Analysis of the Digital Personal Data Protection Act, India’s New Personal Data Protection Law

Banner - Analysis of the Digital Personal Data Protection Act - India

On August 11, 2023, India passed a bill for the protection of digital personal data, the Digital Personal Data Protection Act (hereafter “DPDP”). This Act replaces a relatively old body of rules consisting of the Information Technology Act (Section 43A) 2000 and the Information Technology Rules 2011.

NB: to date, the DPDP has not yet come into force, and the Indian Executive has not given any precise indication on this point. It is assumed that implementation will be announced and will take place during the 2nd half of 2024, after the 2024 general elections in India.

While the general scheme introduced by the law of August 11, 2023 has certain similarities with the GDPR, it departs from it on major points. Moreover, the DPDP is planned to be supplemented on a number of subjects by specific rules or guidelines.

The law is based on seven general principles, namely: consent and transparency; purpose limitation; data minimization; data accuracy; limited retention period; data security; and responsibility of actors.

Scope

The DPDP governs the processing of digital personal data, i.e. data collected digitally or digitized following non-digital collection, which makes it possible to identify individuals. The notion of “personal data” in the DPDP is based on the criterion of identifiability of individuals, without consideration of nationality or residence, as is the case for the GDPR. On the other hand, the DPDP applies indiscriminately to all personal (digital) data without distinction; there are no special categories of data.

Processing carried out for personal or domestic purposes and processing concerning personal data that are public or made accessible to the public, are excluded from the material scope of the law.

To these two exclusions must be added the numerous exemptions – total or partial – provided for by the DPDP, foremost among which are the exemptions enjoyed by government institutions and other exemptions applicable to specific processing activities. These include, for example, processing for research, statistical or archival purposes. There is also the “outsourcing exception”, a derogation that benefits operators in India who process the personal data of individuals located outside the country under a contract with a partner also located outside the country.

As regards territorial scope, Indian law has adopted the extraterritorial approach of the GDPR, since it applies to data processing carried out in India, as well as to processing carried out outside the country, insofar as they relate to the supply of goods and services to persons on Indian territory. Contrary to the GDPR, the profiling of individuals is not envisaged.

Lawfulness

To be lawful under the DPDP, the processing of personal data must pursue a lawful purpose, i.e. any purpose not expressly prohibited by law, and be founded on one of two legal bases: the consent of the data subjects (“data principals”) or a legitimate use.

The choice of legal basis has a direct impact on the rights and obligations of the parties involved in the processing operation, since the DPDP requires that the rights of data subjects, including the right to information, be implemented only in the case of processing operations based on consent (and in cases where the data subject voluntarily submits the data).

Information and consent

The DPDP requires the data controller to inform the data subject and obtain his or her consent at the time of or prior to the processing of his or her personal data.

NB: in the case of a person who consented to the processing of his or her data before the DPDP came into force, the data controller is required to inform the person “as soon as reasonably possible”.

The information notice accompanying the collection of the data subject’s consent must contain the following:

  • The personal data to be processed and the purpose of the processing;
  • How the data subject can exercise his/her rights;
  • How to lodge a complaint with the supervisory authority.

The characteristics of the consent to be obtained are similar to those set out in the GDPR; it must be “free, specific, informed, unequivocal and unambiguous” (with one notable constraint being the obligation to be able to provide the request for consent in the 22 languages recognized by the Constitution).

The DPDP introduces an original system for managing consent through “consent managers” registered with the supervisory authority, who act as a single point of contact between data controllers and data subjects for all matters relating to consent (granting, revision and withdrawal). The conditions required for a company to register as a consent manager have yet to be specified.

Legitimate uses

Consent is not systematically required, as personal data can also be processed for a whole range of legitimate uses listed by law.

Legitimate uses include the voluntary transmission of data by the data subject without opposition to its use; compliance with any legal obligation to disclose data to public authorities; a medical emergency involving a threat to life or an immediate threat to health; the need to ensure safety or provide assistance or services in the event of a disaster or disturbance of public order, and so on.

Obligations of data processing actors

The DPDP governs the activities of data controllers and data processors.

The data controller’s obligations are as follows:

  • comply with the provisions of the DPDP, whether the processing is carried out by the controller itself or by a processor, even in cases where the data subject fails to comply with its own obligations;
  • implement appropriate technical and organizational measures to ensure compliance with the law (the DPDP does not impose or specify any such measures);
  • guarantee the accuracy, completeness and consistency of personal data when such data is processed for the purpose of making a decision that affects the data subject, or when it is likely to be transmitted to another controller;
  • protect personal data in its possession or under its control by taking reasonable security measures to prevent data breaches (the DPDP neither prescribes nor recommends the standards to be implemented);
  • in the event of a personal data breach, notify the supervisory authority and each data subject (in a form and according to procedures yet to be specified);
  • where applicable, publish the professional contact details of the Data Protection Officer (DPO), or of a person able to respond on behalf of the controller to questions from data subjects about the processing of their data (publication in a form to be specified);
  • subject to compliance with the law, erase data and, where applicable, require their erasure by the data processor when the data subject withdraws his consent or when the intended purpose has been achieved.

The DPDP proves to be more pragmatic than the GDPR by distinguishing data controllers according to, among other things, the volume and sensitivity of the data processed, the risk incurred for individuals, or even the potential impact of the processing activity on the country’s sovereignty and integrity.

Thus, “significant data fiduciaries” (controllers) have stronger obligations: they must for example appoint a DPO (who must be based in India), carry out regular data protection impact assessments, and appoint an independent auditor to assess compliance with the DPDP.

Conversely, data controllers of minor importance, such as start-ups, may be exempted from certain legal requirements.

Framework for contractual relations

The data controller may use the services of a data processor to process personal data on its behalf for any activity connected with the supply of goods and services to the data subject.

In this case, the DPDP requires that a valid contract be concluded between the parties but does not provide for any specific stipulation that must be included in this contract.

As a matter of principle, the data controller is held responsible for ensuring compliance with the law, regardless of any contractual stipulations that may be adopted with any subcontractor.

Rights and duties of data subjects

The DPDP guarantees the right to information, access, correction and deletion of data to those who consent to the processing of their data, or to those who voluntarily submit their data without expressing any opposition to its use.

Furthermore, consent can be withdrawn at any time, and data controllers must ensure that the process of withdrawing consent is as simple as the process of collecting it. Once consent has been withdrawn, the data must be deleted (unless there is a legal obligation to retain it).

The DPDP also provides for two other rights for data subjects: the right to “grievance redressal”, which requires the data controller to designate an easily accessible point of contact to respond to complaints (data subjects are obliged to use this facility before they can lodge a complaint with the supervisory authority), and the right to appoint a representative to exercise rights in the event of death or incapacity.

Finally, contrary to most data protection laws currently in force, the DPDP imposes certain duties on data subjects, under penalty of fine (for example, a ban on filing spurious claims or complaints).

Cross-border data transfers

In contrast to the GDPR, the transfer of personal data is permitted by default to all countries, with the exception of those that will be expressly prohibited by the Indian authorities. The criteria used to restrict transfers to certain countries are not specified in the law.

It should be noted, however, that certain sector-specific laws (e.g. in the banking or telecommunications sectors) already restrict the cross-border flow of certain data.

Controls and sanctions

The Data Protection Board of India, a supervisory authority created by the DPDP, is vested with the power to receive complaints, monitor and sanction non-compliance and data breaches. It does not, however, have the power to issue soft law rules, guidelines, etc.

The fines provided for under the DPDP sanctions regime are listed in the schedule attached to the law and can reach the equivalent in rupees of around 25 million euros (in cases of data breaches occurring in the absence of sufficient security measures).

DPDP and artificial intelligence

Certain provisions of the DPDP are compatible with AI learning from personal data.

For example, the law excludes from its application most publicly accessible personal data (provided it has been made public by the data controller, or by another person legally obliged to publish said data). Similarly, the law exempts the processing of personal data required for research or statistical purposes (except where the processing activity in question is used to make a specific decision concerning the individual).

Furthermore, the DPDP does not provide for a right not to be subject to a decision based exclusively on an automated process in the manner of the GDPR; it simply requires that personal data used to make individual decisions – which may include automated or algorithmic decisions -, be accurate, consistent and complete.

Conclusion

After much debate, the Indian legislator has succeeded in adopting a modern and intelligible law, which lays down the broad outlines of a general data protection system. Unfortunately, the law’s generality and conciseness are also its weaknesses. To date, in fact, the law remains imprecise, due to the many subjects that have been deferred to later additions, leaving an impression of unfinished business.

As far as the substance of the matter is concerned, the Indian legislator can be criticized for making timid choices with regard to the issues at stake in such a regulation – in particular, with regard to the rights of individuals and the principle of transparency, which are essentially confined to processing based on the consent of individuals. Similarly, the choice of two legal bases in all is too limited. Finally, it is regrettable that the supervisory authority created by the law is unable to create soft-law, which condemns the system to a certain inertia.

However, the most pressing criticism of the DPDP is undoubtedly the numerous derogations provided for in the law, which give rise to heterogeneous, mixed regulations and relative legal uncertainty. The very broad exemptions granted to public authorities give rise to fears of uncontrolled state surveillance.

We’ll have to wait for the supplements to the law to be enacted by the Indian government, to get a clearer picture of the new data protection system and whether the weaknesses mentioned can be overcome.

Alexis Chauveau Maulini Manager