India is home to the planet’s largest national population, a whopping 1.4 billion people, and, as of August 11th, 2023, to one of its newest data privacy laws. Join us as we take a deep dive into the Indian Digital Personal Data Protection (DPDP) Act’s fundamental rights, responsibilities, and implications for everyday internet users and online entities alike.
Digital Personal Data Protection DPDP Act India 2023 – What You Need To Know
Rights Provisioned by the Indian DPDP
In what can be seen as a continuation of a growing trend around the world, India’s Digital Personal Data Protection Act establishes several fundamental rights for citizens whose information may be collected by businesses online.
The Right to Access
Individuals have the right to access whatever personal information a company has collected about them. Companies must provide the individual with an easily understandable copy of their personal data in a commonly used electronic format, and should also indicate the purpose for which it was processed.
The Right to Correct
Should any information stored or handled by a company be incorrect, users may request to have it corrected. Companies are responsible for ensuring the accuracy of their information and must facilitate requests to update or amend it without undue delay.
The Right to Erase
The DPDP affords Indian citizens the ability to request the complete erasure of their personal data by online entities that process it. Again, companies that receive such requests must follow through in a timely manner. The only exceptions under which collectors can keep information in spite of a request for erasure are when retention is necessary for its specified purpose or for legal compliance.
The Right to Complete
Kind of like the right to correct, the right to complete establishes that Indian internet users have the power to require online collectors to fill in any incomplete information they may possess. Individuals can also demand that their data be updated should it become outdated or irrelevant to the purpose for which it was originally collected.
The Right to Grievance Redressal
India’s law is a bit unique in that it introduces something called ‘grievance redressal’, which essentially gives individuals a guaranteed right to complain about and follow up on potential violations of the DPDP. This is similar to the European Union’s General Data Protection Regulation (GDPR), which includes a right for individuals to be informed about how their data is used and collected, as well as have access to that information.
Types of Data Covered by India’s DPDP
This novel data protection law deviates slightly from its counterparts by defining and applying its rules with a very broad brush. Unlike the GDPR, which recognizes special categories of data like race, ethnic origin, and religion, India’s DPDP does not.
‘Personal data’, as it’s defined under the law, is any information in electronic form capable of identifying a ‘data principal’, or person. This might include things such as name, address, phone number, or email address. It’s worth noting that India’s data privacy framework applies to any type of personal data held in digital form, regardless of whether it was initially collected through digital or non-digital means.
Applicability of the DPDP
Laws like the GDPR are designed to act as a guardrail for organizations that profit off of consumers’ personal data. They aren’t traditionally targeted at small businesses or individual proprietors so long as their processing activities take place on a small scale.
The DPDP is a bit different, though; instead of outlining numerical qualification criteria, such as a minimum percentage of profit derived from the sale of data, it broadly applies to anyone who meets three basic conditions.
Processing Personal Data
The first qualifying criterion is to be a data fiduciary, or controller. This is defined as any entity that, either alone or in partnership with others, seeks to collect and use digital data for its own predefined purposes.
Handling Personal Data Connected to India
The DPDP stands to affect any organization that processes digital personal data either within India’s borders or in connection with consumer-facing business activities in India. Being located in New Delhi, for instance, would be an instant qualifier. International companies that operate from abroad but have customers located in India also fall under the scope of the DPDP.
While there aren’t many to be noted, India’s DPDP does outline a few circumstances under which its rules and penalties may not apply. State agencies are unlikely to have to follow these new guidelines, as the government reserves the discretion to override them when deemed necessary. Other matters relating to national security, public order, or the country’s sovereignty are exempt as well.
As for specific categories of data that might receive an exception, the DPDP states that personal information processed for domestic purposes, as well as information intended for use in research and statistics, is not covered by its rights and protections.
Legal Grounds for Data Processing Under the DPDP
Much like the GDPR, the DPDP provides for two lawful bases upon which companies may process individuals’ personal data: consent and legitimate use.
Consent is pretty straightforward. It’s the way most websites go about insulating themselves from privacy law fines: a consent banner (or cookie banner) asking users for permission to process their data for marketing or related business purposes, with cookie consent being the typical example. Hardcore industry readers will know, however, that consent isn’t one and the same across global data privacy regulations. Europe’s GDPR defines consent as ‘freely given’, while California’s CPRA assumes it is given and instead only requires sites to provide visitors with an easy way of indicating otherwise.
India’s new policy follows an opt-in framework, meaning that, as in the EU, organizations will need to obtain consent before processing any applicable data.
Just when you thought things couldn’t get any more technical, there’s legitimate use. This concept is similarly applied in data laws around the world, albeit with different thresholds for what does and doesn’t constitute reasonable grounds for data processing.
The entire point of establishing legitimate uses is to give processors a bit of flexibility when it comes to high-stakes situations, like those involving court orders or medical emergencies.
Some regulations are more stringent than others, though, and companies are expected to both meet requirements and have proof that they’ve done so when going this route.
India’s DPDP specifically outlines that government, emergency, and public health concerns have the power to override individuals’ privacy rights as legitimate interests. Employment purposes also cover routine acts of processing intended to safeguard the organization from loss or liability.
What DPDP Compliance Looks Like
Let’s delve a little deeper by fleshing out what all of India’s new rules for data consent look like in action, because although they might be similar to other laws, they aren’t exactly the same. Any organization that wants to avoid penalties under the DPDP should take special care to understand the unique nuances of this framework. It’s not uncommon for gaps to exist between new laws and already existing ones, while in some cases a new law might go even further than whatever precedents have already been set.
Obtaining Lawful Consent
We’ve already established that the DPDP follows an opt-in framework, which means consent needs to be freely given by end users. But what defines ‘freely given’?
Obtaining valid consent for data processing goes beyond simply adequately informing individuals of what they’re agreeing to – it also entails asking them in an ethical way. According to the DPDP, this looks like full transparency outright. Websites cannot request consent for one purpose and then use it as grounds for others.
‘Bundled consent’, an approach under which companies aim to request user permission for a broad range of uses with little detail, isn’t allowed either.
Part of what makes a ‘right’ a ‘right’ is that it’s unconditionally guaranteed. Most, if not all, major data privacy frameworks that exist to date recognize this, and as such explicitly prohibit data processors from making their requests for consent transactional in any way.
India’s new DPDP is no exception: individuals it covers are fully entitled to browse a website and access the exact same services as anyone else, regardless of whether they opt in to data sharing or not. Companies are barred from treating people differently should they choose to exercise their rights under the law.
Special Considerations for Minors
Children are given additional protections under India’s data privacy law, which means that websites must adhere to special rules when requesting access to or using their personal information. Verifiable parental consent is required in any case where a data subject is less than 18 years of age. As with adults, the permission that a parent or guardian provides must be affirmative, or opt-in. Consent cannot be assumed, nor can any data be processed without it should a website know its user is a minor.
In addition to requiring confirmation of age and special consent when applicable, the DPDP prohibits online entities from targeting advertising (through tracking cookies) to children and taking part in processing activities with the potential to detrimentally affect them. What makes something ‘detrimental’ is determined on a case-by-case basis, but activities that exploit the trust of children or influence their behavior have been flagged as particularly hazardous.
If you want to know more about (tracking) cookies, read our article: What are cookies?
Providing Visitors with a Withdrawal Mechanism
Just like how individuals have the right to freely give websites permission to process their personal data, they can also take it away. Not just ‘can’, for that matter, but should always have the option to. The DPDP is clear about the fact that data subjects are fully entitled to change their mind and withdraw their consent.
All websites are expected to include a mechanism that makes it easy for visitors to opt out of having their data processed by them. This can be in the form of a button, link, or other feature that is clearly visible on their website. If users want to revoke their consent and delete all data related to them, they should be able to do so without difficulty.
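As an added example (not code from the article or from CookieFirst), the following JavaScript sketches a purpose-bound consent store that enforces the consent rules described in the sections above: opt-in by default, no bundled or re-purposed consent, withdrawal at any time, and verifiable parental consent with no targeted advertising for minors. The purpose names and function names are assumptions made for this illustration.

```javascript
// Added illustration, not the article's or any CMP's code: a purpose-bound
// consent store for the DPDP consent rules described above. Purpose and
// function names are assumptions for this example.
const PURPOSES = ["necessary", "analytics", "marketing"];

function createConsentStore({ isMinor = false, parentalConsentVerified = false } = {}) {
  // Opt-in: only strictly necessary processing is allowed until the user grants more.
  const granted = new Set(["necessary"]);
  const history = []; // audit trail of grants/withdrawals, useful for grievance redressal

  function record(event, purpose) {
    history.push({ event, purpose, at: new Date().toISOString() });
  }

  return {
    // Consent is given one purpose at a time, so it can never be "bundled".
    grant(purpose) {
      if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
      if (isMinor && !parentalConsentVerified) return false; // no processing without a verified parent
      if (isMinor && purpose === "marketing") return false;  // targeted advertising to children is barred
      granted.add(purpose);
      record("grant", purpose);
      return true;
    },
    // Withdrawal must be as easy as granting; non-essential purposes can always be revoked.
    withdraw(purpose) {
      if (purpose === "necessary" || !granted.has(purpose)) return false;
      granted.delete(purpose);
      record("withdraw", purpose);
      return true;
    },
    withdrawAll() {
      for (const p of [...granted]) if (p !== "necessary") this.withdraw(p);
    },
    allows(purpose) { return granted.has(purpose); },
    snapshot() { return [...granted].sort(); },
    auditLog() { return history.slice(); },
  };
}

// Gate a processing step on consent for *its own* purpose: consent collected
// for one purpose never justifies processing for another.
function processIfAllowed(store, purpose, op) {
  if (!store.allows(purpose)) return { processed: false, reason: `no consent for ${purpose}` };
  return { processed: true, result: op() };
}
```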
Appointing a Data Protection Officer
While this next part remains somewhat unclear in terms of applicability, it’s still worth covering for those who may be required to follow it once further details emerge.
Like California and Europe’s data laws, India’s new framework recognizes the importance of having a designated point of contact for compliance-related matters. A Data Protection Officer, or DPO, is responsible for monitoring the organization’s activities related to personal data and is tasked with making sure that all operations are fully compliant with guidelines.
This individual can technically be anyone, although organizations are encouraged to hire professionals who are fully familiar with the legislation they must adhere to.
So far, India’s government has provided little information about when a DPO will be necessary under the DPDP. We know that it’s a requirement for ‘significant data fiduciaries’, but have no definition of what makes an organization one. For the time being, it would be wise for any medium-sized or large business to start exploring potential options in case they are indeed expected to appoint someone.
Notifying In the Case of a Breach
Having a Data Protection Officer can come in handy with respect to another one of the DPDP’s guidelines – notification of data breaches. Organizations need to be ready to both identify and inform affected parties within a reasonable time frame.
Using Data Processing Agreements
Data processing agreements are a type of contract that essentially outlines the terms and conditions upon which two separate organizations share data with one another. Many prominent international data privacy laws already require this from site operators – you may already have agreements with partners under the GDPR or recently established EU-US Data Privacy Framework.
The caveat of it being required in the DPDP is that, like legitimate use, India has its own set of rules for data processing agreements. Or maybe a lack thereof for the time being, as the country’s government has yet to release official guidance on the matter.
At the very least, website operators should expect to need partners that both meet DPDP standards for data security and can enter into a binding contract.
Implementing Adequate Security Practices
Laws like India’s DPDP are no good if they are not strict. It is the guidelines that set expectations for data processors, and the extent of those guidelines, that define how effective a data protection law truly is.
Organizations under the purview of this Indian law and other major laws are required to uphold whatever rights and responsibilities legislators fill out in the official text. Not only that, but they are also expected to continuously operate in line with set standards for data security.
Again, these can differ from policy to policy, but across the board, generally consist of basic measures such as:
- Implementing encryption technology
- Access control and authentication systems
- Logging processes to monitor data usage, etc.
India DPDP Fines
You could tout how broad in applicability a framework is to the masses, but it ultimately won’t make a difference without teeth. As famous cases with the likes of Meta and Amazon have shown us, large companies aren’t afraid to overstep the line when it comes to data privacy law, even when policies such as the GDPR, which is considered one of the world’s most comprehensive, apply.
That’s why India hasn’t held back in drafting its Digital Personal Data Protection Act, concisely identifying what kinds of penalties await those who break the rules.
The law provides for fines ranging between INR 10,000, or roughly $120.71 USD, to INR 250 Crores, about $30,177,175 USD. India’s government does not establish fines based on annual turnover and instead applies them on a case-by-case basis. The country’s Data Protection Board has the power to carry out investigations upon receipt of a complaint, issue warnings and notices to concerned parties, and impose penalties as necessary.
Don’t want to leave your organization’s privacy law compliance to chance? Choose CookieFirst. Our advanced consent management platform (CMP) helps businesses around the world stay ahead of the ever-changing regulatory landscape. Try it today!