This article is part of a series on the operational impacts of India's DPDPA. The full series can be accessed here.

Published: October 2023

Navigate by topic

India's soon-to-be enforced Digital Personal Data Protection Act seeks to balance individual privacy and the country's emerging digital economy.

Unlike global data laws, the DPDPA applies only to digital personal data, excluding non-digital personal data unless subsequently digitized. Perhaps inspired by Singapore's Personal Data Protection Act, the DPDPA creates a broad exception for personal data made public either by an individual or a law. Contrary to the EU General Data Protection Regulation, the act does not exclude processing pursuant to journalistic purposes from its scope.

The DPDPA treats all personal data uniformly, without imposing heightened obligations for sensitive personal data. Entities that determine the means and purposes of processing personal data are termed "data fiduciaries," instead of "data controllers." Individuals identifiable by or in relation to any data are termed "data principals," rather than "data subjects" — implying a fiduciary relationship of trust in India's digital economy. Notably, in relation to children and persons with disabilities, the act includes parents or lawful guardians under its definition of data principals, raising questions on how overlapping rights between such data principals may be reconciled.

The act additionally allows data principals to provide or withdraw consent through consent managers, data-blind entities that facilitate interoperable data sharing, to enable seamless sharing of data inter alia within India's digital public infrastructure. Consent managers will be accountable to data principals under the act, a requirement that exists perhaps to address a potential conflict of interest, such as in case of monetary dependence on data fiduciaries. Consent managers may be subject to additional obligations notified through forthcoming rules.

Unlike the GDPR and the California Consumer Privacy Act, which apply certain obligations to data processors directly, the DPDPA applies only to data fiduciaries, requiring them to execute valid contracts with data processors. The nature of contractual protections that should be passed on to data processors is not specified.

India DPDPA 2023 – Comparative analysis with GDPR

  • expand_more

    Scope and Application

  • expand_more

    Lawfulness of processing

  • expand_more

    Protections for children

  • expand_more

    Individual rights

  • expand_more

    Accountability requirements

  • expand_more

    Security and breach notification

  • expand_more

    International data transfers

  • expand_more

    Enforcement

  • expand_more

    Miscellaneous provisions

Data protection principles

Instead of listing out data protection principles, the DPDPA internalizes principles of lawfulness, purpose limitation, storage limitation, integrity and confidentiality, and accountability through its various provisions.

However, the principle of purpose limitation only applies when consent or voluntary use is the basis for processing personal data. Similarly, the requirement of data minimisation — collecting only as much information as is necessary for a specified purpose — only applies where consent is the basis for processing personal data.

Notably, the DPDPA does not impose a general obligation to comply with the principle of fairness in processing personal data, as required under the GDPR.

Lawful bases

The DPDPA excludes contractual necessity and legitimate interest as grounds for processing personal data. Consent remains the primary basis for processing, except for certain legitimate uses, where obtaining consent may not be possible. Such situations include complying with legal obligations, performance of state functions, complying with judicial orders, responding to medical emergencies, and maintaining public safety and order.

The act recognizes processing for broadly defined employment purposes as an independent basis. It also envisions the use of personal data voluntarily provided by a data principal for a specified purpose, where the data principal does not object to such use. Voluntary use as a basis is possibly inspired by the deemed consent ground under Singapore's PDPA, where a notice and consent mechanism may not be practical in transactional settings.

However, the voluntary use basis is much narrower than the legitimate interest grounds for processing, which is flexible and can be relied on beyond specified purposes, considering broader commercial interests of the data controller, as long as the individual can reasonably expect such processing.

Classification of data fiduciaries

Unlike the GDPR, which requires all entities to carry out data protection impact assessments under specific circumstances, for instance when high-risk processing is involved, the DPDPA only imposes this requirement on specific data fiduciaries classified as "significant data fiduciaries." The government may classify data fiduciaries as significant considering the volume and extent of personal data processed and risks posed to data principals, electoral democracy, national security and public order.

The GDPR, by default, requires all public bodies and entities carrying out large-scale processing of sensitive data and systematic monitoring of individuals as their core activity to appoint a data protection officer. The DPDPA, meanwhile, imposes the requirement to appoint an India-based DPO only on data fiduciaries that are classified as significant through rules — likely to include global businesses collecting significant volumes of personal data. While the GDPR requires the DPO to act independently, the DPDPA requires the DPO to be responsible to the board of directors or similar governing body of the significant data fiduciary. The act allows the government to notify additional obligations on significant data fiduciaries, the nature of which remains unclear.

Scope of rights

While the GDPR and CCPA allow individuals to exercise a broader array of rights, under the DPDPA, the rights available to data principals are limited to the rights of access, correction, completion, nomination (such as of a representative to exercise rights in case of death or incapacity), erasure, consent withdrawal and grievance redressal. Further, rights to access, correction, completion, and erasure can only be exercised where consent or voluntary use is the basis for processing personal data.

While the act does not explicitly provide for a right to be forgotten, it is possible the withdrawal of consent, where consent is the basis for processing, would require the data fiduciary to delete the personal data collected. The requirement to provide a notice to data principals only applies when consent is the basis for processing personal data.

Crucially, the right to data portability and the right against solely automated decision-making are excluded. However, the act does require personal data used to make a decision about a data principal to be accurate, complete and consistent — which may make it difficult for data fiduciaries to implement solely automated decision-making processes that could result in inaccurate or discriminatory results.

Duties of a data principal

Unlike most data laws, the act imposes duties on data principals, against raising frivolous complaints, impersonating another person and suppressing material information in identifying oneself, such as during age-verification measures. Additionally, the act requires data principals to comply with applicable laws.

International data transfers

Unlike the GDPR, which generally restricts data transfers unless a country is deemed adequate, the DPDPA generally allows data transfers, unless the government restricts such transfers to specific countries. While the nature of these restrictions remains unclear, they could mean a stringent ban against transfers to blacklisted countries or soft obligations akin to adequacy-like arrangements, such as binding corporate rules or standard contractual clauses, for specific countries. Additionally, sector-specific restrictions on data transfers to regulated entities — banking and finance, insurance, etc. —may apply as relevant.

Exemptions

The act allows the government to exempt classes of data fiduciaries from its scope, considering the nature and volume of personal data processed, including startups. This addresses the long-standing criticism of the GDPR for imposing excessive regulatory costs on small businesses.

The act also exempts processing pursuant to research, archival or statistical purposes, when carried out in accordance with standards prescribed by the government.

Additionally, except data security requirements, the act exempts data processing carried out under unique conditions, such as: to ascertain the assets and liabilities of persons who may have defaulted in payment due on account of a loan or advance taken from a financial institution (enabling financial institutions and fintech businesses to conduct their business); processing where it is necessary in the context of mergers and acquisitions approved by a competent authority in certain circumstances; and, in the context of outsourcing, where the data relates only to foreign residents and is processed by an Indian data processor on behalf of a foreign data fiduciary, allowing India to retain its prowess as an outsourcing hub.

Powers of the board

Notably, the Data Protection Board of India, the regulatory body to be formed under the act, has powers including the ability to carry out inquiries and direct urgent or remedial measures.

However, unlike national supervisory authorities under the GDPR, the board does not have the power to initiate a proceeding on its own. Similarly, unlike EU supervisory authorities, the board cannot issue recommendations or codes of conduct, and such prescriptive powers are retained by the government. While the board is required to act independently, unlike the structural and functional independence with which EU supervisory authorities operate, the government exercises considerable control over its composition, powers and functions. This could have been India's opportunity to further strengthen its adequacy status under the GDPR.

Perhaps again inspired by Singapore’s PDPA, the act allows the board to accept voluntary undertaking to address any alleged noncompliance by data fiduciaries and bar associated legal proceedings against such data fiduciaries. Such a provision for voluntary undertaking is absent from most global data laws.

Significantly, the board can recommend the government exercise blocking powers against noncompliant data fiduciaries, restricting access to the data fiduciary's online goods or services, which could lead to a virtual sales stop.

Enforcement and sanctions

While the GDPR allows member states to impose criminal penalties for certain noncompliance with data protection law, the act does not impose any criminal penalties. The sanctions are monetary penalties which, unlike the turnover-based penalties under the GDPR, may extend to INR250 crores, USD30 million, in some cases.

The DPDPA only provides for the imposition of penalties for non-compliances that are "significant" in nature. In determining the monetary penalty in case of a significant non-compliance, instead of the turnover of the business, relevant factors to consider include the nature, gravity and duration of the breach, type and nature of personal data affected by the breach, and the repetitive nature of the breach, as well as mitigation measures undertaken by the data fiduciary.

Notably, composite penalties may be imposed under the act for more than one instance of noncompliance. For example, penalties for failing to undertake reasonable security safeguards to prevent a personal data breach could add up to the penalty for being noncompliant with child-related processing obligations.

Notably, the act does not provide for a right to compensation to data principals in case of a noncompliance with the act.

Contrary to global data laws, the act only applies monetary penalties in case of significant breaches, but the threshold of what constitutes a "significant" breach remains unclear.

Key takeaways

  • Structural resonance
    The structure of the DPDPA is comparable to the GDPR in terms of definitions, grounds, exceptions, rights and obligations. However, compared to global laws, the scope of these aspects is limited, concerning perhaps that this is India's first step toward introducing an omnibus data protection law.
  • Ease of compliance
    As a continuing theme, the act seeks to ease compliance for businesses in India's emerging digital economy, to retain its competitive advantage among preferred offshore locations globally.
  • An evolving law for emerging challenges
    Flexibility in introducing regulatory requirements through swifty exercisable rule-making powers — the ability to impose additional obligations for significant data fiduciaries, the manner of reporting data breaches, the accountability framework for consent managers, the manner of providing notice and the restrictions on international data transfers — provides the act with an evolving character. It can reshape itself and expeditiously adapt to unprecedented and unique challenges posed by India's rapidly transforming digital economy through situation-specific and need-based regulation.
  • Proportionate regulation
    The act's elasticity gives India the regulatory flexibility to ensure proportionate regulation from the perspective of doing business, with graded obligations for startups compared to significant data fiduciaries, providing India's startup economy with a competitive advantage in the global tech landscape.

The IAPP Resource Center additionally hosts an "India" topic page, which updates regularly with the IAPP's latest news and resources.

Top 10 operational impacts of India’s DPDPA

The overview page for the full series can be accessed here.

Published

Coming Soon

  • Part 7: Consent management
  • Part 8: Data principle rights
  • Part 9: Data audits for significant fiduciaries
  • Part 10: Data protection impact assessments


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 3

Submit for CPEs