A Guide to India's Data Protection Law: What to Expect from DPDP
As of August 2023, India officially has a data protection law in place, having passed the Digital Personal Data Protection Act (DPDP) through both houses of parliament within a week.
This concludes a six-year journey for the world’s largest democracy to pass data protection regulation, as the landmark Supreme Court case Puttaswamy v Union of India in August 2017 recognized a constitutional right to privacy, including informational privacy. This put enormous pressure on Parliament to pass a regulation akin to the EU’s GDPR, which had been passed several months earlier.
The idea of DPDP floated around for years, with failed drafts hitting Parliament in 2019 and again in 2022. Even this passing version of the bill had significant pushback from opposition parties in Parliament, with many worried about broad government exemptions that might lead to state surveillance of citizens.
Those concerns may linger as the DPDP finds its footing and goes through its early stages of enforcement, but as of now the bill does India a lot of good, replacing Section 43A of the Information Technology Act, which had been stretched to serve as the nation’s main data protection regulation, with a truly comprehensive law.
Of note, there is not yet an official enactment date for DPDP, as the government will determine and publicize when each section of the bill will take effect.
DPDP Key Definitions
While many of its ideas and provisions mirror the GDPR, the language India’s data privacy law uses does not always align with other worldwide regulations.
Instead of the somewhat standard “data subject” terminology Europe and the United States use, India’s bill refers to individual people as “data principals.”
Likewise, instead of using the GDPR’s “data processors” and “data controllers” terminology, it refers to organizations as “data fiduciaries” and “significant data fiduciaries” (SDF).
Another big deviation from most of the regulations coming out around the globe is that DPDP does not distinguish between levels of personal data. There is no concept of “sensitive data,” which typically carries extra protections in other laws. Instead, it offers blanket protection for personal data, defined as “any data about an individual who is identifiable by or in relation to such data.”
The new law’s applicability threshold covers the processing of digital personal data within India as well as the extraterritorial processing of digital personal data outside India if the processing is connected to activities related “to offering of goods or services to data principals within India.” It makes no distinction between public and private entities, meaning both will be covered equally.
It is also important to note that the wording of neither definition refers to residents or citizens, which has some interpreting the law as covering foreigners within India as well. This would be similar to the GDPR’s extraterritorial coverage.
Unlike the GDPR, India’s data privacy law does not restrict data flows to other countries at all. This is in stark contrast to the vast majority of current data privacy regulations, which usually have language noting only countries with adequate protection measures in place can receive data transfers.
DPDP covers only digital data as well as data that has been digitized (i.e., personal data that was initially written down but later typed up and saved in some way online).
The regulation sets no revenue threshold, no minimum quantity of processed data, and no minimum number of people whose data is processed. This means that if a company processes personal data within India or in connection with offering goods or services there, and is not explicitly exempt, it will need to comply with DPDP.
Publicly available information is exempt from compliance as long as the information was made available by the individual themselves or an entity with a legal obligation to do so.
The Bill also has an exemption for the processing of personal data necessary for research or statistical purposes, as long as that data is not used to make decisions about specific individuals.
While some entities (startups, per data privacy experts within India) can be deemed exempt from the law by the government, the majority of listed exemptions revolve around government entities and processes.
- For notified agencies, in the interest of security, sovereignty, public order, etc.;
- To enforce legal rights and claims;
- To perform judicial or regulatory functions;
- To prevent, detect, investigate or prosecute offenses;
- To process in India personal data of non-residents under foreign contract;
- For approved merger, demerger, etc.
It was these wide-ranging government exemptions that critics of the bill took issue with, but there were no last-minute changes made and now the onus is on the Indian government to not abuse the loopholes within the law.
DPDP Data Rights
The second most vocal criticism of the DPDP was that the set of privacy rights given to people was not as robust as those granted by the GDPR.
India’s data privacy law offers these data rights:
- The right to access information about personal data processed;
- The right to correction and erasure of data;
- The right to withdraw consent at any time;
- The right to grievance redressal; and
- The right to nominate a person to exercise rights in case of death or incapacity.
The language here, such as “grievance redressal,” is unique to this law, and several key rights are conspicuously absent.
The right to data portability, the right to object to processing based on grounds other than consent, and the right not to be subject to solely automated decision-making are not provided.
Protections against targeted advertising and automated decision-making are only extended to children, defined here as anyone under the age of 18 (as compared to the 16-year-old threshold in the GDPR). As in other privacy laws, parental consent is necessary before processing a known child’s data. India is currently setting up a cloud-based mechanism to govern parental consent.
The right to private action is available, though not in as direct a form as in the GDPR.
That’s where the last two listed rights, grievance redressal and the right to nominate a proxy, come into play. Individuals, again referred to as data principals, cannot pursue official complaints against a company until they have exhausted the full process of contacting said company.
Oddly enough, this requirement is listed among the data principal obligations within the regulation, which include:
- A duty not to impersonate someone else while providing personal data for a specified purpose,
- A duty not to suppress any material information while providing personal data for any document issued by the Government,
- A duty not to register a false or frivolous grievance or complaint.
If an individual is found to have violated their obligations, the government can fine them (something not seen in other data privacy laws)!
Unfortunately, even the rights given are limited in scope due to the legal grounds India’s data privacy law sets for data processing.
Instead of the six possible lawful grounds the GDPR sets for data processing, the DPDP sets only two: consent and “legitimate use.” (This is despite the bill having the same seven principles as the GDPR, meaning the regulation carries more theory than action.)
The rights of access, erasure and correction are strictly limited to personal data processing based on individual consent or voluntary disclosure, meaning processing under the broadly defined “legitimate uses” grounds does not require a response to these DSRs.
Likewise, there is no timetable set for DSR (aka grievance redressal here) response yet, meaning the early years might feature quite a low number of individual requests.
DPDP Compliance Requirements
Data fiduciaries have several obligations, although SDFs have more extensive compliance requirements.
Seeing as one of the core tenets of the regulation is consent, most requirements revolve around either that or data security, in some fashion.
The requirements for data fiduciaries are as follows:
- To have security safeguards to prevent personal data breach;
- The need to inform individuals and the nation’s Data Protection Board about data breaches that have compromised personal data;
- To erase personal data when it is no longer needed for the specified purpose;
- To erase personal data upon withdrawal of consent;
- To put grievance redressal systems and a Data Protection Officer in place to respond to requests from Data Principals; and
- To follow all other specified obligations required of Data Fiduciaries classified as Significant Data Fiduciaries, including appointing an independent data auditor and conducting periodic Data Protection Impact Assessments.
Likewise, when gaining consent from individuals, data fiduciaries must inform them about what personal data is being collected and why it’s being collected, similar to GDPR requirements. There is no language however indicating that data fiduciaries have to disclose any third parties they may share personal data with.
Criteria to classify organizations as SDFs do exist, if only in a vague sense, such as:
- The characteristics of the data processing operations (such as the volume and sensitivity of personal data processed and the inherent risk),
- Broader societal (or national security) concerns connected to the data processing operations.
There is no quantifiable threshold in the criteria for when a data fiduciary becomes a significant data fiduciary, which means many organizations, especially international ones operating in India, should err on the side of caution and comply with SDF-specific requirements regardless.
Regardless, data breach notification requirements, needing to conduct data protection impact assessments, appointing a DPO and setting a clear and accessible way for people to submit grievances (DSRs) all align with other global data privacy regulations.
Even if it is currently unclear where the distinction will be drawn between what constitutes a data fiduciary versus a significant data fiduciary, any GDPR-compliant organization will not need to significantly alter its privacy program to comply with DPDP.
To enforce the Digital Personal Data Protection Act, India has created the Data Protection Board of India (DPB). While the DPB will not have legislative authority to amend the regulation, it will have the power to issue fines to both data fiduciaries and data principals.
While data privacy experts within India do not expect the DPB to hand out fines in the near future as the Board begins to take shape, the lack of a concrete enforcement date complicates the situation.
The range of fines is also quite wide. As of now, fines for noncompliance with the DPDP range between $120 USD and roughly $30 million USD.
There is some classification on the type of violation and the resulting fine, with the biggest fines attached to “the failure to deploy reasonable security safeguards” that results in a data breach, with up to a $30 million penalty.
One other thing to note about enforcement is how data principals (aka individuals) will be regulated. The grievance redressal system and appointing of a DPO are key here, since there is strict language that notes individuals must “exhaust the opportunity of [redressal]” through the data fiduciary/business before they can bring an official complaint to the DPB.
As noted above, without a set time period for businesses to address these DSR-esque grievances, how the process actually plays out and how likely it is that any single grievance works its way up to the DPB remains to be seen.
While India initially set out its data protection law to closely follow GDPR, the end result six years later has several major deviations and quite unique language in the world of data privacy regulations.
It will likely take months for the DPB to be assembled and for clarifications to be issued on several aspects of the DPDP, but the fact that it passed, and that India, the world’s largest democracy, now has a comprehensive data protection law, is a major victory and a harbinger of things to come, both in the data protection sphere and in the evolution of India’s data economy.
Standard data protection practices like automated DSR tools and advanced data mapping will certainly help organizations get a clearer picture of their data processing within India, as well as satisfy DPIAs, but we strongly encourage any organization doing business in India not only to explore data protection solutions, but also to seek local legal expertise there to determine if they need to comply and any operational changes that may be required.