Primer on the Digital Personal Data Protection Act 2023

The Indian Parliament has passed its new data protection law – the Digital Personal Data Protection Act 2023 (“Act”). The Act will take effect upon notification by the government. The law governs how businesses collect and use individuals’ data. It is a high-level principles-based law. Details around implementation will be set out through rules, which are now expected before the end of 2023.

  1. The Scope

The Act covers personal data, i.e., data about an individual that can identify them. This includes identifiers like name, phone number, email address, postal address and Aadhaar number (i.e., the national ID). It also includes profiling data or usage data, e.g., a user’s preferences. It only covers ‘digital’ data, not offline records unless they are digitised. It does not cover non-personal data (business insights, anonymised data). It doesn’t apply to data that is made “publicly available” by the individual, or by any other person under a legal obligation to do so; for example, a blogger who posts about her spending habits on social media. The exception for “publicly available” data also creates room for scraping of such data on the internet for training of AI/ML models.

  2. Who does the law apply to?

Anyone who processes digital personal data will be impacted, barring some exceptions. Processing means collecting, recording, structuring, storing, sharing, or any other automated action on the data. The data could be processed in India or abroad. If data is processed abroad, the law will apply if it relates to “offering” goods and services in India. So, if offshore businesses offer goods or services in India, the law applies to them.

The law recognises two entities – data fiduciaries and data processors.

Data fiduciaries: Businesses that define the “purpose and means” of processing. They’re also called data controllers in other parts of the world. These are businesses that determine why user data is needed, how it is used, how long it is to be retained, etc. They are responsible for the data and assume responsibility under the law.

Data processors: Businesses that process data on behalf of fiduciaries. For example, cloud service providers who host data for their customers, or ‘know-your-customer’ (KYC) service providers who conduct users’ KYC on behalf of a payments company. Fiduciaries tell them what to do.

  3. How should companies collect personal data?

Fiduciaries must either get an individual’s consent, or the collection/processing must be for certain “legitimate uses” recognised in the law.

Consent: Fiduciaries must give users a notice describing what data is collected, for what purpose, users’ rights, and how they can complain to the enforcing authority – the Data Protection Board (or “Board”). And on reading this notice, individuals must give clear and affirmative consent confirming that their data can be processed for the specified purpose. They must also allow individuals to withdraw their consent.

For data collected before the law kicks in, fiduciaries must send individuals a fresh notice, which sets out what data is processed, the purpose, how individuals can exercise their rights, and how they can make complaints to the Data Protection Board.

Legitimate uses: If companies process data for certain “legitimate uses” recognised in law, they don’t need the individual’s consent separately. This includes situations where the individual voluntarily provides her data for a specific purpose, or where data is processed to meet legal obligations or to comply with a court order, among other things.

The law also recognises some circumstances (exemptions) where it does not apply. These include processing data to detect or prevent an offence, or to enforce a legal right or claim, among others.

  4. What else should fiduciaries do?

(a) Implement organizational and technical measures;
(b) adopt reasonable security safeguards;
(c) notify personal data breaches to the Data Protection Board and affected individuals;
(d) ensure accuracy, completeness, and consistency of the personal data, in certain situations;
(e) erase personal data once the purpose is met or if the individual withdraws consent;
(f) implement a mechanism to resolve grievances;
(g) appoint vendors only under a contract that describes how they’ll use and protect the data, among other things.

Fiduciaries that process large volumes of data or sensitive data could be designated as “significant data fiduciaries” (“SDFs”) by the government. SDFs must: (a) appoint a data protection officer based in India; (b) appoint an independent data auditor and do periodic data audits; and (c) carry out periodic data protection impact assessments.

Processing children’s data: Companies that collect children’s data must get their parent’s or guardian’s consent. They cannot track or monitor a child’s behaviour, or target advertisements to children. The central government can grant exemptions from these obligations.

  5. What should data processors do?

The law doesn’t spell out specific obligations for data processors or penalties for them. Fiduciaries may pass these on to processors through contracts. So, processors must review their contracts with fiduciaries closely.

  6. Can companies transfer/process data outside India?

Yes, but the Indian government can restrict transfers to certain countries through notifications.

  7. What rights do individuals have over their personal data?

Individuals can ask fiduciaries to give them information on the personal data being processed, the processing activities, and the identities of all organisations with whom their data has been shared. They can also ask for their information to be corrected or erased. They can nominate someone else to exercise their rights on their behalf in case they die or are incapacitated. Companies should allow individuals to easily access grievance redressal mechanisms. The law also places duties on individuals, such as not making false or frivolous claims and not impersonating another person, among other things.

  8. What happens if companies don’t comply?

The law sets up a Data Protection Board to enforce the law and hand out penalties. Individuals can approach the Board if a data fiduciary doesn’t comply with the law. The Board can award penalties up to INR 250 crore (USD 30 million) for some breaches. There is no criminal liability. In awarding penalties, the Board will assess any steps the company took to mitigate the impact of the breach or non-compliance. Notably, the Board can also ask the government to issue directions to block access to a fiduciary’s platform in certain cases.

  9. By when do companies need to comply? When will the rules be published?

The law doesn’t set this out. At the time of publication of this note, the Government has indicated that draft rules are expected to be published by November 2023, followed by a public consultation, and the final rules by the end of December 2023. It has indicated that the rules will not be very prescriptive: they’ll tell companies what they must do, not exactly how they must do it. The intent is to allow the industry a certain flexibility.

The Minister of State for Electronics and Information Technology, Mr. Rajeev Chandrasekhar (MoS), has said that big-tech companies must comply with the data law in six months. There is likely to be a graded timeline for compliance for others, such as government entities, MSMEs, private companies and start-ups. There are indications that the compliance window for them may be 12 months, or slightly more, and that this timeline may be extended based on mutual agreements or as and when required. The MoS has also said that implementation timelines will only be extended in cases where there is a need to restructure the technology to ensure compliance, and where the obligation is unique, i.e., it is not found in other data protection laws like the GDPR.

  10. What are the next steps for companies?

Begin by preparing an inventory of the personal data that the company holds and processes. Map the flow of personal data within the company and outside it (such as to third-party vendors and processors). Identify each instance where the company ‘processes’ personal data, the purpose for which it does so, and whether in each instance it acts as (i) a data fiduciary or (ii) a data processor. Maintain clear records of these activities.

Companies should strengthen their internal data handling, data retention and data security measures; train their employees across teams on the new law; and identify a point of contact for data privacy related issues and requests. They should also revisit their user interface (identify where to take consent) and review their arrangements with vendors. Once the rules are notified, companies can revisit their privacy policies and consent notices.

More from Ikigai Law