India’s Digital Personal Data Protection Act, 2023: Data Privacy Compliance
After receiving approval from both houses of Parliament and obtaining the President’s assent, the Digital Personal Data Protection Bill of 2022 has officially become the Digital Personal Data Protection (DPDP) Act of 2023. The DPDP Act will be enforced once the central government issues a notification. Upon coming into effect, it will regulate the processing of digital personal data in India, regardless of whether the data was originally collected in a digital or non-digital format and subsequently digitized. The legislation aims to enhance data protection and accountability for entities such as internet companies, mobile apps, and businesses that handle citizens’ data. Additionally, the DPDP Act will impact India’s trade negotiations with other nations, aligning with global data protection standards and drawing inspiration from models like the EU’s GDPR and China’s PIPL.
India’s rapidly evolving technology landscape may have reached a significant milestone with the introduction and subsequent enactment of the Digital Personal Data Protection (DPDP) Bill, 2022. The Union Cabinet approved this pivotal legislation on July 5, and it was presented during the ongoing Monsoon Session of Parliament, which commenced on July 20, 2023. It swiftly passed through the legislative process, receiving approval in the lower house (Lok Sabha) on August 7 and in the upper house (Rajya Sabha) on August 9. The DPDP Bill, 2022, officially became the Digital Personal Data Protection Act after receiving the President’s assent on August 11, 2023 (official Gazette notification by the Government of India—DPDP Act). It awaits a notification from the central government to officially come into force.
This Act now stands as a crucial component alongside the Digital India Bill and the draft Indian Telecommunication Bill, 2022, addressing the governance of personal data in India. Collectively, these legislative efforts represent a significant stride towards bolstering data protection in the country’s swiftly evolving digital landscape.
At its core, the DPDP Act aims to establish a higher level of accountability and responsibility for entities operating within India, including internet companies, mobile apps, and businesses involved in the collection, storage, and processing of citizens’ data. With a strong emphasis on the “Right to Privacy,” this legislation seeks to ensure that these entities operate transparently and are answerable when it comes to handling personal data, thus prioritizing the privacy and data protection rights of Indian citizens.
The DPDP Act’s scope extends beyond the borders of India, encompassing digital personal data processing activities abroad. This extension applies specifically to organizations offering goods or services to individuals in India or engaging in the profiling of Indian citizens. In doing so, the Act fortifies data protection measures not only within India but also concerning Indian citizens’ data handled abroad.
India’s Digital Personal Data Protection Act, 2023: Key provisions
Initially introduced in 2019, the Digital Personal Data Protection Act holds considerable importance as a legislative measure aimed at safeguarding individuals’ privacy rights. Its primary focus lies in regulating the collection, storage, processing, and transfer of personal data in the digital landscape. The DPDP Bill underwent 81 amendments after its initial introduction, resulting in a comprehensive overhaul into its present form.
By prioritizing privacy and security, the DPDP Act strives to create a robust framework that addresses the challenges posed by data handling in the digital age. Key provisions of the DPDP Act, 2023 are as follows:
- Definitions: Although many concepts in the DPDP Act closely resemble those found in the EU’s General Data Protection Regulation (GDPR) framework, there are differences in how the terminology is used.
a) Data fiduciary: This refers to the entity that, either independently or in collaboration with others, determines both the purpose and the means of processing personal data (similar to a data controller under the GDPR). The government can classify any data fiduciary or a specific group of data fiduciaries as ‘significant data fiduciaries’ (SDFs). The criteria for classification as an SDF range from the nature of the processing activities (such as the volume and sensitivity of the personal data involved and the potential impact on data principals’ rights) to broader societal and national concerns (such as the potential effects on India’s sovereignty and integrity, electoral democracy, state security, and public order). The designation of SDF comes with heightened compliance obligations, as explained below.
b) Data processor: This is an entity responsible for processing digital personal data on behalf of a data fiduciary.
c) Data principal: These are individuals whose personal data is gathered and processed (equivalent to a data subject).
d) Consent manager: A person registered with the Data Protection Board who acts as a single point of contact enabling a data principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
- Applicability: The DPDP Act applies to all personal data in India, whether originally collected in digital form or collected offline and later digitized. Additionally, the Act applies to the processing of digital personal data beyond India’s borders, particularly when it involves the provision of goods or services to individuals within Indian territory.
Age verification mechanisms will be necessary for all companies in India (telcos, banks, e-commerce, etc.) under the new DPDP law, per reporting from The Economic Times. The compliance requirement is not just limited to social media platforms. This is essential to record the verifiable consent of users per legal experts.
- Personal data breach: This means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data.
- Individual consent to use data and data principal rights: Under the new legislation, personal data may be collected and processed only with the explicit consent of the individual, unless specific circumstances relating to national security or law and order require otherwise.
Under data principal rights, individuals also have the right to information, the right to correction and erasure, the right to grievance redressal, and the right to nominate any other person to exercise these rights in the event of the individual’s death or incapacity. Currently, there is no specified timeline for the implementation of grievance redressal and data principal rights.
- Additional obligations of SDFs: Depending on the quantity and sensitivity of the data they manage, data fiduciaries designated as SDFs are subject to additional obligations under the DPDP Act. Every significant data fiduciary is required to appoint a Data Protection Officer (DPO) responsible for addressing the inquiries and concerns of data principals, that is, the individuals whose data is collected and processed. Regarding international data transfers, the DPDP Act permits data fiduciaries to transfer personal data for processing to any country or territory outside India. However, the central government can impose restrictions through notifications. These restrictions will be determined after assessing relevant factors and establishing the terms and conditions necessary to maintain data protection standards during international processing.
- Establishment of a Data Protection Board: The Data Protection Board will function as an impartial adjudicatory body responsible for resolving privacy-related grievances and disputes between relevant parties. As an independent regulator, it will possess the authority to ascertain instances of non-compliance with the Act’s provisions and impose penalties accordingly. The appointment of the chief executive and board members of the Data Protection Board will be carried out by the central government, ensuring a fair and transparent selection process. To provide an avenue for customers to challenge decisions made by the Data Protection Board, the government will establish an appellate body. This appellate body may be assigned to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which will be responsible for adjudicating disputes related to data protection and hearing appeals against the decisions made by the Data Protection Board.
- Voluntary undertaking: Under this provision, the Data Protection Board has the authority to accept a voluntary commitment related to compliance with the DPDP Act’s provisions from any data fiduciary at any stage of complaint proceedings. This voluntary undertaking may entail specific actions to be taken or refrained from by the concerned party. Furthermore, the terms of the voluntary undertaking can be modified by the Board if necessary. The voluntary undertaking serves as a legal barrier to proceedings concerning the subject matter of the commitment, unless the data fiduciary fails to adhere to its terms. In the event of non-compliance, such a breach is considered a violation of the DPDP Act, and the Board is authorized to impose penalties for this infringement. Additionally, the Board has the discretion to require the undertaking to be made public.
- Alternate disclosure mechanism: This mechanism will allow two parties to settle their complaints with the help of a mediator.
- Offence and penalties: Data fiduciaries can face penalties of up to INR 2.5 billion for failing to comply with the provisions. These include: penalties of up to INR 10,000 for breach of the duty towards data principals; penalty up to INR 2.5 billion for failing to take reasonable security safeguards to prevent breach of personal data; fines up to INR 2 billion for failure to notify the Data Protection Board and affected data principals in case of a personal data breach; penalties of up to INR 2 billion for violation of additional obligations related to children’s data; penalty of INR 1.5 billion for failure to comply with additional obligations of significant data fiduciary; penalty of INR 500 million for breach of any other provision of the DPDP Act, 2023 and rules made thereunder.
- Conflict with existing laws: The provisions of the DPDP Act will be in addition to and not supersede any other law currently in effect. However, in case of any conflict between a provision of this Act and a provision of any other law currently in effect, the provision of this Act shall take precedence to the extent of such conflict.
Exemptions under the DPDP Act
The exemptions provided in the DPDP Act are as follows:
- For notified agencies, in the interest of security, sovereignty, public order, etc.
- For research, archiving, or statistical purposes.
- For start-ups or other notified categories of data fiduciaries.
- To enforce legal rights and claims.
- To perform judicial or regulatory functions.
- To prevent, detect, investigate, or prosecute offences.
- To process in India personal data of non-residents under foreign contract.
- For approved merger, demerger, etc.
- To locate defaulters and their financial assets etc.
How can companies prepare for compliance under the Digital Personal Data Protection Act
By following the steps below, companies can prepare for compliance with India’s DPDP Act and protect personal data in line with regulatory guidelines.
Assess and build data privacy:
– Evaluate current compliance status.
– Create a phased action plan covering governance, technology, people, and processes.
– Establish a privacy organization with defined roles, including the DPO, especially if your entity’s status is an SDF.
Inventory personal data systems:
– Identify critical data storage and processing systems.
Identify data processors:
– List third parties handling personal data.
– Update agreements and communicate responsibilities.
Draft DPDP Act-compliant documents:
– Create approved data privacy policies and processes.
– Update necessary documents.
– Develop privacy notices, consent forms, and standard contract clauses.
Design consent mechanisms:
– Define consent types.
– Develop user-friendly consent processes.
– Implement efficient consent management tools.
Establish data principal rights handling:
– Set up processes for addressing data principal rights.
– Develop procedures for request handling.
– Use tools for efficient rights management.
Implement data breach response:
– Create breach management processes.
– Integrate with incident management.
Define data retention periods:
– Categorize data and align retention periods with requirements.
Evaluate and implement privacy technologies:
– Choose suitable tech solutions.
– Assess compatibility and scalability.
– Implement chosen solutions.
Conduct communication and awareness programs:
– Develop plans and materials.
– Launch awareness initiatives.
– Provide training to stakeholders.
Monitor government notifications:
– Stay updated on Central Government notifications and any forthcoming rules under the Act.
– Take necessary actions based on government directives.
Global data protection models
- European Union (EU) model: The EU’s GDPR imposes stringent requirements on organizations to ensure the careful safeguarding of personal data and demands evidence of such protection. The regulation establishes rigorous standards for obtaining consent, empowering customers to exercise control over how their data is handled and protected. Widely acknowledged as a ground-breaking and crucial legislative framework, the GDPR offers valuable guidance to countries in defining the fundamental rights and responsibilities that should be integrated into their own data protection laws. Its primary objective is to effectively respond to the challenges posed by our increasingly digital and interconnected world.
- United States (US) model: The US model emphasizes safeguarding an individual’s personal privacy from government intrusion. It permits the collection of personal information, provided that the individual is made aware of such data collection and its intended use. Unlike some other countries, the US does not have a singular data protection regulation; instead, it has a combination of laws at both the federal and state levels that are designed to protect the data of its residents.
- China model: The Personal Information Protection Law (PIPL) introduces enhanced rights for data principals in China, aiming to curb the improper usage of personal data. The law encompasses key notions, such as personal information, sensitive personal information, and processing. Notably, it explicitly defines its jurisdiction beyond national borders. The PIPL incorporates fundamental elements of data protection, including principles governing the processing of personal information, provisions for consent and non-consent-based grounds for processing, mechanisms for cross-border data transfers, and the rights of data subjects.
About Us
India Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Delhi, Mumbai, and Bengaluru in India. Readers may write to india@dezshira.com for support on doing business in India.