Share :
Introduction
India has passed a comprehensive data protection law – the Digital Personal Data Protection Act, 2023 (the “Act”). The Act establishes the foundation for the updated data protection system. Additional guidelines will be provided by the Central Government over time to compliment this framework. The Act replaced Section 43A of the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), which have been India’s data protection framework until now.
The Act introduces robust provisions concerning notice and consent obligations, delineates the permissible legitimate uses for processing personal data without explicit consent, establishes an appellate tribunal for grievance redressal, and imposes enhanced responsibilities upon data fiduciaries when handling the data of children, among other changes.
Scope of the Act
The Act governs data fiduciaries (i.e. data controllers), data processors, and data principals (i.e. data subjects). The Act applies to personal data capable of identifying the data principal, which is either collected digitally or digitized after it is collected non-digitally. Personal data processed for personal or domestic purposes or aggregated personal data collected for research and statistical purposes which is not used for any decision specific to a data principal are excluded from the Act. The Act applies to data that is processed within the Indian Territory or, if processed outside, is in connection with any activity relating to the offering of goods and services to individuals within India. However, the Act does not apply to entities outside India that monitor the behavior of data subjects within India.
The Act applies uniformly to all types of digital personal data. There are no additional controls on processing sensitive personal data (as identified under the SPDI Rules) or critical personal data (as was proposed in an earlier iteration of the draft data protection law). The Act contains a more limited concept of privacy. Where a data fiduciary needs to rely on consent to process personal data, that consent should be free, specific, informed, unconditional, and unambiguous.
Consent is not always needed and data fiduciaries may also process personal data for certain ‘legitimate uses’. This includes processing for:
- Specified purposes for which the data principal has voluntarily provided her/his data, and has not indicated her/his objection to use such personal data for that purpose;
- Fulfilment of any legal/judicial obligations of a specified nature;
- Medical emergencies and health services, breakdown of public order; and
- Employment.
The provisions of consent (and certain other obligations) will also not apply to data fiduciaries when processing is necessary for mergers, demergers, and other schemes and for assessing financial liabilities in case of payment defaults (among other things).
Applicability
The Act governs the processing of digital personal data within India in two scenarios:
- When such data is collected from data principals in digital format; or
- When initially collected in non-digital form and subsequently digitized. Thus, the Act shall not apply to the processing of personal data in non-digitized form. It is clearer and narrower than the 2022 Bill, did not apply to ‘non-automated’ processing and ‘offline’ data.
Moreover, the scope of the law has been extended and now has an extra-territorial application, to encompass the processing of digital personal data beyond India’s borders if it pertains to the provision of goods or services to data principals located within India. The Act does not explicitly address whether its provisions apply to the processing of personal data belonging to data principals situated outside India.
Unlike the General Data Protection Regulation (“GDPR”), which confines its applicability to processing the personal information of individuals physically present within the European Union or EU citizens, the Act adopts a broader approach. It does not limit the definition of ‘data principal’ to individuals within India’s boundaries or solely to Indian citizens. This could potentially lead to ambiguity regarding the full scope of the Act’s jurisdiction. The resolution of this ambiguity concerning the Act’s extraterritorial application hinges on the interpretation that the Central Government eventually provides, most likely in the rules that would be framed under the Act.
How we can help?
By offering the following services, our team can help organizations comply with the Act:
- Our team can assist by undertaking a comprehensive analysis of the organization’s data privacy standards. This evaluation will assist in identifying the areas where the organization needs to make improvements to adhere to the rules.
- Our team of professionals can assist in creating a thorough privacy policy that complies with the Protection Act’s standards. This policy will ensure accountability and openness.
- Our team can assist in setting up solid consent management systems which includes putting in place procedures that allow people to withdraw their consent if they so want quickly.
- Our professionals can assist in developing a data breach response plan. This plan will detail the actions to be done to lessen the effects of a breach, notify those who might be impacted, and adhere to legal requirements.
For more information or queries, please email us at
[email protected]