Indian Minister Hints at Six-Month Compliance Period for DPDPA
In August 2023, the Indian Parliament passed the Digital Personal Data Protection Act (2023) (the DPDPA or Act). While the compliance period for companies to align with the DPDPA has not yet been finalized, a government official recently indicated it could be as short as six months. Thankfully, much of the DPDPA tracks—or is even less restrictive than—other comprehensive privacy frameworks like the EU’s General Data Protection Regulation (GDPR), so compliance will likely not be a heavy lift for affected companies that are already materially compliant with the GDPR.
The DPDPA
This is India’s first comprehensive data protection law and replaces the previous data protection framework comprised of Section 43A of the Information Technology Act (2000) (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (2011) (SPDI Rules).
Much like the GDPR, the DPDPA establishes, among other things, the obligations of Data Fiduciaries (equivalent to Data Controllers) and rights of Data Principals (equivalent to Data Subjects) and sets up the Data Protection Board of India as the regulatory body charged with oversight and enforcement.
It is important to note that the DPDPA does not replace or supplant the data breach rules and regulations promulgated by CERT-In, which took effect in June 2022. For more information regarding CERT-In cyber incident notification requirements, please see our client alert on the topic.
Applicability
The Act applies to a) any processing of digital personal data within India (irrespective of where the Data Principal resides, except for the carveout below) and b) any processing of digital personal data related to an offering of goods or services to a Data Principal residing in India (irrespective of where the processing takes place).
There is a significant carveout that states most obligations and rights will not apply where personal data is processed within India but belongs to a Data Principal outside India and is processed pursuant to a contract between the Indian and non-Indian entities. This is most likely intended to benefit Indian outsourcing companies that routinely process personal data of persons outside India on behalf of companies outside India. On the other hand, it likely also lessens the prospects that other jurisdictions, such as the EU, will treat India as providing adequate protections for personal data. Companies transferring data from the EU and similar jurisdictions to India will, therefore, need to rely on other international transfer compliance mechanisms, such as Standard Contractual Clauses, for the foreseeable future.
Requirements, Rights, and Other Notable Provisions
The Act’s requirements will be familiar to companies already compliant with the GDPR and other major privacy frameworks as they include, for example: lawful purpose of processing, adequate notice of processing, various Data Principal rights (e.g., data access, correction, and erasure), specific treatment of children’s data, and carveouts for public information.
Purpose of Processing: The Act requires Data Fiduciaries to have a lawful purpose for processing personal data, which can include consent from the Data Principal. Processing without consent is permitted for limited specific “legitimate uses,” most notably for employment purposes.
Notice of Processing: Notice of processing must include: (a) the types of personal data processed; (b) the purpose of processing; (c) the method to be used to exercise Data Principal rights; and (d) contact details of the data protection officer or other person to exercise Data Principal rights.
Data Principal Rights: The rights of Data Principals established by the Act are:
- The right to access information regarding the personal data processed (i.e., type of data, processing activities, identities of persons with whom the data has been shared, and what data has been shared);
- The right to withdraw consent to process data;
- The right to correct, erase, or update personal data;
- The right to redress for acts or omissions regarding obligations related to their personal data; and
- The right to appoint a nominee to exercise rights if the Data Principal becomes incapacitated.
Significant Data Fiduciaries: The Act empowers the government to designate certain Data Fiduciaries as “Significant Data Fiduciaries” based on factors such as the volume and sensitivity of the personal data they process and the risk to the rights of the Data Principal as well as other factors such as national security, electoral democracy, and public order. The designation is most analogous to the GDPR’s tests for accountability requirements.
Treatment of Children’s Data: Under the Act, personal data of children (under 18 years) can only be processed after obtaining verifiable consent from a parent or guardian. Information as to what constitutes “verifiable consent” will likely be provided later through the implementing rules. Additionally, tracking and behavioral monitoring of children and targeted advertising to children are prohibited. This applies to all Data Fiduciaries, and the Act contains no plausible deniability defense.
Public Information: The Act has an exemption for the processing of publicly available personal data. However, it is more limited than comparable exemptions in other frameworks in that it is limited to only personal data made publicly available by the Data Principal themselves or pursuant to a legal requirement. Companies should not assume personal data collected via web crawlers or data brokers will be within the scope of the exemption.
Companies that have a presence in India or that use service providers in India should consider their own potential obligations under the Act and those of their third-party partners, as we await further updates from the Indian government regarding the formal compliance deadline and more detailed implementing rules.
If you would like help in evaluating your company’s obligations under the DPDPA and strategically bringing your systems and practices into compliance, please contact the Baker Botts Privacy & Cybersecurity team.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.