like appointing a resident data protection officer, independent data auditor, undertaking a data protection impact assessment, periodic audit, etc. It is likely that large technology companies will be categorised as SDFs and any breach of their obligations may lead to penalties up to INR1.5 billion.
Grounds for processing
Processing can only be carried out for a lawful purpose based on:
- consent; or
- certain legitimate uses, such as non-consent-based processing on identified grounds like voluntary disclosure for specified purpose, employment purposes, legal obligations, compliance with judgment/order, medical treatment, health services, disaster relief, etc.
Notice and consent requirements
- Consent – consent should be free, specific, informed, unconditional, and unambiguous in a clear affirmative action (pre-ticked checkboxes cannot be used).
- Purpose limitation – consent should be limited to a specified purpose only.
- Language requirements – notice and request for consent to data principals (including contact details of a data protection officer/person authorised by data fiduciary) in English/any of the 22 languages specified in the Eighth Schedule of the Indian Constitution.
- Notice requirements – a notice should specify:
- personal data and purpose of processing;
- manner of exercising rights under the Act; and
- manner of making a complaint to the Data Protection Board (the “Board”).
- Records – for processing of personal data based on consent, data fiduciaries are obligated to keep a record of all notices and consent form.
- Ease of transition – notices must also be provided to data principals, as soon as reasonably practicable, whose consent for processing of their personal data was obtained before the commencement of the Act.
Rights of data principals
- Access information – data principals can request:
- a summary of personal data processed and the associated processing activities from the data fiduciary; and
- the identities of data fiduciaries and data processors with whom personal data has been shared along with a description of such personal data and any other information related to its personal data.
- Correction, updating and erasure – data principals have the right to correction, completion, updating and erasure of their personal data for the processing of which they had previously given consent.
- Grievance redressal – readily available means of grievance redressal to be provided by a data fiduciary.
- Nominate – a data principal can nominate any other individual to exercise their rights in case of any death/incapacity.
- Withdraw consent – a data principal should be able to withdraw consent as easily as it was given. Upon withdrawal, the data fiduciary (and its data processors) should cease processing of personal data of the data principal within a reasonable period unless such processing is required under the Act or any other law. Consequences of such withdrawal will be borne by the data principal.
Obligations of data fiduciaries
- Ensure completeness, accuracy and consistency of personal data (if such data is used to make a decision that affects a data principal or disclosed to another data fiduciary).
- Implement appropriate technical, organisational measures for compliance and reasonable security safeguards to prevent personal data breach. No guidance has been provided with respect to how this can be implemented. Failure to take reasonable security safeguards can lead to imposition of penalties of up to INR2.5 billion.
- Notify the board and the affected data principals in case of a personal data breach – non-conformance can lead to imposition of penalties up to INR2 billion.
- Appoint a person authorised to answer questions posed by data principals and publish their contact information.
- Establish an effective grievance redressal mechanism.
- Erase personal data upon withdrawal of consent by data principal, or where the specified purpose of retention is no longer being served (except for compliance with law).
- Ensure that data processors comply with the provisions of the Act and are engaged only under a valid contract.
Personal data of children
A “child” has been defined as an individual who has not completed 18 years of age. Special obligations for processing children’s personal data are:
- secure “verifiable consent” of parent/guardian before processing personal data of children;
- not undertake processing of personal data of children that has a detrimental effect on the child; and
- not undertake tracking/behavioural monitoring of children or targeted advertising directed at children.
Non-conformance can lead to can lead to imposition of penalties up to INR2 billion.
Cross-border transfer
Cross-border transfer of data will be based on a negative list notified by the central government with restrictions. No principles have been prescribed for assessing/identifying countries that may be restricted.
If there is a higher degree of restriction on transfer of personal data outside India in any other law, then the same must be followed. Accordingly, sectoral laws (like RBI’s localisation mandate for payment system data) will continue to be applicable.
Way forward
The ambiguity in implementation timelines, given the phase-wise notification of the Act, raises uncertainty. There are media statements by ministers which allude to an industry consultation, after which timelines for enforcement will be introduced, however they will be shorter than those provided for GDPR (ie, less than two years). Reportedly, a longer lead time will be provided for startups and MSMEs in comparison to large technology companies.
An additional element of ambiguity is due to the fact that the operationalisation and definitive scope of several key provisions of the Act (such as transfer of data outside India, notice and consent requirements, notifying significant data fiduciaries, etc) would be contingent on subsequent delegated legislation which must first be laid before the Parliament for its approval.
Given the above, this field is now part of an evolving landscape, and clarity will be available once the phased implementation of the Act is complete, and the corresponding delegated legislation is passed by Parliament and subsequently notified.
Saikrishna & Associates
2 ranked departments and 2 ranked lawyers
Learn more about the firm's ranking in Chambers Asia-Pacific Guide
View firm profile