Get Ready for India’s New Data Privacy Law
After more than five years of debate and legislative proposals, India has finally enacted an omnibus data privacy law. The Digital Personal Data Protection Act, 2023 (the “Act”) establishes a high-level legal framework that regulates the processing of personal data in India and processing outside India that is related to offering goods or services to individuals in India. Implementing regulations will be issued in the next few months and provide more specifics on how the obligations under the Act must be implemented. The government has not yet announced the date that the law will take effect but, based on recent public statements by government officials, the government would like the law to take effect within six months. Once the Act takes effect, the current privacy rules issued under Section 43A of the Information Technology Act will no longer be in effect.
While the Act imposes the key privacy obligations commonly found in data privacy laws around the world, some of these obligations are limited to certain data controllers, referred to as “Data Fiduciaries,” or to classes of Data Fiduciaries. Other aspects of the law set it apart from other data privacy laws, including the EU’s General Data Protection Regulation (GDPR). In particular, the Act does not restrict cross-border transfers of personal data, although it does give the government the ability to do so in the future.
More significantly, like the Philippine data protection law, it specifically protects the Indian outsourcing industry by ensuring that foreign personal data sent to outsourcing providers in India for data processing are not subject to multiple and potentially conflicting data privacy requirements.
In the coming months, companies that process personal data of individuals located in India will need to ensure that their privacy practices conform to the new Indian requirements. Enforcement will begin after the implementing regulations are issued.
The following provides an overview of the Act’s key requirements.
Application. The provisions of the Digital Personal Data Protection Act apply to the processing of digital personal data:
The Act does not apply to personal data processed by an individual for any personal or domestic purpose and personal data that are made or caused to be made publicly available by the individual or any other person who is under any obligation under any law in force in India to make such personal data publicly available. Personal data are defined as any data about an individual who is identifiable by or in relation to such data.
Outsourcing. Processing of personal data of individuals not located in India that is pursuant to a contract entered into with any entity outside India by an entity based in India is not subject to the obligations under the Act imposed on Data Fiduciaries (including Significant Data Fiduciaries), the cross-border transfer rules, or individual rights obligations; however, the security provisions do apply.
Data Fiduciaries. The Act imposes obligations on Data Fiduciaries, i.e., individuals or entities that determine the purposes and means of processing personal data. In addition, the government, by way of a notification, may designate any Data Fiduciary or class of Data Fiduciaries as a “Significant Data Fiduciary” on the basis of an assessment of factors, including:
Legal Bases for Processing. Data Fiduciaries may process the personal data of individuals for a lawful purpose (defined as any purpose which is not expressly forbidden by law) for which individuals have consented or for certain “legitimate purposes.” Legitimate purposes include uses such as for:
Consent is defined as being free, specific, informed, unconditional, and unambiguous with a clear affirmative action that signifies an agreement to the processing of personal data for the specified purpose and limited to such personal data as are necessary for such specified purpose. Individuals have the right to withdraw consent at any time, with an ease similar to that with which such consent was given. Individuals may give, manage, review, or withdraw consent through a “Consent Manager” (an entity that is accountable to the individuals and acts on their behalf). Every Consent Manager must be registered with the Data Protection Board, the data protection authority of India.
Notice. At the time of or prior to requesting consent from individuals, a Data Fiduciary must provide to individuals an itemized notice in clear and plain language containing a description of the types of personal data to be collected, the purposes for the processing, and the manner in which individuals may exercise their rights. Where individuals have consented to the processing of their personal data prior to the commencement of the Act, the Data Fiduciary must give a similar notice to them as soon as reasonably practicable. The Data Fiduciary must give individuals the option to access the contents of the notice in English or any of the 22 languages specified in the Eighth Schedule to the Indian Constitution.[1]
Individual Rights. Access, correction, and erasure rights must be provided. The Act does not prescribe a timeframe for responding to rights requests or provide exceptions to the provision of access or correction. In connection with erasure requests, individuals may request erasure of their personal data where the data are no longer necessary for the purpose for which they were processed, unless retention is required for a legal purpose. Individuals also have the right to a readily available redress mechanism provided by the Data Fiduciary or the Consent Manager.
Security. Data Fiduciaries must implement appropriate technical and organizational measures to ensure effective adherence to the provisions of the Act. Every Data Fiduciary must protect personal data in its possession and under its control, including in respect of any processing undertaken by it or on its behalf by a processor, by taking reasonable security safeguards to prevent personal data breaches.
Data Breach Notification. In the event of a personal data breach, the Data Fiduciary must notify the data protection authority and affected individuals. The Act does not specify the notification trigger or the reporting timeframe.
Disclosures to Processors. A Data Fiduciary may only engage a processor to process personal data on its behalf for any activity related to offering of goods or services to individuals under a valid contract.
Cross-Border Transfers. The government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to a country or territory outside India. In addition, the Act does not restrict the applicability of any law in force in India that provides for a higher degree of protection for or restriction on the transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or classes of Data Fiduciaries.
Additional Obligations Imposed on Significant Data Fiduciaries. Significant Data Fiduciaries must:
Data Retention. Unless retention is necessary for compliance with any law in force, a Data Fiduciary must erase personal data when the individual withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, and require the processor to erase any personal data provided to it by the Data Fiduciary for processing.
Complaint Resolution. Every Data Fiduciary must have in place a procedure and effective mechanism to address the grievances of individuals.
Processing Personal Data of a Child. Before processing the personal data of a child (i.e., any individual under the age of 18), the Data Fiduciary must obtain verifiable parental consent. A Data Fiduciary must not undertake processing of personal data that is likely to cause harm to a child and must not undertake tracking or behavioral monitoring of children or targeted advertising directed at children.
Exceptions. In addition to outsourcing, certain other processing activities are exempted from all but the security provisions of the Act, such as processing in the interest of prevention, detection, investigation, or prosecution of any offense or contravention of any law, processing that is necessary to enforce a legal right or claim, or processing that is necessary for a corporate merger or sale.
Data Protection Board/Penalties. The Act provides for the creation of the Data Protection Board of India, an independent body responsible for enforcement of the Act. The Board will have the authority to impose financial penalties ranging from INR 10,000 to 2.5 billion (USD 1,200 to 30.2 million). In particular, failure of a Data Fiduciary to take reasonable security safeguards to prevent a personal data breach is punishable by a penalty up to USD 30.2 million (250 crore); failure to notify the Data Protection Board and affected individuals of a personal data breach is punishable by a penalty up to USD 24 million (200 crore).
[1] The 22 languages are: Assamese, Bengali, Bodo, Dogri, Gujarati, Hindi, Kannada, Kashmiri, Konkani, Maithili, Malayalam, Manipuri, Marathi, Nepali, Odia, Punjabi, Sanskrit, Santhali, Sindhi, Tamil, Telugu, and Urdu.