India has finally enacted its data privacy law, the Digital Personal Data Protection Act. The legislation is slated to come into force in about 10 months. India has chosen a somewhat different path from other countries by enacting a simpler and less prescriptive law than the GDPR-type legislation that is commonplace today.
From the perspective of international businesses, the law will cover processing of personal data if a business outside India offers goods or services to persons within India. The law is largely inapplicable to the huge Indian outsourcing/offshoring industry, which processes personal data of non-Indians. The main requirement for that industry is to ensure reasonable security safeguards.
Consent is the key ground for processing personal data. Significantly, there is no general legitimate interest ground. Consent must be freely given, specific, informed, unconditional and unambiguous, indicated through a clear affirmative action. Given that the language is more or less the same as under GDPR, if consent is interpreted in a similar manner as under GDPR, one wonders how businesses will cope with these requirements.
There are several exemptions to some provisions including the need for consent. These mostly relate to compliance with law, compliance with court judgments, public order, medical emergencies, etc. There are several exemptions applicable to the government. One key exemption is where personal data is provided “voluntarily” by the data subject (“data principal” under the new law), and there is no objection to processing of the personal data by the data principal. Surprisingly, there is a fairly broad exemption covering processing of personal information for employment.
The government can also notify classes of data controllers (referred to as “data fiduciaries” under the new law) including start-ups, who can be exempted from certain provisions of the law.
The law includes basic rights of data principals such as the right to access what personal data is being processed, the right to have personal data corrected or updated and the right to deletion where the purpose for which the personal data was collected is no longer served. The data principal can also withdraw consent. Data principals also have a right to have their grievances addressed. Data portability is, however, not included as a right.
There is a requirement that data fiduciaries must ensure reasonable security to safeguard personal data. This largely covers all data fiduciaries, including those exempt from consent requirements. Failure to comply can result in penalties of up to Rs 25 billion (US$ 30 million). The law has a fairly wide definition of a data breach that appears to include vulnerabilities, and it also sets a strict standard that requires every data breach to be notified to the data protection authority and the concerned data principals.
The law also prescribes strict standards with regard to children. The age threshold is at 18 years. Parental consent is required. The law does not allow behavioral monitoring or targeted advertising. However, the government does have the power to relax these prohibitions.
India has moved away from its earlier position on data localization and has provided for a fairly relaxed regime – the government will notify countries to which personal data cannot be transferred. However, there are no other means of transferring personal data to these countries, such as through SCCs. The law will not affect data localization requirements under sectoral laws, for example, the data localization requirements in the payment space.
The new Indian law includes the concept of a significant data fiduciary (“SDF”). This would mostly cover very large data controllers. However, the criteria to be considered by the government in notifying who is an SDF include “threat to democracy” and “potential impact to the sovereignty and integrity of India”. This may then cover smaller data fiduciaries, especially those involved in media and content platforms.
Only an SDF needs to appoint a data protection officer. However, the law does require all data fiduciaries to appoint a person to oversee grievances. An SDF has to conduct privacy audits by an independent privacy auditor and also conduct privacy impact assessments in a manner to be prescribed by the government.
The law prescribes a schedule of maximum penalties for various violations, with the maximum penalty, applicable to failure to maintain reasonable safeguards to protect personal information, being Rs 25 billion (US$ 30 million). There is, however, no provision for awarding compensation – all penalties are paid to the government.
Overall, the approach adopted by the Government of a simpler law is more suited to a country like India. However, some of the requirements are stricter than GDPR and will require a stronger compliance effort. Given that the law is finalized now, it is time for international companies doing business in India to begin the process of complying with the new law.
Stephen Mathias, Senior Partner at Kochhar & Co, stephen.mathias@bgl.kochhar.com