On 11th August 2023, the Draft Digital Personal Data Protection Bill, 2023 received the President of India’s assent after passage in both Houses of Parliament and became law, i.e. the Digital Personal Data Protection Act, 2023 (“DPDP Act”). The DPDP Act has been notified by the Government. The Act provides a framework for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.
By way of brief background, in 2017 a Committee of Experts headed by Justice B.N. Srikrishna (Retd.) (“Srikrishna Committee”) was constituted to identify key data protection issues and provide a legislative framework for data protection in the country. The Srikrishna Committee submitted its report in 2018 along with a draft of the Personal Data Protection Bill, 2018. Thereafter, the Personal Data Protection Bill, 2019 (“2019 PDP Bill”) was tabled before Parliament and later referred to the Joint Parliamentary Committee (“JPC”), which published its report in 2021 along with a draft Data Protection Bill, 2021. However, on 3rd August 2022, the Government of India withdrew the 2019 PDP Bill from Parliament. Later that year, on 18th November 2022, the Ministry of Electronics and Information Technology (“MeitY”) released the Digital Personal Data Protection Bill 2022 (“Draft DPDP Bill 2022”) for stakeholder consultation. Finally, in the 2023 Monsoon Session of Parliament, the Draft Digital Personal Data Protection Bill, 2023 was tabled and, after going through the Parliamentary procedure, has now become law in India. The DPDP Act is the first consolidated legislation governing personal data protection and privacy in India.
Brief Overview of the DPDP Act
The operationalisation of the DPDP Act is contingent on various rules and notifications to be issued by the Government of India, and the DPDP Act will be brought into force in phases through separate notifications.
Key Deviations from the EU General Data Protection Regulation (“GDPR”)
| S.no. | Topic | GDPR | DPDP Act |
|---|---|---|---|
| 1. | Cross-border data transfer | Codifies cross-border transfer of data and allows transfer of personal data to a third country on the basis of the adequacy test or specified safeguards (i.e., Standard Contractual Clauses). | Cross-border transfer of data will be based on a negative list. There is no provision of any principles for assessing the adequacy of countries that may be barred or restricted by the Central Government. Further, if any other law imposes a higher degree of restriction on transfer of personal data outside India, that law must be followed. This means that sectoral mandates, such as the RBI’s localisation mandate for payment system data, will continue to apply. |
| 2. | Notice | The GDPR requires the notice to include information relating to the recipients or categories of recipients of the personal data, the period of retention of such data, and transfer of data. | The notice requirements have been stripped down significantly in the DPDP Act, and the corresponding requirements are not present. Information relating to processing activities and recipients can be accessed by the Data Principal upon request. |
| 3. | Personal data breach notification | Data Controllers are required to notify affected individuals without undue delay only if the breach is likely to result in a “high risk” to individuals. | Data Fiduciaries are required to notify affected Data Principals of any breach of personal data, without any guidance on the scale or severity of such breach. |
| 4. | Public authority | Each Member State is required to establish an ‘independent’ public authority responsible for monitoring the application of the GDPR. | While the Board is required to be an independent body, in practice it may not enjoy ‘independence’ from the Central Government, as the appointment of employees of the Board will be subject to Government approval and their conditions of service, etc. will be prescribed by the Government. |
| 5. | Right to be forgotten | The GDPR specifically caters to the Right to be Forgotten when personal data has been published: a Controller, in response to a request for deletion of data that was previously made public, must “take reasonable steps” to inform any third parties that may be processing the data of the Data Subject who has requested deletion. There is also an obligation under the GDPR to communicate the deletion request directly to any known recipients of the data unless this would be impossible or would require disproportionate effort. | While the DPDP Act provides a right to erasure, and a Data Fiduciary on receipt of such a request must erase the personal data of the Data Principal, there is no obligation to erase personal data that has been published by the Data Fiduciary or by its Data Processors that received this data from the Data Fiduciary. |
| 6. | Age of consent | The GDPR imposes additional obligations when collecting consent from children under the age of 16 (or an age between 13 and 16 set by Member State law). | The DPDP Act defines a child as an individual under 18 years of age. The Central Government can notify a lower age for processing of children’s data if it is satisfied that the Data Fiduciary has ensured that processing of personal data of children is done in a “verifiably safe” manner. Such Data Fiduciaries would be exempt from all or any of the special obligations relating to children’s data. |
Our Take:
By notifying the DPDP Act, the Government has taken a significant step towards introducing comprehensive stand-alone legislation governing data protection and privacy in India. While the DPDP Act is largely based on the GDPR, there are significant departures from it. For instance, the GDPR codifies cross-border data transfer provisions and allows transfer of personal data to a third country on the basis of the adequacy test or specified safeguards, whereas the DPDP Act does not provide any such threshold for cross-border transfer of personal data. Further, while the GDPR provides for the right to be forgotten, the DPDP Act does not specifically provide such a right.
There are many concerns with the provisions of the DPDP Act. Notably, many terms used in the DPDP Act, such as “verifiable consent”, “detrimental effect on the well-being” of a child, and “as soon as reasonably practicable” (for providing notice to Data Principals who had provided consent before commencement of the Act), have not been defined, leaving them open to interpretation. Further, the Central Government has broad powers under the DPDP Act to prescribe rules, regulations and notifications in various areas, such as notice, data breach reporting, children’s digital personal data and the list of countries for cross-border transfer. This gives the Government extensive power to settle the details of provisions that will be critical to the effective implementation of, and compliance with, the DPDP Act.
The DPDP Act also confers excessive powers on the Central Government, allowing it to call for any information from a Data Fiduciary or Intermediary, and provides no guidance or safeguards as to the information that may be called for. Moreover, in addition to Section 69A of the IT Act, the Central Government is empowered under the DPDP Act to direct an intermediary (albeit upon satisfaction of certain conditions) to block access to information identified by the Government where this is in the ‘interest of the general public’.
Moreover, unlike the IT Act, the DPDP Act does not give the affected person a right to seek compensation where negligence on the part of the Data Fiduciary in implementing and maintaining reasonable security practices and procedures leads to wrongful loss or wrongful gain while possessing, dealing with or handling any sensitive personal data or information. To seek compensation from the erring Data Fiduciary, a Data Principal who suffers a civil wrong must instead bring a claim for compensatory damages under tort law against the person committing the wrongful act.
Furthermore, compliance costs are likely to increase in light of the requirements, inter alia, to provide the option to access the contents of the notice and the request for consent in English or any of the 22 languages listed in the Eighth Schedule of the Indian Constitution. The DPDP Act also mandates reporting of data breaches to the Board and to affected Data Principals. This is in addition to the mandate to report cyber incidents to the Indian Computer Emergency Response Team under the IT Act and the rules and directions issued thereunder.
The DPDP Act prescribes hefty penalties (up to INR 250 crores, depending on the nature of the breach) for non-compliance with its provisions, not only on the Data Fiduciary but also on the Data Principal.
While the DPDP Act codifies the rights and duties of Data Fiduciaries and Data Principals, the Government’s approach to notifying its various provisions, and the timelines it gives entities to transition and make appropriate administrative changes without disrupting ongoing business operations, will be pivotal to compliance with and implementation of the DPDP Act.
This area of law in India is now an evolving landscape, and complete clarity will only be available once the phased implementation of the DPDP Act is complete and the corresponding delegated legislation has been passed by Parliament and notified.
Link to the Digital Personal Data Protection Act, 2023: https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
This article was first published on Saikrishna & Associates