A Dawn Of A New Era For Data Protection In India: An In-depth Analysis Of The Digital Personal Data Protection Act, 2023 - Data Protection - India (2023)

Introduction

India has ushered in a new era in the context of dataprotection. Thus far, we have had to rely on the InformationTechnology Act, 2000 ("IT Act") andInformation Technology (Reasonable security practices andprocedures and sensitive personal data or information) Rules, 2011("SPDI Rules") as the only legislationsfor the interpretation of all things data-related. However, therewere various limitations to these laws, and in a digital age whereconcerns about one's personal data are on the rise, the arrivalof the Digital Personal Data Protection Act, 2023 provides muchrelief.

While 2017 gave a glimpse of what the future of privacy lookedlike with the historic Justice K. S. Puttaswamy v. Union of Indiacase decided by the Supreme Court of India,¹ the countrylacked a comprehensive and updated legislation that could be reliedupon for interpreting cases involving data protection. What Indiadid not have, and sorely missed, was an equivalent to the GeneralData Protection Regulation ("GDPR") ofthe European Union.

Since 2018, there have been efforts made by the IndianGovernment to introduce and implement a central legislation thatcould prove to be the successor to the SPDI Rules, and act as astandalone data protection law. After releasing multiple drafts ofthe proposed data protection bill over the years, 2023 finally sawthe latest iteration of the legislation, titled the 'DigitalPersonal Data Protection Bill, 2023' ("DPDPBill"), approved by the Lok Sabha on August 3, 2023.This was followed by the Rajya Sabha passing the DPDP Bill onAugust 9, 2023. Finally, on August 11, 2023, the President of Indiagranted her assent to the same, and the Digital Personal DataProtection Act, 2023 ("DPDPAct") was notified and published in theOfficial Gazette of India.

Analysis

Building upon previous versions:

The DPDP Act builds upon its predecessor, which was the'Digital Personal Data Protection Bill, 2022' released inNovember, 2022 ("2022 Bill"). Whilepreserving its core concepts, the DPDP Act introduces strategicadjustments, some of which are minor, yet others are moresubstantial.

The DPDP Act introduces robust provisions concerning notice andconsent obligations, delineates the permissible 'legitimateuses' for processing personal data without explicit consent,establishes an 'Appellate Tribunal' for grievanceredressal, and imposes enhanced responsibilities upon datafiduciaries when handling the data of children, among otherchanges.

It is also noteworthy that the DPDP Act's focus has beendeliberately narrowed to the safeguarding of 'digital'personal data, reflecting an evolution from its earlier scope inthe 2022 Bill.

Government interface with existing data protectionframework:

At the outset, it seems as if the DPDP Act establishes a mutualconnection with the Government of India's broader informationtechnology regulations. The dimension of information solicitationreflects an interface with the IT Act² and theInformation Technology (Intermediary Guidelines and Digital MediaEthics Code) Rules, 2021, empowering the Central Government torequest information from the Data Protection Board("Board"), fiduciaries, orintermediaries.³ However, the absence of specificdetails indicates an exploration into the scope, purpose, andsafeguards associated with this information solicitation,necessitating alignment with the legal principles elucidated in thePuttaswamy judgment.

Furthermore, there seems to be evidence of interlinking betweenthe DPDP Act and the Information Technology (Procedure andSafeguards for Blocking for Access of Information by Public) Rules,2009, converging data protection concerns with the regulation ofaccess to computer resources. This arrangement appears as thegovernment, following due process and the right to beheard,⁴ gains authority to instruct agencies orintermediaries to block information, safeguarding publicinterests.⁵ This confluence of mechanisms offers arobust avenue to mitigate risks linked to non-compliance, whilewarranting a detailed roadmap for operational execution.

Key Provisions

1. Applicability and Scope:

The DPDP Act governs the processing of digital personal datawithin India in two scenarios: (i) when such data is collected fromdata principals in digital format; or (ii) when initially collectedin non-digital form and subsequently digitized. Thus, the DPDP Actshall not apply to processing of personal data in non-digitizedform. It is clearer and narrower than the 2022 Bill, which did notapply to 'non-automated' processing and 'offline'data.

Moreover, the scope of the law has been extended. It now has anextra-territorial application, to encompass the processing ofdigital personal data beyond India's borders if it pertains tothe provision of goods or services to data principals locatedwithin India. Notably, the DPDP Act does not explicitly addresswhether its provisions are applicable to the processing of personaldata belonging to data principals situated outside India.

Unlike the GDPR, which confines its applicability to theprocessing of personal information of individuals physicallypresent within the European Union or EU citizens, the DPDP Actadopts a broader approach. It does not limit the definition of'data principal' to individuals within India'sboundaries or solely to Indian citizens. This could potentiallylead to ambiguity regarding the full scope of the DPDP Act'sjurisdiction. The resolution of this ambiguity concerning the DPDPAct's extraterritorial application hinges on the interpretationthat the Central Government eventually provides, most likely in therules that would be framed under the DPDP Act.

2. Exemptions for Startups and TransitoryProvisions:

Within the outlines of the DPDP Act, a distinct focus emerges onaccommodating the dynamic landscape of startups. In addition toexemptions granted to the state, its instrumentalities, research,and statistical purposes, the DPDP Act introduces a tailoredapproach, proposing certain provisions for potential exemption forstartups.⁶ This strategic measure recognizes thedistinct challenges and evolving nature of startups, with theintent to nurture innovation while upholding robust data protectionprinciples.

3. Personal Data:

A novel term, 'digital personal data,' has beenintroduced within the DPDP Act, signifying 'personal data'presented in a 'digital form.'⁷ This helpsclarify the scope of the impending Act to be passed, anddistinguishes it from personal data that is otherwise defined.

The DPDP Act confines its coverage to the processing of'personal data,' defined as 'any data pertaining to anidentifiable individual.' Notably, the distinction between'sensitive personal data' and 'critical personaldata,' present in all prior iterations of the draft bills up tothe 2022 version, has been discarded in the DPDP Act. This shiftsignifies a departure from the previous framework and merits closeexamination in terms of its implications for data protection andprivacy concerns.

An obligation has been placed on data fiduciaries by the DPDPAct to safeguard the personal data in their possession byimplementing 'reasonable security measures' to preventbreaches. In the event of a data breach, the data fiduciary ismandated to notify both the Board and the affected data principals.However, the specific manner of notification is left to beprescribed.⁸

It is worth noting that the DPDP Act does not specify the exactstandard for 'reasonable security measures,' whichalthough, is currently covered under the SPDI Rules and Section 43Aof the IT Act. Despite this, significant penalties are imposed fornon-compliance resulting in a personal data breach.

4. Processing of Personal Data:

The DPDP Act meticulously outlines the scope of'processing' by denoting it as a 'wholly or partlyautomated operation or a series of operations conducted on digitalpersonal data'. This encompassing definition encompassesvarious actions, including collection, recording, organization,structuring, storage, adaptation, retrieval, utilization,alignment, combination, indexing, sharing, and disclosure throughtransmission or other means. Furthermore, the concept extends toencompass operations such as restriction, erasure, or destructionof data.

When it comes to processing the personal data of a child, theDPDP Act requires verifiable parental consent, although itdoesn't explicitly define 'verifiable' consent. TheCentral Government has the authority to exempt certain datafiduciaries from this requirement by lowering the age limit forparental consent, provided that the processing is considered safe.Additionally, data fiduciaries must avoid processing personal datalikely to have a detrimental impact on a child'swell-being.

The transfer of personal data to countries outside India is alsopermitted under the DPDP Act, unless explicitly restricted by theCentral Government.⁹

It is noteworthy that the definition of 'processing'closely mirrors the definition of 'processing' outlined inthe GDPR. However, a subtle divergence exists in the fact thatwhile the GDPR's definition encapsulates both automated andspecific non-automated operations, the DPDP Act confines the scopeof processing exclusively to 'automated' operations. Thisdistinction, while seemingly subtle, could have consequentialramifications for the data processing landscape, necessitating acomprehensive analysis of the potential effects in practice.

The 2022 Bill outlined certain categories of personal dataprocessing exempt from its purview. In contrast, the DPDP Acteliminates most exemptions introduced by the 2022 Bill, save forthe exemption related to personal data processed by an individualfor personal or domestic purposes. Furthermore, the DPDP Actintroduces an additional exemption, excluding from its scopepersonal data that has been publicly disclosed by the dataprincipal or any other party obligated by Indian law to make suchpersonal data accessible to the public.

5. Data Principal:

The concept of 'data principal' has undergone asubstantial expansion. It not only encompasses individuals but alsoincludes parents or lawful guardians of children to whom thepersonal data pertains. Moreover, the definition has been extendedto incorporate lawful guardians of 'persons withdisabilities'.

While the term 'person with disability' lacks a preciseexplication within the DPDPB, it is notable that the Rights ofPersons with Disabilities Act, 2016, forms the foundationallegislation in India for recognizing the entitlements ofindividuals with disabilities. Under it, a 'person withdisability' is defined as someone possessing enduring physical,mental, intellectual, or sensory impairments that, when compoundedby societal barriers, impede their equitable participation insociety, akin to their peers.¹⁰

Under the DPDP Act, certain rights of data principals may behighlighted: (i) Right to Information about Personal Data; (ii)Right to Correction and Erasure; (iii) Right of GrievanceRedressal; and (iv) Right to Nominate. As such, data principalshave the right to know a summary of the personal data processed,the identities of entities with whom their data has been shared,and the categories of personal data shared. Additionally, dataprincipals can request correction, completion, updating, or erasureof their personal data processed by a data fiduciary.

The data fiduciary must make necessary corrections and updates.Erasure can be denied if retention is required by law. The DPDP Actalso casts responsibility on the data principal to not impersonateanother person or suppress information when applying for anydocument or proof from the state, and to provide only authenticinformation while exercising their right to data erasure.

Data principals shall have the right to have readily availablemeans of grievance redressal provided by a data fiduciary inrespect of any act or omission of such data fiduciary, regardingthe performance of its obligations in relation to the personal dataof such data principal or the exercise of her rights.¹¹They can also nominate an individual to exercise their rights upontheir death or incapacity.

6. Data Fiduciary:

Data fiduciaries are defined as any person who alone or inconjunction with other persons determines the purpose and means ofprocessing personal data, under the DPDP Act.

The DPDP Act outlines specific 'legitimate uses' thatpermit data fiduciaries to process personal data without explicitconsent. One instance is when a data principal voluntarily providespersonal data while availing or seeking a service and has notindicated non-consent. Legitimate use also extends to processingdata to comply with Indian laws or foreign laws in cases involvingcontractual or civil claims.

Data fiduciaries are also required to cease retaining personaldata when it becomes reasonable to assume that the purpose forwhich the data was collected is no longer being served, and itsretention is no longer necessary for legal or business reasons.

The DPDP Act prohibits data fiduciaries from engaging intracking, behavioural monitoring of children, or targetedadvertising directed at children. Originally applying only to'guardian' data fiduciaries, this prohibition now extendsto all types of data fiduciaries. This measure safeguardschildren's privacy and prevents their exploitation forcommercial gain, emphasizing the DPDP Act's dedication toprotecting children's digital well-being.

7. Significant Data Fiduciaries:

The DPDP Act allows the Central Government to have the authorityto classify certain data fiduciaries or classes of them as'significant data fiduciaries.'¹² Thisclassification is based on factors such as data volume,sensitivity, risk to data principals, electoral democracy, andstate security. The 2022 Bill allowed the government to alsoconsider 'other factors', but this has been removed

Significant data fiduciaries must fulfil 'additional'obligations, including appointing a data protection officer basedin India, engaging an independent data auditor for complianceevaluation, conducting data protection impact assessments, andundergoing periodic compliance audits.¹³ Non-compliancewith these obligations can result in substantial penalties,extending up to INR 250 crore.

8. Consent:

a. Data fiduciary

Data fiduciaries are authorized to process personal data onlyfor lawful purposes, contingent upon obtaining consent. Thisconsent must be characterized by being free, specific, informed,unconditional, and unambiguous. It necessitates a clear affirmativeaction on the part of the data principal to signify agreement forthe processing of their personal data for the specified andnecessary purpose.¹⁴

The request for consent must adhere to the followingcriteria:

• It must be presented in a clear and understandable manner,providing the option to access the request in English or any of the22 languages listed in the Eighth Schedule to the IndianConstitution.¹⁵
• The request must include contact details for the dataprotection officer or an authorized representative to handlecommunications from the data principal.

Additionally, a data fiduciary must provide a detailed notice tothe data principal either during or before seeking consent. Thisnotice should encompass several key elements: (i) Explanation ofthe personal data to be collected and the purpose of itsprocessing; (ii) Description of the data principal's rights,including correction, withdrawal of consent, and the procedure forfiling complaints with the Board; and (iii) Clarity on how acomplaint can be lodged with the Board.

In cases where consent was given prior to the DPDP Act'senactment, the data fiduciary must furnish such notice "assoon as it is reasonably practicable." The notice must bepresented in straightforward language, through a separate document,electronically, or in a manner as prescribed.

b. Data principals

When it comes to data principals, the DPDP Act mandates thatthey can provide, manage, review, or withdraw their consent througha 'consent manager.'¹⁶ These consent managers,registered with the Board, facilitate accessible, transparent, andinteroperable platforms for managing consent. However, the exactrole and obligations of consent managers remain unclear, includingwhether all data fiduciaries are required to engage with them forseeking consent and the mechanisms they employ for performing theirfunctions.

Data principals also retain the right to withdraw consent at anytime. Such withdrawal does not impact the legality of prior dataprocessing based on consent. Upon withdrawal, the data fiduciaryand its processors must erase and cease processing the personaldata, unless retention is required by applicablelaws.¹⁷

c. Parental consent

It is also noteworthy that the DPDP Act introduces the conceptof 'consent of the parent,' which encompasses the consentof a lawful guardian where applicable.

9. Data Protection Board:

Among the notable changes in the DPDP Act, the most significantpertains to the establishment and composition of the Board. In the2022 Bill, the formation of the Board was contingent upon futureregulations prescribed by the Central Government. However, in thisrecent rendition, the framework for the Board's constitution isexplicitly outlined. Additionally, the authority of the CentralGovernment to establish rules, as well as the specific scenariosunder which entities can be exempted from complying with thebill's provisions, have undergone significant alteration.

10. Evolving Dispute Adjudication:

The DPDP Act aids in a paradigm shift in the arena of disputeresolution, reflecting a nuanced interplay between the legislativeframework and established legal mechanisms.

A noteworthy departure lies in the empowerment of the Board tolevy monetary penalties as specified in the Schedule. It omits aprior reference to a maximum penalty ceiling of Rs. 500 crores,which was present in the 2022 Bill,¹⁸ signifying adeliberate recalibration in penalty imposition. This recalibrationhighlights a meticulous approach that brings into line penaltieswith the gravity of breaches, embodying a principle ofproportionality.

The appellate process, too, witnesses a transformative shift asit finds its recourse in the Telecom Disputes Settlement andAppellate Tribunal.¹⁹ This change instils the processwith efficiency, outlining a defined window of 60 days²⁰for appeals from the Board's decisions.

11. Penalties:

Penalties of up to INR 250 crore can be imposed for certainoffenses, including failure to prevent a personal data breach. TheDPDP Act removed the INR 500 crore cap on penalties for a singleinstance. Unlike the previous drafts, the DPDP Act does not enableaffected data principals to seek compensation for breaches by datafiduciaries. Instead, the Board can now levy penalties of up to INR10,000 for data principals not fulfilling theirduties.²¹

Concerns

While there has been praise reserved for the DPDP Act in termsof acting as an able standalone data protection framework, noteverything is as rosy as it seems. Concerns arise from the factthat several provisions within the DPDP Act are still subject todeterminations made by the Central Government. This aspect raisesvalid concerns about the potential for unchecked and arbitraryrule-making, which could lead to uncertainties and potential gapsin the regulatory framework. Furthermore, for a legislation that isintended to protect the rights of data principals, it seems ironicthat the DPDP Act imposes duties on data principals.

Similar to the 2022 Bill, the DPDP Act also possesses thecapability to provide exemptions to the Central Government.However, in this iteration, these exemptions have been extendedeven more, perpetuating the absence of substantial criteria tocounter excessive surveillance practices. The Central Governmentalso retains the provision to exempt certain fiduciaries or classesof data fiduciaries from particular provisions, specificallyincluding start-ups. The Act defines startup to mean "aprivate limited company or a partnership firm or a limitedliability partnership incorporated in India, which is eligible tobe and is recognised as such in accordance with the criteria andprocess notified by the department to which matters relating tostartups are allocated in the CentralGovernment."²²

The 2022 Bill allowed the Central Government to assume theconsent of data principals in certain situations, with no way forthem to opt-out through its deemed consent clause. The DPDP Act hasretained this provision, rebranding it to "certain legitimateuses."

The introduction of a transition period is vital to facilitate asmooth adaptation for businesses. The DPDP Act introduces new andstringent obligations, which could require significant adjustmentsfrom data fiduciaries. Implementing the DPDP Act without atransition period could lead to widespread non-compliance.Providing an ample transition window allows businesses the timeneeded to align processes and adhere to DPDP Act requirements,mitigating potential disruptions and ensuring a seamless transitionto the new data protection landscape.

Conclusion

The DPDP Act marks a distinctive approach by India to safeguardpersonal data, reflecting the culmination of thorough discussionsafter its initial draft. This data protection law represents acrucial step in safeguarding personal data, addressing longstandingneeds in the context of increasing internet users, data generation,and cross-border trade.

In its entirety, the DPDP Act signifies India's uniquestance on modern data protection, enriched by extensive post-draftconsultations. While its provisions are less detailed thanstandards like GDPR, it mandates a significant shift in how Indianbusinesses approach privacy and personal data.

However, the DPDP Act is not immune from criticism. Some argueit could hinder innovation due to perceived strictness, whileothers contend that it might not go far enough to ensure individualprivacy, primarily considering the discretionary power granted tothe Central Government in personal data processing. The forthcomingrules through delegated legislation will play a vital role inshaping these aspects. A standardized process for rule release,coupled with industry consultations as seen in amendments toInformation Technology Rules for online gaming, would establish arobust data protection framework benefiting entire technologysector in India.

Footnotes

1. Justice K. S. Puttaswamy v. Union of India,(2017) 10 SCC 1.

2. Section 2(1)(w), Information Technology Act,2000.

3. Section 36, Digital Personal Data Protection Act,2023.

4. Section 37, Digital Personal Data Protection Act,2023.

5. Section 37(2), Digital Personal Data Protection Act,2023.

6. Explanation to Clause 17(3), Digital Personal DataProtection Bill, 2022.

7. Section 2(n), Digital Personal Data Protection Act,2023.

8. Schedule 2, Digital Personal Data Protection Act,2023.

9. Section 16(1), Digital Personal Data Protection Act,2023.

10. Section 2(s), The Rights of Persons with DisabilitiesAct, 2016.

11. Section 13, Digital Personal Data Protection Act,2023.

12. Section 10(1), Digital Personal Data Protection Act,2023.

13. Section 2(l), Digital Personal Data Protection Act,2023.

14. Section 6(1), Digital Personal Data Protection Act,2023.

15. Section 6(3), Digital Personal Data Protection Act,2023.

16. Section 6(7), Digital Personal Data Protection Act,2023.

17. Section 8(7), Digital Personal Data Protection Act,2023.

18. Clause 25(1), Digital Personal Data Protection Bill,2022.

19. Section 29(1), Digital Personal Data Protection Act,2023.

20. Section 29(2), Digital Personal Data Protection Act,2023.

21. Schedule 5, Digital Personal Data Protection Act,2023.

22. Explanation to Section 17(3), Digital Personal DataProtection Act, 2023.

The content of this article is intended to provide a generalguide to the subject matter. Specialist advice should be soughtabout your specific circumstances.