India’s New Data Protection Law: Simply Put

In a significant move, the Digital Personal Data Protection Bill, 2023 has been approved by both the Lok Sabha and the Rajya Sabha, receiving final assent from the President on 11th August 2023. Now officially the Digital Personal Data Protection Act (“the Act”), this development marks a pivotal moment for safeguarding the online privacy of individuals in a data-driven world. The Act seeks to protect Personal Data (as defined below) and the privacy of the individuals whose data is collected. The Act is also set to replace Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

This article has been divided into three parts for easy reading. This first part covers the core concepts and Data Fiduciaries. The second part describes the rights, duties and exemptions of the Data Principal, the rules on Processing of children’s data and cross-border transfer. The third part describes the establishment of the Data Protection Board and the penalties for violating the Act.

The Act covers all kinds of Personal Data and does not categorize it into groups such as sensitive Personal Data and other Personal Data. Earlier, under Indian law, there was a differentiation between types of data, each requiring a different system of protection. By removing these distinctions and treating every type of data under one head, the Act makes the system uniform for all data fiduciaries (“Data Fiduciary”) and data processors (“Data Processor”) holding and Processing (as defined below) the data of data principals or data subjects (“Data Principal”).

The Act applies to the Processing of Digital Personal Data within India where such data is:

  • collected online, or
  • collected offline and subsequently digitized.

The Act will not change much for most small businesses. It creates a framework and a designated ombudsman system, but it does not apply to physical data that has not been digitized. This means that many small businesses that store data only in paper form will be exempt from the Act.

However, the Act will apply to any data that has been digitized, even if it is just a photograph of the data. So, if a small business takes a photo of a customer’s signature, that data would be covered under the Act. In essence, the Act only applies to businesses that store data in a digital format. It is quite illogical, but if a business uses only physical paper to maintain data, it will be exempt under the Act, regardless of how much data it stores.

The Act will also apply to the Processing of Personal Data outside India if it is in connection with offering goods or services to Data Principals in India. “Personal Data” is defined as any data about an individual who is identifiable by or in relation to such data.[1] “Processing” is defined as a wholly or partially automated operation or set of operations performed on digital Personal Data. It includes collection, recording, storage, use, sharing, erasure, destruction, etc.[2]

A significant aspect of this Act concerns consent for the Processing of Personal Data. Section 6 of the Act states that consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous, with a clear affirmative action. It shall be limited to such Personal Data as is necessary for the specified purpose.

One significant feature of the Act is that the Data Fiduciaries obtaining the consent of Data Principals shall give Data Principals an “Opt-out” right, as opposed to international standards of “Opt-in”.

Personal Data may be processed only for a lawful/legitimate purpose after obtaining the consent of the individual.[3] A notice must be given before seeking consent. The notice should contain details of the Personal Data to be collected and the purpose of Processing.[4] In the interest of ease of doing business and to make the law minimally invasive, where the Data Principal has given consent for the Processing of their Personal Data before the law comes into force, a similar notice needs to be given to the Data Principal as soon as is reasonably practicable. Hence, previously obtained consent is also protected, unlike under counterpart laws in the rest of the world, where on the prescribed date all entities, i.e., Data Fiduciaries and Data Processors whether big or small, were reaching out to every Data Principal to obtain fresh consent. The Data Fiduciary may continue to process the Personal Data until and unless the Data Principal withdraws their consent.

The Data Principal, while giving consent for the Processing of their Personal Data, shall have the option to view the notice and consent form in English or any other language specified in the Eighth Schedule of the Indian Constitution. This will help the large portion of the population that is not familiar with the English language.

However, the consent of Data Principals will not be required if the Personal Data is used for ‘legitimate uses’[5], which include:

Specific safeguards for Processing children’s data and provisions for parental control have also been included. For individuals below 18 years of age (as compared to the common international threshold of 13 years of age), consent will be provided by the parent or legal guardian.

Data Fiduciaries, being the entities that determine the purpose and means of Processing, must:

  • make reasonable efforts to ensure the accuracy and completeness of data,
  • build reasonable security safeguards to prevent a data breach,
  • inform the Board (as defined below) and affected persons in the event of a breach, and
  • erase Personal Data as soon as the purpose has been met, unless retention is necessary for legal purposes (storage limitation). In the case of government entities, storage limitation and the Data Principal’s right to erasure will not apply.

A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any Processing undertaken by it or on its behalf by a Data Processor.

A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process Personal Data on its behalf for any activity related to the offering of goods or services to Data Principals only under a valid contract.

The Central Government may notify certain Data Fiduciaries as Significant Data Fiduciaries after considering essential factors such as:

  • the volume and sensitivity of Personal Data processed,
  • the risks to the rights of Data Principals,
  • the potential impact on the sovereignty and integrity of India,
  • the risk to electoral democracy,
  • the security of the State, and
  • public order.

These Significant Data Fiduciaries will be subject to materially higher compliance obligations, including appointing a data protection officer, undertaking a data protection impact assessment and a compliance audit, and such other requirements as may be specified from time to time.

Archana Balasubramanian, Partner with Vineet Lathiya, Associate


[1] Section 2(t) of the Act.

[2] Section 2(x) of the Act.

[3] Sections 4 and 6 of the Act.

[4] Section 5 of the Act.

[5] Section 7 of the Act.

[6] Section 8 of the Act.

[7] Section 10 of the Act.
