Articles
Country guides
India's Digital Personal Data Protection (DPDP) Act, 2023: everything you need to know
Country guides
new

India's Digital Personal Data Protection (DPDP) Act, 2023: everything you need to know

Published  

9/8/2023

by 

Ali Talip Pınarbaşı

10
min read

Published  

September 8, 2023

by 

Ali Talip Pınarbaşı

10 min read
Summary

If you have customers from India, or your website and/or mobile app is accessible to Indian citizens, then we have some breaking news for you: India has recently passed a new data protection law called the Digital Personal Data Protection Act  (shortened as DPDP Act) which governs how organizations such as corporate entities like yours can collect, use, share, and delete personal data. 

 

Furthermore, the DPDP Act imposes other obligations on your business, such as how you can obtain consent, how you should respond to access requests, and how you should notify a data breach to authorities. 

 

If you want to handle Indian users’ personal data in compliance with the privacy law India recently implemented, read our practical guidance below.

 

 

India's new data privacy law, the DPDP Act, in a nutshell

 

Up until the DPDP Act, India did not have a comprehensive data privacy law similar to the EU’s General Data Protection Regulation. 

 

The turning point for the protection of personal data in India was the Supreme Court of India’s Puttaswamy decision in 2017.  This Supreme Court declared that the “right to privacy” is a fundamental right, paving the way for the drafting of a Personal Data Protection Bill and the enactment of a comprehensive privacy law in India.

 

The legislative efforts to pass a data protection law culminated in the DPDP Act, which was approved by both houses of the Indian Parliament on August 11, 2023, and then received the President’s assent. 

 

However, the DPDP Act has not come into force yet. It will become enforceable when the Indian Government publishes a notification in the Official Gazette.

 

Furthermore, it should be noted that the DPDP Act acts as a framework and sets out the key principles for the privacy law regime in India. Therefore, the requirements will be further elaborated on by the “Rules” that will be issued by the Central Government. These rules will cover 26 specified areas.

 

In addition to the power to set out these rules, the DPDP Act gives the central government other powers. For instance, the central government can ask for any information it deems appropriate from the data fiduciaries.

 

Does India’s Digital Personal Data Protection Act (DPDP Act) apply to you? 

DPDP Act will apply to organizations like yours processing data if the following conditions are met:

 

  • You process “digital personal data,” which is capable of identifying the “data principal.” The Data Principal is the individual to whom the data relates.
  • The data you process is either collected in digitized format or will be digitized.
  • You process digital personal data within Indian territory. Alternatively, if you process digital personal data outside of India but the processing is in connection with an activity concerning the offering of goods or services to individuals in India.

 

As you can see from these conditions, India’s DPDP Act has a broad scope and does not set any thresholds for the applicability of its provisions. It may apply to entities both inside and outside of India.

 

Key definitions under the DPDP Act

While the majority of concepts in the DPDP Act are similar to those in the GDPR, the terminology differs. Key definitions you need to get familiar with are as follows:

 

  • Data fiduciary: It is the entity that, alone or jointly with others, determines the purpose and the means of processing personal data. (i.e., data controller)
  • Data Processor: Entity that processes digital personal data on behalf of a data fiduciary.
  • Data principal: Individuals whose personal data are collected and processed (i.e., data subject).

 

What personal data is exempt from the scope of the DPDP Act?

Aggregated data, data used for household/domestic purposes, and publicly available personal data are outside the scope of the DPDP Act.

 

What are the key requirements for India's privacy law, and how to comply? 

 

Didomi - India data privacy law-2

 

If you are familiar with the EU GDPR’s requirements, such as obtaining consent, signing a data processing agreement, and breach notification, some of the DPDP Act’s requirements will be easier to grasp and implement for your business. 

 

Key obligations you need to comply with are as follows:

 

Identify a lawful basis to collect and process personal data

Under the DPDP Act, you need to rely on one of these two legal bases to process personal data: Consent or Legitimate use. 

 

The primary rule is that you need to obtain consent from the data principals and this consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action.” 

 

For instance, if you use analytics cookies on your website or if you collect contact information via a web form, you will likely need consent from the data principals. 

 

In limited circumstances, you may rely on “Legitimate Use” to justify the processing of digital personal data. This is only available in limited circumstances, such as the “voluntary sharing” of personal data by data principals and the processing of digital personal data to protect the employer against liability.

 

Sign a data processing agreement

One of the key provisions of the Act, Section 8.2, requires that data fiduciaries sign a contract with data processors. However, the content of such a contract is not defined, and businesses need to stay updated with any guidance or rules on this requirement.

 

Implement information security practices

Under the new legislation, data fiduciaries need to put in place reasonable security practices to prevent data breaches and, in the event of a personal data breach, are expected to inform the board and each affected data principal.  

 

Data subject rights

When you collect and process digital personal data of data principals from India, you must respond to their subject access requests and satisfy them if necessary. The DPDP Act gives data principals the right to access, correct, rectify, erase, and complete their personal data.

 

Furthermore, they have the right to “grievance redressal,” which refers to the availability of an easily accessible point of contact to address complaints from the data principal.

 

Lastly,  data principals may also exercise the right to appoint a nominee. This right allows the data principal to appoint someone to exercise his/her data subject rights in case of death or incapacity. 

 

Verify parental consent

When you collect and process children’s data, you must obtain verifiable parental consent prior to collection of children’s data. 

 

How to obtain Consent in accordance with the Digital Personal Data Protection (DPDP) Act? 

 

Whether you use cookies like Google Analytics or you ask your customers to submit their personal contact details through a web form, you will first need to identify a legal basis to collect and process personal data lawfully. 

 

More often than not, you will have to obtain valid consent from data principals before you can collect and use their personal data.  In particular, if you collect personal data using third-party tools such as meta pixel, social media plugins, and other trackers, you will have to ask for prior consent. 

 

Therefore, you need to ensure that you obtain the consent of data principals as specified by the DPDP Act: The consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action.” 

 

In particular, you need to take into account the following criteria:

 

How to fulfill the "informed" criterion: Provide data principals with the privacy notice

To obtain valid consent in accordance with the DPDP Act, you need to make sure that the data principals are “informed.” This requires data fiduciaries to provide data principals with a privacy notice.

 

This notice should explain to data principals how their personal data is processed, for what purposes such data is used, and how data principals may exercise their data subject rights under the DPDP Act.

 

Withdrawal mechanism

The DPDP Act also requires you to implement necessary consent withdrawal mechanisms so data principals can withdraw consent as easily as giving consent.

 

“Specific” criterion

The consent should be for the specified purposes and should not later be extended to other unspecified purposes. Therefore, bundled consents are unlikely to satisfy this criterion.

 

Unconditional consent

You should not condition tie giving consent to other conditions, such as the provision of services.

 

However, be noted that you may also rely on “legitimate use” if certain conditions as specified in the DPDP Act are met.

 

Data Protection Board

The Data Protection Board of India has the power to carry out investigations for non-compliance and to impose fines.

 

Penalties for non-compliance with data privacy law in India

 

If you fail to comply with the DPDP Act’s requirements, you may face a monetary fine of up to  30.2 $ million. The Data Protection Board has the authority to carry out investigations and impose fines. 

 

Unlike the EU GDPR, the DPDP Act does not take into account the turnover of a business when determining the amount of fine. Instead, the Schedule A to the DPDP Act lists predetermined ranges for each violation.

 

EU's GDPR vs. India's DPDP Act

 

There are certain similarities between the EU GDPR and India’s DPDP Act. These similarities include affording individuals data subject rights, setting out rules for data controller-data processor relationships, and requiring organizations to rely on a lawful basis to collect and use personal data.

 

However, there are notable differences between the EU GDPR and the India’s DPDP:

 

Lawful bases

The GDPR provides six distinct lawful bases, while the DPDP Act only contains two bases. Under the EU GDPR, organizations can rely on six different legal bases to justify the collection and processing of personal data, including “contractual necessity” and “legitimate interest.”

 

However, India’s DPDP Act only lists two legal bases: “Consent” and “Legitimate Use.” 

 

In Art. 6.4., the DPDP Act mentions that when consent is the legal basis for the processing of personal data, the data principal must have the right to withdraw that consent at any time, as easily as it was to give it in the first place.

 

Data breach obligation

India’s DPDP imposes more strict obligations for data breach notification. Under India’s DPDP Act, the data fiduciary(i.e., the data controller) must notify all data breaches to the Data Protection Board and the Data Principals. 

 

In contrast, the GDPR imposes mandatory breach notification requirements only if there is a risk to the rights and freedoms of data subjects.

 

Right to data portability and tp object processing

GDPR introduces the right to data portability and the right to object processing of personal data, whereas the DPDP Act does not contain such rights.

 

Record keeping and data minimization

GDPR entails obligations such as keeping records of processing activities (Article 30 GDPR)  and data minimization, which are not addressed in India’s DPDP Act

How Didomi can help you comply with India Data Protection Law

 

If you want to ensure compliance with the DPDP Act’s requirements and safely handle Indian people’s data, you must start by relying on a legal basis to justify your data processing activities. Consent is the primary legal basis, and it can justify the use of third-party advertising, personalization, and profiling cookies alongside social media plugins.

 

Therefore, you must obtain consent that fulfills the criteria set by the DPDP Act. With a Consent Management Platform (CMP), you can collect consent in a compliant manner and keep a record of it all.

 

Get in touch with our team to discuss your privacy challenges and find out how our solutions can help you turn data privacy into a business opportunity, and how Didomi focuses on addressing regulations and assisting companies around the world: 

 

{{talk-to-an-expert}}

 

Frequently Asked Questions (FAQ)

 

Who does India's Privacy Law apply to?

DPDP Act will apply to an organization if the processing of personal data fulfills the following conditions:

 

  • An organization processes “digital personal data,” which is capable of identifying the “data principal.” The Data Principal is the individual to whom the data relates.
  • The data organization process is either collected in digitized format or will be digitized.
  • Organization processes digital personal data within Indian territory. Alternatively, if you process digital personal data outside of India but the processing is in connection with an activity concerning the offering of goods or services to individuals in India.

 

What are the key requirements for compliance with India's data privacy law?

Some of the key requirements of India's DPDP include:

 

  • Identifying a lawful basis to collect and process personal data
  • Signing a data processing agreement between the data fiduciary and the data processor
  • Fulfilling data subject requests such as access and erasure requests in accordance with the DPDP Act
  • Verifying parental consent
  • Implementing appropriate data security measures

 

What are the lawful bases for collecting and processing personal data under India’s DPDP Act?

“Consent” and “Legitimate Use” are the only two lawful bases you can rely on.

 

What are the potential penalties for non-compliance with data privacy laws in India?

If you fail to comply with the DPDP Act’s requirements, you may face a monetary fine of up to  30.2 $ million. The Data Protection Board has the authority to carry out investigations and impose fines.

 

What is consent under the DPDP Act?

To obtain valid consent under the DPDP Act, you need to ensure that consent is “free, specific, informed, unconditional and unambiguous with a clear affirmative action”

 

Does the India DPDP Act address sensitive personal data and/or international data transfers?

The DPDP Act does not distinguish between personal and sensitive personal data/critical personal data. The DPDP Act does not restrict international data transfers out of India.