India pushes ahead with new Digital Personal Data Protection Act
On 11 August 2023, India's new data protection legislation – the Digital Personal Data Protection Act 2023 – was enacted and published in the Official Gazette. The Act sets out obligations and rules for entities processing personal data, each referred to a Data Fiduciary, and the rights of individuals in respect of that processing, which the Act refers to as Data Principals.
The below is a summary of certain key provisions of the Act:
- Bases for processing: As opposed to the EU GDPR's six bases for processing, the Act provides two legal bases for processing: consent and "certain legitimate uses". The "certain legitimate uses" are set out in section 7 of the Act and include the fulfilment of certain legal obligations, employment purposes, and responding to medical emergencies. Significantly, there is no broader "legitimate interests" basis for processing, which it would seem will create a "bases gap" and consequently inhibit a variety of processing activities for which consent is not or cannot efficiently be obtained.
Section 7(a) provides that personal data of a Data Principal may be processed "for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data". This may be construed as allowing a Data Fiduciary to engage in processing for a purpose compatible with the purpose for which the Data Principal initially consented so long as the Data Principal has not opted-out, as otherwise it is difficult to rationalise what section 7(a) adds to the consent basis for processing. This would to some extent fill the "bases gap". Arguably, a more liberal interpretation could justify processing for certain additional yet limited legitimate interests use cases, although such legitimate interests may need to be linked to the purpose for which the data was initially provided. In any event, it is more restrictive that the EU GDPR concept of "legitimate interests" which is absent from the Act.
- Obligations of Data Fiduciaries: Data Fiduciaries may be designated as "Significant Data Fiduciaries" by the Indian government due to, for example, the volume and sensitivity of personal data processed. Other Data Fiduciaries such as start-ups may benefit from exemptions from certain obligations. Significantly, Data Fiduciaries who fail to take reasonable security safeguards to prevent personal data breaches may be fined up to INR 250 crores (approximately £24 million), and those for who fail to report data breaches may be fined up to INR 200 crores (approximately £20 million).
- Extraterritorial applicability: Similarly to the EU GDPR, the Act applies to the processing of digital personal data outside the territory of India if such processing is in connection with any activity related to offering of goods and services to Data Principals in India.
- International transfers: On data transfers, the Act envisages a "blacklisting" approach, with all jurisdictions deemed as providing adequate protection to personal data except where the Indian government determines otherwise. This is unlike the "whitelisting" approach of the EU adequacy system.
A particular concern for the Opposition to the Act is the independence of the Data Protection Board which is to be established by the Act to adjudicate non-compliance with its provisions. Another cause of concern is the scope of impending subordinate legislation given the Act's reference to matters "as may be prescribed" some 26 times despite its relatively short length.
The Act is due to come into effect on a date to be decided by the government, which is authorised to determine different dates for entry into force of various provisions of the Act. In the meantime, businesses should assess their current state of compliance with the Act and prepare an action plan to ensure they are prepared for its entry into force.