7 August 2023

Decoding India's Data Protection Act 2023

Ikigai Law
Ikigai Law is an award-winning law firm with a sharp focus on technology and innovation-led businesses. We advise clients from high impact startups to mature market-leading companies and are often at the forefront of policy and regulatory debates for emerging business models. Our TMT practice is ranked by Chambers and we were named Boutique Law Firm of the Year in 2019 by Asian Law Business.

India's Digital Personal Data Protection Act 2023 was assented to by the President of India on 11 August 2023. Read on for a quick explainer of what the law means for you. Our summary of the Act is available here.

1. What data is covered?

Personal data, i.e., data about an individual that can identify them. This includes identifiers like name, phone number, Aadhaar, PAN. It also includes profiling data or usage data, e.g., a user's preferences and choices. It only covers 'digital' data, not offline records. It does not cover non-personal data (business insights, anonymized data).

Does not apply to: Data that is made "publicly available" by the individual, or by any other person under a legal obligation to do so. For example, a blogger posts about her spending habits on social media.

2. Who is affected?

Anyone who processes digital personal data. Processing means collecting, recording, structuring, storing, sharing, or any other automated action on the data. The law recognises two entities:

Data fiduciaries: Businesses that define "purpose and means" of processing. Also called data controllers in other parts of the world, these are businesses that call the shots about their users' data. They decide why data is needed, how it is used, how long it is to be retained. They are responsible for users' data and are accountable under the law.

Data processors: Businesses that process data on behalf of fiduciaries. For example, cloud service providers who host data for their customers, 'know-your-customer' (KYC) service providers who conduct users' KYC on behalf of banks. Fiduciaries tell them what to do.

Offshore businesses: If you "offer" goods or services in India, the law applies to you.

3. Will this change how companies collect personal data?

Yes. To collect personal data, fiduciaries must either get an individual's consent, or the collection/processing must be for certain "legitimate uses" recognised in the law.

Consent: Fiduciaries must give users a notice describing what data is collected, for what purpose, users' rights, and how they can complain to the Data Protection Board (enforcing authority). And on reading this notice, individuals must give clear and affirmative consent confirming that their data can be processed for the specified purpose. They must also allow individuals to withdraw their consent.

Legitimate uses: If companies process data for certain "legitimate uses" recognised in law, they don't need the individual's consent separately. This includes situations where the individual voluntarily provides her data for a specific purpose, or where data is processed to meet legal obligations or to comply with a court order, among other things.

4. What happens to personal data collected before this law?

For data collected before the law kicks in, fiduciaries must send individuals a fresh notice which sets out what data is processed, the purpose, and how individuals can exercise their rights and make complaints to the Board.

5. What else should fiduciaries do?

  1. implement organizational and technical measures;
  2. adopt reasonable security safeguards;
  3. notify personal data breaches to the Data Protection Board and affected individuals;
  4. ensure accuracy, completeness, and consistency of the personal data, in certain situations;
  5. erase personal data once the purpose is met or if the individual withdraws consent;
  6. implement a mechanism to resolve grievances;
  7. appoint vendors only under a contract that describes how they'll use and protect the data, among other things.

Fiduciaries that process large volumes of data or sensitive data could be designated as "significant data fiduciaries". SDFs must: (a) appoint a data protection officer based in India; (b) appoint an independent data auditor and do periodic data audits; and (c) carry out periodic data protection impact assessments.

Action items

  • Map data (identify where each team and function interacts with personal data)
  • Revisit user interface (identify where to show pop-up notices, checkboxes, more information in the customer journey)
  • Update privacy policies or notices
  • Review arrangements with vendors
  • Train employees (across product, business, sales, HR, etc.)
  • Appoint the right officers (grievance officer, data protection officer if a 'significant data fiduciary')

Processing children's data: Companies that collect children's data must get their parent's/guardian's consent. They cannot track or monitor a child's behaviour, or target advertisements to children. The central government can provide exemptions from these obligations.

6. What should data processors do?

The law doesn't spell out specific obligations for data processors or penalties for them. Fiduciaries may pass these on to processors through contracts. So, processors must review their contracts with fiduciaries closely.

7. Can companies transfer/process data outside India?

Yes, but the Indian government can restrict transfers to certain countries through notifications.

8. What rights do individuals have over their personal data?

Individuals can ask fiduciaries to give them information on the personal data being processed, the processing activities, and the identities of all organizations with whom their data has been shared. They can also ask for their information to be corrected/erased, and nominate someone else to exercise their rights on their behalf in case they die or are incapacitated. Companies should allow individuals to easily access grievance redressal mechanisms. The law also places duties on individuals, such as not making false or frivolous claims and not impersonating another person, among other things.

9. What happens if companies don't comply?

The law sets up a Data Protection Board to enforce the law and hand out penalties. Individuals can approach the Board if a data fiduciary doesn't comply with the law. The Board can award penalties up to INR 250 crore for some breaches. There is no criminal liability. In awarding penalties, the Board will assess any steps the company took to mitigate the impact of the breach or non-compliance. Notably, the Board can also ask the government to issue directions to block access to a fiduciary's platform in certain cases.

10. How much time do we get to comply?

The law doesn't say. It could be graded implementation – with some requirements kicking in before others.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
