In brief
Companies operating in India should note that India’s Digital Personal Data Protection Act (“DPDPA”) is expected to come into effect by the end of 2024. India enacted the DPDPA, its first comprehensive data privacy law, on August 11, 2023. The DPDPA largely aligns with the European Union’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) but includes unique, consumer-friendly features, such as expanded consumer rights and a newly established requirement to designate “consent managers”, which may pose challenges for businesses seeking to leverage their existing compliance programs. With penalties ranging from INR 500 million to INR 2.5 billion (approximately $5 million – $29.6 million at the time of publication), companies should prioritize auditing and tailoring their privacy programs to comply with the DPDPA.
The DPDPA’s Requirements
Whom does the DPDPA apply to?
The DPDPA applies to entities that process digital personal data (or non-digital data that is subsequently digitized) within India, and to such processing outside of India if it is related to the offering of goods or services to individuals. Covered entities are known as data fiduciaries, and individual data subjects are referred to as data principals. There is also a secondary category of data fiduciary called a significant data fiduciary (“SDF”). SDFs are designated by the Indian government based on: 1) the volume and sensitivity of personal data processed; 2) the risk to the rights of the data principal; 3) the potential impact on the sovereignty and integrity of India; 4) the risk to electoral democracy; 5) the security of the state of India; and 6) public order.
What is Personal Data under the DPDPA?
“Personal data” is broadly defined as any data about an individual who is identifiable by, or in relation to, such data.
What is a Legal Basis for Processing Data?
As under the GDPR, each of the following is recognized as a legal basis for processing: 1) compliance with laws; 2) ensuring the safety of a person; 3) performance of statutory duties or functions; and 4) employment purposes. However, the DPDPA diverges from the GDPR in that performance of a contract is not recognized as a legal basis for processing.
What are Data Principal Rights Under the DPDPA?
Data principals have the following rights under the DPDPA: 1) right to be informed; 2) right of access; 3) right of rectification; 4) right of erasure; 5) right to object to and restrict processing; 6) right to withdraw consent; 7) right to grievance redressal; 8) right to nominate; and 9) right to lodge a complaint with the regulator.
The first seven rights are similar to those found in the GDPR and CCPA, but the last two are novel. The right to nominate allows a data principal to nominate an individual to exercise their rights in the event of death or incapacity, similar to the right to appoint a representative. The right to lodge a complaint with the regulator appears in some other data protection laws, but the DPDPA specifically requires data principals to exhaust grievance processes with the data fiduciary before approaching the Data Protection Board.
Consent
Consent is required in all cases where a company collects personal information, unless the collection falls under one of the exceptions below. Consent must be: 1) free from duress; 2) specific; 3) informed; 4) unconditional; 5) unambiguous; 6) given by a clear affirmative action signifying agreement to the processing of personal data for the specified purpose; and 7) presented in clear and plain language, with the option to accept such requests in accordance with the language requirements. A request for consent must be in English or in any of the 22 languages enumerated in the Indian Constitution.
The DPDPA provides certain exceptions to the consent requirement, including: 1) employment-related processing, which allows for processing without consent when it relates to employment purposes or safeguards the employer from loss or liability (such as corporate espionage), maintains the confidentiality of trade secrets, intellectual property, or classified information, or manages employee-related services or benefits; 2) data that was voluntarily shared; 3) compliance with judicial orders and other legal obligations; 4) health emergencies; and 5) disasters and breakdowns of public order.
Unique to the DPDPA is the requirement to designate a consent manager: a registered entity that acts on behalf of data principals to review, provide, manage, and withdraw consent through a transparent platform. Consent managers are not employees of the organization and are separate from a company’s Data Protection Officer. They act as independent brokers or intermediaries between the data principal and the data fiduciary. All companies must have a consent manager, either by: 1) registering as a consent manager or 2) giving data principals the option to nominate a registered consent manager.
Other Data Fiduciary Obligations
Sensitive Data
The DPDPA does not define or use the term “sensitive data”, and there are no equivalent categories. Thus, unlike many existing data privacy laws, the DPDPA does not afford special protections to sensitive personal data. However, the DPDPA does take into consideration “the volume and sensitivity of personal data processed” in assessing whether a data fiduciary is an SDF.
Data breach
Under the DPDPA, data fiduciaries must notify any personal data breach to the Data Protection Board and to the impacted data subjects. Unlike some other data breach notification laws, there is no minimum threshold of affected individuals or risk of harm that triggers the reporting obligation: any breach impacting data subjects’ personal data must be reported. There are no specific deadlines for reporting, although the DPDPA gives the Data Protection Board the authority to prescribe the form and manner of the notification. Separately, organizations must still report cyber incidents, information security incidents, and data breaches to CERT-In (the Indian Computer Emergency Response Team) within six hours of “noticing such incidents”.
Data Protection Impact Assessments
Only SDFs are required to conduct periodic data protection impact assessments. An impact assessment is a process comprising a description of the data principal rights involved and the purpose of processing their personal data, together with an assessment and management of the risk to those rights.
Data Protection Officer
In alignment with other data privacy laws, a company must appoint a Data Protection Officer (“DPO”) who is able to answer data principals’ questions on behalf of the data fiduciary. The DPO’s business contact details must also be published.
The DPO of an SDF (but not of an ordinary data fiduciary) must reside in India, is responsible to the board of directors, and acts as the point of contact for the grievance redressal mechanism under the DPDPA.
International Data Transfer
The DPDPA authorizes the Indian government to publish a list of countries to which data transfers are restricted. Outside of the forthcoming list of restricted countries, entities are allowed to transfer data outside of India.
What’s Next
Although the DPDPA largely conforms with the GDPR and the CCPA, there are several important modifications companies should make to comply with India’s first data privacy law, which will be largely consent-based and consumer-friendly.
Companies should proactively start complying with the DPDPA before it goes into effect by: 1) seeking express consent from, and providing notice to, individuals from whom they have already collected personal data, as soon as possible; 2) reviewing current policies and practices; and 3) staying up to date with any last-minute alterations the Indian Government makes during its finalization of the DPDPA.
If you have any questions about DPDPA compliance, please contact your Baker McKenzie attorney or the authors below.