The highlights of India’s new data privacy law
Bisman Kaur and Shubhankar Das of Remfry & Sagar analyse the tighter data protection norms brought in by India’s new data legislation – the Digital Personal Data Protection Law, 2023
Given the dominance of the digital world, a robust data protection ecosystem is essential. To this end, several iterations of a data privacy law have been released by the Indian government in recent years; however, stakeholder scrutiny has always forced a reconsideration of the provisions.
On August 3 2023, a new draft titled the Digital Personal Data Protection Bill, 2023 was introduced in the Indian Parliament. This bill was subsequently passed by both houses of Parliament and on August 11 2023 received presidental assent to become The Digital Personal Data Protection Law, 2023 (the New Law). Below are its highlights.
The New Law aims to regulate the processing of digital data in India, whether it is collected in digital form or in non-digital form and digitised subsequently. It also covers the processing of personal data outside India, if such processing is in connection with any activity related to the offering of goods and services to data principals (individuals to whom the personal data relates) within India.
The New Law clarifies that it does not apply to:
Data processed for personal or domestic purposes; and
Publicly available personal data.
The list is much more comprehensive than the Draft Digital Personal Data Protection Bill, 2022 (the Old Bill), which did not apply to non-automated processing and offline data.
Grounds and conditions for processing personal data
Entities collecting and processing personal data – namely, data fiduciaries – may process data for ‘lawful purposes’ or ‘certain legitimate uses’. A lawful purpose is one not expressly forbidden by law. Data fiduciaries are required to obtain consent from data principals which is free, informed, unconditional and unambiguous with a clear affirmative action before processing their data. In contrast to the Old Bill, the New Law requires data fiduciaries to inform data principals about:
The data being collected and the purpose of its collection;
The manner in which a data principal can exercise its rights on providing or withdrawing consent, or seek recourse to grievance redressal mechanisms; and
The manner in which the data principal may make a complaint to the Data Protection Board (the Board).
Data fiduciaries are also obligated to furnish such details for personal data collected prior to the commencement of the New Law. Significantly, if the consent obtained by a data fiduciary is broader than necessary, it will be interpreted as being limited to the specified purpose. For example, if an individual downloads a telemedicine app and gives consent for the processing of personal data for telemedicine services and accessing their mobile phone contact list, since the latter is unnecessary for telemedicine services, consent will be restricted to processing data for telemedicine services.
However, data can be processed even without express consent for ‘legitimate uses’. This can be where the data principal has volunteered personal data for a specified purpose (e.g., for mailing a sales receipt) or the provision of benefits, subsidies and services by the state or complying with a judgment/decree or dealing with a medical emergency. This is contrary to the ‘deemed’ consent provision in the Old Bill, which could be invoked for broad and vague purposes under ‘fair and reasonable grounds’ and ‘public interest’.
Data fiduciaries must implement reasonable security measures to prevent data breaches and maintain the accuracy of data. Furthermore, data is to be deleted when the purpose of its collection is fulfilled or consent is withdrawn, whichever is earlier. Appropriate technical and organisational measures are to be employed by data fiduciaries and reasonable security safeguards implemented to prevent any breach of personal data. Notably, data processors may be engaged by data fiduciaries, but only under a valid contract.
An effective mechanism for grievance redressal must be set up by all data fiduciaries and in the event of a data breach, the data fiduciary is required to notify the Board and each impacted data principal.
Data principals have the right to access the personal data collected about them and know with whom it has been shared. They can also request the deletion, correction, or updating of their personal data and nominate another individual to exercise rights on their behalf in the event of the principal’s death or incapacity. However, they are obligated to provide authentic personal information and not withhold material information or impersonate others.
Significant data fiduciaries
As in previous iterations, the New Law prescribes that the government may designate any data fiduciary as a ‘significant data fiduciary’, on the basis of an assessment of identified factors, including:
The volume and sensitivity of the personal data processed;
Any risk to the rights of the data principal;
The potential impact on the sovereignty and integrity of India; and
Any risk to electoral democracy, the security of the state, or public order.
Significant data fiduciaries are subject to stricter obligations: they must appoint a data protection officer based in India and an independent data auditor for compliance assessment, and undertake a periodic data protection impact assessment.
Data pertaining to children and persons with a disability
For data concerning children (individuals below 18 years of age) and persons with a disability with lawful guardians, the consent of the parents or the legal guardians must be obtained by a data fiduciary before processing personal data.
Exemption from parental/guardian consent is possible and the activities of tracking, behavioural monitoring of, or targeted advertising for children may be permissible if the government deems the data processing as verifiably safe.
Cross-border data transfers
Unlike the Old Bill, which set forth a permitted list of countries to which data could be transferred for processing, the New Law allows the cross-border transfer of personal data and its processing to all countries except those in the list of rejected countries.
Also, the New Law will not prevail over stricter norms of any other law in India related to the transfer of data outside the country.
The Data Protection Board
The New Law provides details regarding the composition of a Data Protection Board of India, an independent body responsible for determining non-compliance, directing remedial action and imposing penalties. The Board is also vested with the power to direct parties to mediation.
Under the Old Bill, the government could only appoint the chairman; however, under the New Law, the government has the power to nominate the chairman and other members of the Board.
An order by the Board would be akin to a decree passed by a civil court and appealable to the Telecom Disputes Settlement and Appellate Tribunal within 60 days.
Penalties of up to INR 2.5 billion (approximately $30 million) – reduced from an upper limit of INR 5 billion under the Old Bill – may be imposed on data fiduciaries.
In connection with the implementation of a scheme of compromise, a merger or an acquisition, or the recovery of a debt, the New Law allows for exemptions for the purpose of ascertaining the financial information of loan defaulters, etc.
Additionally, for a specific period or otherwise, the government may exempt certain classes of data fiduciaries, including start-ups, from the need to comply with particular provisions.
Miscellaneous powers of the government
Government entities can be exempted from certain provisions in the interest of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, the maintenance of public order, or preventing incitement to any cognizable offence.
A new provision gives the government the power to block a data fiduciary’s platform in the interest of the general public upon a referral by the Board.
The government can also ask the Board or any data fiduciary or intermediary to furnish it with any information it requires.
Upon receipt of a referral by the Board, the government can issue directions for the imposition of monetary penalties on a data fiduciary and the blocking of public access to any information generated, transmitted, received, stored, or hosted in any computer resource that enables the data fiduciary to carry on any activity relating to the offering of goods or services to data principals.
Through the New Law, the government has attempted to tighten the rules concerning data fiduciaries, such as by setting higher monetary penalties. It has also addressed ambiguities highlighted in previous iterations, including those concerning cross-border transfers of data, while the scope of exemptions for the government has broadened.
The new legislation intends to reshape the landscape for Indian citizens and their data – let us see how that pans out in the days and months ahead.