August 2023, Client Alert

The Digital Personal Data Protection Act, 2023: Key Highlights

The Digital Personal Data Protection Act, 2023 (“DPDP Act”) has been passed by both the Houses of the Parliament and has now received Presidential assent. It was notified in the official gazette on 11 August 2023 for general information. Sub-section 1(2) of the DPDP Act clarifies that it will come into force on such date as the Central Government would appoint by notification in the official gazette, with different dates being appointed for different provisions. 

Framework

The DPDP Act will replace Section 43A of the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), which together have been India’s data protection law until now. The framework of the law will comprise the DPDP Act along with rules issued by the Central Government. 

Power to make rules: The Central Government will have the power to make rules on specified subjects (a total of 26 items) to supplement the DPDP Act (subject to the Parliament’s power to modify or nullify such rules) and will also have a limited power to amend the penalty schedule. Some of these subjects include specifying/ clarifying the manner of: 

  1. notice given by data fiduciaries (equivalent to data controllers under the GDPR) to data principals (equivalent to data subjects under the GDPR); 
  2. registration of consent managers; 
  3. intimation of personal data breaches; 
  4. publishing the contact information of data protection officers; 
  5. obtaining verifiable consent in cases of children’s personal data; and
  6. requesting for information, erasure of personal data, or nomination of another person by data principals to data fiduciaries.  

Therefore, much of the detail in relation to the DPDP Act and the steps for its implementation will only be clear when the rules are issued. There is no information on whether the Government has prepared an initial draft of these rules or when they will become available.

Adjudication

The Data Protection Board of India (“Board”) is the adjudicatory body under the DPDP Act. Appeals against the orders of the Board will lie before the Telecom Disputes Settlement and Appellate Tribunal (“Appellate Tribunal”), and further before the Supreme Court of India (“SC”). The process of adjudication has been set out in detail in #9 below.

Set out below is a summary of the key requirements of the DPDP Act: 

Scope and applicability – to regulate processing of digital personal data 

The DPDP Act is applicable when data fiduciaries process digital personal data, where such personal data, capable of identifying an individual, is either collected in digital form or is digitised after it is collected non-digitally. 

  • Exclusions: The DPDP Act does not apply to non-personal data. Further, personal data (i) processed for a personal or domestic purpose or (ii) made publicly available by the concerned data principal or by another person obligated under law to make such data public, is excluded from the ambit of the DPDP Act.  
  • Territorial application: The processing of personal data must be within the Indian territory or, if outside, should be in connection with any activity related to the offering of goods and services to individuals within the Indian territory. The DPDP Act has done away with the extra-territorial application to profiling of data principals within India which had been proposed in the Digital Personal Data Protection Bill, 2022 (“2022 Draft Bill”).
  • Categorisation of personal data: One significant change introduced in the DPDP Act is that it does not categorise data under different heads (e.g., sensitive personal data (as identified under the SPDI Rules) or critical personal data (as was proposed in an earlier iteration of the draft data protection law)) depending on the sensitivity of the personal data. The requirements under the DPDP Act apply to all personal data in digital form, unlike the SPDI Rules where additional obligations applied only in respect of sensitive personal data and information. Complying with the DPDP Act will require organisations to implement the same requirements in respect of all types of personal data. 

Notice, consent and processing for certain ‘legitimate uses’ 

  • Purpose and the principle of necessity: Processing of personal data should be for a lawful purpose, having been consented to by data principals, unless the processing is for certain ‘legitimate uses’. The processing should also be necessary for the specified purpose.
  • Notice: Data fiduciaries are required to provide a clear and itemised notice, the manner of which will be prescribed by the Government by way of rules, to accompany or precede a request for consent, informing data principals of the purpose of processing their personal data, the manner in which data principals may exercise their rights under the DPDP Act and the manner in which they may make a complaint to the Board. The notice has to be given in all the languages mentioned in the Eighth Schedule of the Constitution of India, i.e., a total of 22 languages. For processing that has been consented to before the DPDP Act comes into force, data fiduciaries will be required to give the above information to data principals as soon as practicable.
  • Consent: Affirmative consent to the processing of data for a specified purpose should be free, specific, informed, unconditional and unambiguous. Data fiduciaries will have to be careful while setting out the ambit of specified purpose/ grounds for processing. Data fiduciaries may continue to process personal data until data principals withdraw their consent.
  • Consent managers: They are entities registered with the Board, acting as a single point of contact enabling data principals to give, manage, review and withdraw their consent to data fiduciaries through an accessible, transparent and interoperable platform. Data fiduciaries will be required to implement a system to enable consent managers to act on behalf of data principals. Consent managers will be accountable to the data principals; however, the manner of accountability, the obligations of consent managers, the manner of and conditions related to their registration will be clarified by rules to be issued by the Central Government. 

Exceptions from consent – Processing for ‘legitimate uses’

Data fiduciaries may also process personal data for certain ‘legitimate uses’. The following are the exceptions to obtaining consent:

  1. for specified purposes for which the data principal has voluntarily provided her personal data, and has not indicated her objection to use such personal data for that purpose;
  2. to fulfil any legal obligation in relation to disclosure of information to State/ State instrumentalities;
  3. to comply with judgment, decree or order, including orders relating to contractual or civil claims under laws outside India;
  4. for medical emergencies (involving a threat to the life/ health of the data principal or another individual) and health services (during an epidemic, outbreak of disease, threat to public health), breakdown of public order (including services provided during any disaster); 
  5. for employment/ safeguarding the employer from loss or liability.  

Processing of personal data pursuant to a data principal’s deemed consent in ‘public interest’ has been removed in the DPDP Act, as compared to the 2022 Draft Bill.

  • Other exceptions: The provisions of consent (and certain other provisions of the DPDP Act) will also not apply to data fiduciaries when processing personal data is necessary for (a) enforcing any legal right, (b) exercising judicial, quasi-judicial, regulatory or supervisory functions, (c) investigation of offences, (d) mergers, demergers and other schemes, and (e) assessing financial liabilities in cases of payment defaults. 
  • Exceptions from consent to State/ State instrumentalities: Applicable in relation to any benefit, service, certificate, license or permit, for which the data principal has previously given her consent to process personal data; and for the performance of any legal function or in the interest of security, sovereignty and integrity of India.  
  • Under current laws, consent for processing was only required for sensitive personal data and information and not all types of personal data. The DPDP Act will now require organisations to revisit their grounds for processing to determine whether the processing can be justified as any ‘legitimate use’ or if consent will need to be obtained. Additionally, the threshold for consent is very high and the data fiduciary will need to establish that the consent obtained meets these thresholds.

Data fiduciaries and significant data fiduciaries: Key obligations

Below are the key obligations of data fiduciaries (which also apply in respect of processing carried out on their behalf by data processors engaged under a valid contract):

  1. Compliance: With the DPDP Act, including by employing technical and organizational measures. 
  2. Accuracy: Ensure accuracy, consistency and completeness of personal data. Again, the onus is on the data fiduciary to ensure that the personal data it holds about a data principal satisfies this requirement. 
  3. Erasure: Erase personal data from its records once the consent is withdrawn or purpose is fulfilled and retention is no longer required for compliance with any law.
  4. Grievance Redressal: Establish an effective grievance redressal mechanism by publishing details of a data protection officer/ any person who can answer questions about processing of personal data. The responsibility to respond to complaints within 7 days (or lower, as prescribed) has been removed in the DPDP Act. Further information on the time period to respond to grievances will be provided for by way of rules.
  5. Data Security: Employ reasonable security safeguards to prevent personal data breaches and intimate any such data breach to the affected individual (introduced by the 2022 Draft Bill) and the Board. There is no provision yet on the timeline to report such a breach, but the Government is expected to issue rules on the form and manner of such intimation of breaches to the Board. The current obligation on regulated entities is to report cyber incidents to the Indian Computer Emergency Response Team (“CERT-In”) within 6 hours. 

Data fiduciaries will need to revisit their existing processes and implement mechanisms to ensure compliance. 

Overlap – Reporting obligations to the Board and CERT-In

The DPDP Act fails to address a regulatory dilemma – whether companies will be reporting data breaches to the Board or to CERT-In (the nodal agency to address cyber incidents, under Section 70B of the IT Act and associated rules and directions). Under those directions, companies are mandated to report cyber incidents to CERT-In within 6 hours. 

Significant data fiduciaries 

The Central Government can notify companies as ‘significant data fiduciaries’, based on factors like the volume and sensitivity of the personal data processed, the risk to the rights of data principals, and the potential impact on democracy and security. Organisations which routinely deal with large volumes of individual personal data (banks, telecom companies, insurance companies) should assume that they would fall under this category. 

  • Additional obligations of significant data fiduciaries: (i) Appoint a data protection officer based in India; (ii) Appoint an independent data auditor to conduct periodic audits; and (iii) Conduct data protection impact assessments (a process to assess the risk to the rights of data principals).  

Rights of data principals

The rights of data principals are: 

  1. Access to information (such as, the summary of the personal data and the processing activities, the names of data fiduciaries their personal data has been shared with). This would imply that data fiduciaries have the corollary duty to maintain and provide to data principals such information, as and when requested, in a sensible manner;  
  2. Nomination; 
  3. Correction, completion, updating and erasure; and 
  4. Grievance redressal (from the data fiduciaries and consent managers before the Board).  

Data principals’ right to data portability has been done away with.

Duties of and penalties on data principals 

The DPDP Act imposes duties on data principals such as compliance with applicable laws while exercising their rights, not impersonating another person, not suppressing material information and furnishing only verifiably authentic information while providing personal data, and not registering any frivolous complaints. Non-compliance may attract a penalty of up to INR 10,000. While the sentiment behind the provision is likely to avoid misuse, a provision such as this is likely to make a data principal wary of exercising his or her rights for fear of being penalised. 

Processing children’s personal data

Processing of children’s data (below 18 years, or such age, as may be notified) or data of a person with disability unable to give consent, under the DPDP Act, requires verifiable consent from parents/ lawful guardians, and such processing cannot be used to track or monitor children, direct targeted advertising at them or cause a detrimental effect on their well-being. 

Data localisation and cross-border data transfers 

  • The DPDP Act does not prescribe requirements of data localisation. However, data localisation requirements that apply under other laws (e.g. imposed by the RBI on banks and other payment service providers) will continue to apply and accordingly organisations will need to adhere to data localisation requirements applicable under their sector specific laws. 
  • The DPDP Act permits cross-border data transfers to all countries, unless restricted by the Central Government by notification, as compared to the 2022 Draft Bill permitting data transfers only to countries falling within a government white list. This is a significant liberalisation from the proposals in the earlier iterations of the bill, which were focussed on data localisation and restricting cross-border transfers of data from India.

Data Protection Board of India and the adjudication process

  • Establishment and structure of the Board: A ‘digital by design’ Board will be established as a body corporate by a Central Government notification. The Board will have a chairperson and such number of members, including an expert in the field of law, as may be prescribed by the Central Government. The Central Government will appoint the chairperson and members of the Board for a period of two years, subject to re-appointment, and the salary and other terms and conditions of service will be prescribed by the Central Government. The DPDP Act also specifies, inter alia, the powers of the chairperson and the conditions for disqualification or resignation of the chairperson or members. 

While the 2022 Draft Bill empowered the Central Government to appoint only the chairperson of the Board, the DPDP Act goes further by providing the Central Government with the power to appoint all members of the Board. This, along with the appointment period of 2 years for members of the Board, raises questions in relation to the independence of the Board and might render the Board susceptible to executive interference. This could pose a problem for data transfers into India, especially in view of the Schrems decisions in the EU. 

  • Functions of the Board: The Board has the power to, inter alia, (i) direct any urgent remedial or mitigation measures, inquire into, and impose penalties, upon being intimated of a personal data breach by a data fiduciary; (ii) inquire into and impose penalties upon a complaint made by a data principal in relation to a personal data breach, a breach of the obligations of a data fiduciary or consent manager, or the exercise of her rights under the DPDP Act; (iii) inquire into any breach of a condition of registration of a consent manager and impose penalties; and (iv) inquire into any failure by an intermediary to furnish information to the Central Government and impose penalties, on a reference made by the Central Government. The Board is designed to function as an adjudicatory body and does not have regulatory functions. This differs from previous iterations of the legislation in 2019 and 2021, which tasked the data protection authority with regulatory functions as well. The Board shall have the same investigative powers as a civil court. However, it has not been given the authority to prevent access to any premises or to take any equipment into custody, powers which could have hindered the daily functioning of an entity. No civil court will have jurisdiction to entertain any proceedings or issue injunctions in respect of matters falling within the purview of the Board. 
  • Alternative Dispute Resolution: The Board may direct parties to attempt resolution of disputes through mediation. The mediator may be determined by the parties to the dispute; this is a departure from the 2022 Draft Bill, which required the Board to designate a body or group of persons as mediators. Giving flexibility to the individuals involved may increase the speed at which these matters are addressed. 
  • Voluntary undertakings: The Board has the power to stop proceedings for non-compliance in case the violating entity undertakes to perform or refrain from performing certain actions and/or to publicise such undertaking, i.e. such entity provides a voluntary undertaking. The terms of the voluntary undertaking may be varied post facto by the Board with the consent of the violating entity. Acceptance of a voluntary undertaking by the Board constitutes a bar on proceedings against the violating entity, unless the violating entity breaches the terms of the voluntary undertaking. 
  • Appeals: Appeals from decisions of the Board will lie to the Appellate Tribunal. The appeal should be preferred within 60 days of the impugned order, and the manner and procedure of the appeals process is expected to be prescribed by the Central Government through rules. The Appellate Tribunal is required to resolve any dispute as expeditiously as possible, within 6 months from the date of the appeal. Any delay beyond this period is required to be explained by the Appellate Tribunal through reasons recorded in writing. Orders of the Appellate Tribunal will be executable as decrees of a civil court, and the Appellate Tribunal shall have all the powers of a civil court for enforcement of its orders. Orders of the Appellate Tribunal may be appealed to the SC.

Penalties – No compensation and no criminalisation 

  • Breaches and non-compliance of the provisions of the DPDP Act may be penalised. Any amounts realised by way of penalties will be credited to the Consolidated Fund of India.
  • The Board is required to consider factors such as the (i) nature, gravity and duration of the breach; (ii) type and nature of personal data affected by the breach; (iii) repetitiveness of the breach; (iv) the realisation of a gain or loss due to the breach; (v) steps taken for mitigation of the breach; and (vi) impact of the penalty on a person, while determining the applicable penalty for a breach of provisions of the DPDP Act. 
  • Individual caps for specific breaches will be as set out below: 
  1. Failure to take security measures to prevent data breaches: up to INR 250 crores (approx. USD 30 million)
  2. Failure of data fiduciaries to notify data breaches: up to INR 200 crores (approx. USD 24 million)
  3. Non-fulfilment of obligations relating to the processing of children’s data: up to INR 200 crores (approx. USD 24 million)
  4. Breach in observance of a significant data fiduciary’s obligations: up to INR 150 crores (approx. USD 18 million)
  5. Breach in observance of a data principal’s obligations: up to INR 10,000 (approx. USD 120)
  6. Breach of the terms of a voluntary undertaking: up to the penalty which may be applicable to the breach in respect of which the voluntary undertaking was submitted
  7. General non-compliance with the DPDP Act: up to INR 50 crores (approx. USD 6 million)

Exemptions (in addition to the ones listed in #3 above)

Below are the key exemptions under the DPDP Act:

  1. The Central Government/ State/ State instrumentalities are exempt from the provisions of the DPDP Act in the interests of the State’s security, sovereignty and integrity, or to maintain public order, or to prevent incitement to any cognizable offence. The obligations of erasure, completion and updating also do not apply to them.
  2. The provisions of the DPDP Act will not apply when processing of data is necessary for research and statistical purposes, if the personal data is not used for any decision specific to a data principal. 
  3. The Central Government can exempt certain data fiduciaries (including startups), on the basis of the volume and nature of personal data processed, from, inter alia, the obligations of notice, ensuring accuracy, completeness and erasure of personal data, and ensuring data principals’ right to access information. 
  4. The Central Government can also exempt certain data fiduciaries for specific periods of time from certain specified obligations.

Conclusion

With the enactment of the DPDP Act and an overhaul of the data protection regime in India, companies will now have to revisit, and revise to the extent necessary, their existing documentation (privacy policies, notices, consent forms and other documents) to comply with the DPDP Act and the supplemental rules to be issued by the Central Government. Further, implementation of privacy obligations will now become stricter with the removal of hierarchisation of personal data as companies will have to fulfil their obligations in relation to all types of personal data. With the implementation of the DPDP Act in a phased manner over a certain time period, data fiduciaries should utilize the upcoming months to make necessary changes to ensure compliance.

Author: Deepa Christopher – Partner, Bengaluru

Disclaimer: This publication only highlights key issues and is not intended to be comprehensive. The contents of this publication do not constitute any opinion or determination on, or certification in respect of, the application of Indian law by Talwar Thakore & Associates (“TT&A”). No part of this publication should be considered an advertisement or solicitation of TT&A’s professional services. 