On August 11th 2023, the Indian Government enacted the Digital Personal Data Protection Act, 2023 (“DPDP Act” or “the Act”) by publishing it in the Official Gazette. The DPDP Act, when effective (as per dates to be notified), will govern the personal data processing activities of a broad range of organisations that operate in the Indian market.
To align with global standards, the DPDP Act has been partially modelled on Regulation (EU) 2016/679 (“the GDPR”) and on the data protection laws of Singapore and Australia. The DPDP Act will replace the current data protection rules contained in the Information Technology Act (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“SPDI Rules”).
The law does not contain an explicit transition or grace period for compliance. In light of the inaugural round of discussions concerning the implementation of the DPDP Act by the Ministry of Electronics and Information Technology (“MEITY”) on September 20th, 2023, a graded approach for compliance with the DPDP Act with transition timelines may be possible.
The structure of this article is as follows: we first provide an analysis of the law and explore its key similarities to and differences from the GDPR. We then explain, with reference to the DPDP Act, its scope and covered actors, processing obligations, data subject rights, transparency and accountability requirements, cross-border data transfers, and enforcement and liability.
| Similarities to GDPR | Differences to GDPR |
| --- | --- |
| The DPDP Act applies to personal data processing in India where such data is in digital form, or is in non-digital form and is digitised subsequently. It will also apply to processing outside of India if the processing is in connection with any activity related to the offering of goods or services in India. | Unlike the GDPR, which has both an establishment criterion (Article 3(1) of the GDPR) and a targeting criterion (Article 3(2) of the GDPR) for its territorial scope, certain provisions of the DPDP Act do not apply to processors in India that process personal data of individuals outside of India pursuant to a contract entered into with companies also located outside of India (e.g., in outsourcing arrangements). |
| The DPDP Act covers “data fiduciaries” and “data processors” (which overlap with the concepts of data controller and data processor in the GDPR, respectively). A written agreement must be concluded between data fiduciaries and data processors. However, data fiduciaries remain responsible for complying with the provisions of the Act. | A category of organisations that the Central Government designates as “significant data fiduciaries” will carry heightened obligations (including appointing a data protection officer (DPO) in India and conducting periodic data protection impact assessments (DPIAs), audits, etc.). |
| Data fiduciaries must have a lawful purpose for processing and adhere to other processing principles. Some conditions that permit lawful processing under the DPDP Act mirror the legal bases under the GDPR. | Consent must always be collected except in circumstances where there is a “legitimate use” of the data, one of which relates to employment purposes. However, certain legal bases provided for in the GDPR, such as contractual necessity and legitimate interests, are not included in the DPDP Act. |
| When obtaining consent from individuals, data fiduciaries must ensure it is free, specific, informed, unconditional and unambiguous, with a clear affirmative action. A privacy notice describing details such as the purpose of processing and the types of data collected must be presented. | Unlike the GDPR, the DPDP Act does not contain a section on special categories of personal data, nor does it seem to require data fiduciaries to publish privacy policies in general situations (as is the case under Articles 13 and 14 of the GDPR). Certain obligations exist under other sectoral laws. |
| The DPDP Act grants rights to individuals, including the rights to access, correction, erasure, nomination of individuals and grievance redressal. | Unlike the GDPR, the DPDP Act does not contain a right to data portability or a right not to be subject to automated decision-making with legal or similarly significant effect. Access rights may be limited in certain scenarios. |
| The DPDP Act imposes special safeguards around the processing of children’s data. | Before processing any personal data of children or of persons with disabilities who have lawful guardians, data fiduciaries must obtain verifiable consent of the parent (or such lawful guardian). The manner of obtaining such verifiable parental consent will be prescribed through rules under the Act. A child is anyone under the age of 18, unless designated otherwise by the Government. |
| Data fiduciaries must adopt technical and organisational measures to ensure the security of data. In case of a personal data breach, the Data Protection Board of India (“DPBI”) and the affected data subjects have to be informed. Other data breach notification rules will be subsequently promulgated by the Government. | Unlike the GDPR, which requires an organisation caught by the extraterritorial scope of Article 3(2) to appoint a representative in writing, the DPDP Act does not require data fiduciaries to appoint a representative. However, data fiduciaries must appoint a point of contact, and significant data fiduciaries must appoint a DPO, for the purpose of grievance redressal. Significant data fiduciaries are also required to conduct DPIAs, undertake periodic audits, etc. |
| The DPBI will enforce the DPDP Act and can issue enforcement orders and financial penalties for violations. It is the new Indian data protection supervisory authority. | Unlike the GDPR, which mandates that transfers of personal data to third countries or international organisations may only take place in defined circumstances and in compliance with Chapter V of the GDPR, the DPDP Act by default permits transfers of data across borders. However, the Indian Government may establish transfer conditions in future and designate certain countries to which data transfers are prohibited. Cross-border data transfers will also be subject to any higher degree of protection or restriction under any other laws in India. The Central Government may, through notification, exempt its agencies from the provisions of the Act, inter alia in the interests of state security and maintaining public order. Such exemption could extend to the conditions for processing personal data, as well as to the applicable data protection principles, such as the collection, purpose and storage limitation requirements under the Act. |
Section 3 of the DPDP Act sets forth the scope of the law, which applies to the processing of personal data both within and outside the territory of India if certain conditions are met.
In addition to these scoping provisions, Section 3 includes a household exemption when data processing occurs for solely personal or domestic purposes. The Act will similarly not cover personal data made publicly available by the data subject or under law (Sec. 3(c)).
The DPDP Act applies to the processing activities of data fiduciaries. Like the concept of controller in the GDPR, a data fiduciary refers to any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data (Sec. 2(i)). The Central Government of India may designate a special class of these entities as significant data fiduciaries, based on factors such as the volume and sensitivity of data processed and the risk of harm. These entities must comply with heightened obligations (see below). It is expected that big tech companies may be designated under this category.
A data processor is any person who processes personal data on behalf of a data fiduciary (Sec. 2(k)). The DPDP Act does not contain many terms (or a separate section) that uniquely apply to data processors. For instance, while there is an equivalent provision to Article 28 of the GDPR that requires data fiduciaries to enter into a data processing agreement (DPA) with their processors, the DPDP Act does not prescribe any minimum necessary terms. In addition, processors in India processing data of foreign individuals on behalf of or pursuant to a contract with a company also outside of India will be exempted from certain provisions of the Act (Sec. 17(1)). This is different from the GDPR, under which processors located in the EEA would still fall within the scope of the GDPR in application of its Article 3(1), regardless of whether or not they process personal data on behalf of organisations located outside of the EEA.
The DPDP Act governs the processing of personal data of data principals, which are the individuals to whom the personal data relates. The concepts of personal data and processing seem to overlap textually with those in the GDPR: personal data is that which relates to an “identified or identifiable individual” while processing includes typical operations such as collection, structuring, storage, sharing, disclosure by transmission, destruction etc. While the DPDP Act offers some illustrative examples of processing activities, it remains unknown how the text will apply in practice.
With respect to data principals, this term is for the most part the same as data subjects under the GDPR, but also extends to parents or lawful guardians of children or a person with disability (Sec. 2 (j)).
Chapter 2 of the DPDP Act establishes the obligations of data fiduciaries, including the circumstances in which they may process personal data. Although the DPDP Act does not expressly refer to data protection principles, the Citizens’ Data Security and Privacy Report submitted to the Lok Sabha (i.e. the Lower House of the Parliament of India) on August 1st 2023, which outlines the Act’s legislative history and key considerations, explains their explicit connection to the requirements of the law and their similarity to internationally recognised standards. For instance, the law includes provisions that govern:
Like the GDPR, the DPDP Act requires data fiduciaries to have a lawful purpose for all processing operations. By contrast, it does not list separate lawful grounds from which an organisation can choose (such as in Article 6 of the GDPR). Rather, data fiduciaries must primarily obtain consent and can in some circumstances rely on “legitimate use” conditions.
Consent – Section 6 of the DPDP Act sets forth rules on consent, which significantly change the existing requirements for data fiduciaries. Currently, the SPDI Rules require organisations to obtain consent in writing when they collect “sensitive personal data”, which is defined by an exhaustive list of data types. The DPDP Act extends this requirement to all personal data and imposes a more stringent standard for consent requiring a ‘clear affirmative action’, which seems to be partially modelled on the GDPR.
Legitimate Uses – As mentioned above, data fiduciaries may rely on certain legitimate uses to process personal data under limited circumstances, when obtaining consent to lawfully process personal data may be practically infeasible. These nine alternative grounds are defined as certain legitimate uses, under Section 7 of the Act. While some of these grounds overlap with the lawful grounds to process personal data under the GDPR, certain grounds are unique to the Indian context.
Exemptions – Section 17 exempts data fiduciaries from most obligations under the Act in specific situations, including when processing is (i) necessary to enforce legal rights and claims, (ii) conducted by courts or tribunals in connection with a judicial function, and/or (iii) in the interest of prevention, detection, investigation, and prosecution of any offence under law. Notably, the Act does not apply to processing of personal data by government agencies notified by the Central or State Government (on certain grounds, such as when in the interest of Indian sovereignty and security). Further, the Central Government may exempt processing that is necessary for research, archiving, and statistical purposes from the scope of the Act, provided that (i) such processing is not used to make decisions about a specific data principal, and (ii) it is carried out in accordance with the standards prescribed by the Central Government. The Central Government may also exempt certain data fiduciaries (including start-ups) from certain provisions of the law, considering the nature and volume of personal data processed.
The DPDP Act sets forth additional processing requirements for special circumstances. Like the GDPR, there is a recognition in the law that these conditions require heightened care due to the enhanced risks they carry. The DPDP Act notably does not contain provisions seen in other global data protection laws such as a section on special category data or automated decision-making (ADM).
Like other data protection laws, the DPDP Act identifies rights of the data principal, but uniquely obligates these individuals to also adhere to certain requirements when exercising them (and even imposes monetary penalties on individuals that violate these requirements). These include not registering false or frivolous grievances, impersonating other data principals, and/or providing false identity materials (Sec. 15). Notably, the section on data subject rights only applies to data fiduciaries and not their processors – although this obligation may flow down via contractual arrangements.
| Rights Included | Description |
| --- | --- |
| Right to Access | Data principals may obtain confirmation of whether the data fiduciary processes their personal data, a summary of the data being processed, the processing activities involved, and the identities of all data fiduciaries and processors that have received the data and the categories of data shared, subject to certain exemptions. Note that, as under the GDPR, this right can be exercised against data fiduciaries only. |
| Right to Correction | Data principals may request data fiduciaries to correct, complete, and update any inaccurate or misleading personal data they process (for which the data principal has previously given consent, or has voluntarily provided such data for a specified purpose). State bodies may be exempt from this provision if certain conditions are met (Sec. 17(4)). |
| Right to Erasure | Upon request, a data fiduciary must erase the personal data of a data principal that is no longer necessary for the purpose for which it was processed, unless retention is necessary under law or the purpose for which it was processed has not expired. State bodies may be exempt from this provision if certain conditions are met (Sec. 17(4)). It is unclear whether this right to erasure includes a right to be forgotten, as it seems expressly conditional on the purpose of processing expiring. |
| Right to Grievance Redressal | Data principals may register a complaint with a data fiduciary for any processing activity related to their personal data. If the data principal is not satisfied with the response, that individual may register a complaint with the DPBI. |
| Right to Nominate | Data principals may also nominate another individual who, in the event of the death or incapacity of the data principal, shall exercise that principal’s rights. |

| Rights Excluded | Description |
| --- | --- |
| Right to Data Portability | The DPDP Act does not set forth a right to data portability or discuss transferring data held by one data fiduciary to another. |
| Right Not to be Subject to Automated Decision-Making | The DPDP Act does not include provisions regarding the scope and applicability of automated decision-making with legal or similarly significant effects. |
The DPDP Act explicitly recognises that the Central Government may exempt certain data fiduciaries from the requirement to respond to an access request (Section 17(3)) as well as certain other obligations.
In addition to lawfulness of processing, the DPDP Act imposes other obligations on data fiduciaries including accountability measures and security requirements.
Transparency Disclosures and Privacy Policies – While data fiduciaries must present a privacy notice to individuals when they collect their consent, the DPDP Act does not contain an equivalent to GDPR Articles 13 and 14 that require general disclosures for transparency purposes. The content and manner of providing such privacy notices under the DPDP Act may be further clarified by the Central Government in due course. Data fiduciaries must give an option to data principals to access the consent notice in English or any of the 22 languages specified in the Eighth Schedule of the Indian Constitution.
Accountability Requirements – Data fiduciaries are responsible for the processing activities of their processors and must take steps to ensure accountability including publishing the contact details of its DPO (if considered a significant data fiduciary) or a person who is able to answer data protection related questions. These organisations must also establish a grievance redressal mechanism for data principals to make complaints (Sec. 8(10)).
Compared with the GDPR, the DPDP Act does not require other accountability obligations such as:
Like with other sections of the law, these requirements may be expanded and clarified by subsequent rules and guidance.
Data Breaches and Technical and Organisational Measures – Data fiduciaries and data processors must implement appropriate technical and organisational measures, although the specifics of these remain undetermined in the law and will be addressed in subsequent rules. In the event of a personal data breach, Section 8(6) requires companies to notify the DPBI and every affected data principal in a manner that will be prescribed by future rules. It is currently unclear how these requirements will compare with the GDPR and other data protection laws around the world. The DPDP Act defines a personal data breach as any unauthorised processing or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of personal data that compromises confidentiality, integrity, or availability of personal data (Section 2(u)). While the definition seems to resemble that of the GDPR, it does not contain a concept of risk of harm for determining reportability thresholds. As stated above, this may be clarified in future rules.
Chapter 4 of the Act governs the transfer of personal data outside of India. It specifies that a data fiduciary may transfer personal data for processing to any country or territory outside India, except to countries to which the Central Government restricts transfers by notification. The Central Government may, through notification, set forth conditions for the transfer of personal data, including restrictions on transfers to certain destinations, such as neighbouring countries, owing to geopolitical considerations. Compared with previous iterations of the DPDP Act at bill stage, which imposed localisation requirements for certain categories of critical personal data, the DPDP Act significantly relaxes data transfer obligations. Notably, Section 16(2) clarifies that the DPDP Act will not supersede existing transfer restrictions operating in India under different sectoral laws or administrative regulations (e.g., RBI rules).
Finally, the DPDP Act calls for the creation of the DPBI to inquire into complaints, oversee compliance with the Act, and issue administrative sanctions including corrective orders and monetary penalties.
The authors thank Khaitan & Co for their insights and contribution to this article.