Commentary on India’s Digital Personal Data Protection Act

After receiving the President’s assent on August 11 and being notified in the Government Gazette on the same day, India’s Digital Personal Data Protection Bill became law, with subsidiary rules and regulations to be made by the Indian government in the coming months.

The Digital Personal Data Protection Act (“Act”) has several key features.

First, the Act adopts new vocabularies (s 2) to refer to key stakeholders that are termed in a relatively uniform manner in other similar legislation, such as “Data Fiduciary” (by extension “Significant Data Fiduciary”) for data controller and “Data Principal” for data subject, though curiously the term “Data Processor” as it is usually understood is retained.

Second, the Act applies, among others, to the processing of digital personal data outside the territory of India “if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India”. Its extra-territorial effect could thus be said to be rather broad. However, the Act generally will not apply to India’s vast outsourcing industry by virtue of an exemption based on contract (s 17(d)).

Third, the Act offers a blanket exemption from its application digital personal data that are made or caused to be made publicly available by the Data Principal herself or any other person who is under an obligation under any prevailing law to make such personal data publicly available (s 3(c)).

Fourth, the Act allows Data Fiduciaries to process personal data on two lawful grounds. The first is when consent has been obtained from a Data Principal. Among other requirements, consent given by the Data Principal must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose” (s 6(1)). The latter half of this section in essence codifies the principles of purpose specification and limitation. The second lawful ground is for “certain legitimate uses”, a detailed list of which can be found in S 7. This list does not include the “legitimate interest” exemption.

Fifth, the Act permits cross-border transfers of digital personal data to any destination, unless the Central Government restricts such transfer to notified destinations (s 16(1)). In other words, the Acts adopts the “blacklist” rather than the “whitelist” approach. On the other hand, the Act has also made it clear that a higher degree of protection or restriction on transfer of personal data outside India under any other Indian law will prevail (s 16(2)). The restrictions on cross-border data transfer to notified, i.e., blacklisted, destinations will affect the outstanding industry insofar as those data are concerned.

Sixth, depending on how one counts, the Act imposes six or seven general obligations on Data Fiduciaries (s 8), while grants four or five primary rights to Data Principals (ss 11 – 14). Additional obligations are imposed on Significant Data Fiduciaries (s 10), including appointing a resident data protection officer and conducting periodic data protection impact assessments.

Seventh, the Act creates an independent data protection authority called the Data Protection Board of India (“Board”) which has fairly broad powers, bars the jurisdiction of civil courts on lawsuits or proceedings for any matter in respect of which the Board is empowered to adjudicate, and allows appeal of the orders and directions of the Board to an Appellate Tribunal which is the Telecom Disputes Settlement and Appellate Tribunal.

Eighth, the Act does not make any distinction between sensitive and non-sensitive personal data, though it imposes additional obligations with respect to personal data of a child and personal data of a person with disability (s 9).

Quoted by Indian media, IT Minister Ashwini Vaishnaw has said that the Indian Government expects to implement Act within the next ten months and that the regulations to be prescribed will be “kept simple and there will not be a multitude of layers of rules.”

ABLI continues to watch developments relating to the Act. More about ABLI’s work in data privacy and protection in the region and its outputs can be found here and here.

 

 

Whilst every effort has been made to ensure that the information contained in this update is correct, the Asian Business Law Institute disclaims all liability and responsibility for any error or omission in this update, and in respect of anything, or the consequences of anything, done or omitted to be done by any person in reliance, whether wholly or partially, upon the whole or any part of the contents of this update.