6 Things You Need to Know About India’s Digital Personal Data Protection Bill of 2023
by: Max Landaw
On August 11, India’s Digital Personal Data Protection Bill, 2023 (DPDP) received presidential assent after passing both houses of India’s legislature. While the law has been published, there has been no official slated implementation date, though various Indian politicians have indicated that the DPDP will be fully implemented within 10 months. This would mean that the likely date of enforcement will be around June or July of 2024. Like many new comprehensive privacy laws, the DPDP is modeled after the European Union’s General Data Protection Regulation (GDPR) and for companies that have gone through compliance with GDPR, many of the new requirements look very similar. Below we will discuss 6 aspects of the DPDP about which companies should know.
1. Extraterritorial Scope and Data Subject Rights
Similar to Article 3 of GDPR, the DPDP has an extraterritorial scope. This means that the law applies to personal data processed within India and personal data outside the territory of India if such processing is in connection with any activity related to offering of goods or services to data subjects (called Data Principals under the DPDP) within India. Note that also like GDPR and unlike the current US state comprehensive privacy laws except California’s CCPA/CPRA, there are no exemptions in DPDP for employee or business to business contact personal data.
This has far reaching practical consequences for companies based outside India. On one hand, offering goods and services to Indian consumers will require compliance with the new law. However, what many companies are likely thinking about is that many company operations are regularly outsourced to India, including handling support requests and software development. The implication here is that data subjects outside of India whose personal data is processed within India will have certain rights with respect to the DPDP.
Data subjects who have rights under DPDP will have the rights of access, correction, and erasure. These rights are not new for companies that must comply with modern privacy laws and the rights under DPDP are not as explicated as under other such modern laws such as GDPR. However, this means that DPDP gives another avenue for data subjects making privacy related requests.
2. Bases For Processing (Consent and Other Bases)
One of the striking features about DPDP is that the main basis for processing is consent. This is different from GDPR which provides numerous other avenues other than consent for the processing of personal data such as legitimate interests and for the performance of a contract. While Section 7 of DPDP allows processing based on “certain legitimate uses” outside consent, those uses appear more narrow in scope such as using personal data for a specified purpose which the Data Principal has voluntarily provided their personal data, fulfilling legal obligations, for responding to medical emergencies, and for purposes of employment.
In practice, and unless we get guidance to the contrary from the Data Protection Board of India, this means that consent will be required for the vast majority of processing of consumer personal data. With other laws such as GDPR, companies typically look to avoid using consent as a basis for processing if possible because 1) consent can always be withdrawn and 2) it can be difficult to manage consents en masse to a large consumer base. It is possible that the “specified purpose” basis can be expanded to a limited version of legitimate interests if such purposes are outlined in the privacy notice, but that analysis may be tenuous and likely needs clarification from the Data Protection Board of India.
3. International Transfers
Another stark distinction between GDPR and DPDP is with regard to international transfers. DPDP as enacted permits transfers of personal data outside India except to countries restricted by the Indian government. Any company that has had to comply with GDPR knows how difficult transfers have been, especially transfers from the EU to the United States before the EU granted adequacy to the United States. DPDP does not require standard contractual clauses or transfer impact assessments, or other enumerated safeguards for international transfers, and the Indian government has not yet provided a list of countries where transfers are restricted. Earlier versions of the DPDP required much more restrictive localization requirements and the finalized language within the law represents the Indian legislature’s response to the international outcry against India’s originally proposed strict localization. In practice, this will likely mean that transferring personal data outside of India will be much easier than transferring personal data outside the EU.
4. Significant Data Fiduciaries
The DPDP introduces the concept of a Significant Data Fiduciary (a Data Fiduciary is the equivalent of a controller under GDPR). The Indian government may designate any Data Fiduciary as a Significant Data Fiduciary based on an assessment of such factors as:
The volume and sensitivity of personal data processed (note that DPDP does not define sensitive data or enumerate special categories of data such as in Article 9 of GDPR);
Risks and right of data subjects;
Potential impact on the sovereignty and integrity of India;
Risk to electoral democracy;
Indian security; and
Public order.
Any Data Fiduciary designated as a Significant Data Fiduciary must, at a minimum, appoint a data protection officer based in India, appoint an independent data auditor, and conduct periodic data protection impact assessments.
The concept of a Significant Data Fiduciary appears similar to concepts under the Chinese privacy regulatory regime, in particular the concept of a Critical Information Infrastructure Operator (CIIO) under the 2016 Cybersecurity Law. If applied similarly, DPDP gives broad latitude for the Indian government to designate many different companies as Significant Data Fiduciaries including relevant Chinese analogues within the definition of CIIO’s such as financial services companies and public communications and information services which could include social media companies.
5. Processing of a Child’s Personal Data
As opposed to US state comprehensive privacy laws and GDPR, India firmly sets the definition of a child as an individual who is younger than 18 years old. The DPDP unsurprisingly requires Data Fiduciaries to receive the consent of the parent or lawful guardian before processing the child’s personal data, and requires a Data Fiduciary to not undertake processing of a child’s personal data that is likely to cause any detrimental effect on the well-being of a child.
There is an additional restriction that explicitly states that the tracking, behavioral monitoring, or targeted advertising of a child is explicitly prohibited. This is somewhat of a novelty and follows the age appropriate design codes of such jurisdictions as the UK and California. However, existing design codes typically do not place flat out bans on tracking or behavioral advertising the way DPDP does.
Note, however, that DPDP allows the Indian government to create exemptions for certain classes of Data Fiduciaries or purposes related to the processing of a child’s personal data.
6. Penalties
Unlike GDPR, penalties for violations of the DPDP are not dependent on a company’s revenue and the law sets out maximum penalties based on the type of offense. Interestingly, DPDP places duties on data subjects, namely that they:
Comply with the provisions of applicable laws;
Ensure not to impersonate another person;
Ensure not to suppress material information while providing personal data;
Not register a false or frivolous grievance or complaint; and
Furnish only authenticated information while exercising a data subject right.
Penalties within DPDP range from 10,000 rupees (roughly equivalent to $120 USD) for a data subject violation of his or her duties as listed above to 250 crore rupees (roughly equivalent to $30,000,000 USD) for a Data Fiduciary’s breach of its obligations related to taking reasonable security safeguards to prevent a personal data breach.
Companies, however, need to keep in mind that these are maximum penalties per violation. If a company commits numerous violations, the Data Protection Board of India could theoretically impose much higher fines.
Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.