This article is part of a six-part series on the operational impacts of India's DPDPA.
Published: September 2023
India's Digital Personal Data Protection Act, 2023 creates a new framework for the protection of digital personal data. The act offers four broad rights to "data principals," those individuals to whom personal data relates, while "data fiduciaries," those who determine the purposes and means of processing personal data, are tasked with primary compliance and are responsible for giving effect to data principals' rights.
The right to access information about personal data
The act permits a data principal to seek the following information from a data fiduciary:
- A summary of personal data being processed, and the processing activities being undertaken by the data fiduciary.
- The identities of all third parties with whom the data fiduciary has shared such personal data, with a description of the personal data that has been shared.
India's government may prescribe additional information that data fiduciaries will be obliged to share with data principals upon an exercise of their access rights.
The act does not prescribe the granularity of the information data fiduciaries must make available to data principals, nor does it prescribe the modalities of making such information available. At this stage, it is unclear whether data fiduciaries will be required to offer data principals copies of the information or whether a central portal that enables data principals to view information about the processing of their personal data would suffice. Broadly, data fiduciaries will require data inventories that map how a data principal's personal data is stored within their organizations, the details of each third party with which that data is shared, and the purposes for processing.
Unfortunately, the way this right to access has been structured under the act is narrow. Effectively, a data principal can only exercise this right if the data fiduciary relies on their consent to process personal data.
While consent is the primary grounds to process personal data under the act, and most businesses do rely on consent for day-to-day data processing in business operations, the act offers additional grounds for the processing of personal data. For instance, data fiduciaries may process personal data for employment purposes or to comply with judgments, decrees and court orders. In such cases, where consent is not the grounds for processing personal data, data principals will have no access rights, thereby limiting the usefulness of this right.
The act also exempts data fiduciaries from sharing information about personal data that may be transferred to other data fiduciaries, including the government and state agencies, for purposes relating to the prevention, detection or investigation of offences or cybersecurity incidents. From an EU-India and U.K.-India data-transfer perspective, data principals will not be notified of, or have the legal right to confirm, that their personal data is subject to interception or is being transferred to government bodies. This limits their ability to challenge such interception or access, raises concerns about an effective grievance-redressal process in India, and challenges EU and U.K. standards of data protection. Effectively, data transfers to India post-"Schrems II" remain challenging and will require additional safeguards.
The right to correction and erasure of personal data
Data principals have the right to correct inaccurate or misleading personal data that data fiduciaries may process about them, complete any incomplete personal data and update personal data. Correspondingly, where data fiduciaries choose to use personal data to make decisions about data principals or otherwise share personal data with third-party data fiduciaries, they have an obligation to ensure the personal data they process is complete, accurate and consistent.
Data principals also have the right to seek the erasure of their personal data. In such instances, as well as in cases where data principals withdraw consent initially provided for the processing of their personal data, data fiduciaries will be obliged to erase such personal data, unless retention is necessary for the specified purpose for which it was processed or for compliance with applicable laws. At this stage, the law is silent on whether personal data may be retained after an exercise of the right to erasure for the establishment, exercise or defense of legal claims.
Practically, data fiduciaries have a three-fold responsibility. First, data fiduciaries must employ systems that support data accuracy, such as offering data principals verification mechanisms to recheck and confirm data sets where data is sourced directly from individuals. Second, they must use technical tools that enable effective correction, completion, updating or erasure of personal data. These tools should also permit data fiduciaries to ensure that parties with which such personal data has been shared comply with such requests. Finally, data fiduciaries must develop data-retention strategies that can demonstrate adequate justifications for retaining data.
As with the right to access information about personal data, the rights to correction and erasure of personal data only apply if a data fiduciary relies on consent as a basis of processing personal data. India's government is expected to expand the scope of rights available to data principals where data fiduciaries rely on grounds other than consent to process personal data. Separately, the government will prescribe the modalities of exercising such rights.
The right of grievance redressal
Data principals have the right of grievance redressal in relation to a business's processing of their personal data. From an enforcement perspective, aggrieved data principals will be required to exhaust all grievance-redressal processes before approaching the Data Protection Board of India, established under the act, to file complaints.
Data fiduciaries, therefore, have an opportunity to create effective and tiered redressal mechanisms. As a part of this process, such entities will be required to appoint grievance-redressal officers to manage relationships with aggrieved individuals and to adopt internal standard operating procedures for resolution, escalation and workflows.
The right to nominate
Data principals have the right to nominate other individuals to act on their behalf in the event of their death or incapacity. An incapacity can include any unsoundness of mind or body. The act does not permit an individual to exercise rights on behalf of another individual in any other case besides death or incapacity.
As with most aspects of the law, the modalities of how this right will be exercised and implemented, including questions on whether powers of attorney will suffice, paperwork and verification processes for nominees, will be prescribed by the government.
Right to withdraw consent
Where consent is the grounds for processing personal data, the right to withdraw consent must be provided to data principals. The way consent-withdrawal processes are structured should be as simple as the way consent requests are made available to data principals.
The manner of withdrawal of consent must also be communicated to data principals in the privacy notice accompanying consent requests. Upon withdrawal of consent, all data processing occurring on the basis of the withdrawn consent must cease, unless processing is permitted on other grounds under the act or under the provisions of another law.
The act is also clear that any consequences resulting from the withdrawal of consent must be borne by the data principal — indicating businesses may stop offering goods and services to individuals once consent is withdrawn.
Where a data principal is below the age of 18, the act includes their parent or guardian within the definition of the term "data principal." It is unclear whether a minor data principal will be permitted to exercise rights under the act or whether their parent or guardian will have to act on their behalf.
The mechanisms data fiduciaries will have to adopt to establish the identities of parents or guardians and verify their relationships with the minor data principal, as well as the question of whether both parents can act on behalf of a child and, if so, processes for resolutions in the event of conflicting exercises of rights, are also unclear. However, the government is expected to prescribe detailed rules on how children's personal data will be treated under the act.
The act offers sweeping exceptions, which may dilute a data principal's ability to effectively exercise their rights. Data principals have no rights regarding the processing of personal data they choose to make publicly available, as well as personal data processed for research, archival or statistical purposes that are not used to make decisions specific to data principals.
Data principals may, therefore, find it almost impossible to exercise rights in respect to large-scale data mining and processing for the training of artificial intelligence and machine learning tools.
Employees will be unable to exercise rights against employers to seek information, correction or erasure of their personal data. Most state-based processing is also exempt from the act's provisions.
Separately, the act applies extraterritorially. While a data fiduciary that undertakes any processing in India is subject to the law, certain exemptions apply to processing undertaken by Indian companies involving non-Indian data principals on the basis of contracts with non-Indian persons. Practically, these non-Indian data principals would be unable to exercise rights with regard to such Indian companies.
Additionally, data fiduciaries are under no obligation to recognize data principals' rights where the underlying processing is for:
- Enforcement of a legal right or claim.
- Prevention, detection, investigation or prosecution of any offense.
- Mergers, amalgamations or restructuring approved by relevant courts in India.
- Ascertaining financial information of individuals who are loan defaulters.
Data principal duties
In a first, data principals are themselves subject to certain duties. For example, they are obligated to comply with the act, not impersonate other data principals, not suppress material information while providing personal information for government identifiers and other documents issued by the state or its agencies, not register false or frivolous complaints, and provide only verifiably authentic information when exercising the right to correction or erasure. Penalties for noncompliance include fines of up to INR 10,000. It appears these duties were imposed on data principals to mitigate vexatious complaints.
The act, a welcome introduction into the Indian privacy sphere, has paved the road for the creation of a concrete system of data principal rights. While the availability of these rights is not absolute, further guidance is expected from the government on the exact modalities of offering these rights to data principals. Data principals can also approach the Data Protection Board of India in the event businesses do not facilitate data principal rights.
Businesses should begin implementing policies and mechanisms to offer the required rights to data principals. A grievance officer or a data protection officer ought to be appointed to handle data principal rights requests and act as a single point of contact for resolution. Businesses must, therefore, begin their compliance journeys and implement principles and standards for handling rights requests raised by individuals.