Stephen Mathias from Kochhar & Co. reports that in early August 2023, the Indian Parliament passed the Digital Personal Data Protection Act (the “Act”), bringing to a close a 5-year process to enact an omnibus data privacy law in India. The Act was ratified by the President of India and will come into effect once notified by the Government. The Act significantly updates a previous draft, and departs substantially from the GDPR model of privacy laws.
The Government has announced that it would implement the Act within 10 months, but has not yet set an effective date. The Act may be brought into effect in stages, as has been the case with other legislation. The Act does not provide a grace period for compliance.
The Act applies only to personal data that is maintained in digital form, and applies to the processing of personal data outside of India only if such processing is “in connection with an activity related to offering goods or services to data principals [(i.e., data subjects)] within the territory of India.”
Grounds for Collection and Processing
Consent continues to be the primary legal ground for the processing of personal data. Consent must be “freely given,” “specific,” “informed,” “unconditional,” an “unambiguous indication of consent” through a “clear affirmative action,” and must be capable of being withdrawn. The Act permits a data principal to use a consent manager to manage the consent process.
The Act provides additional grounds for processing personal data without consent, including for “legitimate uses,” such as compliance with law and court orders, as well as in connection with medical emergencies, epidemics and public safety matters. Additionally, processing personal data for certain employment purposes or to protect an employer from liability each constitutes a legitimate use under the Act for which consent is not required.
Another legitimate use is where the data principal voluntarily provides her personal data to the data fiduciary (i.e., data controller) for a specified purpose (e.g., where a person visits a pharmacy and provides her personal data).
As in previous drafts of the law, the Act does not provide a “legitimate interest” ground for data processing as set forth in the GDPR. Except for the limited “legitimate use” grounds, consent appears to be the sole ground on which to rely for the processing of personal data.
A data fiduciary must provide notice to data principals regarding the personal data to be processed and the purpose(s) of processing. Data principals also must be informed of their right to withdraw consent and the grievance redressal procedure made available by the data fiduciary. Such notice must be made accessible in English and in all 22 languages specified in the Eighth Schedule of the Constitution.
Applicability to Children
The Act defines a child as an individual under the age of 18. Verifiable parental consent is required for the collection of children’s personal data. The Act also prohibits targeted advertising to children and processing activities that may have a detrimental effect on the well-being of a child. The Government does, however, have the power to exempt certain of these restrictions through a notification.
Rights and Duties of Data Principals
The Act grants several rights to data principals, including the right to know what personal data is processed, the right to data deletion (with certain exceptions), and the right to correct or update inaccurate personal data. These rights exist only when personal data is provided voluntarily or with consent. The Act also imposes on data principals the duty to not provide false information and to not lodge frivolous or false grievances against data fiduciaries.
Integrity, Deletion and Protection of Personal Data
The Act requires data fiduciaries to ensure the completeness, accuracy, and consistency of personal data where the data is used to make a decision that affects a data principal, or where the data is disclosed to another data fiduciary. This may have implications for the use of personal data in connection with AI. A data fiduciary must delete personal data when the specified purpose for which it was collected has been served unless retention is required to comply with applicable law. Data fiduciaries also must use reasonable security measures to prevent personal data breaches.
Personal Data Breach
The Act defines a “personal data breach” as any unauthorized processing or accidental disclosure, use, alteration or destruction of personal data that compromises its confidentiality, integrity or availability. In the event of a personal data breach, the data fiduciary must inform both the Data Protection Board of India (“DPBI”) and affected data principals in a manner prescribed by the Government. The broad definition of a personal data breach would cover any breach, regardless of the number of individuals affected.
Significant Data Fiduciary
The Act retains the concept of a Significant Data Fiduciary (“SDF”), which is a data fiduciary that fulfills the criteria set forth by the Government. In determining who would be an SDF, the Government will consider factors such as the volume of data processed by the data fiduciary and potential risks to the rights of data principals. Notably, such factors include the “potential impact on the integrity and sovereignty of India” and the “risk to electoral democracy.” An SDF must appoint a Data Protection Officer who reports to the Board of the company. An SDF must also appoint an independent data auditor to audit compliance with the Act and conduct privacy impact assessments.
Data Protection Officer
Only an SDF is required to appoint a Data Protection Officer. However, every data fiduciary must appoint a person (a “grievance officer”) to act as the point of contact for data principals who wish to raise issues with the data fiduciary. The contact details of the Data Protection Officer and the grievance officer must be published.
The Act requires data fiduciaries to execute data processing agreements with their data processors. Data fiduciaries are responsible for their data processors’ compliance with the Act.
Data Localization and Data Transfers
The Act empowers the Government to create a “negative list” of countries to which personal data cannot be transferred. Personal data transfers generally are permitted to jurisdictions that are not on this list or the subject of a Government notification. The Act does not contain an adequacy requirement, nor does it require data fiduciaries to retain copies of personal data in India. Further, other means of transferring personal data to blacklisted countries, such as standard contractual clauses, explicit consent or inter-group transfers, are not covered in the Act. The Act does, however, permit sectoral data localization regulations such as the one that exists in the payments sector.
The Act grants the power to the Government to exempt itself and its agencies from most requirements of the Act on certain grounds (e.g., sovereignty and integrity of India, security of the State) that are taken from the Constitution of India and are cited by the Supreme Court of India as grounds on which privacy rights can be restricted. These grounds are quite broad, and proportionality and reasonableness are not required. These are also grounds of legitimate use for which processing of personal data by the government does not require consent.
The Government has the power to exempt certain data fiduciaries, including startups, from certain provisions of the Act (e.g., right to access, notice requirement, data retention limitations).
The Act grants the Government the power to block public access to any information processed within India that is deemed to be in the “interests of the general public,” upon receiving a reference from the DPBI. While the Government has similar powers under the Information Technology Act of 2000, such powers do not relate directly to the protection of personal data.
The Act prescribes penalties for non-compliance, and sets forth maximum penalties for specific violations. For example, the failure to take reasonable security safeguards to prevent a personal data breach may result in a penalty of up to Rs. 2.5 billion (approx. USD $30 million). The Act does not contain a provision for awarding compensation to affected data subjects.
Applicability. Because most businesses will store some personal data, especially payment information, in digital form, almost all of Indian industry will be covered by the Act. In this context, the fact that the Act imposes fewer obligations than the GDPR and similar laws is a positive factor for businesses subject to the law.
Notice. The requirement to make the notice accessible in English and in 22 other languages may be too onerous for most data fiduciaries and may not serve its purpose, since most digital services and related documentation are available exclusively in English. The Government may clarify that it would be sufficient for data fiduciaries to provide the notice in English and the most appropriate language among the list of 22 languages.
Legitimate Interests. The Government has stuck to its original stance that “legitimate interests,” as it is understood in the EU under the GDPR, will not be a part of the Act. As mentioned above, the Act provides certain limited “legitimate uses” (e.g., statutory necessity), but these are standard and fairly narrow grounds.
Consent. The main ground for processing personal data under the Act is consent. The language defining consent is identical to the GDPR, which raises the question of whether India will require consent using the GDPR’s standards. The addition of the word “unconditional” for the collection of personal data sets a potentially higher standard for obtaining consent than under the GDPR.
Voluntary Provision of Personal Data. The provision of the Act that permits the processing of personal data that is shared “voluntarily” is poorly drafted, as a data fiduciary may list various specified purposes for which the data principal “voluntarily” provides her personal data. While the Government may have meant to reference a situation where the personal data is provided at the data principal’s own initiative, this is not clear within the text of the Act. Additionally, the reference to “specified purpose” may be confusing in a situation where personal data is given automatically as part of a transaction and no notice of specified purpose is given.
Purpose Limitation. The Act’s language on purpose limitation is not well defined. The Act does not clearly prohibit data fiduciaries from providing a laundry list of “specified purposes,” and may be interpreted to mean that as long as the personal data is processed for the specified purpose mentioned in the notice, such processing is permitted. The Act does not appear to require that the stated purpose of processing be legitimate. It is possible that certain use restrictions will be implemented, in line with EU jurisprudence on free consent.
Government Exemption. The Act contains provisions that exempt the Government from certain aspects of its applicability, directly and indirectly. The exception granted to the judiciary has been expanded to include bodies that have regulatory or supervisory powers, which would directly exclude vast sections of the government. The Act does not, however, set forth standards for such exemptions, such as reasonableness and proportionality. Such criteria may be supplied by the judiciary, as the jurisprudence is already developed through past judgments.
Foreign Personal Data. The Act largely does not apply to foreign personal data processed in India. This is somewhat counterproductive, as one of the reasons for having an omnibus privacy law is to assure the world that it is safe to send personal data to India. It also means that the legislation will fail to obtain an adequacy ruling from the EU. Because India lacks independent oversight over Government surveillance, Indian law does not fully comply with Schrems II. The extraordinary powers and exemptions granted to the Government under the Act would also make that seemingly impossible.
Data Breach Notification. The requirement to notify both the DPBI and affected data principals in every case is contrary to global data breach notification standards. This is one of the instances in which the Act is stricter than the GDPR. Added to that is the existing and infeasible 6-hour breach notification requirement to the CERT-In, the deadline of which appears to be observed mostly in the breach.
Powers of the DPBI. The most disappointing aspect of the Act is the lack of powers given to the DPBI. All powers of delegated legislation rest with the Government alone, with the DPBI acting purely as an adjudication body. The DPBI is a tech-savvy and nimble organization that is equipped to issue clarifications, discuss matters with stakeholders, issue consultation and recommendation papers and guidance notes. None of these powers have been granted to the DPBI. The nature of personal data and the ever-evolving technology world requires privacy law to be as dynamic as possible, which is unlikely to be achieved with the Government having the sole power to pass legislation.
Privacy v. Right to Information. Finally, the Act amends the Right to Information Act. Whereas previously, a senior government officer would determine whether public interest outweighed the need to protect personal data, the new legal position would be that personal data can never be disclosed as part of a right to information request.