Nearly six years after a landmark Supreme Court ruling, which reiterated that informational privacy is a fundamental right enshrined in the Constitution, India finally enacted its Digital Personal Data Protection Act, 2023 (the “DPDPA” or “Act”), on August 11, 2023.
While the Act adopts several principles from global data protection frameworks such as the EU and UK General Data Protection Regulation (the “GDPR”) and US data protection laws like the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”)—including (i) free, purpose-specific, informed consent, based on transparent notice and (ii) technical and organizational measures (“TOMS”) and appropriate security practices (to secure data)—it has several distinctive aspects, including a flat definition of “Personal Data” (with no sub-categories of sensitive data), a remarkably consent-centric regime (leaving private entities with few other lawful bases for processing), a requirement to demonstrate necessity even where consent has been obtained, statutory data retention thresholds and a potential “blacklist” of jurisdictions to which transfers may be restricted.
In this blog post, jointly authored by Cleary Gottlieb and Cyril Amarchand Mangaldas, we analyze the Act against relevant US data protection laws and GDPR, particularly with respect to (i) coverage, (ii) notice, consent and purpose and (iii) minors’ data. We also recommend actionable items for organizations to determine next steps for compliance with the Act, and highlight opportunities to leverage existing compliance processes and procedures to minimize the costs of once again revisiting obligations with respect to personal data processing.
Coverage
While the Act uses broadly familiar definitions, it does so with key differences. Namely, “Personal Data” under the Act extends to all data about an individual who is identifiable by, or in relation to, such data. Such data need not be capable of being reasonably linked to an individual and means of identifying individuals need not be reasonably available. The Act also does not define any sub-categories of sensitive data or specify bright line standards for de-identification or anonymization.
Additionally, while the Act covers all processing in India and extends to processing outside India in connection with activities “related to” offering goods or services in India, it does not require that such activity be targeted toward Indian individuals (as the GDPR does for its extraterritorial reach) or that revenue or volume thresholds be crossed (as the CCPA does).
Finally, the Act excludes Personal Data processing for personal or domestic purposes. Further, deviating from the GDPR, but similar to US state comprehensive privacy laws, the Act excludes data made publicly available by the Data Principal (i.e., the “data subject” under the GDPR or “consumer” under the CCPA) or by any other person pursuant to a legal obligation.
Breaches and Regulation
Though the Act recognizes the concept of data processors like the GDPR (or service providers or contractors under the CCPA), it does not devolve any statutory obligations onto them, and instead imposes obligations almost entirely on Data Fiduciaries[1] (i.e., entities that determine the purpose and means of processing, akin to a “data controller” under the GDPR or a “business” under the CCPA). Accordingly, a Data Principal’s rights such as correction, erasure and deletion upon withdrawal of consent must be honored by the Data Fiduciary, which in turn must ensure that its Data Processors honor such rights as well.
Additionally, for a special class of Data Fiduciaries referred to as Significant Data Fiduciaries, which will be defined or notified based on criteria such as processing volume, sensitivity and potential impact (including on electoral democracy, which is particularly relevant in view of the upcoming general election), the Act’s obligations can be even higher.[2]
Like the amendments to the CCPA passed in 2020, the Act creates a new regulator, the Data Protection Board of India (the “Board”), which will be responsible for investigating breaches and grievances, instituting investigations and levying fines. Similar to most supervisory authorities in Europe under the GDPR, but unlike the California Privacy Protection Agency under the CCPA, the Board does not have any rulemaking powers. Finally, unlike the CCPA, the Act does not contain a private right of action.
Legal Grounds to Process Personal Data
Unlike the GDPR, where processing occurs under a prescribed set of legal bases such as necessity for the performance of a contract or the legitimate interests of the data controller, or US data protection laws which largely permit data processing upon notice (in addition to opt-out methods for specific processing activities)[3], the Act only allows two means for private Data Fiduciaries to process Personal Data: (i) consent from the Data Principal or (ii) pursuant to a few, narrowly tailored “legitimate uses”.
Consent. The Act’s requirements for consent—namely that it must be informed, timely, unambiguous and narrowly tailored for the purpose at hand—are largely harmonious with global requirements. However, the Act is distinctive in its treatment of consent, necessity and purpose limitation. Under the Act, a Data Principal’s consent for a purpose which is later found to be unnecessary may not be considered valid even where a Data Fiduciary has duly recorded the Data Principal’s consent. By way of illustration, the Act provides an example whereby a Data Principal provides consent to a telemedicine app to both (i) process her Personal Data for making available telemedicine services and (ii) access her mobile phone contact list. However, because access to the mobile phone contact list is not necessary for making available telemedicine services, the Data Principal’s consent will be limited to the processing of her Personal Data for making available telemedicine services. Separate consent will have to be obtained or separate legitimate use will have to be established to permit access to the Data Principal’s contact list. In this way, unlike other data protection regimes, Data Principal consents can arguably be invalidated by regulators for a particular kind of processing where no necessity exists to collect or retain certain Personal Data.
Furthermore, even after receiving valid consent, Data Fiduciaries must cease processing Personal Data (even if the Data Principal has not withdrawn consent) in circumstances where it is reasonable to assume that the Data Principal no longer uses their services or where the Data Principal no longer continues to engage with the Data Fiduciary for a reasonable period.
Consent must be collected based on a valid notice, whose contents more closely mirror the targeted requirements of a Notice at Collection under the CCPA amendments than the detailed notices required more generally of privacy policies under the GDPR and other US data protection laws. Specifically, notices under the DPDPA must describe (i) the categories of Personal Data and purpose for which such data will be processed; (ii) the manner in which the individual may withdraw consent; (iii) the grievance redressal mechanisms provided by the Data Fiduciary or Consent Manager[4] and (iv) the means by which the Data Principal may submit a grievance to the Board. Additional requirements with respect to notice and consent obligations may be prescribed in future rulemaking.
Additionally, notice obligations apply to Personal Data collected and processed on the basis of legacy consents, meaning that Data Fiduciaries must provide updated notice at the time the Act comes into force in order to continue to process such previously collected data until consent is withdrawn.
Legitimate Use. The Act only permits processing without consent by private Data Fiduciaries for narrowly defined “legitimate” uses.
For example, one such use is the voluntary provision of data by a Data Principal for a specific purpose. Given its drafting, this basis is likely to be available only when such purpose is immediately clear at the time of submission, such as the provision of a digital receipt requested by an individual for a transaction.
Furthermore, while the Act recognizes purposes of employment as another legitimate use, it (unlike its draft iteration) narrowly tailors these uses to only include prevention of loss or liability of the employer, and provision of benefits sought by an employee. This, along with a narrow set of examples such as preventing corporate espionage and protection of trade secrets, means that consent will still be the primary basis for processing Personal Data of employees (and other individuals like consultants and contractors) for purposes such as hiring, retention, performance evaluation and attendance.
Other legitimate use exemptions include providing emergency care, compliance with law and judgements, processing data relating to defaulters, and transfers pursuant to court approved M&A.
Processing of Minors’ Data and Verifiable Parental Consent
Like US data protection laws (such as the Children’s Online Privacy Protection Act) and the GDPR, each of which requires covered entities to receive verifiable parental or guardian consent to process personal data of children under the age of thirteen (13) or sixteen (16) (or thirteen (13), in some EU states), respectively, the DPDPA similarly requires prior verifiable parental or guardian consent for such processing. However, in an apparent nod to the UK and California Age Appropriate Design Codes, the Act requires verifiable parental consent prior to the processing of any Personal Data obtained about an individual under the age of eighteen (18), as well as verifiable consent of the lawful guardian for persons with disabilities who have one. Guidelines around how “verifiable parental consent” can be obtained will come under future Central Government rulemaking, and the effectiveness of the Act in protecting children and achieving bona fide parental consent may well depend on how these rules are framed.
Notwithstanding such consent, Data Fiduciaries are prohibited from tracking, engaging in behavioral monitoring of or targeting advertising toward children or indeed engaging in any such related processing.
Next Steps
While the Act has been finalized, rulemaking activities are in process and work is reportedly underway to appoint the Board, there are no formal timelines in place for implementation. This, along with an impending general election in India, has led to much uncertainty on what large global businesses, particularly those that interact with India-based customers, can do to comply with the Act today.
The unique requirements of the Act, along with the significant “step-up” over the current legal regime in India, also make aligning with global regimes non-trivial. Some immediate steps that can be considered are:
- Conduct Data Mapping: With respect to covered Personal Data, entities should update current data inventories and conduct data mapping to identify: (i) the nature of such data and the purpose(s) for which it was collected and is currently used; (ii) whether such usage remains relevant and warranted given the enhanced necessity and retention requirements under the Act and (iii) the adequacy and traceability of existing consent frameworks;
- Prepare Necessary Notices and Consents: Entities must update existing privacy notices and present clear and precise notices to all Data Principals, as well as implement mechanisms to obtain interim consents. Entities should also stay abreast of additional notice or consent obligations that may arise in connection with future Central Government rulemaking;
- Identify Exclusions and Non-Consent Bases for Processing: Entities should identify datasets that are excluded from the Act, which must be called out in applicable privacy notices, as well as identify data and purposes for which legitimate use processing is permissible;
- Assess Continued Need to Process Minors’ Data: Entities should consider the extent to which they engage with or need to process the Personal Data of individuals under the age of eighteen (18) and cease restricted processing (e.g., tracking, engaging in behavioral monitoring of, or targeting advertising toward, children);
- Update Grievance Redressal, Breach Response and Retention Plans: Entities may need to update internal data protection processes and plans, along with corresponding TOMS, for compliance with the Act; and
- Review Contracts with Data Processors: Entities should review existing contractual arrangements with Data Processors to ensure that appropriate data security measures and practices are put in place, along with the requirement to certify compliance or provide warranties on adequacy of legal practices and obligations.
[1] Notably, the Act leaves open the possibility for the Central Government to implement blanket exceptions for certain Data Fiduciaries to whom certain provisions of the Act will not apply (e.g., startups). Furthermore, for the first five years after commencement of the Act, the Central Government can declare that any provision of the Act will not apply to certain Data Fiduciaries or classes of Data Fiduciaries for a period of its choosing.
[2] Such heightened obligations include (i) the appointment of a data protection officer based in India, (ii) undertaking audits performed by independent data auditors, (iii) performance of data protection impact assessments and (iv) other requirements to be later prescribed through Central Government rulemaking.
[3] Note that a number of US state privacy laws, such as the Virginia Consumer Data Protection Act, the Colorado Privacy Act and the Connecticut Data Privacy Act, further impose opt-in or consent requirements for the processing of “sensitive personal data”.
[4] A Consent Manager is a person registered with the Board who acts on behalf of the Data Principal and as their single point of contact to enable such Data Principal to give, withdraw and/or manage provision of consent for the processing of their Personal Data.