This article is part of a six-part series on the operational impacts of India's DPDPA.
Published: September 2023
Since the Supreme Court of India declared the "right to privacy" as a fundamental right in a landmark 2017 judgment and urged the national government to establish a data protection regime, policymakers have worked toward passing central legislation to protect privacy. And on 11 Aug., India finally achieved this goal with the enactment of the Digital Personal Data Protection Act.
The DPDPA replaces a set of rules made under section 43A of the Information Technology Act, 2000, which superficially resembled a data protection law but had a nonfunctioning enforcement system and no reported cases to date.
In crafting the DPDPA, the Indian government reviewed established privacy frameworks in other countries including the EU General Data Protection Regulation, whose influence is evident through some of the legal concepts in the act. That said, while individual data privacy and consumer rights lie at the heart of the GDPR, and similar data protection laws elsewhere, the DPDPA appears to have also been driven by India's concerns around national security and other political issues. This may explain the unique and distinct features of the act that depart from the GDPR and similar data privacy regimes.
The DPDPA covers any entity that processes digital personal data within Indian territory. Data in nondigitized forms are excluded. The act also imposes extraterritorial jurisdiction and covers data processed outside of India, if done with the intent to offer goods and services to individuals within India.
However, the act differs from the GDPR by excluding from its purview the profiling of data subjects from outside the territory of India where that profiling is not connected to providing any good or service to the data subject. For instance, profiling individuals located in India from outside the country for statistical purposes may not trigger any obligations of data processing entities under the act.
"Data fiduciary" is defined as any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. This concept is directly borrowed from the GDPR.
"Data principal" is an individual to whom personal data relates. Where such an individual is a child, the term includes their parent or lawful guardian. Where the individual is disabled, it includes their lawful guardian acting on their behalf.
"Data processor" is defined as any person who processes personal data on behalf of a data fiduciary. Notably, unlike the GDPR, the act does not impose obligations directly on the data processor. The act instead expects data fiduciaries to ensure compliance by the data processors they engage through data processing agreements.
Special category of data and the significant data fiduciary
In a clear departure from the GDPR and the previous rules, which both categorize data based on sensitivity, the DPDPA applies uniformly to all types of personal data — defined as "any data about an individual who is identifiable by or in relation to such data."
In what might come as good news to covered entities, the DPDPA does not impose additional obligations on data processing entities that process sensitive personal data (as identified under the rules) or critical personal data, as was proposed in an earlier draft of the law. Neither does it refer to any special category of data expressly mentioned in the GDPR, such as racial or ethnic origin, political opinions, or sexual orientation, which require heightened protection under the European regulation.
However, companies do need to consider whether they are a "significant data fiduciary," as these data processing entities have a higher compliance burden. Significant data fiduciaries are classified as such based on the volume and sensitivity of the personal data they process and other prescribed criteria. This means companies routinely dealing with sensitive or large volumes of personal data are likely to be classified as such, and so should pay particular attention to reviewing their data privacy practices to ensure compliance with the act.
Who and what is exempted?
Besides excluding from its application the processing by an individual for personal or domestic purposes, the DPDPA also specifically excludes most publicly available personal data, as long as it was made public: by the data principal (for example, views made public by a social media user); or by someone else under a legal obligation to publish the data (such as personal data of directors that regulated companies must publicly disclose by law). The first form of publicly available information appears to permit external companies to scrape the data from social networks and process it.
The act also exempts the processing of personal data necessary for research or statistical purposes, which is an extremely broad exception. But the act will still apply to such processing if research or statistical activity is used to make "any decision specific to the data principal."
Moreover, the act provides broad exceptions for government entities, while also exempting processing for specific purposes, such as activities that are in the interest of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, the maintenance of public order, and the prevention of incitement to commit crimes. But these latter exceptions are available only with notice to the government.
Finally, in a provision appearing to promote new businesses, the DPDPA's Section 17(3) empowers the government to exempt any category of data fiduciaries from certain or all compliance obligations under the act, while categorically referring to "startups" as one such class of business that may be exempted.
Grounds for processing
The DPDPA hinges on consent as the grounds for processing personal data, although additional narrowly defined or situation-based lawful grounds are also available. These are defined as "certain legitimate uses" listed under Section 7, and among the most likely to be relevant to the private sector are: specified purposes for which the data principal has voluntarily provided their personal data and has not indicated any objection to the use of that personal data for that purpose; fulfilment of any legal or judicial obligations of a specified nature; medical emergencies and health services; breakdown of public order; and employment.
Notably, the act does not include "contractual necessity" and "legitimate interests," which appear in the GDPR and developed data protection laws elsewhere as legal grounds for data processing — and are probably the most common grounds for processing utilized by organizations today, particularly global companies that treat the GDPR as the gold standard to process personal data. The lack of these as express grounds for processing may pose a serious challenge to businesses, especially large organizations already relying on these grounds to process personal data for routine or necessary business operations.
Consent and notice
Like the GDPR, the DPDPA requires that consent for processing of personal data must be "free, specific, informed, unambiguous and unconditional with a clear affirmative action." Further, the consent should be limited to such personal data as is necessary for the specified purpose in the request for consent. In practice, this may mean that data fiduciaries cannot rely on "bundled consent."
The notice for consent must inform the data principal of the personal data to be processed and the purpose for which such data is to be processed; the manner in which the individual may exercise their rights under the act; and the manner in which the data principal may make a complaint to the data protection board of India. Importantly from an operational perspective, where a data principal has given consent to processing prior to the act, the data fiduciary needs to provide notice with the said details "as soon as it is reasonably practicable."
In what is perhaps one of the most important rights from the perspective of data subjects, similar to the GDPR, data principals have a right to withdraw their consent at any time and data fiduciaries are required to ensure that withdrawing consent is as easy as giving consent. Once consent is withdrawn, personal data must be deleted unless a legal obligation to retain data applies. Additionally, data fiduciaries must ask any processors to stop processing the data for which consent has been withdrawn.
The DPDPA aims to eliminate a confusing framework of existing rules while promoting innovation, regulatory certainty and protecting individual privacy in ways that may seem to mimic the GDPR and earlier drafts of the law. But it tries to do so in a more practical way that is sensitive to the context of India’s business and cultural attitudes to data and emerging technologies. Therefore, companies may find it necessary to localize their compliance programs, while also enabling themselves to seize opportunities to do more with their personal data within the framework of the act.
Although there is no official grace period for organizations to be compliant with the act, the Business Standard reports the government anticipates implementation within 10 months. Lastly, the DPDPA will be supplemented by government-issued rules, meaning its effect will be clear only when such rules are official.
The IAPP Resource Center additionally hosts an "India" topic page, which updates regularly with the IAPP's latest news and resources.