On August 11, 2023, India’s long-awaited general personal data protection legislation, the Digital Personal Data Protection Act, 2023 (“DPDPA”) was finally enacted.
Governing the world’s fifth largest economy and one of its fastest growing digital markets, the DPDPA will be of importance to a large number of international businesses that operate in India, rely on Indian service providers/group service companies for their operations, or are looking to enter Indian markets.
The evolution of the DPDPA through the years, and some of its salient features, are discussed here.
While the DPDPA takes inspiration from the GDPR, unlike previous drafts, it is a distinct legal regime which differs from GDPR in significant ways. It has many similarities with Singapore’s Personal Data Protection Act 2012, as further discussed in our recent blog post on the similarities between the Singaporean and Indian regimes (available here).
Five years on since the introduction of the GDPR, international businesses are now well-versed with the requirements of compliance with that regime.
In this joint blog post, Herbert Smith Freehills and Cyril Amarchand Mangaldas outline some key differences between the DPDPA and GDPR and how international businesses can best prepare for the new rules of India’s data economy.
Background
Currently, the general data protection regime in India provides limited coverage. While limited requirements around processing of narrowly defined ‘sensitive personal data’ (including health information, financial information etc.) were contained in the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the “SPDI Rules”), these are outdated; largely regulate data collectors (as opposed to controllers); become relevant only in the context of data breaches; and are poorly enforced. As a result, market practice has been to collect large volumes of data pursuant to broad, inconsistent, bundled consents, and to process and transfer such data widely.
However, in 2017, the Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. Union of India (“Puttaswamy”) reiterated that the right to informational privacy was a fundamental right, flowing from the fundamental right to life and personal liberty. This decision laid the groundwork for a first iteration of India’s data bill, which, following a long and winding legislative journey, culminated in the DPDPA.
The Focus of Regulation
The DPDPA is squarely focused on regulating data fiduciaries (similar to data controllers under the GDPR), on the basis that they hold data on behalf of data principals (similar to data subjects under the GDPR), who are the ultimate “owners” of such personal data. Unlike the GDPR though, which places statutory obligations on both data controllers and data processors (although the latter are subject to far fewer obligations), the DPDPA makes data fiduciaries expressly responsible for actions of data processors engaged by them.
Another key difference is that unlike the GDPR, the DPDPA does not distinguish between personal data and sensitive personal data. Instead, all personally identifiable data is regulated in the same way.
In addition, whilst data that has been made public is nonetheless protected under the GDPR, the DPDPA completely excludes from its ambit all data that is made publicly available, either by the data principal, or under applicable law.
International data transfers
While GDPR requires international data transfers to take place pursuant to additional safeguards, the DPDPA does not currently specify additional measures to be followed for international data transfers, although these may be set out subsequently in further regulations and the Indian government may also specify jurisdictions to which data cannot be transferred.
In addition, international data transfers are subject to existing sector-specific restrictions (of which there are several, including in relation to payment data), and other laws which ‘provide a higher degree of protection for or restriction on transfer of personal data’. As a result, international data transfers under Indian law may be subject to both country specific, as well as sector-specific restrictions.
While secondary legislation is expected to provide more guidance, given increased tensions with respect to countries sharing land borders with India, companies with data flows to such countries may need to think about how to move personal data if transfers to some of these countries are blocked.
How are lawful bases for processing of personal data different?
Under the DPDPA, personal data can only be processed lawfully if: (i) the data principal has provided consent; or (ii) data being processed for a ‘legitimate use’.
This contrasts with the GDPR, which provides a longer list of lawful bases for the processing of personal data, including processing for purposes of a contract, and processing in the legitimate interests of the data controller. This could mean that the GDPR lawful bases cover a larger number of processing activities than may be available under the DPDPA.
With respect to consent, the threshold for valid consent under the DPDPA is only slightly less onerous than that under the GDPR. Both the GDPR and the DPDPA require “free, specific, informed, unambiguous, and affirmative” consent. However, unlike GDPR, consent under the DPDPA will likely not need to be granular, although further guidance is expected in the rules. Similarly, while detailed rules on the form of consent and privacy notices are yet to be published, it is expected that privacy notices will need to set out the purposes for processing on a granular basis but the actual act of providing consent (for instance, by ticking a check box) may not need to be granular – arguably easing the compliance load.
In addition, language in the DPDPA suggests that even having clear consent is not necessarily carte-blanche for all kinds of processing. In particular, express purpose-specific consent may still not be sufficient if the processing activity is not considered “necessary” for the consented purpose.
The DPDPA also provides for specific retention periods to be prescribed, and data collected will be deemed to be no longer relevant after expiry of such retention periods, even where consent has been collected to allow for a longer retention period.
With respect to the other lawful basis (‘legitimate use’), the DPDPA sets out a list of pre-defined legitimate uses, which include personal data voluntarily provided for a specified purpose, emergency care, compliance with law, certain employment related purposes, loan recovery, court approved M&A, legal and state use, etc.. However, several of these uses are narrowly defined, and private entities operating in India are therefore likely to have to largely rely on clear, purpose-based, revocable consent for their processing.
How are the data principal rights different?
Whilst the DPDPA has introduced a comprehensive set of data principal rights, there are several distinctions from the GDPR that organisations will need to be aware of.
Under the DPDPA, data principals have:
- an absolute right to receive data breach notifications (regardless of harm);
- a right to seek erasure of personal data and this right is only subject to: (1) necessity for the specific purpose for which personal data was collected; and (2) applicable law;
- a right to escalate to the Data Protection Board if grievances are not resolved within a time period which will be prescribed (previous iterations provided for seven days);
Certain data subject rights under the GDPR, such as the right to data portability, and right against automated decision making are not expressly provided for under the DPDPA.
Data principals in India can also engage ‘consent managers’ (who are third parties that will need to be registered with the Data Protection Board) to administer and manage consents and personal data on their behalf. This is a unique concept that GDPR compliant organisations may not be familiar with. Whilst Article 80 of the GDPR does provide for data subjects to be represented by not -for -profit bodies, the Indian concept of consent managers goes further. Empowered through economies of scale and mandatory interoperability, consent managers may lead to an ecosystem where data principal rights are more actively enforced.
Enforcement
Whilst the GDPR drew on the Charter of Fundamental Rights of the EU and the previous Data Protection Directive, the DPDPA is a legislative expression of the fundamental right of privacy which was laid out by the Supreme Court in 2017.
The DPDPA establishes a new data protection regulatory authority in the form of the Data Protection Board. However, the scope of the Data Protection Board is focused on adjudicating grievances and penalising data breaches. This is in contrast to national supervisory authorities in Europe (and in the UK) that have a broad regulatory mandate, including rulemaking, and other administrative functions.
Under the DPDPA, all rule-making powers lie with the Indian government, which has indicated strong preferences for simplicity and business friendliness. This will likely mean a simpler, less granular, more principles-based regime in India, with a resultant increased scope for interpretation and possibly uncertainty.
The DPDPA provides for significantly higher penalties than existing Indian law, and fines of up to INR 250 crores or around GBP 25 million can be levied under the new regime. The fines are penal instead of compensatory and are credited to the Consolidated Fund of India. Further, uniquely Indian concepts in the form of alternate dispute resolution, including, electronically, and voluntary undertakings by data fiduciaries are set out under the DPDPA. The DPDPA also permits the Government to block access by the public to any information (potentially including websites and applications) which may be used by the data fiduciary to offer products and services in India for repeat offenses.
The DPDPA is a substantially distinct regime from the existing SPDI Rules and represents a very significant step-up for the Indian data protection framework. Consequently, in a market where examples may need to be made to ensure compliance with a novel regime, and ‘bans’ on websites are not uncommon, entities should expect more aggressive hands-on regulation, moving beyond black letter law, by both the Data Protection Board and sector-specific regulators like the Reserve Bank of India.
Key takeaways
Although the DPDPA has been enacted, it has not yet come into force. A lot of the detail under the legislation will be specified through the rules that that are yet to be published. It is expected that the DPDPA will then be implemented in a phased manner.
Although there are similarities to GDPR concepts and principles which will not be completely alien to international organisations familiar with European and UK-based compliance, the enacted version of the law is not a carbon copy of the GDPR and there are important differences which will need to be carefully considered. For multi-nationals, this is another example of one size not fitting all when it comes to global data protection compliance.