1. Introduction
A Brief Background of Privacy Laws in India
Before analyzing the obligations brought forward by the Digital Personal Data Protection Act 2023, let's understand the history of India's data privacy law landscape.
1.1 Personal Data Protection Bill 2019
In December 2019, India introduced the Personal Data Protection Bill (“PDPB 2019”), following the example of many other significant data privacy laws being introduced worldwide. India was one of the first South Asian jurisdictions to introduce such a bill and inspired other countries in the region to work towards developing privacy regimes.
PDPB 2019 aimed to reform India's legal system and establish standards for cross-border data transfers, the accountability of entities processing personal data, and remedies for unauthorized and harmful personal data processing.
PDPB 2019 faced significant criticism, especially regarding the regulation of social media platforms and the data localization requirements, which raised concerns about potential violations of the fundamental rights of Indian citizens and about making it harder for businesses and platforms to operate in India. Therefore, significant amendments were proposed in 2021 that aimed to clarify and rework the criticized provisions.
1.2 Data Protection Bill 2021 & 2022
The Data Protection Bill 2021 (“DPB 2021”) made key revisions to the previous bill. These included covering non-personal data in addition to personal data and imposing strict guidelines for reporting data breaches. DPB 2021 was expected to be passed and become an official part of India's legislation as the Data Protection Act 2021.
However, the bill was withdrawn altogether in August 2022 by the Indian government - after three years of discussion and 90 sittings - because it failed to meet international standards and upcoming challenges. After the much-awaited DPB 2021 was withdrawn, all eyes were on the Indian government and Parliament for an update on the new bill.
On 18th November 2022, the Indian Government released a draft of the Digital Personal Data Protection Bill 2022 (“DPDP 2022”), which was open for public comments and consultation until 02 January 2023. After much deliberation, the bill was set to be tabled in Parliament in the monsoon session.
1.3 Digital Personal Data Protection Act 2023
After further deliberation, DPDP 2022 was tweaked, and the new version of the Bill, i.e. the DPDP Act 2023, was presented in the Indian Parliament on 3rd August 2023. It was passed by Parliament on 9th August and gazetted on 12th August 2023, officially becoming the DPDP Act.
The DPDP Act’s objective is to provide standards for handling digital personal data in a way that respects both people's rights to privacy protection and the need to handle personal data legally. It outlines the duty of data fiduciaries (data handlers/controllers), the rights of the principals (data subjects), and the consequences of non-compliance.
2. Who Needs to Comply with India's DPDP Act
2.1 Material Scope
The DPDP Act applies to processing personal data collected in digital or non-digital form and then subsequently digitized. DPDP Act does not apply to the processing of data for personal or domestic purposes. In addition, it also does not apply to any personal data that is made or caused to be made publicly available by either the data subject or by an individual under legal authority to do so.
2.2 Territorial Scope
DPDP Act has extraterritorial application if the processing of digital personal data is in connection with any activity of offering goods or services to data principals within India.
DPDP Act prescribes that the Central Government of India may exempt certain data fiduciaries or classes of data fiduciaries from the applicability of certain provisions of the DPDP Act based on the volume and nature of personal data they process.
3. Definitions of Key Terms
3.1 Person
According to DPDP Act, person means any of the following entities:
- an individual;
- a Hindu undivided family;
- a company;
- a firm;
- an association of persons or a body of individuals, whether incorporated or not;
- the State; and
- every artificial juristic person.
3.2 Data Fiduciary
DPDP Act refers to data controllers as “Data Fiduciaries.” A data fiduciary is any person or group of persons who determine the purposes and means of processing the personal data of individuals.
3.3 Data Principal
“Data Principals” are essentially data subjects to whom the personal data relates or belongs. If a data principal is a child (an individual under the age of 18 years) or a person with a disability, then the parents or lawful guardian of such a child/individual becomes the data principal.
3.4 Personal Data
Personal data means any data about an individual who is identifiable by or in relation to such data.
3.5 Consent Manager
Any person registered with the Data Protection Board of India who acts as a single point of contact to enable the data principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
3.6 Significant Data Fiduciary
Any data fiduciary or class of data fiduciaries may be designated by the Central Government as a “Significant Data Fiduciary” after taking into account the volume and sensitivity of personal data processed, risk of harm to the data principal or electoral democracy, impact on national sovereignty and security, and public order.
3.7 Personal Data Breach
Any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
3.8 Board
Board means the Data Protection Board of India established by the Central Government for the purposes of the DPDP Act.
3.9 Child
DPDP Act defines a child as an individual who has not yet completed 18 years of age.
4. Obligations for Data Fiduciaries Under India’s DPDP Act
4.1 Grounds for Processing Requirements
Digital personal data may only be processed for a lawful purpose for which the data principal has given consent or for legitimate uses. Among these "legitimate uses," the most pertinent for processing personal data outside of government, emergency, or public health situations are the "voluntary sharing" of personal data and processing for "employment purposes."
4.2 Consent Requirements
The DPDP Act requires consent to be free, specific, informed, unconditional, and unambiguous, clearly indicating the data principal's agreement to the processing of his/her personal data for the specified purpose. Whenever a data fiduciary requests the data principal’s consent, the request must be made in clear, plain language and include the contact information of a data protection officer or other designated person. That person is responsible for communication between the data fiduciary and the data principal so that the data principal can exercise their rights under the DPDP Act.
Moreover, the data fiduciary must provide the data principal with the option of viewing the consent request in either English or any other language listed in the Eighth Schedule of the Indian Constitution.
The data principal can withdraw their consent at any time and will bear the consequences of such withdrawal. The data principal can also give, manage, review, or withdraw their consent via a Consent Manager.
Consent Managers are independent entities that act as agents of data principals, enabling them to manage, review, and withdraw their consent preferences. They are platforms/entities that allow data principals to view and manage their consent preferences and consent interactions with data fiduciaries comprehensively, through accessible, transparent, and interoperable platforms. The Consent Manager is accountable to the data principal and acts on their behalf as may be prescribed.
4.2.1 Legitimate Uses
In addition to the data subject’s consent, the DPDP Act stipulates the conditions under which the data fiduciary can process the personal data of the data principals. These include:
- the data principal voluntarily provides his/her personal data without expressed objection to the use of their personal data and without the fiduciary seeking explicit consent;
- for providing subsidies, benefits, services, certificates, licenses, or permits to the data principal, based on his/her prior consent or if the data is available in state-maintained records as specified by the Central Government;
- for state-related functions under current Indian laws or for the purpose of upholding India's sovereignty, integrity, and state security;
- to meet legal obligations requiring individuals to share information with the state or its entities, as long as this processing aligns with existing laws regarding information disclosure;
- for compliance with any judgment or order issued under any law;
- to address medical emergencies endangering the data principal's or others' lives, as well as to provide medical care during epidemics or public health threats;
- for taking measures to ensure the safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order; and
- purposes related to employment, prevention of corporate espionage, maintenance of confidentiality (trade secrets, intellectual property, classified information, etc.), recruitment, termination of employment, and provision of any service or benefit sought by the data principal who is also an employee.
4.3 Notice Requirements
When seeking consent from a data principal or after obtaining such consent, the data fiduciary is required to provide a notice to the data principal. This notice should include details such as the specific personal data being processed and the intended purpose of the processing.
Additionally, it should outline the process through which the data principal can exercise their rights to withdraw consent and inform about the procedure for making a complaint to the data fiduciary and the Board. The data fiduciary is obligated to ensure that the notice is accessible to the data principal, offering the option to access its contents in either English or any other language specified under Schedule 8 of the Indian Constitution.
4.4 Security & Data Breach Notification Requirements
A data fiduciary must put in place the necessary organizational and technical safeguards to protect personal data and ensure compliance with the DPDP Act. Each data fiduciary and data processor is required to take reasonable security precautions to secure any personal data that is in their possession or under their control to prevent any breach of the personal data of the data principal. In case of a data breach, the data fiduciary or data processor must inform the Board and each affected data principal.
4.5 Data Protection Officer Requirement
The Significant Data Fiduciary is responsible for appointing a Data Protection Officer (DPO) to act as its representative and ensure compliance with DPDP Act’s requirements. The DPO must be located within India and is accountable to the company's Board of Directors or a similar governing body. One of the primary functions of the DPO is to serve as the point of contact for the grievance redressal mechanism established under the DPDP Act.
4.6 Data Processor Requirement
The data fiduciary may only engage, appoint, use, or involve a data processor to process personal data on its behalf. This should only be done when an arrangement between the data processor and data fiduciary has been made under a valid legal contract.
4.7 Children and Disabled Individual’s Data Processing Requirement
Prior to processing personal data belonging to children or persons with disabilities, a data fiduciary is required to obtain verifiable consent from the parent or the lawful guardian of the child or individual. Additionally, the data fiduciary must not undertake tracking or behavioral monitoring of children or targeted advertising directed at children. The Central Government may, after satisfying itself that a data fiduciary processes children’s data safely, notify the age above which that data fiduciary is exempt from the children’s personal data processing obligations.
4.8 Additional Obligations of Significant Data Fiduciary
Any data fiduciary or class of data fiduciaries may be designated by the Central Government of India as a ‘Significant Data Fiduciary’ based on an assessment of relevant factors, such as:
- the volume and sensitivity of personal data processed;
- risk of harm to the Data Principal;
- potential impact on the sovereignty and integrity of India;
- risk to electoral democracy;
- security of the State;
- public order; and
- such other factors as it may consider necessary.
A Significant Data Fiduciary is also responsible for appointing an independent data auditor who will assess whether the Significant Data Fiduciary complies with the DPDP Act's requirements, and must implement additional safeguards, such as conducting Data Protection Impact Assessments and periodic audits.
4.9 Cross-Border Data Transfer Requirements
The DPDP Act does not expressly prohibit cross-border data transfers or prescribe any specific compliance requirements (such as complying with standard contractual clauses, transfer impact assessments, etc.) for the transfer of personal data outside India.
However, the Central Government of India may specify the nations or territories outside of India to which a data fiduciary may not transfer data.
5. Data Subject Rights
The data subjects, or data principals, as they're referred to under India’s DPDP Act 2023, have the following rights:
5.1 Right to Access Information
The data principal has the right to ask the data fiduciary for information in relation to his/her personal data. This includes finding out whether the data fiduciary is processing or has processed the data principal's personal data, a summary of the personal data being or that has been processed, the identities of all other data fiduciaries with whom the personal data has been shared, as well as the categories of personal data shared.
5.2 Right to Correction & Erasure
A data principal has the right to correction and erasure of their personal data. Upon receiving a request for correction of personal data from a data principal, a data fiduciary is required to correct any inaccuracies, complete any incomplete information, and update the data principal's personal data in its systems accordingly. In addition, the data fiduciary must also erase the personal data upon receiving such a request from the data principal unless data retention is required by law.
5.3 Right to Grievance Redressal
A data principal has the right to lodge a grievance with a data fiduciary or the Consent Manager. The data principal is required to exhaust this right before approaching the Board for any grievance redressal.
5.4 Right to Nominate
In the event of the data principal's death or incapacity, the data principal shall have the right to choose another person in the manner that may be prescribed to act on the data principal's behalf in accordance with the provisions of the DPDP Act. Incapacitation means the data principal’s inability to exercise the rights under this Act due to unsoundness of mind or infirmity of body.
6. Obligations of Data Principal
A data principal is required to abide by all other laws whilst exercising any rights under the DPDP Act. The DPDP Act also prohibits data principals from registering any false or frivolous grievance or complaint with a data fiduciary or the Board or impersonating any person whilst providing personal data for any specified purpose. Additionally, the data principal must also ensure not to suppress any material information while providing his/her personal data for any document, unique identifier, proof of identity, or proof of address issued by the state or relevant authorities.
7. Data Protection Authority
The Data Protection Board (DPB) under the DPDP Act will serve primarily as an adjudicating body rather than a comprehensive regulatory authority. While it will handle grievance adjudication and penalizing data breaches, its scope does not extend to broader regulatory functions such as cross-border data transfer regulation or rulemaking for data fiduciaries' obligations. Instead, these responsibilities remain with the Central Government.
8. Penalties for Non-compliance
Under the DPDP Act, if a data fiduciary or data processor fails to take reasonable security safeguards to prevent a personal data breach, they would be liable to a fine of 250 crore Indian Rupees. In addition, any failure to notify the Board and the data principal regarding a data breach, and non-fulfillment of any obligations for the processing of children's data, would attract a fine of 200 crore Indian Rupees.
If a data principal fails to comply with his/her duties under the Act, he/she will be liable to a fine of 10 thousand Indian Rupees.
9. How Can Organizations Operationalize India’s DPDP Act
A few steps that organizations can take to put the DPDP Act into practice:
- Conduct data mapping assessments, analyze data inventories, and categorize data storage that contains digital personal data about Indians;
- Have a compliant consent mechanism in place to capture consent and deemed consent;
- Maintain proper channels of communication, allowing the data subjects to exercise their rights;
- Put in place the necessary organizational and technical safeguards;
- Identify cross-border data transfer and fulfill data transfer requirements;
- Properly educate the employees and the workforce on data processing methods;
- Have an easy-to-read privacy policy that clearly communicates all the data subjects' rights without leaving any room for ambiguity;
- Have a breach response plan, including breach notification in place; and
- Conduct regular data protection impact assessments to analyze processing activity risks and vulnerabilities and ensure maximum efficiency in compliance efforts.
10. How Can Securiti Help
India's Digital Personal Data Protection Act 2023 is a welcome endeavor in the legislative privacy landscape, especially in light of recent technological advancements and the need for a comprehensive data privacy framework in India.
In the modern digital economy, it is past time for businesses to acknowledge data privacy as a human right, not just a consumer right, and to ensure their data processing procedures comply with all applicable data privacy requirements. To operationalize compliance and avoid falling behind in a constantly evolving technology and data privacy landscape, businesses must use robotic automation to expedite compliance.
Securiti Data Command Center leverages contextual data intelligence and automation to unify data controls across security, privacy, compliance, and governance through a single, fully integrated platform, enabling organizations to comply with India's Digital Personal Data Protection Act 2023.
Securiti can assist you in complying with India's Digital Personal Data Protection Act 2023 and other privacy and security standards worldwide.
Examine how it functions. Request a demo right now.