In a significant development for data privacy in India, the Digital Personal Data Protection Act (DPDP) has received Presidential assent. The bill was published in the Official Gazette on August 14, making it a binding law. This milestone comes after multiple previous attempts at enacting comprehensive privacy legislation in India.
Regulatory oversight of the Act is entrusted to the Data Protection Board of India, which is empowered to exercise a range of functions including rectifying data breaches and investigating individual complaints. Penalties range from INR 10,000 (approximately $120) for non-compliance with individual requests to a substantial INR 250 Crore (around $30 million) for data breach violations.
In this report, we delve into the core aspects of the new law and its principal requirements.
Scope and Applicability of the Digital Personal Data Protection Act
The DPDP’s reach extends to the processing of digital personal data within India, whether or not that data was originally collected in digital form. The law also applies to data processing conducted outside India, if that processing is connected with offering goods or services within the country.
However, the DPDP excludes personal data processed for personal or domestic purposes. Data that has been voluntarily made public by an authorized individual is also excluded.
India Privacy Law: Key Definitions and Concepts
The DPDP introduces several new definitions into Indian law, most notably:
- “Data fiduciary”: an individual or entity that determines the purpose and manner of personal data processing (the GDPR refers to this position as a “data controller”).
- “Significant data fiduciary”: an entity processing large amounts of sensitive data. Relevant criteria also include processing children’s data, impact on rights, and potential implications for governmental integrity and public order. Significant data fiduciaries are subject to further obligations, including data protection impact assessments, audits, and the appointment of a Data Protection Officer.
- “Data principal”: any individual whose data is being collected or processed (known as a “data subject” under the GDPR).
- “Consent manager”: an organization registered with the Data Protection Board. The Board is required to provide a centralized platform to allow individuals to manage, review, and retract their data as they wish.
India Privacy Law: Highlights
The Digital Personal Data Protection Act echoes the GDPR and other established privacy laws in its legal requirements. Highlights include:
- Privacy notices: Organizations are mandated to provide data principals with privacy notices before asking for consent. These notices must clearly explain the nature of personal data being collected, processing purposes, avenues for exercising rights, and how to submit complaints to the Data Protection Board.
- Valid consent: The Act emphasizes that consent must be voluntary, informed, specific, unambiguous, and unconditional. Consent must be obtained through a clear, affirmative action, and is only valid for the designated purpose. Data principals may revoke consent at any time, and data fiduciaries are required to make the process of revoking consent as straightforward as the process of granting it. Data fiduciaries are also obligated to inform downstream vendors and third parties of consent withdrawals.
- Role of consent managers: The aforementioned consent managers must be registered with the Data Protection Board and are responsible for managing individuals’ consents on their behalf. These managers are accountable to the data principals.
- Data principal rights: The law outlines several rights for data principals, including but not limited to:
  - The right to personal data summaries
  - The right to be informed of data processing activities
  - The right to be informed of all third-party recipients of data
  - The right to nominate a representative for situations where the data principal cannot advocate for themselves (for instance, if the individual is incapacitated or deceased)
Unlike other privacy laws, the Digital Personal Data Protection Act doesn’t explicitly restrict data fiduciaries from transferring data across international borders. Instead, the law grants the central government discretionary authority over imposing such restrictions.
Even as questions remain about what the Digital Personal Data Protection Act will look like in practice, it’s hard to deny that its passing is significant. With this law, India becomes the most recent democracy in the world to enact a sweeping privacy law. It also means that companies with Indian clients or contacts have another set of rules to track.