For the second day of data, we are taking a look around the world. The most significant new international data protection law of 2023 is probably India’s long-awaited comprehensive data protection law, the Digital Personal Data Protection Act, 2023 (the “DPDP Act”). The DPDP Act was enacted and notified in the Official Gazette on 11 August 2023. The law will not come into effect until the government provides notice of an effective date, which is still forthcoming, with different effective dates expected for different provisions. Last month, Rohan Massey, co-leader of Ropes & Gray’s data, privacy & cybersecurity practice, sat down with Sajai Singh, a partner at J. Sagar Associates in Bangalore, to discuss the law.
Although the DPDP Act reads with some familiarity for those accustomed to complying with the EU/UK General Data Protection Regulation (the “GDPR”) and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), it also diverges in certain ways. This perhaps reflects the need for the DPDP Act to work for local companies and processes, but lessons may also have been taken from how other jurisdictions have approached similar laws and the subsequent functionality. We review a few of those key similarities and differences in this post to provide a deeper understanding of how the DPDP Act fits into global privacy law.
Framework, scope, and definitions
The DPDP Act sets out the framework for data protection laws in India, with supplementation expected from the Government in due course. Due to this, the full effect of the DPDP Act on companies will only become clear as and when the rules are issued over time and the Data Protection Board of India (the “Board”), which is to be an independent regulatory body, is established. This is similar to the California Privacy Protection Agency (“CPPA”), which is vested with full authority to implement and enforce the CCPA.
The DPDP Act governs Data Fiduciaries (which, under the GDPR, are referred to as “controllers”, and to some degree under the CCPA as “businesses”), Data Processors and Data Principals (which, under the GDPR, are known as “data subjects”, and under the CCPA, are known as “consumers”). Similar to the GDPR, the DPDP Act applies to the processing of “personal data” (which is defined as data about an individual who is identifiable by or in relation to such data), either (i) within India; or (ii) outside of India, but where such processing is in connection with offering goods or services to Data Principals within the territory. The CCPA’s approach to extraterritoriality is somewhat similar, applying to businesses that conduct business in California, provided they meet one of the prescribed thresholds. Unlike the GDPR and the CCPA, the DPDP Act applies only to digital personal data, meaning personal data either collected in digital form or non-digital data that is subsequently digitized. In addition, the scope is narrower than the GDPR and CCPA, and does not include entities outside of India that are monitoring the behaviour of Data Principals within India.
The DPDP Act applies to all types of digital personal data and introduces no additional controls or requirements for the processing of personal data that would, under the GDPR, be called “special category personal data” (i.e. personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation), or under the CCPA, as “sensitive personal information” (for example, government identifiers, financial accounts, genetic data, biometric information used to identify a consumer, and information concerning a consumer’s health, sex life, sexual orientation, racial or ethnic origin, and religious beliefs).
Whilst the GDPR requires that measures such as data protection officer appointments and the conducting of data protection impact assessments happen in certain circumstances, for example where large-scale special categories of personal data are being processed, the DPDP Act takes a more controlled approach with its introduction of a “Significant Data Fiduciary”. India’s Central Government can designate any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary, based on factors that could include the volume and sensitivity of personal data it processes or risks to the rights of Data Principals, and require that the Significant Data Fiduciary (i) appoint a data protection officer; (ii) appoint an independent data auditor to carry out a data audit and conduct periodic audits; and (iii) conduct periodic data protection impact assessments. The CCPA diverges from the GDPR and DPDP Act in some regards, including there being no requirement to employ a data protection officer or data auditor. However, the CPPA is responsible for issuing regulations requiring businesses to perform annual cybersecurity audits that are “thorough and independent” and to submit regular risk assessments to the CPPA if those businesses process personal information in a manner which presents significant risk to consumers’ privacy or security.
The DPDP Act allows Data Fiduciaries to process personal data where it is for a lawful purpose that is not expressly forbidden by law, and where either consent has been obtained from the Data Principal or the processing is for a legitimate use. The legitimate uses basis is potentially broad and includes, amongst other uses, (i) fulfilling any obligation under law; (ii) responding to a medical emergency; and (iii) for the purposes of employment or those uses related to safeguarding the employer from loss or liability.
Data subject rights
The DPDP Act grants Data Principals who have previously given consent for processing personal data the right to:
- A summary of personal data which is being processed by a Data Fiduciary and the processing activities undertaken with such personal data;
- The identities of Data Fiduciaries and Data Processors with whom the personal data has been shared and a description of the data shared;
- Correction, completion, updating and erasure of personal data; and
- Have complaints redressed by the Data Fiduciary and, if this avenue is exhausted unsuccessfully, by the Board.
These rights are similar to those afforded to data subjects under the GDPR and CCPA; however, the DPDP Act does not include the right to data portability or the right to be forgotten as the GDPR does. Additionally, the CCPA also prescribes a right to opt out of the sale or sharing of a consumer’s personal data and a right of no retaliation following an opt-out or the exercise of any data subject right.
Unlike the GDPR or CCPA, the DPDP Act also sets out duties of Data Principals, with a potential penalty of up to 10,000 rupees (approximately GBP 100 or USD 120) for non-compliance. The duties for Data Principals to observe include (i) complying with all applicable laws while exercising rights under the DPDP Act; (ii) not impersonating another person; (iii) not suppressing any material information; and (iv) ensuring false or frivolous grievances or complaints are not filed with Data Fiduciaries or the Board.
Notice and consent
Similar to the CCPA, where a Data Fiduciary seeks to rely on the consent of a Data Principal, it needs to be accompanied or preceded by a clear and plainly worded privacy notice stating (i) what personal data is concerned and the purpose for which it will be processed; and (ii) the rights the Data Principal has, including to withdraw consent at any time and the right to make a complaint to the Board. Any consent granted should be free, specific, informed, unconditional and unambiguous and given with a clear affirmative action. Where the Data Fiduciary is relying on the alternative lawful purpose, being for certain legitimate uses, a privacy notice is not required.
Where the Data Fiduciary is providing a privacy notice, it should make such notice available in English or any of the 22 languages set out in the Eighth Schedule of the Indian Constitution, and accept consent from a Data Principal in any of these languages. We understand that the privacy notice does not have to be presented to the Data Principal in all 23 languages (including English), but where the document in one of these languages is requested and not available, the Data Fiduciary will need to have it translated appropriately. Although subsequent rules may expand the content requirements of such a privacy notice, the content specified is far shorter than the requirements under the GDPR.
In terms of the timing of providing the privacy notice, where Data Principals have already consented prior to the commencement of the DPDP Act, they should receive a copy of the privacy notice within a reasonable time. Comparing this to the requirements under the GDPR, privacy notices should be provided to individuals at the time of data collection where possible, although there is flexibility where data is not collected directly from the data subject, being a reasonable period after obtaining the personal data, but at the latest within one month.
The CCPA requires businesses to inform consumers about how they process a consumer’s personal data, including a description of what personal data is collected, the purpose for collecting such data, disclosures about the sensitive personal information processed, a list of the data subject rights afforded to consumers, a list of the categories of third parties with whom personal data is shared, and the business’s data retention period, among other requirements.
Cross-border transfers of data under the DPDP Act can be made to any country unless explicitly restricted by the Central Government. Meanwhile, under the GDPR, the options include relying on adequacy decisions, standard contractual clauses (EU), international data transfer agreement (UK) and binding corporate rules.
Vulnerable person personal data
As under the CCPA, when processing the personal data of children or a person with a disability who has a lawful guardian, consent must be obtained from a parent or lawful guardian (as applicable). There are additional restrictions on using such data, for example Data Fiduciaries should not undertake tracking or behavioural monitoring of children.
Although the idea under the DPDP Act of obtaining consent on behalf of children is similar to that in the GDPR and the CCPA, the age of majority is different – with the DPDP Act defining a child as someone under the age of 18 and the GDPR and CCPA setting this age as a person who is 16 years old. The GDPR allows this age to be lowered from 16 years old to 13 years old, which some member states (and the UK) have done.
Penalties for breaches of, and non-compliance with, the DPDP Act are scaled to the type of breach, with the maximum penalty being 250 crore rupees (approximately GBP 24 million or USD 30 million). Although this figure is not dissimilar to the fine framework specified under the GDPR of EUR 20 million/GBP 17.5 million, unlike the GDPR, the DPDP Act does not have the alternative of the higher option of a percentage of global turnover of the preceding fiscal year. When determining the applicable penalty, the Board will consider the (i) nature, gravity and duration of the breach; (ii) type and nature of the personal data affected; (iii) repetitive nature of the breach; (iv) whether, as a result of the breach, a gain is realized or a loss avoided; (v) mitigating actions; (vi) whether the monetary penalty is proportionate and effective; and (vii) the likely impact of the monetary penalty.
The CCPA prescribes potential penalties of up to $2,500 for each unintentional violation and $7,500 for each intentional violation. This is after the California Attorney General provides the business with 30 days’ notice to comply with the CCPA. Additionally, the CCPA affords consumers the right to file private lawsuits for between $100 and $750 in statutory damages or for actual damages (whichever is higher) for each incident of breach of their unredacted and unencrypted data stored on a business’s server. Businesses have up to 30 days to resolve the violation after being served a notice by the consumer before facing civil penalties.
Exemptions to certain provisions of the DPDP Act that are of interest to note include that:
- Consent will not always be required by Data Fiduciaries when processing is necessary for mergers, demergers and similar actions;
- Consent will not always be required where processing is to ascertain the financial information, assets and liabilities of a person who has defaulted on a payment;
- The Central Government may, up to five years from the date of commencement of the DPDP Act, declare that any provision of the DPDP Act does not apply to certain Data Fiduciaries or classes of Data Fiduciary; and
- The Central Government may, after considering the volume and nature of personal data processed, declare that certain provisions of the DPDP Act do not apply to Data Fiduciaries or classes of Data Fiduciary, including startups. Startups are defined as a private limited company or a partnership firm or a limited liability partnership incorporated in India, which is recognised as such in accordance with the criteria and process notified by the department to which matters relating to startups are allocated in the Central Government.
The CCPA provides entity-level exemptions from compliance for businesses that are nonprofits, government agencies, insurance institutions, agents and support organizations. Additionally, the CCPA provides data-level exemptions for financial information, protected health information, clinical trial information, consumer reporting information, and other data.
The DPDP Act is the first comprehensive law for protecting digital personal data in India. We are still waiting for the government to announce an effective date, and we expect different provisions to have different commencement dates, which will allow for a phased implementation.
Although there is still guidance to follow that will add significant further detail, companies under the jurisdiction of the DPDP Act should consider the following measures if they do not already have these in place:
- Starting to map the personal data held in the business;
- Considering what policies will be needed to comply with the DPDP Act; and
- Getting buy-in from senior leadership, so the potential updates and changes are acknowledged and progress can start to be made.
Where companies already have an established GDPR or CCPA compliance programme, this will serve as a strong foundation and starting point to draft policies and procedures that comply with the DPDP Act. Companies should review existing policies and make plans to amend existing documentation (privacy notices, internal policies on data subject rights or breaches, contract requirements, consent forms, etc.) to comply with the DPDP Act.
We do not know yet exactly what enforcement of the Act will look like in 2024, but we will be watching this area closely, along with other developments in international privacy law.