India Digital Personal Data Protection Act (DPDPA)

Who is excluded from DPDPA compliance? 

India’s privacy law does not apply to “personal data processed by an individual for any personal or domestic purpose; and personal data that is made or caused to be made publicly available by either the Data Principal to whom such personal data relates; or any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.” One illustrative example offered by the law here is as follows: “X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply.”

In addition to these, the following instances of processing of personal data are exempted: 

• “Processing by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and
• Processing necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.”

How can I keep my organization DPDPA compliant?

Under DPDP, processing of personal data can only be done for lawful purposes, with the consent of the data subject, and for legitimate uses. Lawful purpose here is understood as “any purpose which is not expressly forbidden by law.” In addition, a notice has to be provided before or at the moment of collection of personal data, informing data subjects of the types of data being collected and the purpose for this, the way in which they can exercise their data subject rights, and the way in which they can submit a complaint to the regulatory authorities. 

Consent has to be “free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose” and can be withdrawn at any time. Other obligations of data controllers (data fiduciaries) include the following: 

• complying with the provisions of the DPDP and any rules issued with respect to data processing performed by themselves or by a data processor; 
• ensuring that any activity of a data processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals is performed only under a valid contract;
• where personal data is likely to be used to make a decision that affects data subjects or it is likely to be disclosed to another data controller, the processing of such data has to be complete, accurate, and consistent;
• implementing appropriate technical and organizational measures to ensure the effective observance of the provisions of the law and any rules issued;
• protecting the personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a data processor, by taking reasonable security safeguards to prevent personal data breaches;
• in the event of a personal data breach, informing the Board and the affected data subject of this;
• unless required for compliance with any law, a controller has to cease the retaining personal data and instead erase personal data upon the withdrawal of consent by a data subject, or as soon as it is reasonable to assume that the purpose of collection no longer applies, and ensure that any data processor that received the data also erases this.
• if applicable, make available the details of the Data Protection Officer, or of a person who is able to answer on behalf of the data controller to any questions raised by the data subject about the processing of their personal data;
• establishing an effective mechanism for grievance redressal of data subjects; 
• before processing any personal data of a child or a person with disability who has a lawful guardian, controllers must obtain verifiable consent from the parent of such child or the lawful guardian.

Additionally, if they are categorized as a ‘significant data fiduciary,’ controllers have an obligation to do all of the following: 

• “appoint a Data Protection Officer who shall
  • represent the Significant Data Fiduciary under the provisions of this Act;
  • be based in India;
  • be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and
  • be the point of contact for the grievance redressal mechanism under the provisions of this Act;
• appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and
• undertake the following other measures, namely:—
  • periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed;
  • periodic audit; and
  • such other measures, consistent with the provisions of this Act, as may be prescribed.”

What data access rights does DPDPA grant? 

The DPDP grants the following rights to data subjects: 

• Right to Access
• Right to Correct
• Right to Delete
• Right of grievance redressal
• Right to nominate a third part to act on their behalf

How to address data subject access requests under DPDPA?

The text of the law offers no specifics as to how data subject requests have to be handled. It is expected that the official rules that have yet to be published will clarify the matter.  

Enforcement and Penalties under India's Data Protection Law DPDPA 2023

The enforcing authority will be the Data Protection Board of India, an independent body that has yet to be appointed by the Central Government.  Once appointed, the DPB will have the authority to enforce the DPDP right away, investigating any violations and imposing penalties accordingly. According to Section 33 of the law, “if the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard,” impose monetary penalties, which include the following: 

• Not taking reasonable security measures to prevent data breaches: up to 250 crore rupees (approx. USD 3,000,000).
• Not informing the DPB and the data subject in the event of a data breach: up to 200 crore rupees (approx. USD 2,400,000).
• Not fulfilling obligations related to the processing of personal data of children: up to 200 crore rupees (approx. USD 2,400,000).
• Not fulfilling obligations related to Significant Data Fiduciaries: up to 150 crore rupees (approx. USD 1,800,000).
• Not fulfilling obligations related to Data Fiduciaries: up to 10,000 rupees (approx. USD 120,000). 
• Breach of any term of voluntary undertaking accepted by the Board: Penalty up to the extent applicable for the breach.
• Any other violations of the provisions of the DPDP: up to 50 crore rupees (approx. USD 600,000). 

Data Subject Rights - GDPR vs. DPDP