Introduction

The Digital Personal Data Protection Act, 2023 ("DPDP Act") which had received presidential assent was notified in the official gazette on August 11, 2023. It will come into force on a date yet to be notified by the central government. The DPDP Act has been introduced as a specific legislation to govern personal data vis-a-vis an individual's right to privacy in India.

At present, the Information Technology Act, 2000 ("IT Act") along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules") regulates the collection[1], disclosure[2], transfer[3] and security practices and procedures[4] for the handling of Personal Information[5] and/or Sensitive Personal Data/Information[6].

Privacy Policy under the SPDI Rules

The SPDI Rules apply to all body corporates or any persons who on behalf of a body corporate (collectively, "Body Corporates") collect, receive, possess, store, deal in or handle Personal Information including Sensitive Personal Data or Information of any person located within India[7].

The SPDI Rules stipulate that Body Corporates, while collecting Personal Information including Sensitive Personal Data or Information, must, in relation to such collection, publish a privacy policy which must include[8]:

  1. a clear and easily accessible statement on its practices and policies;
  2. type of information collected under Rule 3 of SPDI Rules which may include Sensitive Personal Data/Information;
  3. purpose of collection and usage of such information;
  4. policy on disclosure to third parties under Rule 6 of SPDI Rules; and
  5. reasonable security practices and procedures adopted by the Body Corporate under Rule 8 of the SPDI Rules (collectively, "SPDI Requirements").

Other Requirements under the SPDI Rules

While Rule 4 of the SPDI Rules outlines mandatory SPDI Requirements for a privacy policy, the general rule has become to include certain other provisions of the SPDI Rules within a privacy policy, as good practice.

An important part of the SPDI Rules is that any Body Corporate collecting Sensitive Personal Data or Information must obtain consent from the provider of information ("Provider"). Further, a Body Corporate must give the Provider the option to opt out and withdraw consent for the Personal Information and/or Sensitive Personal Data/Information.[9] Body Corporates must also offer the Provider the right to review, correct or amend such information to ensure that it is accurate and free of deficiency.[10] In case of transfer of Sensitive Personal Data or Information outside India, the Provider must explicitly consent to the transfer of Sensitive Personal Data or Information to another Body Corporate or any other country.[11] Further, a Body Corporate is required to publish the name and contact details of its grievance officer on its website.[12] As a general practice, the above requirements are incorporated within a privacy policy by a Body Corporate along with the mandatory SPDI Requirements.

Such practices enable the Body Corporate to have in place a blanket document that eliminates the requirement for repetitive updates each time Personal Information and/or Sensitive Personal Data/Information is collected, disclosed, or transferred by a Body Corporate. This practice further enables the Body Corporate to conveniently obtain explicit consent of its users without seeking specific consent for every collection, disclosure or transfer of Personal Information and/or Sensitive Personal Data/Information.

The Digital Personal Data Protection Act, 2023

Unlike the SPDI Rules, the DPDP Act does not explicitly lay down the requirement for publication of a privacy policy. However, the DPDP Act states that consent for processing[13] of Personal Data[14] must be "free, specific, informed, unconditional and unambiguous with a clear affirmative action."[15] To meet the criterion of "informed", the DPDP Act states that Data Principals[16] must be provided with a written notice[17] prior to or at the time they are requested to grant their consent. Such notice must specify:

  1. category and the purposes of Personal Data to be processed;
  2. the contact details of the relevant Data Protection Officer[18];
  3. manner in which the Data Principal can make a complaint to the Board[19]; and
  4. the manner in which a Data Principal can exercise its rights under the DPDP Act, which includes the:
    1. right to withdraw its consent for processing of Personal Data; and
    2. right to grievance redressal (collectively, "Content").

The DPDP Act states that Data Principals must be provided with the option to access such notice in English or one of the languages identified under the Eighth Schedule to the Constitution of India.[20]

However, the DPDP Act has not provided any explicit provision on the procedure for effecting translation of such notice.

Further, under the DPDP Act, Data Fiduciaries[21] are obligated to obtain verifiable consent of a parent or legal guardian of children or persons with disability prior to the processing of their Personal Data.[22]

The DPDP Act has laid down certain additional rights of Data Principals such as:

  1. right to access the Personal Data shared and the processing activities, including the names of Data Fiduciaries[23];
  2. right to nominate an individual in the event of a Data Principal's death or incapacity[24]; and
  3. right to correct, complete, update and erase Personal Data shared[25] (collectively "Rights").

Additionally, the DPDP Act imposes certain obligations on Data Principals to prevent any exploitation of rights granted under the DPDP Act, such as the duty to[26]:

  1. not impersonate another person while providing Personal Data;
  2. not suppress any material information while providing Personal Data;
  3. not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and
  4. furnish only such information as is verifiably authentic (collectively "Duties").

However, there is no legal requirement to explicitly notify the Data Principals of such Rights and Duties in the notice mandated under Section 5 of the DPDP Act.

Good practice for a Privacy Policy under the DPDP Act

Accordingly, while the DPDP Act does not explicitly mandate a privacy policy, the construct of a privacy policy remains integral and cannot be disregarded under this new regime of the DPDP Act. The fundamental elements of a privacy policy (as stated above) have remained constant in line with the SPDI Rules. The DPDP Act has introduced a few new additional provisions which may be incorporated within a privacy policy as good practice. Such additions, amongst other provisions, include:

  1. the Content;
  2. the manner and procedure for Data Principals to file complaints with the Board;
  3. Rights and Duties of Data Principals;
  4. children and persons with disabilities' right to provide consent through their parent or legal guardian (as may be applicable) prior to the processing of their Personal Data; and
  5. option to view the above provisions in either English or one of the languages identified under the Constitution of India.

GDPR versus the DPDP Act

Much like other data protection laws across the world, the DPDP Act also draws inspiration from the General Data Protection Regulation (EU) 2016/679 ("GDPR"), which sets out standards for protection of an individual's privacy. While the GDPR is not applicable to anonymized data[27], the DPDP Act has language which could imply that it will not apply to data that cannot identify an individual[28]. Fundamental principles of obtaining free and informed consent of Data Principals under the DPDP Act[29] are in line with the GDPR[30]. Processing of personal data under both the DPDP Act[31] and the GDPR[32] requires a lawful purpose. In a manner akin to the GDPR, the DPDP Act lays down certain legitimate uses[33] for the processing of personal data without explicit consent in certain situations such as employment, medical emergencies, or performance of any legal obligation.

While an existing compliance program under the GDPR can be used as a starting point, it is pertinent to note that the DPDP Act has also incorporated certain elements that differ from the GDPR. For example, unlike the GDPR, the DPDP Act does not classify personal data into specific categories. While the GDPR also applies to offline data[34], the DPDP Act only governs data in digitized form[35]. Transfer of personal data under the DPDP Act is permitted except to countries which may be prohibited by the central government[36], whereas the GDPR permits such transfer of data under certain specific conditions. The DPDP Act has also introduced a new set of actors under its purview, i.e., the Consent Managers[37], to manage consents for Data Principals. Hence, while capturing the essence of the GDPR, the DPDP Act has incorporated certain unique elements within its text.

Conclusion

With the enactment of the DPDP Act, businesses will now have to revise their existing legal documentation, including their privacy policies and other ancillary documents. This process will ensure compliance with the evolving data protection regime under the DPDP Act. While certain specific rules, standards and procedures supplementing the DPDP Act are yet to be notified by the central government, it can be expected that the foundational elements of a privacy policy (as was prevalent under the SPDI Rules) shall remain constant, with the only exception of the new additions (as stated above) introduced by the DPDP Act.

Footnotes

1. Rule 5 of the SPDI Rules.

2. Rule 6 of the SPDI Rules.

3. Rule 7 of the SPDI Rules.

4. Rule 8 of the SPDI Rules.

5. Rule 2(1)(i) of the SPDI Rules defines "Personal Information" as any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

6. Rule 3 of the SPDI Rules defines Sensitive Personal Data or Information of a person as personal information which consists of information relating to: (i) passwords; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the aforementioned information, as provided to the entity for providing service; (viii) any information received under above sub-clauses by an entity for processing or are stored or processed under lawful contract or otherwise. Information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 will not be considered sensitive personal data or information.

7. https://www.meity.gov.in/writereaddata/files/PressNote_25811.pdf

8. Rule 4 of the SPDI Rules.

9. Rule 5(7) of the SPDI Rules.

10. Rule 5(6) of the SPDI Rules.

11. Rule 7 of the SPDI Rules.

12. Rule 5(9) of the SPDI Rules.

13. Section 2(x) of the DPDP Act defines "processing" in relation to personal data, as a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

14. Section 2(t) of the DPDP Act defines "Personal Data" as any data about an individual who is identifiable by or in relation to such data.

15. Section 6(1) of the DPDP Act.

16. Section 2(j) of the DPDP Act defines "Data Principal" as the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.

17. Section 5 of the DPDP Act.

18. Section 2(l) of the DPDP Act defines a "Data Protection Officer" as an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10 of the DPDP Act.

19. Section 2(c) of the DPDP Act defines "Board" as the Data Protection Board of India established by the Central Government under section 18 of the DPDP Act.

20. Section 5(3) of the DPDP Act.

21. Section 2(i) of the DPDP Act defines "Data Fiduciary" as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

22. Section 9 of the DPDP Act.

23. Section 11 of the DPDP Act.

24. Section 14 of the DPDP Act.

25. Section 12 of the DPDP Act.

26. Section 15 of the DPDP Act.

27. Recital 26 of the GDPR.

28. Section 3 of the DPDP Act.

29. Section 6 of the DPDP Act.

30. Article 7 of the GDPR.

31. Section 4(1) of the DPDP Act.

32. Article 6 of the GDPR.

33. Section 7 of the DPDP Act.

34. Article 2 of the GDPR.

35. Section 3 of the DPDP Act.

36. Section 16(1) of the DPDP Act.

37. Section 2(g) of the DPDP Act defines a "Consent Manager" as a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
