1. What data is covered?
Personal data, i.e., data about an individual that can identify them. This includes identifiers like name, phone number, Aadhaar, PAN. It also includes profiling data or usage data, for e.g., a user’s preferences and choices. It only covers ‘digital’ data, not offline records. It does not cover non-personal data (business insights, anonymized data).
Does not apply to: Data that is made “publicly available” by the individual or any other person under a legal obligation to do so. For e.g., a blogger posts about her spending habits on social media.
2. Who is affected?
Anyone who processes digital personal data. Processing means collecting, recording, structuring, storing, sharing, or any other automated action on the data. The law recognises two entities:
Data fiduciaries: Businesses that define “purpose and means” of processing. Also called data controllers in other parts of the world, these are businesses that call the shots about their users’ data. They decide why data is needed, how it is used, how long it is to be retained. They are responsible for users’ data and are accountable under the law.
Data processors: Businesses that process data on behalf of fiduciaries. For example, cloud service providers who host data for their customers, ‘know-your-customer’ (KYC) service providers who conduct users’ KYC on behalf of banks. Fiduciaries tell them what to do.
Offshore businesses: If you “offer” goods or services in India, the law applies to you.
3. Will this change how companies collect personal data?
Yes. To collect personal data, fiduciaries must either get an individual’s consent or the collection/ processing must be for certain “legitimate uses” recognised in the law.
Consent: Fiduciaries must give users a notice describing what data is collected, for what purpose, users’ rights, and how they can complain to the Data Protection Board (enforcing authority). And on reading this notice, individuals must give clear and affirmative consent confirming that their data can be processed for the specified purpose. They must also allow individuals to withdraw their consent.
Legitimate uses: If companies process data for certain “legitimate uses” recognised in law, they don’t need their consent separately. This includes situations where the individual voluntarily provides her data for a specific purpose; or data is processed to meet legal obligations or to comply with a court order, among other things.
4. What happens to personal data collected before this law?
For data collected before the law kicks in, fiduciaries must send individuals a fresh notice, which sets out what data is processed, purpose, how individuals can exercise their rights and make complaints to the Board.
5. What else should fiduciaries do?
- Implement organizational and technical measures;
- Adopt reasonable security safeguards;
- Notify personal data breaches to the Data Protection Board and affected individuals;
- Ensure accuracy, completeness, and consistency of the personal data, in certain situations;
- Erase personal data once the purpose is met or if the individual withdraws consent;
- Implement a mechanism to resolve grievances;
- Appoint vendors only under a contract that describes how they’ll use and protect the data, among other things.
Fiduciaries that process large volumes of data or sensitive data could be designated as “significant data fiduciaries”. SDFs must: (a) appoint a data protection officer based in India; (b) appoint an independent data auditor and do periodic data audits; and (c) carry out periodic data protection impact assessments.
Action items
- Map data (identify where each team and function interacts with personal data)
- Revisit user interface (identify where to show pop-up notices, checkboxes, more information in the customer journey)
- Update privacy policies or notices
- Review arrangements with vendors
- Train employees (across product, business, sales, HR, etc.)
- Appoint the right officers (grievance officer, data protection officer if a ‘significant data fiduciary’)
Processing children’s data: Companies that collect children’s data must get their parent/ guardian’s consent. They cannot track, monitor a child’s behaviour, or target advertisements to children. The central government can provide exemptions to comply with these obligations.
6. What should data processors do?
The law doesn’t spell out specific obligations for data processors or penalties for them. Fiduciaries may pass these on to processors through contracts. So, processors must review their contracts with fiduciaries closely.
7. Can companies transfer/ process data outside India?
Yes, but the Indian government can restrict transfers to certain countries through notifications.
8. What rights do individuals have over their personal data?
Individuals can ask fiduciaries to give them information on the personal data being processed, processing activities, and identities of all organizations with whom their data has been shared. They can also ask for their information to be corrected/erased and nominate someone else to exercise their rights on their behalf in case they die or are incapacitated. Companies should allow individuals to easily access grievance redressal mechanisms. The law also places duties on individuals, such as, not making false or frivolous claims, not impersonating another person, among other things.
9. What happens if companies don’t comply?
The law sets up a Data Protection Board to enforce the law and hand out penalties. Individuals can approach the Board if a data fiduciary doesn’t comply with the law. The Board can award penalties upto INR 250 crore (approximately USD 30 million) for some breaches. There is no criminal liability. In awarding penalities, the Board will assess any steps the company took to mitigate the impact of the breach or non-compliance . Notably, the Board can also ask the government to issue directions to issue to block access to a fiduciary's platform in certain cases.
10. How is India’s data protection law different from EU’s GDPR?
The Indian law reflects some of the key global privacy principles, such as purpose limitation (data should be collected for a specified purpose), storage limitation (data should be deleted when no longer required), and data subject rights. But it differs from the GDPR in certain key respects. The Indian law is more consent-centric, allows for lesser flexibility in breach reporting obligations, has a higher age of consent, among other differences.
The major differences are:
▪ Data to which it applies: The Indian law applies uniformly to all personal data which is in digital form, or which is digitised after being collected, except certain publicly available data. GDPR recognises certain data – such as data relating to race, political opinions or religious beliefs; genetic, biometric, health related data; data concerning a person’s sex life or sexual orientation - as ‘special categories of personal data’ and processing such data requires heightened obligations. GDPR applies to all personal data, whether digitised or not, and also applies to publicly available data.
▪ Grounds for processing data: The grounds on which data can be processed are wider under the GDPR. GDPR allows data to be processed for their ‘legitimate interests’ apart from other grounds such as consent and contract. This ground offers flexibility to businesses – if the processing is for their legitimate interest, they don’t need to take consent. Businesses justify data processing for fraud prevention measures, IT security measures, as legitimate interests. Indian law allows data to be processed for ‘certain legitimate uses,’ but these are narrower, specified grounds which include purposes such as employment purposes, complying with a court order and medical emergency.
▪ Parental consent for children’s data: The Indian law treats all individuals below 18 years of age as children, and their data can only be processed with ‘verifiable parental consent.’ Under the GDPR, the age below which parental consent is needed, ranges between 13-16 years of age, depending on the individual member state.
▪ Reporting of data breach: The GDPR requires data breaches to be reported to the supervisory authority – if they result in risk to the rights and freedoms of individuals. Breaches which pose a higher risk also need to be reported to data subjects. The Indian law requires all personal data breaches to be reported to the impacted users and the Data Protection Board.
▪ Cross border flow of data: The GDPR follows a ‘whitelist’ or adequacy regime, where transfer of personal data outside the European Economic Area is allowed, if the receiving country offers an adequate level of protection for personal data in the assessment of the European Commission. Personal data can also be transferred pursuant to standard contractual clauses or binding corporate rules approved by data protection authorities and where individuals provide explicit consent to such transfer. The Indian law, in contrast, has adopted a ‘blacklist’ regime - data transfers are generally allowed, unless the transfer is to a country that is notified by the government.
▪ Data retention periods: The GDPR permits entities to retain data only until it is necessary for the purposes for which it was collected. The Indian law follows a similar standard, but with a more prescriptive approach. Under the Indian law, if a user does not avail of a service for a particular period of time, or if they don’t exercise their rights for a period of time, the purpose is deemed to be served. The data can then no longer be retained (unless the data is required to comply with a law). The government will define this time period through rules.
▪ Actors: The GDPR equivalent for ‘data fiduciary’ is ‘data controller’ and for ‘data principal’ is ‘data subject.’ ‘Data processors’ is a common term in the GDPR and the Indian law. The Indian law creates a category of ‘significant data fiduciaries’ (SDFs). The Indian government can designate any data fiduciary or class of data fiduciaries as SDFs based on certain factors, like the volume and sensitivity of the personal data they process, the risk to data principal’s rights and the impact on India’s national security. The Indian law also creates a new mechanism of ‘consent managers’ – for users to give, review and withdraw consent. This is absent in the GDPR.
11. By when do companies need to comply? When will the rules be published?
The law doesn’t set this out. The Government has indicated that draft rules are expected to be published by November 2023 followed by a public consultation, and the final rules by the end of December 2023. It has indicated that rules will not be very prescriptive – they’ll tell the companies what they must do, not how exactly they must do it. The intent is to allow a certain flexibility to the industry.
The Minister of State for Electronics and Information Technology, Mr. Rajeev Chandrasekhar (MoS) has said that big-tech companies must comply with the data law in 6 months. There is likely to be a graded timeline for compliance for others– such as government entities, MSMEs, private companies and start ups. There are indications that the compliance window for them may be 12 months, or slightly more. And that this timeline may be extended based on mutual agreements or as and when required. The MoS has also said that implementation timelines will only be extended in cases where there is a need to restructure the technology to ensure compliance, and where the obligation is unique, i.e., it is not found in other data protection laws like the GDPR.
Image credits: Ikigai Designs
For more on the topic please reach out to us at contact@ikigailaw.com
Disclaimer: The contents of this blog are only informational, and should not be construed as legal advice/opinion. Please seek legal advise before undertaking any action.
