India's soon-to-be enforced Digital Personal Data Protection Act seeks to balance individual privacy and the country's emerging digital economy.
Unlike global data laws, the DPDPA applies only to digital personal data, excluding non-digital personal data unless subsequently digitized. Perhaps inspired by Singapore's Personal Data Protection Act, the DPDPA creates a broad exception for personal data made public either by an individual or a law. Contrary to the EU General Data Protection Regulation, the act does not exclude processing pursuant to journalistic purposes from its scope.
The DPDPA treats all personal data uniformly, without imposing heightened obligations for sensitive personal data. Entities that determine the means and purposes of processing personal data are termed "data fiduciaries," instead of "data controllers." Individuals identifiable by or in relation to any data are termed "data principals," rather than "data subjects" — implying a fiduciary relationship of trust in India's digital economy. Notably, in relation to children and persons with disabilities, the act includes parents or lawful guardians under its definition of data principals, raising questions on how overlapping rights between such data principals may be reconciled.
The act additionally allows data principals to provide or withdraw consent through consent managers, data-blind entities that facilitate interoperable data sharing, to enable seamless sharing of data inter alia within India's digital public infrastructure. Consent managers will be accountable to data principals under the act, a requirement that exists perhaps to address a potential conflict of interest, such as in case of monetary dependence on data fiduciaries. Consent managers may be subject to additional obligations notified through forthcoming rules.
Unlike the GDPR and the California Consumer Privacy Act, which apply certain obligations to data processors directly, the DPDPA applies only to data fiduciaries, requiring them to execute valid contracts with data processors. The nature of contractual protections that should be passed on to data processors is not specified.
India DPDPA 2023 – Comparative analysis with GDPR
Scope and Application
• Organizations that have an establishment in the EU and process personal data "in the context of" the EU establishment.
• Organizations that are not established in the EU but process personal data related to either offering goods or services in the EU or monitoring the behavior of individuals in the EU.
Applies to digital personal data processed:
• Within the territory of India.
• Outside India, in connection with the offering of goods or services in India.
Except data security requirements, offshore entities in India are exempt from the DPDPA when:
• The offshore entity processes personal data on behalf of a foreign data fiduciary.
• The personal data only relates to foreign data principals.
• Personal data.
• Automated processing or nonautomated processing where personal data forms part of a filing system.
Does not apply to:
• Anonymous data.
• Personal data processed by natural persons for purely personal or household purposes.
• Processing by law enforcement and national security agencies.
• Automated and nonautomated processing of digital personal data.
• Automated and nonautomated processing of nondigitized personal data that is subsequently digitized.
Does not apply to:
• Anonymous personal data implicitly, since applicability is limited to personal data.
• Personal data processed by an individual for purely personal or domestic purposes.
• Personal data made publicly available, either by a data principal or another person, under an obligation of Indian law to publicize such data.
Except data security requirements, does not apply to processing pursuant to:
• Enforcing a legal right or claim.
• The performance of a judicial, regulatory or supervisory function.
• Prevention, detection or investigation of offences.
• Processing by an Indian data processor on behalf of a foreign data fiduciary, where the personal data only relates to foreign data principals.
• Certain mergers and acquisitions approved by a competent authority.
• Ascertaining the assets and liabilities of any person who has defaulted in payment of a loan or advance taken from a financial institution.
Also allows the government to additionally exempt from its scope:
• Classes of data fiduciaries, including startups, considering the nature and volume of personal data processed.
• Government agencies in the interest of national security, public order, investigation of offences, etc.
Definition of personal data
Defines personal data as any information related to an identified or identifiable natural person, the data subject. An identifiable natural person is one who can be identified, directly or indirectly, taking "all of the means reasonably likely to be used" into account.
Defines personal data as information about a natural person identifiable by or in relation to such data.
Definition of sensitive personal data
Defines "special categories of personal data" as personal data revealing:
• Racial or ethnic origin.
• Political opinions, religion or philosophical beliefs.
• Trade union membership.
• Genetic data.
• Biometric data, for the purpose of uniquely identifying a natural person.
• Sex life or sexual orientation.
Personal data related to criminal convictions and offenses, while not special category data, is subject to distinct rules defined by EU or member state law.
Treats all personal data uniformly, without separately classifying special or sensitive categories of personal data.
Controller: The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Data subject: An identified or identifiable natural person.
Data fiduciary: Any individual, company or juristic entity that alone, or in conjunction with another, determines the means and purposes of processing personal data.
Data processor: Any state, company, juristic entity or individual who processes personal data on behalf of a data fiduciary.
Data principal: The natural person to whom the personal data relates. In relation to children and persons with disabilities, the definition includes the parent or lawful guardian.
Consent manager: The DPDPA allows data principals to give, manage, review, or withdraw their consent through a "consent manager." Consent managers are accountable to the data principal and are to act on their behalf in such manner as is prescribed through rules.
Significant data fiduciaries: Classes of data fiduciaries notified by the government as considering certain factors. These include the nature and volume of personal data processed, the risk posed to data principals from their processing activities, risk to electoral democracy, threat to the country's sovereignty and integrity, and security of state. Significant data fiduciaries are subject to additional obligations under the DPDPA.
Lawfulness of processing
Sets out seven principles in Article 5:
• Lawfulness, fairness and transparency.
• Purpose limitation.
• Data minimization.
• Storage limitation.
• Integrity and confidentiality.
Reflects the following commonly accepted data protection principles in its various requirements:
Lawfulness: Personal data may be processed only pursuant to a lawful purpose.
Fairness: Consent must be free, specific, informed, unconditional and unambiguous. Consent should be provided through a clear affirmative act of the data principal, signifying an agreement to such processing.
Data minimisation: Where consent is the basis for processing, personal data collected should be limited to what is necessary for a specified purpose. Storage limitation: Data collected should be retained only until necessary for the specified purpose unless further retention is required by an Indian law.
Purpose limitation: Where consent or voluntarily provided personal data is the basis for processing, personal data should only be processed pursuant to specified purposes. Integrity: Where personal data is likely to be disclosed to another data fiduciary or used to make decisions about a data principal, the data fiduciary must ensure the processing of such personal data ensures its completeness, accuracy and consistency.
Confidentiality: Data fiduciaries are required to protect the personal data in their possession, or control and implement reasonable security safeguards to prevent a personal data breach. Data fiduciaries are also required to implement appropriate technical and organisational measures.
Accountability: Data fiduciaries are required to, irrespective of an agreement to the contrary, ensure compliance with DPDPA provisions.
Significant data fiduciaries are required to carry out periodic audits through an independent data auditor, data protection impact assessments in accordance with the DPDPA and rules prescribed, etc.
Legal basis for processing personal data
Includes six lawful bases for processing personal data, subject to additions by member states:
• Performance of a contract.
• Legal obligation.
• Legitimate interests.
• Life protection and vital interests.
• Public interest.
Prescribes nine additional grounds for processing personal data beyond consent, defined as legitimate uses, including the following:
• Use of voluntarily provided data by the data principal for a specified purpose, where the data principal has not objected to such use.
• Performance of a state function.
• Performance of legal obligation, or in the interests of the sovereignty and integrity of India.
• To fulfil any legal obligation.
• To comply with a judicial order.
• To respond to medical emergencies involving a threat to an individual's life.
• During a threat to public health.
• For undertaking measures to ensure public safety or provide assistance during a disaster or public order breakdown.
• For employment purposes, or to safeguard the employer from loss or liability such as corporate espionage, to maintain confidentiality of proprietary information or to provide any service or benefit sought by an employee.
Imposes a number of requirements for obtaining valid consent:
• Consent must be freely given, specific and informed.
• It must be granted by an unambiguous affirmative action.
• Generally, the provision of a service cannot be made conditional on obtaining consent for processing that is not necessary for the service.
• A request for consent must be distinct from any other terms and conditions.
• Consent for separate processing purposes must be provided separately.
• Individuals have the right to withdraw consent at any time "without detriment" and it should be as easy to withdraw consent as it was to give it.
Requires consent to be:
• Freely given, specific and informed.
• Unconditional. This possibly implies the provision of a service cannot be conditioned on providing consent for collecting any unnecessary data.
• Capable of being withdrawn with comparable ease to which consent was given.
• In clear and plain language.
• Accessible in English as well as in all the official languages as prescribed in the Indian Constitution.
Processing is permitted without consent where it is necessary for the controller's or a third party's legitimate interests, provided such interests are not overridden by the rights and interests of the data subject.
It is the controller's responsibility to determine whether the interests it pursues under this basis are legitimate and proportionate. Controllers are expected to document these assessments.
Conditions for processing sensitive data
Includes 10 lawful bases for processing sensitive data, subject to additions by member states:
• Explicit consent.
• Compliance with obligations and exercising rights in the employment and social security context.
• Life protection and vital interests.
• Legitimate activities by foundation, associations or other not-for-profit bodies with political, philosophical, religious or trade union aims that process data about members.
• Establishment, exercise or defense in legal claims.
• Manifestly made public by the individual.
• Substantial public interest defined by law.
• Preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, and the provision of health or social care or treatment.
• Substantial public interest in health.
• Archiving, scientific or historical research purposes.
Treats all personal data uniformly, without creating special categories of personal data, so the grounds for processing all personal data remain the same.
Protections for children
Imposes additional obligations when collecting consent from children under age 16 or at an age set between 13 and 16 by member state law.
Where providing certain electronic services at a distance, i.e., "information society services," directly to a child and where the processing is based on consent, consent must be provided by a parent or guardian.
Processing personal data of children is pertinent to other GDPR requirements, so notices must be tailored to children. The fact that data subjects are children could tip the balance of the legitimate interest test or trigger a DPIA.
One recital states significant automated decisions should not be taken concerning children.
Defines a child as an individual under age 18.
There is a general obligation to obtain "verifiable consent" from the parent or lawful guardian of children and persons with disabilities. The government can notify rules specifying the manner of obtaining such verifiable parental consent.
Data fiduciaries are prohibited from undertaking processing that:
• Is likely to have a detrimental effect on the wellbeing of a child.
• Involves tracking, behavioral monitoring of children or targeted advertising directed at children.
These restrictions would not apply for certain classes of data fiduciaries, or for certain purposes as prescribed through rules by the government.
The government may notify classes of data fiduciaries exempt from these restrictions upon satisfaction that their processing activities are verifiably safe.
Requires information to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Where personal data is collected directly from the individual, notice must be provided at or before the time of collection.
For personal data collected indirectly, i.e., from another source), notice must be provided within one month or upon first contact with the individual, if earlier, unless providing notice would be impossible or require disproportionate effort.
Detailed requirements for the content that must be included in notices.
Requires consent to be obtained using clear and plain language.
Requires a notice to be provided before or at the time of personal data collection, disclosing:
• Personal data processed and the purpose for such processing.
• The manner in which data principals may exercise the rights available under the DPDPA.
• The manner in which the data principal can make a complaint to the Data Protection Board of India in such manner as prescribed.
Requires the consent language to be accessible in English as well as all official languages set out in the Indian Constitution.
Data fiduciaries are required to publish the business contact information of a point of contact, and a data protection officer in the case of significant data fiduciaries, to answer data principals' questions regarding personal data processing.
Right of access
Gives individuals the right to receive information about how their personal data is processed and a copy of their personal data.
Personal data must be provided:
• Free of charge, except where requests are manifestly unfounded, excessive or for additional copies.
• In electronic form whe requested.
• Within one month unless an extension applies.
Exceptions apply when providing the information would adversely affect the rights and freedoms of others, including intellectual property rights.
Where consent or voluntary use is the basis for processing personal data, gives the data principal the right of access in the manner prescribed to:
• A summary of personal data processed by the data fiduciary and the processing activities undertaken by that data fiduciary with respect to such personal data.
• The identities of all other data fiduciaries and data processors with whom personal data has been shared, with a description of the personal data.
• Any other information related to the their personal data and its processing, as may be prescribed.
Right to correct and update
• Grants data subjects the right to: Correct inaccurate personal data.
• Complete incomplete personal data.
When personal data is updated, it must be communicated to each recipient to which it was disclosed, unless this would involve disproportionate effort.
The controller must restrict processing where the accuracy of the data is disputed for the time needed to verify the request.
When consent or voluntary use is the basis for processing personal data, grants data principals the right to:
• Correct inaccurate or misleading personal data.
• Complete incomplete personal data.
• Update outdated personal data.
Right to be forgotten
Grants data subjects the right to request the deletion of personal data processed by the controller, when the data is no longer needed for the purpose of processing, when the data subject withdraws consent or objects, and when processing is unlawful or deletion is required by law.
If the controller grants a request for the deletion of data that was previously made public, the controller needs to "take reasonable steps" to inform any third parties that may be processing the data of the data subject's request.
There is also an obligation to communicate the request directly to any known recipients of the data unless it would be impossible or would require disproportionate effort.
Controllers may rely on a number of exceptions, including establishing, exercising or defending legal claims, conducting research that meets certain conditions, and other compelling legitimate interests to override a request.
Does not expressly recognize a right to be forgotten.
However, it allows data principals to withdraw their consent related to personal data processing.
Where consent is the basis for processing personal data, and such consent is withdrawn, the data fiduciary would be required to cease the processing of personal data, including its retention or public disclosure, within a reasonable time, unless the data is required to be retained under an Indian law. Additionally, the data principal may exercise the right to erasure of their personal data where its further retention is not necessary for the specified purpose, and is not required by law.
Rights related to Profiling
Gives data subjects the right not to be subject to solely automated decisions, including profiling, that produce legal or significant effects, unless certain conditions are met.
Where such decisions are permitted, data subjects have a right to obtain human intervention and contest the decision.
Controllers must also provide meaningful information about the logic of decisions and take reasonable steps to prevent bias, error or discrimination.
Does not include an overarching right not to be subject to profiling or significant decisions, except the restriction against behavioral monitoring, tracking or offering targeted ads to children.
Appointment of a data protection officer
Requires controllers and processors not established in the EU, that are subject to the GDPR, to appoint a representative in the EU, except if processing is occasional and does not involve large scale processing of sensitive data. Requires private entities to appoint a DPO only when a "core activity" of the controller or processor involves either the regular and systematic monitoring of data subjects on a large scale or the large-scale processing of sensitive data.
The DPO must have sufficient independence and skill to carry out its functions and must be able to report to the highest levels of management within the organization.
DPOs may be outsourced.
Guidance from EU regulators recommend DPOs should be based in the EU.
Requires all significant data fiduciaries to appoint DPOs based out of India. Significant data fiduciaries are classes of data fiduciaries notified by the government considering the nature and volume of personal data processed, the risk posed to the rights of data principals, risk to electoral democracy, potential impact on the sovereignty and integrity of India, security of the state, etc.
The DPO must represent the significant data fiduciary and be accountable to the board of directors or governing body of the significant data fiduciary.
There are no express skill requirements for DPOs. Guidance on terms for appointing DPOs may be provided through rules under the DPDPA.
Record of processing
Requires controllers and processors to retain detailed records of their processing activities unless very narrow exceptions apply.
Does not require data fiduciaries to maintain a record of processing activities. However, data fiduciaries may practically be required to maintain records of their processing activities when demonstrating compliance with the DPDPA.
Notably, during any proceeding, the data fiduciary should be able to prove a notice was given to the data principal and consent was obtained in accordance with DPDPA provisions
Data protection impact assessment
Requires controllers to conduct a DPIA for certain "high risk" activities, including:
• Systematic and extensive profiling.
• Large-scale processing of sensitive data.
• Systematic monitoring of a publicly accessible area on a large scale.
In cases where the risks cannot be mitigated, the controller must consult with the data protection authority before engaging in the processing.
Requires significant data fiduciaries to carry out DPIAs. Such assessment should consider the impact of processing on data principals' rights, the purpose of processing, the assessment and management of risks to data principals' rights, and other prescribed matters.
Privacy by design
Includes a requirement to implement appropriate compliance processes through the lifecycle of any product, service or activity.
By default, only personal data necessary for a purpose should be processed and personal data should not be publicly disclosed without an individual's affirmative action.
Notably, does not require data fiduciaries to implement privacy by design.
Where consent or voluntary use is the basis for processing personal data, ensuring personal data collected is limited to what is necessary for a specified purpose is required.
Like the GDPR, the DPDPA requires all data fiduciaries to implement appropriate technical and organizational measures.
Does not include audit requirement that are applicable to controllers.
Processors must agree to audit provisions in contracts with controllers.
Requires significant data fiduciaries to appoint an independent data auditor and carry out periodic audits.
Appointment of Processors
Subjects processing by processors to detailed contracts, with requirements set out in Article 28.
Requires data fiduciaries to be responsible for compliance, without any provision being applicable directly to data processors. However, data fiduciaries are required to engage data processors only pursuant to a valid contract.
Security and breach notification
Requires controllers and processors to implement appropriate technical and organizational measures to protect the security of personal data.
Requires data fiduciaries to protect the personal data under their control or possession, including involving any processing undertaken by or on its behalf, and implement necessary security safeguards to prevent a personal data breach. This requirement is likely to be passed on to data processors.
Requires controllers to notify the DPA of a breach within 72 hours unless the breach is unlikely to result in a risk to individuals.
Notification may be made in stages as information becomes available.
Controllers must notify individuals of a breach without undue delay only if it is likely to result in a "high risk" to individuals.
Processors must notify a controller of a breach without undue delay.
Requires data fiduciaries to notify the board and the affected data principals in the event of a personal data breach, in a manner prescribed through rules.
The time period for notifying breaches may be established by rules.
International data transfers
Data localization requirements
Does not require localization unless international data transfer requirements are not met.
Does not generally require data localization. However, the government may impose restrictions on transfers of personal data to specific countries through notification. Additionally, any stricter law such as sector-specific data localization requirements, e.g., in respect of payment data, insurance data, or telecommunications subscriber data, will continue to apply.
International data transfers
Only permits the transfer of personal data outside the European Economic Area when:
• The recipient is in a territory considered by the European Commission to offer an adequate level of protection for personal data after an assessment of its privacy laws and law enforcement access regime.
• Appropriate safeguards are put in place, such as European Commission-approved standard contractual clauses or binding corporate rules approved by DPAs.
• A derogation applies, such as where data subjects provide explicit consent, the transfer is necessary to fulfil a contract, or there is a public interest founded in EU or member state law, among others.
Generally permits international data transfers. The government may restrict transfers of personal data to specific countries notified through rules under the act. The rules will also specify the nature of such restrictions.
Does not stipulate criminal liability, but permits member states to impose criminal penalties for violations of the regulation and applicable national rules.
Administrative fines up to 20 million euros or 4% of annual global revenue.
DPAs may also issue injunctive penalties, which include the ability to block processing, restrict international transfers and require the deletion of personal data.
Individuals may bring claims in court for compensation and mechanisms exist for representative actions on behalf of a class of individuals.
Does not impose any criminal penalties, but imposes monetary penalties for "significant" breaches. In calculating the amount of penalty, relevant factors to be considered include:
• The nature, gravity and duration of the breach.
• The type and nature of personal data affected by the breach.
• The repetitive nature of the breach.
• Whether, as a result of the breach, the data fiduciary realized a gain or avoided any loss.
• Whether the monetary penalty imposed is proportionate and effective.
• The likely impact of the imposition of the monetary penalty on such data fiduciary.
During any stage of a proceeding for compliance with the DPDPA, the board may accept a voluntary undertaking by a data fiduciary. This may include a commitment to take appropriate action within a stipulated timeframe determined by the board. The board's acceptance would bar all proceedings under the DPDPA against the data fiduciary.
In addition to monetary penalties, the Central Government may direct any of its agencies or any online intermediary to block access to any information which enables a data fiduciary to offer goods or services in India, based on a written reference from the board intimating that the data fiduciary has been subject to a monetary penalty in two or more cases, and advising the Central Government that blocking access to the data fiduciary's offerings is in the public's general interests.
Does not define anonymous data, which cannot identify an individual by means reasonably likely to be used, falls outside of the scope of the law (reasonable steps to re-identify). In practice, anonymization is a high standard to meet.
Does not define anonymized personal data.
Exemptions for research
Permits a number of exemptions for scientific or historical research, archiving in the public interest, and statistical purposes, including:
• Further processing for such purposes may be considered "compatible."
• EU or member state law may permit controllers to process sensitive data for such purposes.
• EU or member state law may provide derogations from certain individual rights.
For the research exemptions to apply, controllers must implement appropriate safeguards, which may be specified by law, such as pseudonymization.
Does not apply its provisions of to the processing personal data for research, archiving or statistical purposes, if such processing is:
• Not used to make a decision about a data principal.
• Carried out in accordance with the standards prescribed by the government.
Gives rulemaking authority to national DPAs and the EU Data Protection Board to issue nonbinding guidance clarifying the application of its provisions.
Some limited areas are left to national law, such as clarifying the conditions for processing criminal-record data or adopting additional derogations from certain provisions.
Either permits the Central Government to promulgate additional rules or regulations that may clarify its requirements and/or specifies additional requirements.
Application to public authorities
Applies to public entities, subject to narrow exemptions:
• Law enforcement and other "competent authorities" are subject to a separate, but similar framework when they proces personal data for law enforcement purposes.
• EU institutions are subject to a separate but similar framework.
• Activities that fall outside the scope of EU law, such as national security and intelligence services, are subject only to national law.
Generally applies to public agencies, as well as private parties.
However, the Central Government has the broad authority to exempt any government agency from any or all provisions in the interest of sovereignty, security, public order, integrity of the state and friendly relations with foreign states, or for preventing incitement of identifiable offenses.
Data protection principles
Instead of listing out data protection principles, the DPDPA internalizes principles of lawfulness, purpose limitation, storage limitation, integrity and confidentiality, and accountability through its various provisions.
However, the principle of purpose limitation only applies when consent or voluntary use is the basis for processing personal data. Similarly, the requirement of data minimisation — collecting only as much information as is necessary for a specified purpose — only applies where consent is the basis for processing personal data.
Notably, the DPDPA does not impose a general obligation to comply with the principle of fairness in processing personal data, as required under the GDPR.
The DPDPA excludes contractual necessity and legitimate interest as grounds for processing personal data. Consent remains the primary basis for processing, except for certain legitimate uses, where obtaining consent may not be possible. Such situations include complying with legal obligations, performance of state functions, complying with judicial orders, responding to medical emergencies, and maintaining public safety and order.
The act recognizes processing for broadly defined employment purposes as an independent basis. It also envisions the use of personal data voluntarily provided by a data principal for a specified purpose, where the data principal does not object to such use. Voluntary use as a basis is possibly inspired by the deemed consent ground under Singapore's PDPA, where a notice and consent mechanism may not be practical in transactional settings.
However, the voluntary use basis is much narrower than the legitimate interest grounds for processing, which is flexible and can be relied on beyond specified purposes, considering broader commercial interests of the data controller, as long as the individual can reasonably expect such processing.
Classification of data fiduciaries
Unlike the GDPR, which requires all entities to carry out data protection impact assessments under specific circumstances, for instance when high-risk processing is involved, the DPDPA only imposes this requirement on specific data fiduciaries classified as "significant data fiduciaries." The government may classify data fiduciaries as significant considering the volume and extent of personal data processed and risks posed to data principals, electoral democracy, national security and public order.
The GDPR, by default, requires all public bodies and entities carrying out large-scale processing of sensitive data and systematic monitoring of individuals as their core activity to appoint a data protection officer. The DPDPA, meanwhile, imposes the requirement to appoint an India-based DPO only on data fiduciaries that are classified as significant through rules — likely to include global businesses collecting significant volumes of personal data. While the GDPR requires the DPO to act independently, the DPDPA requires the DPO to be responsible to the board of directors or similar governing body of the significant data fiduciary. The act allows the government to notify additional obligations on significant data fiduciaries, the nature of which remains unclear.
Scope of rights
While the GDPR and CCPA allow individuals to exercise a broader array of rights, under the DPDPA, the rights available to data principals are limited to the rights of access, correction, completion, nomination (such as of a representative to exercise rights in case of death or incapacity), erasure, consent withdrawal and grievance redressal. Further, rights to access, correction, completion, and erasure can only be exercised where consent or voluntary use is the basis for processing personal data.
While the act does not explicitly provide for a right to be forgotten, it is possible the withdrawal of consent, where consent is the basis for processing, would require the data fiduciary to delete the personal data collected. The requirement to provide a notice to data principals only applies when consent is the basis for processing personal data.
Crucially, the right to data portability and the right against solely automated decision-making are excluded. However, the act does require personal data used to make a decision about a data principal to be accurate, complete and consistent — which may make it difficult for data fiduciaries to implement solely automated decision-making processes that could result in inaccurate or discriminatory results.
Duties of a data principal
Unlike most data laws, the act imposes duties on data principals, against raising frivolous complaints, impersonating another person and suppressing material information in identifying oneself, such as during age-verification measures. Additionally, the act requires data principals to comply with applicable laws.
International data transfers
Unlike the GDPR, which generally restricts data transfers unless a country is deemed adequate, the DPDPA generally allows data transfers, unless the government restricts such transfers to specific countries. While the nature of these restrictions remains unclear, they could mean a stringent ban against transfers to blacklisted countries or soft obligations akin to adequacy-like arrangements, such as binding corporate rules or standard contractual clauses, for specific countries. Additionally, sector-specific restrictions on data transfers to regulated entities — banking and finance, insurance, etc. —may apply as relevant.
The act allows the government to exempt classes of data fiduciaries from its scope, considering the nature and volume of personal data processed, including startups. This addresses the long-standing criticism of the GDPR for imposing excessive regulatory costs on small businesses.
The act also exempts processing pursuant to research, archival or statistical purposes, when carried out in accordance with standards prescribed by the government.
Additionally, except data security requirements, the act exempts data processing carried out under unique conditions, such as: to ascertain the assets and liabilities of persons who may have defaulted in payment due on account of a loan or advance taken from a financial institution (enabling financial institutions and fintech businesses to conduct their business); processing where it is necessary in the context of mergers and acquisitions approved by a competent authority in certain circumstances; and, in the context of outsourcing, where the data relates only to foreign residents and is processed by an Indian data processor on behalf of a foreign data fiduciary, allowing India to retain its prowess as an outsourcing hub.
Powers of the board
Notably, the Data Protection Board of India, the regulatory body to be formed under the act, has powers including the ability to carry out inquiries and direct urgent or remedial measures.
However, unlike national supervisory authorities under the GDPR, the board does not have the power to initiate a proceeding on its own. Similarly, unlike EU supervisory authorities, the board cannot issue recommendations or codes of conduct, and such prescriptive powers are retained by the government. While the board is required to act independently, unlike the structural and functional independence with which EU supervisory authorities operate, the government exercises considerable control over its composition, powers and functions. This could have been India's opportunity to further strengthen its adequacy status under the GDPR.
Perhaps again inspired by Singapore’s PDPA, the act allows the board to accept voluntary undertaking to address any alleged noncompliance by data fiduciaries and bar associated legal proceedings against such data fiduciaries. Such a provision for voluntary undertaking is absent from most global data laws.
Significantly, the board can recommend the government exercise blocking powers against noncompliant data fiduciaries, restricting access to the data fiduciary's online goods or services, which could lead to a virtual sales stop.
Enforcement and sanctions
While the GDPR allows member states to impose criminal penalties for certain noncompliance with data protection law, the act does not impose any criminal penalties. The sanctions are monetary penalties which, unlike the turnover-based penalties under the GDPR, may extend to INR250 crores, USD30 million, in some cases.
The DPDPA only provides for the imposition of penalties for non-compliances that are "significant" in nature. In determining the monetary penalty in case of a significant non-compliance, instead of the turnover of the business, relevant factors to consider include the nature, gravity and duration of the breach, type and nature of personal data affected by the breach, and the repetitive nature of the breach, as well as mitigation measures undertaken by the data fiduciary.
Notably, composite penalties may be imposed under the act for more than one instance of noncompliance. For example, penalties for failing to undertake reasonable security safeguards to prevent a personal data breach could add up to the penalty for being noncompliant with child-related processing obligations.
Notably, the act does not provide for a right to compensation to data principals in case of a noncompliance with the act.
Contrary to global data laws, the act only applies monetary penalties in case of significant breaches, but the threshold of what constitutes a "significant" breach remains unclear.
Structural resonance The structure of the DPDPA is comparable to the GDPR in terms of definitions, grounds, exceptions, rights and obligations. However, compared to global laws, the scope of these aspects is limited, concerning perhaps that this is India's first step toward introducing an omnibus data protection law.
Ease of compliance As a continuing theme, the act seeks to ease compliance for businesses in India's emerging digital economy, to retain its competitive advantage among preferred offshore locations globally.
An evolving law for emerging challenges Flexibility in introducing regulatory requirements through swifty exercisable rule-making powers — the ability to impose additional obligations for significant data fiduciaries, the manner of reporting data breaches, the accountability framework for consent managers, the manner of providing notice and the restrictions on international data transfers — provides the act with an evolving character. It can reshape itself and expeditiously adapt to unprecedented and unique challenges posed by India's rapidly transforming digital economy through situation-specific and need-based regulation.
Proportionate regulation The act's elasticity gives India the regulatory flexibility to ensure proportionate regulation from the perspective of doing business, with graded obligations for startups compared to significant data fiduciaries, providing India's startup economy with a competitive advantage in the global tech landscape.
The IAPP Resource Center additionally hosts an "India" topic page, which updates regularly with the IAPP's latest news and resources.
India Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said the government will finalize Data Protection Board appointments and Digital Personal Data Protection Act rules within 30 days, MoneyControl reports. Now in force, the bill will likely have a one-year grace p...
India's Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said the government may give the tech industry approximately six months to comply with the Digital Personal Data Protection Act, The Economic Times of India reports. Chandrasekhar said the exact transition peri...
India's Minister of Electronics and Information Technology Ashwini Vaishnaw said rulemaking under the Digital Personal Data Protection Act will be "very simple, very straightforward, very easy to implement," Moneycontrol reports. He added the rulemaking will be "consultative" and there will be no de...
As elements India's Digital Personal Data Protection Act enter into force, "organizations should start evaluating their exposure to get a head start on compliance strategy development," DoorDash Head of Technical Privacy and Governance Nandita Rao Narla, CIPP/US, CIPM, CIPT, FIP, writes. Narla outli...