On August 9, 2023, India passed a data protection law that will govern how entities process users’ personal data. The Digital Personal Data Protection Act (“the Act”) will establish guardrails for how organizations should handle personal data and offers citizens control over the personal data gathered about them.
The Act will make it mandatory for entities collecting user data to obtain express user consent before processing the data, with some exceptions. Other provisions include the designation of certain entities as “Significant Data Fiduciaries” and the imposition of heightened compliance measures on them given the nature and volume of personal data they process. The Act also prohibits behavioral monitoring of, and targeted advertising directed at, minors, and it establishes the Personal Data Protection Board (“the Board”), which will investigate data breaches and handle consumer inquiries about the processing of their personal data. Violations of the Act can lead to fines of up to 2.5 billion rupees ($30 million).
The passing of the Act is significant because it could have large effects on US-based companies that offer their services to the large Indian market. Notably, the Act applies to the handling of digital personal information even if it takes place outside of India, as long as it relates to providing goods or services to Indian residents. The Indian Government may also restrict the transfer of personal data by a data fiduciary for processing outside of India. Given that India has over 750 million active internet users, the effect of the Act on companies processing Indian users’ data could be extensive.
We have outlined the history and the key provisions of the Act below. We are happy to answer any questions about how the Act might affect your privacy compliance program.
The Act has been seven years in the making and is the Indian government’s third attempt to pass a privacy bill. In 2017, India’s Supreme Court reaffirmed privacy as a fundamental right. In that monumental decision, the Supreme Court of India noted that the nation lacked a comprehensive privacy law and that existing regulations had limitations in the data privacy context. Following that decision, the Indian government drafted privacy legislation. The first several versions of the privacy bill were rejected in 2019 and 2022. In the 2022 iteration, technology companies expressed concern about the bill’s broad exceptions for government entities, limitations on protecting user data, and restrictions over data exports. This current version was subject to a November 2022 public consultation that received more than 20,000 stakeholder comments for lawmakers to evaluate before completing a final draft.
Data, Data Principals, and Data Fiduciaries
- Data - The Act defines data broadly as “a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.” Personal data refers to “any data about an individual who is identifiable by or in relation to such data.”
- Processing - The Act defines processing as “a wholly or partly automated operation or set of operations performed on digital personal data,” including operations such as “collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.”
- Data fiduciaries - Under the Act, a data fiduciary is any person who determines the purpose and means of processing personal data. For simplicity, this article will use ‘company’ and ‘entity’ interchangeably with ‘data fiduciary.’
- Data principals - Under the Act, a data principal is the individual to whom the personal data relates. This article will use ‘user’ and ‘consumer’ interchangeably with ‘data principal.’
The Act has consequences for US-based and other non-Indian companies given its extra-territorial application and the authority of the government to prohibit international data transfers.
- Extra-territoriality - The Act not only applies to the processing of digital personal data within India, but also extra-territorially to the processing of digital personal data outside India if it is in connection with data principals within the territory of India. This means that U.S.-based companies must comply with the law when processing the data of Indian users.
- International data transfers - Under the Act, the Indian Government may restrict the transfer of personal data by a data fiduciary for processing outside of India. Previous iterations of the bill had allowed data transfers only to a specific set of countries, so this provision has been relaxed.
The Act mandates that companies may only process users’ personal data with the user’s consent or for certain legitimate uses.
- Notice - Requests for user consent must be accompanied or preceded by a notice that informs users of the personal data to be processed and the purpose of such processing. The notice must also describe how users can exercise their opt-out rights and make a complaint to the Board. Users who provided consent before the commencement of the Act must also receive such a notice, but a fiduciary may continue to process personal data until and unless the user withdraws consent.
- Limited consent for a specific purpose - A user’s consent to the processing of her personal data is limited to the specified purpose and to only the personal data necessary for that specified purpose. The Act contains an illustrative example: if a telemedicine app requests a user’s consent to process her personal data both to make telemedicine services available and to access her cell phone contacts list, then even if the user consents to both, the consent is limited to the processing of her personal data to make telemedicine services available, because her phone contact list is not necessary for this purpose.
- Right to withdraw consent - Users have the right to withdraw consent at any time. If a user withdraws consent, a company is required to, within a reasonable time, cease and cause its data processors to cease processing that user’s personal data.
- Exception for voluntary consent - There are certain legitimate uses for which companies may process users’ personal data without obtaining prior express consent. When a user has voluntarily provided her personal data for a specific purpose, such as providing a phone number to a pharmacy in order to receive a digital SMS receipt for a payment, the company may process that personal data for that purpose.
General Data Fiduciary Obligations
- Responsibility for third party processors - A data fiduciary may involve a third-party data processor to process personal data on its behalf and must ensure completeness, accuracy, and consistency when personal data is being disclosed to another fiduciary.
- Implementing safeguard measures - Data fiduciaries must also take reasonable technical and organizational measures and implement reasonable security safeguards to prevent personal data breaches. In the case of a breach, the data fiduciary must notify the Board and each affected user of the breach.
- Establishing a point of contact - Data fiduciaries must publish the business contact information of a Data Protection Officer or of a person who can answer on behalf of the entity if users have questions about the processing of their personal data.
Significant Data Fiduciaries
The government may designate certain data fiduciaries as “Significant Data Fiduciaries,” considering factors such as the volume and sensitivity of personal data processed, risks to the rights of users, security of the nation, and public order. Significant data fiduciaries have heightened obligations under the Act.
- Appointing a Data Protection Officer - Significant data fiduciaries are obligated to appoint a Data Protection Officer based in India who will be responsible to the Board of Directors and will be the point of contact for user grievances under the Act.
- Appointing an Independent Data Auditor - Significant data fiduciaries must also appoint independent data auditors who will evaluate the entity’s compliance. In addition, significant data fiduciaries must undertake periodic Data Protection Impact Assessments, which include assessing the rights of users and the management of risks related to processing their personal data.
Processing of data of children and individuals with disabilities
- Necessary parental/guardian consent - All data fiduciaries must obtain parental or guardian consent before processing the data of children under the age of 18 or of individuals with disabilities who have a lawful guardian.
- Prohibition on behavioral monitoring/targeted advertising - Data fiduciaries may not process personal data when it “is likely to cause any detrimental effect on the wellbeing of a child.” Data fiduciaries are also prohibited from tracking or conducting behavioral monitoring of, or targeted advertising directed at, children. This provision will affect the marketing and advertising practices of US-based media companies whose consumer base includes Indian minors. Companies will need to ensure that they are not using the personal data of Indian minors for behavioral monitoring or targeted advertising purposes.
Rights and Duties of Users
- Right to know - Users have the right to request a summary of their personal data being processed by a data fiduciary, the identity of all other data fiduciaries and data processors with whom the personal data has been shared, and any other information related to their personal data.
- Right to correct - Users also have the right to correct, complete, update, and erase their personal data for the processing of which they previously gave consent. Upon receiving such a request, a data fiduciary must correct, complete, or update the personal data as requested.
- User duties - Users also have certain duties, including to not suppress any material information in providing their personal data and to not register frivolous complaints or grievances.
The Data Protection Board
- Establishment of the Board - The Act establishes the Data Protection Board of India, a government body whose members will possess knowledge of or experience in fields such as data governance, consumer protection law, information and communication technology, and the digital economy.
- Incident response mitigation and consumer complaints - The Board will oversee mitigation measures in the event of a personal data breach and will handle consumer complaints and grievances related to the processing of their personal data. The Board will conduct investigations into incidents and complaints and has the authority to impose monetary penalties when appropriate. Monetary penalties for violations and non-compliance are up to 2.5 billion rupees, or $30 million.
- Power to block information from data fiduciaries - When a data fiduciary has been subjected to financial penalties on two or more occasions, the Board may advise blocking public access to information generated, stored, received, or hosted in the fiduciary’s specific computer resources or platforms.