India’s data privacy protections continue to mature: The Digital Personal Data Protection Act
India recently passed its long-awaited Digital Personal Data Protection Act (Act). It is an expansive law, with carve-outs, that provides rights for individuals and imposes obligations on organizations operating under its purview.
Definition of Personal Data
Personal data in the Act is defined as data about an individual who is identifiable by such data. Personal data can mean data in digital form or data that was collected in non-digital form and later digitized.
Scope of the Digital Personal Data Protection Act
The Act covers any entity processing digital personal data within India’s territory, with some exceptions. The Act also has expansive extraterritorial scope, covering organizations that process data outside of India, “if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.”
The Act does not apply to the processing of personal data for domestic or personal purposes by individuals, or to data made publicly available by the data principal or by someone with a legal obligation to publish the data, such as the personal data of directors that regulated companies must publicly disclose by law. Additionally, Section 17(3) of the Act empowers the government to exempt any category of data fiduciaries from certain or all compliance obligations, while specifically referring to “startups” as one such class of business that could be exempted.
The Act covers:
- Data fiduciaries: the individual or individuals who determine the purpose and means of processing of personal data, commonly referred to as “data controllers” in other global privacy laws
- Data processors: consistent with other privacy laws, the person who processes the personal data on behalf of a data fiduciary
Unlike Europe’s General Data Protection Regulation, the responsibility of compliance with the Act falls solely on the data fiduciary, who may use data processing agreements to ensure data processors’ compliance.
While the Act does not categorize data based on its sensitivity in defining personal data, it does create a category of Significant Data Fiduciaries, determined by one or more of several factors, such as the volume and sensitivity of personal data processed and the risk to the rights of data principals, among others. It also empowers the central government to notify a data fiduciary or class of data fiduciaries that they fall into the category of significant data fiduciaries, and places additional requirements on them, such as appointing a data protection officer, appointing an independent data auditor, undertaking periodic audits, and other measures that may be prescribed.
A significant portion of the Act is dedicated to consent, being given its own section with multiple illustrations to make clear to data fiduciaries what is expected. Data fiduciaries are to obtain consent from the data principal for the processing of her data, and such consent,
“shall be free, specific, informed unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specific purpose and be limited to such personal data as is necessary for such specified purpose.”
There are a few narrowly defined grounds for the processing of personal data without consent, such as the fulfilment of any legal or judicial obligations of a specified nature, medical emergencies, and breakdown of public order. Conspicuously absent are the “contractual necessity” and “legitimate interests” grounds that appear in GDPR and other data privacy laws as lawful bases for processing. The absence of these express grounds for processing could present a significant challenge for organizations, particularly large organizations already relying on those grounds to process personal data for routine or necessary business operations.
Rights of Citizens under the Digital Personal Data Protection Act
Similar to other global privacy laws, the Act creates a series of rights for data principals that place obligations on businesses to provide and honor those rights. The right to information mirrors many laws’ “right to know,” meaning that upon request, data fiduciaries must explain their methods of data processing to individuals in a clear and understandable way. The Act also provides rights to correction and to grievance redressal, similar to those found in GDPR and other laws. The Act provides a unique right for a data principal to nominate other individuals to exercise their rights in the event of incapacity. Organizations should put mechanisms in place to track and record when data principals exercise these rights, to ensure that they and their data processors are in compliance.
How to Prepare for the Digital Personal Data Protection Act
While it is not yet confirmed that organizations will have six months to come into compliance, it is clear that action should be taken sooner rather than later to avoid running afoul of the Act. The Act explicitly calls for mechanisms that allow organizations to ensure the compliance of their data processors with its consent requirements. Organizations should review their processing activities and determine which rely on consent, whether consent is required, and whether the activity falls into one of the narrow exceptions. To ensure that consent is “free” and “unambiguous,” organizations should avoid bundling consent requests with other terms and conditions, and instead create standalone notice and consent requests for data principals to review and submit.
Given the significance of consent within the Act, organizations would do well to establish or cement a process of collecting and managing the consent of data principals, and verifying the consent of parents of children and guardians of persons with disabilities.
The other side of that coin is having a consent withdrawal process that is as easy for the data principal as providing consent in the first place. Of course, organizations need to be able to accurately and efficiently track and synchronize consents and withdrawals across systems to ensure that the applicable processing is occurring or ceasing as required. Perhaps most importantly, an organization must be able to show that it received valid consent from the data principal before engaging in data processing, making accurate records of consent key.
If you have any questions about your company’s compliance with cyber regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.