The Digital Personal Data Protection Act, 2023 (Act or DPDP Act) was assented to by the President of India on 11 August 2023. The Act differs materially from its predecessor, the 2022 Bill. Key changes include: a negative-list regime for cross-border data transfers; removal of the reasonable purposes and public interest grounds of processing; exemption to data made publicly available by a data principal or under legal obligation; exemption of data fiduciaries from parental consent and other children’s data processing obligations in certain cases; and government powers to block access to the data fiduciary’s platform, among several others. The Act is lean, and its provisions are principle-based and high-level, while details around implementation will be set out in rules.
Here is a summary:
1. Applicability and scope:
Material scope: The Act applies to personal data that is collected in digital form or in non-digital form but digitized subsequently.[1] This is clearer than the 2022 Bill, which used terms such as ‘online’ and ‘offline’ data, which were ambiguous.[2] The Act does not apply to: (i) non-digital data; (ii) data processed for personal or domestic purposes; and (iii) data made publicly available by a data principal or any other person under a legal obligation.[3] The list is clearer and narrower than the 2022 Bill, which did not apply to ‘non-automated’ processing and ‘offline’ data.
Territorial scope: The Act applies to personal data outside India only if such processing is in connection with offering of goods and services to data principals within India.[4] In contrast, the 2022 Bill also applied outside India if the processing was in connection to ‘profiling’ of Indian data principals.[5]
2. Notice: The 2022 Bill requirement to provide ‘itemized’ notice has been dropped.[6] Now, while obtaining consent, data fiduciaries must give data principals a notice: containing a description of the personal data and the purpose for which it will be processed; details of the way data principals may exercise their rights to withdraw consent and grievance redressal; and details on how data principals may file a complaint with the Data Protection Board (DPB).[7]
3. Consent: Consent means an indication by the data principal signifying an agreement for their data to be processed for a specified purpose.[8] Consent should be free, specific, informed, unconditional and unambiguous.[9] And it should be through clear affirmative action.[10] The Act limits the validity of consent to the personal data necessary for satisfying the specified purpose.[11] Data principals also have the right to withdraw their consent and utilize the services of consent managers.[12] If a data principal withdraws their consent, the data fiduciary must get the data processor to stop processing that individual’s personal data, unless it is otherwise authorized.[13] Data principals or users can access information made available to them in English, or choose any language specified in the Eighth Schedule of the Constitution of India.[14] The provisions on consent are largely unchanged from the 2022 Bill.
4. Grounds of processing: The Act moves away from the ‘deemed consent’ framing for non consent based processing. These are now called ‘legitimate uses’.[15] However, the Act provides a narrow list of ‘legitimate uses’, since both the ’fair and reasonable purposes‘ – the residuary ground – and the ‘public interest’ grounds have been removed. Further, under the Act, data fiduciaries can process data without consent when the data principal voluntarily provides their data and does not indicate unwillingness to consent to its use.[16] According to illustrations provided in the Act , this would enable entities to process data without consent in scenarios when data is provided in exchange for a service – such as phone numbers shared with a pharmacy for obtaining a receipt or data provided for services related to finding rental accommodation. Other legitimate uses include data processed for performance of state functions, or in the interest of sovereignty, integrity and security of the State,[17] or for providing/issuing benefits,[18] disclosures for fulfilling legal obligation/court order,[19] assistance in a health emergency,[20] disaster or public order situation,[21] and in relation to employees.[22] Grounds such as processing for ‘performance of contract’ and ‘legitimate interests’ – found in global data protection laws like the EU GDPR – are not provided in the Act.
5. Obligations of data fiduciary: Data fiduciaries are responsible for compliance with the Act, even for any processing undertaken on their behalf by a data processor.[23] They must establish grievance redressal mechanisms.[24] And ensure accuracy and completeness of personal data, if it is used to make a decision that affects a user or is to be shared with another data fiduciary.[25] Data fiduciaries must delete data, and cause its data processor to delete it, if the user withdraws their consent or if it is reasonable to assume that the specified purpose is no longer being served, i.e. when the user does not contact the fiduciary for the performance of the purpose or exercise their rights for a specified period (suggesting if an account is inactive for a while, the platform must delete data).[26] The fiduciary can continue retaining the data if required by law.[27] The 2022 Bill allowed data fiduciaries to retain data for undefined ‘business and legal’ purposes.[28] Finally, data fiduciaries must report data breaches – which retains its broad definition from the 2022 Bill – to both the DPB and users.[29]
6. Significant data fiduciaries: The government may notify ‘significant data fiduciaries’ (SDFs) by assessing factors like volume and sensitivity of the personal data processed, risk to the rights of the data principals (this was previously harm to DPs), potential impact on the sovereignty and integrity of India, among other things.[30] The 2022 Bill allowed the government to also consider ‘other factors’, but this has been removed.[31] Like the 2022 Bill, SDFs must: (i) appoint a data protection officer (DPO) based in India – who will be responsible to the board of directors of the SDF;[32] (ii) appoint an independent data auditor to evaluate the SDF’s compliance with the Act;[33] (iii) undertake data protection impact assessments (DPIA)[34] and periodic audits, as may be prescribed under rules.[35]
7. Data processors: Data fiduciaries can engage data processors under a valid contract.[36] The 2022 Bill appeared to require user consent for engaging a data processor, which has now been done away with. The requirement to set security safeguards falls on data fiduciaries only, unlike the 2022 Bill, which required data processors to also adhere to it.[37] Similarly, data fiduciaries – not data processors – must report data breaches to authorities and users.[38] The liability for not reporting breaches or failing to institute safeguards falls on data fiduciaries only.[39]
8. Children’s data: The Act retains the definition of a ‘child’– an individual below the age of 18 years – from the 2022 Bill. Data fiduciaries must continue to obtain ‘verifiable’ parental consent to process children’s data. It also prohibits tracking and advertising targeted towards children and processing that is likely to cause any ‘detrimental effect’ – characterized as ‘harm’ in the 2022 Bill – on the well-being of a child. The government can exempt classes of data fiduciaries and processing for certain purposes from the requirement of obtaining parental consent and prohibiting behavioral monitoring. It also empowers the government to exempt data fiduciaries in certain scenarios from processing data of children above a certain age (but below 18 years) without the obligations attached to processing children’s data.
9. Rights of Data Principal: Like the 2022 Bill, data principals can seek information on the personal data being processed, the processing activities, and identities of all the data fiduciaries and processors that their data has been shared with.[40] Data principals may also ask data fiduciaries to correct or erase their personal data[41] and have the right to nominate an individual to exercise rights on their behalf in the event of their death or incapacitation.[42] Data fiduciaries must also offer readily available grievance redressal mechanisms to data principals.[43] The Act emphasizes that the data principal must exhaust all options for grievance redressal before approaching the DPB.[44] The Act also casts responsibility on the data principal to not impersonate another person or suppress information when applying for any document or proof from the state, and to provide only authentic information while exercising their right to data erasure.[45]
10. Cross-border data transfers: The Act moves from the white-list approach (recommended in the 2022 Bill) to a negative list.[46] This means that data transfers are allowed to all jurisdictions except those barred by the government through notification.[47] The principles/conditions under which such countries will be barred are not specified. Any stricter sectoral restrictions on data transfers – like the Reserve Bank of India’s payments data localization mandate – will continue to apply.[48]
11. Data Protection Board: Under the Act, the DPB continues as an adjudicatory and enforcement body, and not a regulator.[49] The central government exercises control over the composition and operations of the DPB.[50] The Act provides details around the composition of the DPB and the criteria for membership, which was absent in the 2022 Bill.[51] The DPB will enforce the provisions of the Act. It can issue directions and direct data fiduciaries to adopt urgent measures in case of data breaches,[52] receive complaints by affected persons or references by the central or state governments[53] and impose penalties for non-compliance.[54] It can conduct hearings, summon and enforce attendance, examine persons on oath, among other functions.[55] The DPB can also accept voluntary undertakings – i.e., an entity subject to proceedings for non-compliance can undertake to perform or abstain from certain action, in which case the enforcement proceeding will stop.[56]
12. Blocking power: Under the Act the central government or any authorized officer can order blocking of public access to the data fiduciary’s platform, upon a reference by the Board.[57] Blocking can only be ordered if it is necessary or expedient in the interests of the general public, and before issuing a blocking order data the fiduciary should be given an opportunity to be heard.[58] The government can order any intermediary to assist in giving effect to the blocking order.[59] This is a new provision.
13. Government’s power to call for information: The Act empowers the central government to call for information from the Board or any data fiduciary or intermediary for the purposes of the Act.[60] This is a new provision.
14. Exemptions: The Act exempts the application of certain provisions for data-processing for: a) investigation of offences;[61] b) implementation of scheme of compromise or merger or amalgamation; [62] c) detecting financial frauds; [63] and d) processing data of a data principal who is outside India, under a contract, among others. [64] The government can exempt the entire application of the Act for notified state agencies in the interests of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order, among other reasons. [65] It may also provide exemptions for research, archiving or statistical purposes – if the data is not used to take any decision specific to a data principal. [66] Lastly, the government can also notify certain data fiduciaries including startups that may be exempt from the Act – keeping in mind the volume and nature of personal data processed by them. [67]
15. Penalties: The DPB can issue monetary penalties to data fiduciaries in case of non-compliance.[68] Penalties are only applicable to data fiduciaries, which is a departure from the 2022 Bill.[69] The maximum penalty that can be issued is INR 250 crore.[70] In the 2022 Bill, the DPB could levy a maximum penalty of INR 500 crore.[71] The government has the power to amend the schedule to increase the penalties but cannot increase to more than double of the existing figures.[72]
16.Rules: The Act continues to give the Government broad powers to make subordinate legislation or decisions on any aspect permitted under the Act, including consent manager[73], process and format for reporting data breaches[74], matters related to processing of children’s data[75], significant data fiduciaries[76] and process for impact assessment[77], among others. It is unclear if the rules will be put to stakeholder consultation.
17. Implementation: The Act proposes a staged implementation, with the government notifying the clauses that will take effect periodically.[78] However, no specific timelines are provided in the Act.
Image credit: Ikigai Designs
For more on the topic please reach out to us at contact@ikigailaw.com
[1] Clause 3(a), DPDP Act.
[2] Clause 4(1), 2022 Bill.
[3] Clause 3, DPDP Act.
[4] Clause 3(b), DPDP Act.
[5] Clause 4(2), DPDP Act.
[6] Clause 6(1), 2022 Bill.
[7] Clause 5, DPDP Act.
[8] Clause 6(1), DPDP Act.
[9] Clause 6(1), DPDP Act.
[10] Clause 6(1), DPDP Act.
[11] Clause 6(1), DPDP Act.
[12] Clause 6(7), DPDP Act.
[13] Clause 6(6), DPDP Act.
[14] Clause 6(3), DPDP Act.
[15] Clause 7, DPDP Act.
[16] Clause 7(a), DPDP Act.
[17] Clause 7(c), DPDP Act.
[18] Clause 7(b), DPDP Act.
[19] Clause 7(d)-(e), DPDP Act.
[20] Clause 7(f), DPDP Act.
[21] Clause 7(h), DPDP Act.
[22] Clause 7(i), DPDP Act.
[23] Clause 8(1), DPDP Act.
[24] Clause 8(10), DPDP Act.
[25] Clause 8(3), DPDP Act.
[26] Clause 8(7)-(8), DPDP Act.
[27] Clause 8(7), DPDP Act.
[28] Clause 9(6)(b), 2022 Bill.
[29] Clause 8(6), DPDP Act.
[30] Clause 10(1), DPDP Act.
[31] Clause 10(1), DPDP Act.
[32] Clause 11(1)(g), 2022 Bill.
[33] Clause 10(2)(a) DPDP Act.
[34] Clause 10(2)(b), DPDP Act.
[35] Clause 10(2)(c), DPDP Act.
[36] Clause 8(2), DPDP Act.
[37] Clause 8(5), DPDP Act.
[38] Clause 8(6), DPDP Act.
[39] Clause 33 & Schedule, DPDP Act.
[40] Ch III, DPDP Act.
[41] Clause 12, DPDP Act.
[42] Clause 14(1), DPDP Act.
[43] Clause 8(10), DPDP Act.
[44] Clause 13(3), DPDP Act.
[45] Clause 15(b)-(c) & (e), DPDP Act.
[46] Clause 16(1), DPDP Act.
[47] Clause 16(1), DPDP Act.
[48] Clause 16(2), DPDP Act.
[49] Clause 27, DPDP Act.
[50] Clause 16 & 17, DPDP Act.
[51] Clause 19, DPDP Act.
[52] Clause 27(1)(a), DPDP Act.
[53] Clause 27(1)(b), DPDP Act.
[54] Clause 27(1), DPDP Act.
[55] Clause 28(7), DPDP Act.
[56] Clause 32, DPDP Act.
[57] Clause 37(1), DPDP Act.
[58] Clause 37(1) proviso, DPDP Act.
[59] Clause 37(2), DPDP Act.
[60] Clause 26, DPDP Act.
[61] Clause 17(1)(c), DPDP Act.
[62] Clause 17(1)(e), DPDP Act.
[63] Clause 17(1)(f), DPDP Act.
[64] Clause 17(1)(d), DPDP Act.
[65] Clause 17(2)(a), DPDP Act.
[66] Clause 17(2)(b), DPDP Act.
[67] Clause 17(3), DPDP Act.
[68] Clause 33 & Schedule, DPDP Act.
[69] Schedule, DPDP Act.
[70] Schedule, DPDP Act.
[71] Schedule, DPDP Act.
[72] Clause 42(1), DPDP Act.
[73] Clause 6, DPDP Act.
[74] Clause 8(6), DPDP Act.
[75] Clause 9(4), DPDP Act.
[76] Clause 10(1), DPDP Act.
[77] Clause 10(2)(c)(i)and(iii), DPDP Act.
[78] Clause 1(2), DPDP Act.
