This article is part of a six-part series on the operational impacts of India's DPDPA.
Published: October 2023
India's data privacy law, the Digital Personal Data Protection Act, is unique in that it eschews the EU General Data Protection Regulation's model of data privacy legislation in favor of a simpler, less prescriptive law.
Consequently, the DPDPA leaves out several concepts found in the European regulation, including some details that make the GDPR more comprehensive legislation.
One area in the DPDPA where we see little regulation relates to data processors, with only a handful of provisions on the topic. The act defines a data processor as anyone who processes personal information on behalf of a data fiduciary, the term used under the law to refer to a data controller. Correspondingly, a data fiduciary is defined as any person who "alone or in conjunction with other persons determines the purpose and means of processing of personal data."
The law is focused almost entirely on data fiduciaries, including the obligation to fulfil data principals' rights of access, correction and deletion of personal information. Provisions on special protections for the personal data of children, on implementing a procedure for addressing data principals' grievances, and several others likewise apply to data fiduciaries.
The act requires a valid contract to be in place under which personal information is transferred to a data processor. Significantly, the data fiduciary is responsible for ensuring the data processor's compliance with the act. As such, it may be interpreted that the act does not cast an obligation directly on data processors but instead on the data fiduciary.
This means if there is a violation of the act by the data processor, it is possible only the data fiduciary will be held liable. However, this is not entirely clear. In the schedule for penalties, only two provisions refer specifically to the obligation of the data fiduciary, including the requirement to maintain reasonable security safeguards. The penalty provision refers to a "person," rather than a data fiduciary. Though individual data principals can also be held liable for failure to observe their obligations under the law, these provisions create some doubt about liability being imposed only on the data fiduciary.
The data fiduciary should be extra cautious in negotiating contracts with data processors, as the data fiduciary must assume they will be held liable for any violation by the data processor. As such, the data fiduciary will want to include an indemnity clause holding the data processor liable for any penalties paid by the data fiduciary due to violations of the act by the data processor.
Significantly, this means the data fiduciary will initially be liable for violations by data processors. Moreover, the Data Protection Board of India or the appellate authority may conclude a violation has occurred, but may not allocate the degree of blame between the two relevant parties — the data fiduciary and the data processor — requiring litigation before Indian courts in the absence of an arbitration clause. This could potentially involve substantial evidentiary proceedings to determine who was responsible and to what extent.
It should also be highlighted that the act does not deal specifically with situations of multiple data fiduciaries or joint data fiduciaries as the GDPR does. Going by the definition of a data fiduciary, multiple data fiduciaries may exist if multiple entities determine the means and purpose of data processing. In this case, a party that processes personal data on behalf of a data fiduciary may itself be a data fiduciary, not a data processor, and would be directly liable. This normally occurs when the entity concerned determines the purpose and means of processing independently of the data fiduciary.
In India, where data privacy compliance is still relatively nascent, data fiduciaries may have a heightened sense of fear about the likely consequences of privacy law violations by the data processor. Liability aside, it may be more important for data fiduciaries to ensure data processors simply do not violate the act. Hence, data fiduciaries may need to impose strict standards on data processors, including periodic audits. This could also increase the costs of outsourcing.
A global impact
India plays a key role in the digital economy with its huge outsourcing and offshore industry. The country processes a significant part of the world's data. So how does the DPDPA apply to data processors in India?
One of the act's provisions exempts most personal data of people outside India that is processed in India under a cross-border contract. This means most of the law does not apply to personal data of people outside India that is processed in India.
This may initially raise eyebrows — after all, one of the reasons for having a data privacy law is to ensure personal data is protected in India. However, when personal data is collected in the country of the data subject, it is collected under that country's laws. Applying the law of the processor's country instead would lead to confusion, especially where that law differs substantially from the law under which the data was collected.
To illustrate, given the varying bases for collecting personal data under the GDPR and the DPDPA, a controller in the EU may collect and process personal data under legitimate interest whereas, under India’s law, the same controller would need to obtain consent. A key provision in this regard is the requirement that the data fiduciary ensure reasonable security safeguards are in place to protect personal data. Consequently, if there is negligence in safeguarding personal data, the legal system of the data processor is well-placed to hold the data processor responsible.
Some clarification may still be necessary with respect to the web of provisions related to the personal information of people outside India. Two provisions of the act impose important obligations on the data fiduciary: mandating compliance with the act, including for processing undertaken on its behalf by a data processor, and requiring the establishment of reasonable security safeguards. Whether an Indian data processor's failure to maintain reasonable security safeguards could result in liability for the foreign data fiduciary rather than for the processor remains to be seen.
EU controllers need to consider issues arising from the 'Schrems II' judgment when allowing processing of personal information in India. This has not been a serious challenge so far, though there are some concerns, chiefly the lack of independent oversight of government surveillance. The lack of specificity in the act could also mean the government can call for large databases of personal information if it so pleases. The act gives the government very broad power to call for any information from a data fiduciary or intermediary, although this power may be limited by language that suggests it is to be exercised only for the purposes of the act. Moreover, even though the law does not apply directly to the data processor in India, and the data fiduciary is very likely to be a customer outside India, a data processor could be considered an intermediary and still be subject to the exercise of this power.
Further, protections relating to government surveillance under existing telecommunications and information technology laws are not replicated in the act. Once the law comes into force and Indian industry faces challenges relating to its interpretation, these issues will hopefully be sorted out. There is some concern, though, that India's nearest equivalent to a data protection authority, the Data Protection Board of India, is merely an adjudication body without regulatory powers, such as the power to issue guidance notes that the European Data Protection Board has. This may hamper India's ability to develop its own jurisprudence around the new legislation concerning these and other issues.