The key aspects of India’s Data Protection Act

DPDP Act implications, scope

One of the most notable features of the DPDP Act is its extraterritorial reach, extending its jurisdiction beyond Indian borders. This necessitates a comprehensive understanding of its provisions by offshore entities catering to Indian data principals (individuals to whom the personal data relates). At its core, the act aims to safeguard personal data by emphasising the consent of individuals and imposing obligations on data fiduciaries (entities which determine the purpose and means of processing personal data).

Evolution of data privacy legislation

The Information Technology Act, 2000 (IT Act), governs aspects of data protection, albeit with limitations. Subsequently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 (SPDI rules), were introduced to govern the processing of sensitive personal data. The DPDP Act will replace key provisions of the IT Act, particularly section 43(A), and sets a more comprehensive framework for the processing of digital personal data. It will also replace the SPDI rules on the act coming into force. This transition underscores India’s commitment to aligning its data protection standards with international norms and addressing evolving challenges in the digital landscape.

Core areas of the act

The DPDP Act has several pivotal components that shape its regulatory framework:

1. Protecting personal data. The law lays down principles governing the processing of digitised personal data to ensure privacy and confidentiality while protecting the rights of data principals.
2. Extraterritorial applicability. The extension of jurisdiction to offshore entities processing personal data of Indian data principals for providing goods or services to persons resident in India.
3. Data fiduciary obligations. Responsibilities including consent, security and transparency have been imposed under law on entities collecting personal data and determining the means of processing such data. The law obliges compliance with the requirements of the act by a data fiduciary that cannot be passed onto a data processor even under contract. The data fiduciary is also held responsible for actions performed by the data processor.
4. Individual rights. Granting data principals rights over their data, such as access, correction and deletion.
5. Regulatory oversight. The appointment of data protection officers and the establishment of authorities, including the Data Protection Board, to oversee compliance and enforce penalties.

Key provisions

The DPDP Act encompasses crucial provisions that define its scope and applicability:

1. Data categories. The law provides for a framework for regulation of digital personal data, regardless of its initial form.
2. Exclusions. It provides for exceptions for personal data processed for personal or domestic purposes.
3. Consent requirements. The law mandates an affirmative consent as a cornerstone for lawful processing, with clear criteria for a withdrawal. Importantly, revoking consent does not invalidate the legality of data processing activities based on the consent given prior to its withdrawal. Prior to, or alongside, each request for consent, a notice must be issued to the data principal detailing the personal data and intended purpose of processing, the procedure for withdrawing consent, and the grievance redressal mechanism in case of any data leakage.
4. Legitimate processing. Instances where personal data can be processed without explicit consent, under specified conditions include: voluntarily providing personal data for a specified purpose; provision of state functions such as granting subsidies, benefits, services, certificates, licences or permits; safeguarding the sovereignty, integrity or security of India; as well as complying with court orders, addressing medical emergencies or disaster management efforts and fulfilling employment-related purposes for the protection of intellectual property rights, including trade secrets, of an employer.
5. No data localisation. The law does not contain data localisation requirements and provides for free cross-border flow of personal data. Nonetheless, it envisages a negative list of countries where personal data cannot be transferred.
6. The law recognises an individual up to the age of 18 years to be a child and prohibits advertising aimed at children.

Exemptions

The act provides for specific exemptions and does not extend to state instrumentalities, which the government may exempt based on factors such as India’s sovereignty, integrity, security and public order. Additionally, the government has the authority to grant exemptions to specific classes of data fiduciaries from obligations regarding notice, data accuracy, maintenance and data erasure.

Applicability and impact

The enactment of the DPDP Act poses significant challenges for industries, necessitating a revamp of data handling practices and compliance mechanisms. This is particularly true in sectors like fintech and e-commerce.

Fintech

Fintech companies face unique challenges in ensuring compliance, especially concerning data flows and partnerships with traditional financial institutions. Compliance obligations primarily fall on data fiduciaries, urging fintech firms to fortify their data protection measures and align with regulatory standards.

Under the DPDP Act, depending on the role of collection or processing of personal data, fintech companies could typically be categorised as data processors, while banks and NBFCs would be deemed to be data fiduciaries responsible for determining the means and purpose of data processing.

This classification aligns with the Guidelines on Digital Lending, issued by the RBI in 2022. However, depending on the role and functions performed, a fintech could be categorised as a data fiduciary under the DPDP Act. Compliance obligations primarily fall on the data fiduciary, which must ensure that the processors comply with regulatory requirements. Therefore, it is essential for fintechs to establish robust controls, including code management, identity management and charge management, while maintaining transparency and data accuracy. Obtaining ISO certifications and implementing technical measures for data protection are also crucial to meet compliance standards.

E-commerce

Clarifying data fiduciary roles and determining data fiduciary responsibilities within e-commerce ecosystems is essential for compliance. Whether platforms or sellers assume these obligations depends on their roles in data processing and decision-making. Clarity in delineating these roles is critical for ensuring adherence to regulatory mandates.

Typically, e-commerce platforms like Amazon, Flipkart and Myntra, where personal data collection and analysis for marketing occurs, the platform serves as the data fiduciary and is accountable for compliance. However, if the platform solely provides a technological infrastructure and the retailer assumes all other sales-related responsibilities, the retailer may be considered a data fiduciary if they collect data to fulfil sales.

If the platform merely facilitates transactions without disclosing personal data, the seller may be viewed as the data processor. Ultimately, the determination of the data fiduciary depends on the business model, with the guiding principle being to identify the entity responsible for determining data collection and processing methods and objectives.

Service-providing platforms

Companies like Uber, Ola and Urban Clap are designated as data fiduciaries under the act. These platforms are mandated to share personal data with various partners, including drivers and other individuals. Consequently, it becomes paramount for them to deploy robust technical measures, such as data masking, to safeguard sensitive information. Moreover, they must sensitise their business partners to the importance of privacy protection and necessary compliances.

In scenarios where the platform remains inactive for a substantial duration, or if consent is revoked by the data principal, it falls on the data fiduciary to ensure that the data is neither utilised nor retained. Only a limited subset of data should be shared to mitigate privacy risks effectively.

Online advertising companies could be required to demonstrate compliance with the DPDP Act by obtaining explicit consent, limiting the collection of personal data to what is necessary for their advertising activities, and only using it for specified purposes outlined to users at the time of collection. Further compliance may be required through measures such as maintaining records of data processing activities, conducting data protection impact assessments, and appointing a data protection officer.

It is incumbent on such entities to prioritise the principles of privacy protection, not just as a legal obligation, but as a fundamental aspect of their operations and ethos.

Charting the path forward

The DPDP Act heralds a new era of data protection in India. By prioritising individual consent and accountability, the act paves the way for a safer and more transparent digital ecosystem. As India progresses towards a USD5 trillion economy, adherence to data protection standards becomes crucial.

Once the rules for implementation are finalised and the Data Protection Board of India is established, stakeholders can anticipate a more resilient digital landscape, fostering trust and innovation in equal measure.