India's Digital Personal Data Protection Act (DPDPA), 2023

Introduction

In 2017, the Indian Supreme Court’s decision in Justice K.S. Puttaswamy vs. Union of India recognized a Right to Privacy as a fundamental right. Six years later, this Right to Privacy is now enshrined in law: the Digital Personal Data Protection Act of 2023 (DPDP Act). As the country’s first comprehensive privacy framework, the Act amends and adds to the existing legislation concerning the use and operations of personal data, including the Information Technology Act of 2000 and its 2008 Amendment, as well as the Information Technology Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules of 2011 (SPDI). However, Section 43A of the IT Act and the subsequent SPDI rules which formed India’s existing data protection framework will be repealed and replaced by the DPDP Act.

This new model shifts legal focus from information security to data, and for the first time names the rights and responsibilities of data actors. The Act has not yet come into force, and the Central Government has yet to set an enactment date. However, here’s what you need to know about this landmark law.

Covered Data

The Act applies only to:

Personal data in digital form, or
Non-digitized personal data that is digitized subsequently.

Personal data is any data that can be identified with or is related to a Data Principal. This definition is a departure from the previous distinction made in the SPDI Rules, which distinguished between “personal information” and “'sensitive personal data or information”. The DPDP Act treats all forms of personal data uniformly and does not replicate this distinction.

The Act does not apply to:

Personal data processed by an individual for “personal or domestic use”
Personal data that is made public either by the Data Principal that relates to the data, or by any other person under obligation of Indian law that must make this personal data publicly available.

The Act applies requirements to both:

digital personal data collected and processed within India, and
digital personal data processed outside of the territory of India, “if such processing is in connection with any profiling of, or activity of offering goods or services to Data Principals within the territory of India”

However, there is an exemption for Data Principals not within India, whose personal data can be processed pursuant to “any contract entered into with any person outside the territory of India by any person based in India.” The Central Government also retains the right to, by notification, restrict a Data Fiduciary from transferring personal data to a country or territory outside of India.

Defining Key Data Actors

The first half of the DPDP Act is largely dedicated to defining the roles and responsibilities of different data actors. Data protection is centered on the relationship between Data Principals and Data Fiduciaries, with some recognition of other data actors that function as intermediaries in this relationship. The central tension of this Act is between the established rights of the Data Principal and the responsibilities of the Data Fiduciary.

Data Fiduciaries

The DPDP Act defines a Data Fiduciary as “any person who alone or in conjunction with other persons determines the purposes and means of processing of personal data.” This function is comparable to the GDPR’s “Data Controller.” This role is distinct from Significant Data Fiduciaries, and Data Processors, both of which are defined below.

A Data Fiduciary must comply with several requirements under the Act:

1) Notice Requirements:

Notices must include: Information about the personal data being collected and its purpose; the manner by which the Data Principal can request data be accessed, updated, corrected; inform the Data Principal of their other rights, including the right of grievance redressal and the right of the Data Principal to make a complaint to the Data Protection Board.

2) Consent Requirements:

Consent must be “freely given, specific, informed and unambiguous indication of the Data Principal's wishes.”

The primary means by which Fiduciaries can process Principal data is according to “the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.” This specified purpose is critical language in the Act and is defined as the purpose that the Data Fiduciary gives to the Data Principal via the required Notice.

Upon receiving consent, the Data Fiduciary “may continue to process the personal data until and unless the Data Principal withdraws her consent.” This consent can be withdrawn at any time, and the DPDP Act requires that it be able to be withdrawn “with the ease of doing so being comparable to the ease with which such consent was given.” Consent can be reviewed and removed through a Consent Manager, actors registered with the Data Protection Board who are accountable to the Data Principal and act on her behalf.

There are exemptions for the consent requirement. The Act describes categories of “Legitimate Uses” of data, where there is no specific consent from the Data Principal required for the Data Fiduciary to process their information. Examples of these Legitimate Uses include, but are not limited to, medical emergencies, legal obligations, and ensuring safety during disaster.

3) Children’s Data Protection Requirements

A Data Fiduciary requires verifiable parental consent (or consent of the lawful guardian) for processing the data of a child, which the Act defines as being anyone under the age of 18.

Data Fiduciaries may not engage in tracking or behavioral monitoring of children or targeted advertising directed at children. There are available exemptions as provided by the government, if found that the Fiduciary has “ensured its processing of personal data of children is done in a manner that is verifiably safe” they may be exempted from any or all of the requirements which apply particularly to children

4) Other Requirements for Data Fiduciaries

Data Fiduciaries are required to make “reasonable efforts” to ensure that personal data is accurate and complete, applies to data that is processed by or on behalf of the Data Fiduciary.

Data Fiduciaries must take undertake reasonable security safeguards against personal data breaches.

There are updated required limits on data retentions. Unless otherwise necessary under other laws in force, a Data Fiduciary has to erase personal data either (1) upon request or (2) “as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier.” These purposes are no longer served when either (1) the Data Principal “does not approach the Fiduciary for the performance of the specified purpose and (2) exercise any of her rights in relation to such processing.

Significant Data Fiduciaries

If a Data Fiduciary meets the specifications covered in the Act, they may qualify as a “Significant Data Fiduciary” and can expected to be notified of their status by the Central Government.

A Significant Data Fiduciary is distinguished by the volume and sensitivity of the data processed, the risk of harm, the impact on the “sovereignty and integrity” of India, and the risk posed to electoral democracy and public order.

In addition to the requirements of a Data Fiduciary, the Significant Data Fiduciary must also appoint a Data Protection Officer, appoint an Independent Data Auditor, and undertake periodic DPIAs as defined by the Act.

Data Principals

As defined by the Act, a Data Principal is the individual to whom personal data relates. When the Principal is a child, this includes the child’s parent or guardian. Similarly, when the Data Principal is a disabled person, this includes their legal guardian. Definitionally, “Data Principal” is comparable to a “Data Subject” under the GDPR. One of the cornerstones of the DPDP Act is defining and enshrining four primary rights of the Data Principal in law.

(1) Right to Information

This right includes a confirmation of whether a principal’s data has been or is being processed, access to summaries of the personal data that is being or has been processed, and access to identities of other Data Fiduciaries which the Data Principal’s personal data has been shared with

(2) Right to Correction and Erasure

This right prompts Data Fiduciary responsibilities after receiving a request from a data Principal. The Data Fiduciary must correct, complete, update, or erase data upon request.

(3) Right to Grievance Redressal

(4) Right to Nominate a Person to Exercise Rights in Case of Death or Incapacity

Data Processors

Under the DPDP Act, a data processor is “any person who processes personal data on behalf of a data fiduciary.” Data processing is broadly defined by the Act, including but not limited to operations such as collection, storage, retrieval, adaptation, erasure, dissemination, and destruction. Processors can only intervene in the relationship between a Data Principal and Data Fiduciary under valid contract with the Data Fiduciary.

The Fiduciary still has an obligation to protect Principal data, even " in respect of any processing undertaken by it or on its behalf by a Data Processor” by ensuring that there is no personal data breach. There is also a retention obligation for Data Processors, a Data Fiduciary shall cause its Data Processors to erase any personal data that the Fiduciary shared with the Processor for its own purposes under the instances where the Data Fiduciary itself cannot retain the data.

Conclusion

Organizations that are already compliant under existing Indian IT laws will have to a new system of definitions and requirements. Many entities that deal with data in some form will qualify under the laws criteria for a “Data Fiduciary”, or at minimum, a “Data Processor.” Both come with newly updated responsibilities. There are several critical steps to take to move towards compliance if an organization qualifies as a Data Fiduciary under the DPDP Act. Data Fiduciaries should focus on improving both their data mapping and consent mechanisms, enabling the enumerated rights of Data Principals (including the provisions for children), and ensuring additional security measures against data breaches.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with various global regulations by taking a data centric approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify data inventory, data mapping, data minimization, and securely delete data in enterprises to reduce legal and financial liability.

Legal Disclaimer: The information provided in this blog is not intended to, and does not constitute, legal advice. All content is provided for general informational purposes only. Access to and use of the materials provided do not create an attorney-client relationship. Readers and users should consult with their individual attorneys for advice about their specific legal concerns.