The highlights of India’s new data privacy law
Managing IP is part of the Delinian Group, Delinian Limited, 4 Bouverie Street, London, EC4Y 8AX, Registered in England & Wales, Company number 00954730
Copyright © Delinian Limited and its affiliated companies 2024

Accessibility | Terms of Use | Privacy Policy | Modern Slavery Statement
Cookies Settings
Expert AnalysisLocal Insights

The highlights of India’s new data privacy law

Sponsored by

remfry-sagar-400px.png
Bisman Kaur
Shubhankar Das
August 17, 2023
cyber-security-3400555.jpg

Bisman Kaur and Shubhankar Das of Remfry & Sagar analyse the tighter data protection norms brought in by India’s new data legislation – the Digital Personal Data Protection Law, 2023

Given the dominance of the digital world, a robust data protection ecosystem is essential. To this end, several iterations of a data privacy law have been released by the Indian government in recent years; however, stakeholder scrutiny has always forced a reconsideration of the provisions.

On August 3 2023, a new draft titled the Digital Personal Data Protection Bill, 2023 was introduced in the Indian Parliament. This bill was subsequently passed by both houses of Parliament and on August 11 2023 received presidental assent to become The Digital Personal Data Protection Law, 2023 (the New Law). Below are its highlights.

Scope

The New Law aims to regulate the processing of digital data in India, whether it is collected in digital form or in non-digital form and digitised subsequently. It also covers the processing of personal data outside India, if such processing is in connection with any activity related to the offering of goods and services to data principals (individuals to whom the personal data relates) within India.

The New Law clarifies that it does not apply to:

  • Non-digital data;

  • Data processed for personal or domestic purposes; and

  • Publicly available personal data.

The list is much more comprehensive than the Draft Digital Personal Data Protection Bill, 2022 (the Old Bill), which did not apply to non-automated processing and offline data.

Grounds and conditions for processing personal data

Entities collecting and processing personal data – namely, data fiduciaries – may process data for ‘lawful purposes’ or ‘certain legitimate uses’. A lawful purpose is one not expressly forbidden by law. Data fiduciaries are required to obtain consent from data principals which is free, informed, unconditional and unambiguous with a clear affirmative action before processing their data. In contrast to the Old Bill, the New Law requires data fiduciaries to inform data principals about:

  • The data being collected and the purpose of its collection;

  • The manner in which a data principal can exercise its rights on providing or withdrawing consent, or seek recourse to grievance redressal mechanisms; and

  • The manner in which the data principal may make a complaint to the Data Protection Board (the Board).

Data fiduciaries are also obligated to furnish such details for personal data collected prior to the commencement of the New Law. Significantly, if the consent obtained by a data fiduciary is broader than necessary, it will be interpreted as being limited to the specified purpose. For example, if an individual downloads a telemedicine app and gives consent for the processing of personal data for telemedicine services and accessing their mobile phone contact list, since the latter is unnecessary for telemedicine services, consent will be restricted to processing data for telemedicine services.

However, data can be processed even without express consent for ‘legitimate uses’. This can be where the data principal has volunteered personal data for a specified purpose (e.g., for mailing a sales receipt) or the provision of benefits, subsidies and services by the state or complying with a judgment/decree or dealing with a medical emergency. This is contrary to the ‘deemed’ consent provision in the Old Bill, which could be invoked for broad and vague purposes under ‘fair and reasonable grounds’ and ‘public interest’.

Data fiduciaries must implement reasonable security measures to prevent data breaches and maintain the accuracy of data. Furthermore, data is to be deleted when the purpose of its collection is fulfilled or consent is withdrawn, whichever is earlier. Appropriate technical and organisational measures are to be employed by data fiduciaries and reasonable security safeguards implemented to prevent any breach of personal data. Notably, data processors may be engaged by data fiduciaries, but only under a valid contract.

An effective mechanism for grievance redressal must be set up by all data fiduciaries and in the event of a data breach, the data fiduciary is required to notify the Board and each impacted data principal.

Data principals have the right to access the personal data collected about them and know with whom it has been shared. They can also request the deletion, correction, or updating of their personal data and nominate another individual to exercise rights on their behalf in the event of the principal’s death or incapacity. However, they are obligated to provide authentic personal information and not withhold material information or impersonate others.

Significant data fiduciaries

As in previous iterations, the New Law prescribes that the government may designate any data fiduciary as a ‘significant data fiduciary’, on the basis of an assessment of identified factors, including:

  • The volume and sensitivity of the personal data processed;

  • Any risk to the rights of the data principal;

  • The potential impact on the sovereignty and integrity of India; and

  • Any risk to electoral democracy, the security of the state, or public order.

Significant data fiduciaries are subject to stricter obligations: they must appoint a data protection officer based in India and an independent data auditor for compliance assessment, and undertake a periodic data protection impact assessment.

Data pertaining to children and persons with a disability

For data concerning children (individuals below 18 years of age) and persons with a disability with lawful guardians, the consent of the parents or the legal guardians must be obtained by a data fiduciary before processing personal data.

Exemption from parental/guardian consent is possible and the activities of tracking, behavioural monitoring of, or targeted advertising for children may be permissible if the government deems the data processing as verifiably safe.

Cross-border data transfers

Unlike the Old Bill, which set forth a permitted list of countries to which data could be transferred for processing, the New Law allows the cross-border transfer of personal data and its processing to all countries except those in the list of rejected countries.

Also, the New Law will not prevail over stricter norms of any other law in India related to the transfer of data outside the country.

The Data Protection Board

The New Law provides details regarding the composition of a Data Protection Board of India, an independent body responsible for determining non-compliance, directing remedial action and imposing penalties. The Board is also vested with the power to direct parties to mediation.

Under the Old Bill, the government could only appoint the chairman; however, under the New Law, the government has the power to nominate the chairman and other members of the Board.

An order by the Board would be akin to a decree passed by a civil court and appealable to the Telecom Disputes Settlement and Appellate Tribunal within 60 days.

Penalties of up to INR 2.5 billion (approximately $30 million) – reduced from an upper limit of INR 5 billion under the Old Bill – may be imposed on data fiduciaries.

Exemptions

In connection with the implementation of a scheme of compromise, a merger or an acquisition, or the recovery of a debt, the New Law allows for exemptions for the purpose of ascertaining the financial information of loan defaulters, etc.

Additionally, for a specific period or otherwise, the government may exempt certain classes of data fiduciaries, including start-ups, from the need to comply with particular provisions.

Miscellaneous powers of the government

Government entities can be exempted from certain provisions in the interest of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, the maintenance of public order, or preventing incitement to any cognizable offence.

A new provision gives the government the power to block a data fiduciary’s platform in the interest of the general public upon a referral by the Board.

The government can also ask the Board or any data fiduciary or intermediary to furnish it with any information it requires.

Upon receipt of a referral by the Board, the government can issue directions for the imposition of monetary penalties on a data fiduciary and the blocking of public access to any information generated, transmitted, received, stored, or hosted in any computer resource that enables the data fiduciary to carry on any activity relating to the offering of goods or services to data principals.

Final thoughts

Through the New Law, the government has attempted to tighten the rules concerning data fiduciaries, such as by setting higher monetary penalties. It has also addressed ambiguities highlighted in previous iterations, including those concerning cross-border transfers of data, while the scope of exemptions for the government has broadened.

The new legislation intends to reshape the landscape for Indian citizens and their data – let us see how that pans out in the days and months ahead.

Topics

IndiaRemfry & Sagar
kaur-bisman-300px.jpg
Bisman Kaur
Of counsel Remfry & Sagar
Contact
Shubhanker-Das-Colour-Edited.jpg
Shubhankar Das
Senior associate Remfry & Sagar
Contact
more from across site and ros bottom lb

More from across our site

MIP+ WcW 680x383 Reputation@2x.png
What Corporates Want: depth of team
High-earning businesses place most value on the depth of the external legal teams advising them, according to a survey of nearly 29,000 in-house counsel
Sukanya Sarkar, April 26, 2024
Awards
AwardsKilpatrick.jpg
Kilpatrick Townsend wins big at Managing IP Americas Awards 2024
Kilpatrick Townsend was recognised as Americas firm of the year, while patent powerhouse James Haley won a lifetime achievement award
Rani Mehta, April 26, 2024
Patents
AI inventor
AI & inventorship: Comparing patenting in the US & UK
Partners at Foley Hoag and Kilburn & Strode explore how US and UK courts have addressed questions of AI and inventorship
John Lanza, April 26, 2024
Patents
CSR.jpg
Weekly take: In-house must push IP firms towards sustainability
In-house lawyers have considerable influence over law firms’ actions, so they must use that power to push their external advisers to adopt sustainable practices
Sukanya Sarkar, April 26, 2024
Patents
Personnel recruitment and a magnet attracts good employee leader
This week on MIP: Partner move insights, Marks & Clerk to face commissions trial
We provide a rundown of Managing IP’s news and analysis from the week, and review what’s been happening elsewhere in IP
Max Walters, April 26, 2024
Trade Secrets
The contract has been crossed out with a red pen. Vector illustration.The concept of termination old, refusal contract. Failed deal. Violation of conditions commercial agreement. Expired treaty.
‘Non-stop’ client talks: how firms are reacting to FTC’s non-compete ban
Counsel say they’re advising clients to keep a close eye on confidentiality agreements after the FTC voted to ban non-competes
Rani Mehta, April 25, 2024
Patents
TT story.png
Talent Tracker quarterly report: Paul Hastings and Spencer Fane make waves in 2024
Data from Managing IP+’s Talent Tracker shows US firms making major swoops for IP teams, while South Korea has also been a buoyant market
Rani Mehta, April 25, 2024
Awards
WIBL EMEA shortlist announced logo
Women in Business Law Awards EMEA 2024: shortlist announced
The finalists for the 13th annual awards have been announced
John Harrison, April 25, 2024
Patents
Document checking, agreement or contract validation, financial or budget analysis, search for document files concept, businessman manager holding big magnifying glass checking document paper.
How briefings shakeup could shape PTAB arguments
Counsel reveal how a proposal to create separate briefings for discretionary denials at the USPTO could affect their PTAB strategies
Rani Mehta, April 24, 2024
Patents
UK Supreme Court
Marks & Clerk to face ‘secret commissions’ case at trial
The UK Supreme Court rejected the firm’s appeal against an earlier ruling because it did not raise an arguable point of law
Max Walters, April 24, 2024
Gift this article