Companies subject to India’s new data protection law should assess practical implications.
The Indian parliament enacted India’s first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the DPDPA). The DPDPA will replace India’s existing patchwork of data protection rules[i] and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law is not yet operational; no effective date has been established and there is no official timeline for the overall implementation. Stakeholders expect the law to come into force in a phased manner in the next six to 12 months, after:
- an independent agency responsible for enforcing the DPDPA — the Data Protection Board of India (the Data Protection Board) — is established; and
- the Indian government has framed the subordinate rules (which are expected to provide interpretative guidance on procedural steps and enforcement methodology).
The DPDPA is “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime, with supplementary rules expected in due course. Though the new law is not yet operational, companies subject to the new law are advised to begin assessing potential practical implications at an early stage.
The DPDPA is triggered when digital personal data is processed within India. The law also has an extraterritorial effect in that it applies to digital personal data processing outside of India if such processing relates to the offering of goods or services to individuals (known as “data principals”, which are equivalent to “data subjects” under the EU and UK General Data Protection Regulations (the GDPR)) within India.
The DPDPA follows broadly similar principles to those set out in the GDPR and specifies obligations for data fiduciaries (equivalent to “controllers” under the GDPR) and data processors, and rights for data principals. Maximum penalties for non-compliance under the DPDPA range from INR500 million (€5.7 million) to INR2.5 billion (€28 million), depending on the obligation breached; the highest tier applies to a failure to take reasonable security safeguards to prevent a personal data breach. The Data Protection Board is also empowered to direct urgent remedial or mitigation measures in the event of a personal data breach.
Practical Impact on Existing Privacy Compliance Programmes
The DPDPA signals a major change in the way personal data is processed in India. Organisations operating in, or targeting individuals in, India should consider preemptive steps to bring their privacy compliance in line with the DPDPA, including in relation to data collection and consent-mapping practices. Key differences between the DPDPA and the GDPR include:
- Scope: The DPDPA regulates the processing of digital personal data, i.e., personal data collected in digital form, or collected in non-digital form and subsequently digitised. Whilst the DPDPA’s personal data definition is similar to that provided under the GDPR, it excludes from its scope personal data made publicly available by the data principal or by any other person under a legal obligation to make that data publicly available.
- Legal basis for processing of personal data: The DPDPA provides that data fiduciaries may lawfully process personal data only with the consent of the data principal or for certain specified “legitimate uses”. Such legitimate uses include: processing of personal data voluntarily provided by the data principal for a specified purpose (provided that the data principal has not indicated that they do not consent to such processing); processing to comply with the law or court orders; processing for employment purposes; and processing to respond to medical emergencies, epidemics, or disasters. The DPDPA’s consent standard is similar to that of the GDPR, requiring consent to be “free, specific, informed, unconditional and unambiguous with a clear affirmative action”. Unlike the GDPR, however, the DPDPA does not recognise contractual necessity or legitimate interests as lawful bases for processing, so GDPR-based programmes that rely on those bases will need to re-map the relevant processing to consent or to one of the enumerated legitimate uses.
- Data principal rights: Whilst data principals will have certain rights similar to those of data subjects under the GDPR (i.e., rights of access, correction, and erasure), they will also benefit from a number of rights which are unique to the DPDPA, namely the right to a readily available and effective means of grievance redressal (e.g., via a grievance redressal officer), and the right to nominate an individual who will be able to exercise the rights of the data principal in the event of the data principal’s death or incapacity.
- Cross-border data transfers: The DPDPA permits cross-border data transfers to any jurisdiction outside of India other than those jurisdictions specifically identified by the Indian government on its list of countries to which data transfers are restricted (to be published). Beyond that restriction, the DPDPA does not require the implementation of a transfer mechanism such as standard contractual clauses or an adequacy decision.
- Data breach notification: Data fiduciaries are required to notify personal data breaches to the newly created Data Protection Board and to each affected data principal, regardless of the magnitude of the breach or the risk of harm; there is no equivalent of the GDPR’s risk-based threshold for notification. Further, the DPDPA itself does not prescribe specific deadlines for reporting; the form and timing of notification are expected to be set out in the subordinate rules.
- Significant data fiduciaries: The Indian government will have the power to classify certain data fiduciaries as significant data fiduciaries based on factors such as the sensitivity and volume of data processed, the impact of the processing on the rights of data principals, and the impact on the sovereignty, security, and integrity of India. Significant data fiduciaries will have additional obligations, including the appointment of a data protection officer based in India, the appointment of an independent data auditor, and the undertaking of periodic data protection impact assessments.
This table compares the requirements of the GDPR and the DPDPA in further detail, highlighting potential gaps in GDPR-based compliance programmes and outlining possible steps to uplift such programmes for DPDPA compliance purposes. As additional rules to supplement the DPDPA provisions are issued, organisations may need to adjust their compliance approaches accordingly.
The authors would like to thank Akash Karmakar and Ridhima Khurana at the Law Offices of Panag & Babu for their contributions to this article.
[i] India’s current data protection rules are made up of Sections 43A and 87(2)(ob) of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.