India Digital Personal Data ProtectionAct 2023 - All You Need to Know

India, one of the most populous countries in the world and one of the world's largest economies, has a new personal data protection law. The law was published in the Official Gazette in August 2023 and will come into force in 2024.

The law will be rolled out in multiple phases, with India DPDP Phase 2 introducing more granular obligations for significant data fiduciaries and cross‑border transfers.

What is the India Digital Personal Data Protection Act (DPDPA) 2023?

The India Digital Personal Data Protection Act (DPDPA) 2023 is India's first comprehensive data protection law. 

It was published in the Official Gazette on 11 August 2023, but the exact date of its coming into force is yet to be announced by the government.

Does the India DPDPA Apply to Your Business?

The India DPDPA applies to all businesses that operate from India and to all businesses that target Indian customers.

The DPDPA clearly states that the law applies to the processing of personal data within the territory of India, where the personal data is collected:

• in digital form; or
• in non-digital form and digitized subsequently.

It also applies to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to data principals within the territory of India.

It is important to note that the law does not apply to many Indian companies that provide outsourcing services. These companies process data in India, but it has been collected abroad and does not affect data principals from India. Therefore, it may not apply to them.

Here are some examples of businesses that are likely to be subject to the DPDPA:

• E-commerce companies that sell goods or services to Indian customers
• Social media platforms that have Indian users
• Financial institutions that have Indian customers
• Healthcare companies that have Indian patients
• Technology companies that collect data about Indian users

What is Personal Data Under the India DPDPA?

Personal data is defined as "any data about an individual who is identifiable by or in relation to such data." This is the same definition of personal data that is used in other laws around the world.

Unlike these laws, however, the Indian one does not have a definition of sensitive personal data. As a result, it does not provide additional protection to such data.

What Are Data Fiduciaries, Data Processors, and Data Principals?

• A data fiduciary is the person or entity that decides on the processing of data. This is also known as a data controller in many parts of the world.
• A data processor is the person who processes personal data on behalf of the data fiduciary.
• A data principal is the individual whose personal data is being processed. This is also known as a data subject in the GDPR.

The Indian data protection law also introduces the concept of a significant data fiduciary. This is defined as "any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10." The government has not yet announced which companies will be considered significant data fiduciaries, but it is likely that these will be big companies that process vast amounts of personal data.

What Are the Duties of Data Fiduciaries?

Data fiduciaries have numerous obligations under the DPDPA. The most important of them include:

• Obtaining explicit user consent unless the data can be processed on another legal basis.
• Using the personal data only for the purpose it has been collected for.
• Where the personal data has been collected before the commencement of the DPDPA, to provide data principals with a privacy notice informing them about the processing, the privacy rights, and the appeal process.
• Ceasing to process data of a person who has revoked consent.
• Honoring data principal requests to exercise their rights.
• Implementing appropriate technical and organizational measures for data security and protection.
• Deleting personal data that is no longer needed or data of a person who has revoked consent.
• Publishing the contact information of the Data Protection Officer, if applicable.
• Not tracking children for advertising purposes or behavioral monitoring.
• Not processing children's data without parental consent and not processing children's data for any purpose if such processing can be damaging to children.

Data processors, on the other hand, must only process data on written instructions of the data fiduciary and remove data upon the data fiduciary's instructions.

What Are the Rights of Data Principals?

Data principals have the following rights:

• To be informed about the processing of their personal data.
• To access their personal data.
• To have their personal data corrected.
• To have their personal data updated.
• To have their personal data erased.
• To nominate another person to exercise their data privacy rights.
• To submit a grievance to the Data Fiduciary.

They can exercise their rights by the methods prescribed by the data fiduciaries. Once submitted, the data fiduciary must honor the request.

In addition to that, the data fiduciary must establish an effective mechanism for grievances by data principals.

These rights and obligations will be further operationalized in India DPDP Phase 2, especially through enhanced consent‑manager and breach‑notification rules.

Do You Need to Obtain Consent for Data Processing Under the India DPDPA?

The India DPDA requires obtaining explicit users' consent unless you can process the data based on another legal basis.

The consent must be:

• Free: The user must not feel coerced or pressured to give consent.
• Unconditioned: The consent cannot be made conditional on anything else, such as providing a product or service.
• Unambiguous: The user must be clear about what they are consenting to.
• Specific: The consent must specify the purpose for which the data is being collected and processed.
• Informed: The user must be given enough information about how their data will be used so that they can make an informed decision about whether to consent.

The consent request must be in any of the official languages in India and written in plain language that is easy to understand.

The user has the right to revoke their consent at any time.

The other bases include cases where individuals voluntarily provide personal data to the data fiduciary and do not necessarily imply that they do not want their data to be processed. This may involve providing data for the purpose of receiving a product, obtaining customer support, or similar situations.

What is a Consent Manager and Do You Need to Appoint One?

A consent manager is a person who acts as a single point of contact for individuals to give, manage, review, and withdraw their consent to the processing of their personal data. The consent manager must be registered with the Data Protection Board of India (DPB) and must meet the requirements prescribed by the DPB.

Here are some of the key functions of a consent manager:

• Act on behalf of the data principal and protect their interests
• Ensure that the consent process is fair, transparent, and accessible
• Keep records of all consents given, managed, reviewed, and withdrawn

Whether or not a company needs to appoint a consent manager will depend on the specific circumstances of the company and the nature of the data processing activities. However, it is generally advisable for companies to appoint a consent manager to ensure that they are compliant with the India DPDPA.

Do You Need to Appoint a Data Protection Officer?

Not all businesses are required to appoint a Data Protection Officer (DPO). You only need to appoint one if you are a "significant data fiduciary," but we don't yet know what data fiduciaries will be considered to be significant.

Once we know more about this, the significant data fiduciaries will have to appoint a DPO who:

• Is based in India
• Is responsible directly to the Board of Directors or a similar body
• Represents the significant data fiduciary in India
• Is a contact point for a grievance redressal mechanism
  

Do You Need to Conduct a Data Protection Impact Assessment Under the India DPDPA?

Only the significant data fiduciaries are required to conduct a Data Protection Impact Assessment (DPIA).

For all other organizations, it is a good practice that could lead to improved data protection for customers and reduce the risk of penalties.

Can You Transfer Personal Data Outside of India?

The India DPDPA allows free data transfers outside of India unless the government has ruled that data shall not be transferred to a specific country or organization.

Unlike the GDPR, which prescribes that data must not be transferred abroad unless sufficient protections are guaranteed, Indian law allows all transfers as long as the government does not decide that a specific country could pose a risk. Understand the differences between the GDPR and DPDPA.

What to Do In the Case of a Data Breach?

In the case of a data breach, companies must inform the DPB and the affected individuals about the breach. The DPB may then propose measures for mitigating the breach.

Who Enforces the India DPDPA and What Are the Penalties?

The DPB enforces the law. They investigate any violations and determine responsibility. The DPDP Act penalties can range from INR 10,000 (USD 120) to INR 250 crore (USD 30.2 million). The exact amount within this range is determined by the DPB, depending on the nature of the offense.

Here are some additional things to keep in mind about data breaches in India:

• Companies must report data breaches to the DPB within 72 hours of becoming aware of the breach.
• The DPB may order companies to take steps to mitigate the effects of a data breach, such as notifying affected individuals and providing them with credit monitoring services.
• Individuals who are harmed by a data breach may be able to sue the company for damages.