DATA PRIVACY LAWS IN INDIA AND GLOBAL COMPARATIVE

Rajat Agrawal
Rajat Agrawal is a company secretary and law-commerce graduate, engaged in corporate, financial, commercial and privacy laws. He is passionate about exploring niche areas, and he also delves into financial markets, defence, and global affairs. A faculty member for ICSI student training and a jury member, he is an avid reader, writer, and co-author of two newsletters. He is also a member of the Professional Research and Publication Committee of the ICSI.
Introduction
The Digital Personal Data Protection Act, 2023 (“DPDPA”) is the Indian statute that regulates the collection, processing, storage, and sharing of digital personal data. The Act aims to safeguard individual privacy, recognised as a fundamental right under the Indian Constitution by the Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017), while enabling businesses and the government to use data for innovation, governance, and economic growth. It is a critical step in India’s journey towards a secure and transparent digital economy in which individuals’ rights and businesses’ needs coexist.
Objectives of the Law
The primary objective of DPDPA is to establish a robust framework for managing personal data in India. It seeks to safeguard the fundamental right to privacy, giving individuals control over how their data is collected, processed, and stored. The Act also aims to foster trust between individuals and entities handling data by ensuring transparency, accountability, and fairness in data processing practices. Furthermore, the legislation aims to create a conducive environment for innovation, ensuring businesses can utilize data while adhering to ethical and legal boundaries. By addressing privacy concerns and the need for data-driven growth, the DPDPA strikes a delicate balance, ensuring India remains competitive in the global digital economy.
Scope and Applicability
The DPDPA applies to the processing of digital personal data within India, whether the data is collected in digital form or collected in non-digital form and digitised later (Section 3(a)). It covers the public and private sectors alike: companies, consultants, startups, and government bodies. For example, an e-commerce company based in India that collects customer data for personalised recommendations falls squarely within the Act’s purview. Entities not primarily engaged in data-centric activities must also comply if they handle digital personal data in any capacity, so organisations across sectors must ensure their processing activities align with the DPDPA’s requirements.
The Act extends beyond Indian borders. Under Section 3(b), processing of digital personal data outside India is covered if it is connected with any activity related to offering goods or services to Data Principals within the territory of India. For instance, a global e-commerce platform selling products to customers in India, or an international social media service offered to users in India, would fall under the Act regardless of where its servers or offices are located. Note that the trigger is offering goods or services to individuals in India, not citizenship, and that the enacted Act, unlike the GDPR, does not list profiling as a separate trigger. This extraterritorial reach aligns with global practice, as seen in the European Union’s General Data Protection Regulation (“GDPR”), and addresses the challenges of cross-border data flows.
Focus on Data Collected within India
Collection is itself a form of processing, so digital personal data collected within India is covered by the Act even if the subsequent processing happens abroad. For example, if a multinational company collects user data in India and processes it on servers located in another country, that data must still be handled in compliance with the DPDPA, and the transfer itself is subject to the cross-border provisions described later. This prevents a company from collecting data domestically and circumventing Indian law by processing it elsewhere, and ensures accountability throughout the data lifecycle, from collection to processing and storage.
Exemptions for Specific Scenarios
While the DPDPA’s scope is extensive, Section 3(c) carves out certain scenarios to keep the law practical and focused on processing that poses a real risk to privacy. Besides the two discussed below, the Act also does not apply to personal data that the Data Principal has herself made publicly available, or that has been made public by someone under a legal obligation to do so.
- Personal or Domestic Use: The Act does not apply to the processing of personal data by individuals for purely personal or domestic purposes. For example, creating a family WhatsApp group, sharing personal photographs with friends, or maintaining a personal contact list would not attract the provisions of the DPDPA. This exemption ensures that individuals’ personal activities remain unaffected by regulatory obligations.
- Anonymized Data: The DPDPA governs “personal data”, defined as data about an individual who is identifiable by or in relation to that data. Data that has been irreversibly anonymised and can no longer be linked to an identifiable individual is therefore outside the Act, which is why it is commonly used for research, analytics, and policy-making. The Act does not define anonymisation, so the burden is on the entity to show that re-identification is not reasonably possible. In particular, pseudonymised data, such as records where a name or phone number has been replaced by a hash, a token, or a lookup-table key, remains personal data, because the holder of the key (or anyone who can enumerate the original value space) can re-identify the individual.
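The practical test behind the anonymised-data exemption is whether a record can be linked back to a person. As an added example (not from the article), the following Python script shows two things a practitioner would check before treating a data set as outside the Act: first, that an unsalted hash of a low-entropy identifier such as a 10-digit mobile number is trivially reversible by enumeration, so it is pseudonymisation rather than anonymisation; second, a minimal k-anonymity check that generalises quasi-identifiers (PIN code and age) and suppresses any record whose equivalence class has fewer than k members. All phone numbers and records below are constructed sample data, and the generalisation rules (3-digit PIN prefix, 10-year age band) are illustrative assumptions, not anything the Act prescribes.

```python
"""Added example (not from the article): why hashed identifiers are not
anonymised, and a minimal k-anonymity check before treating a data set as
outside the DPDPA. All inputs below are constructed sample data."""
import hashlib
import hmac
from collections import Counter

# Constructed sample: an export where each 10-digit mobile number was replaced
# by its unsalted SHA-256 digest and the result was labelled "anonymised".
SAMPLE_PHONES = ["9876543210", "9876543377", "9876543999"]


def naive_hash(phone):
    return hashlib.sha256(phone.encode()).hexdigest()


def reidentify(hashed_values, candidates):
    """Dictionary attack on unsalted hashes. Indian mobile numbers span only
    about 10^10 values, so an attacker can enumerate them all; this demo
    enumerates a 1,000-number block. Returns {digest: original_number}."""
    targets = set(hashed_values)
    found = {}
    for phone in candidates:
        digest = naive_hash(phone)
        if digest in targets:
            found[digest] = phone
    return found


def keyed_pseudonym(phone, key):
    """HMAC-SHA256 with a secret key. An outsider without the key cannot run
    the dictionary attack, but the key holder can still link the token back
    to the person, so this is pseudonymisation and the data remains personal
    data under the Act."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()


# Constructed health-style records: PIN code and exact age are quasi-identifiers.
SAMPLE_RECORDS = [
    {"pin": "560001", "age": 34, "diagnosis": "A"},
    {"pin": "560034", "age": 38, "diagnosis": "B"},
    {"pin": "560078", "age": 31, "diagnosis": "A"},
    {"pin": "110001", "age": 72, "diagnosis": "C"},  # singleton, suppressed at k>=2
    {"pin": "400001", "age": 45, "diagnosis": "B"},
    {"pin": "400012", "age": 49, "diagnosis": "A"},
]


def generalise(record):
    """Coarsen quasi-identifiers (assumed rules): PIN code -> 3-digit region
    prefix, exact age -> 10-year band."""
    band_start = record["age"] // 10 * 10
    return (record["pin"][:3], f"{band_start}-{band_start + 9}")


def k_anonymise(records, k):
    """Generalise every record, then suppress any record whose equivalence
    class (identical generalised quasi-identifiers) has fewer than k members."""
    keys = [generalise(r) for r in records]
    class_sizes = Counter(keys)
    released = []
    for record, key in zip(records, keys):
        if class_sizes[key] >= k:
            released.append({"region": key[0], "age_band": key[1],
                             "diagnosis": record["diagnosis"]})
    return released


def is_k_anonymous(released, k):
    """True if the released set is non-empty and every equivalence class
    has at least k rows."""
    classes = Counter((r["region"], r["age_band"]) for r in released)
    return bool(released) and all(n >= k for n in classes.values())


if __name__ == "__main__":
    digests = {naive_hash(p) for p in SAMPLE_PHONES}
    block = (str(n) for n in range(9876543000, 9876544000))
    print("recovered from unsalted hashes:", reidentify(digests, block))
    print("keyed token:", keyed_pseudonym(SAMPLE_PHONES[0], b"secret-key")[:16], "...")
    for k in (2, 3):
        out = k_anonymise(SAMPLE_RECORDS, k)
        print(f"k={k}: {len(out)} of {len(SAMPLE_RECORDS)} rows released,",
              "k-anonymous" if is_k_anonymous(out, k) else "not k-anonymous")
```

Running the script recovers all three constructed phone numbers from their “anonymised” hashes in well under a second, while the HMAC tokens resist the same enumeration only for as long as the key stays secret. The k-anonymity helper is deliberately minimal: it does not address attribute disclosure (every member of a class sharing the same diagnosis), so a real release would need l-diversity or a differential-privacy mechanism on top, and the decision that a data set is “not personal data” should be documented with the threat model that was assumed.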
Key Definitions
The DPDPA defines the roles of the parties to data processing. “Personal data” is any data about an individual who is identifiable by or in relation to that data, whether directly or indirectly. The “Data Principal” is the individual to whom the personal data relates (for a child, this includes the parent or lawful guardian). The “Data Fiduciary” is the person who, alone or with others, determines the purpose and means of processing, and a “Data Processor” processes personal data on the fiduciary’s behalf; the fiduciary remains responsible for compliance regardless of any arrangement with a processor. A “Consent Manager” is a person registered with the Data Protection Board who provides an accessible, transparent and interoperable platform through which a Data Principal can give, manage, review and withdraw consent. The Central Government may also notify a “Significant Data Fiduciary”, a class of fiduciaries subject to additional obligations described below. These definitions lay the foundation for the rights and obligations set out in the Act.
Consent Framework
Consent is the primary lawful basis for processing under the DPDPA. Under Section 6, consent must be free, specific, informed, unconditional and unambiguous, indicated by a clear affirmative action, and limited to the personal data necessary for the specified purpose; any part of a consent request that goes beyond this is void to that extent. Data Fiduciaries must give the Data Principal a clear, accessible explanation of how the personal data will be used. Consent may be withdrawn at any time, with an ease comparable to that with which it was given, and processing must then stop within a reasonable time unless another lawful ground applies. Processing without consent is permitted only for the “certain legitimate uses” listed in Section 7, such as data voluntarily provided by the Data Principal for a specified purpose, employment-related purposes, medical emergencies, and processing by the State for subsidies and benefits. This consent-based framework lets individuals make informed decisions about their data and reinforces their autonomy and control in the digital landscape.
Notice
The notice provisions under the DPDPA ensure that individuals are fully informed before their personal data is collected or processed. This promotes transparency, accountability, and informed decision-making.
- Purpose of Notice: The notice tells the Data Principal what is being collected and why. Section 5 requires it to describe the personal data and the purpose for which it will be processed, the manner in which the Data Principal may exercise her rights (including withdrawing consent), and the manner in which a complaint may be made to the Data Protection Board. In practice a fiduciary will also identify itself and give contact details, since the Data Principal cannot otherwise exercise those rights against it.
- Timing of Notice: Every request for consent must be accompanied or preceded by the notice, so the Data Principal is informed before, not after, the data is collected. Where consent was obtained before the Act came into force, the fiduciary must issue the notice as soon as reasonably practicable. If the data is to be used for a new purpose, fresh consent, and therefore a fresh notice, is required.
- Accessibility and Clarity of Notice: To be effective, notices must be clear, concise, and free of technical jargon, written in plain language that an ordinary reader can understand. The Act requires that the Data Principal be given the option to access the notice and the consent request in English or in any of the languages listed in the Eighth Schedule to the Constitution, reflecting India’s linguistic diversity.
Rights of Data Principals
The DPDPA accords individuals a robust set of rights to ensure they have control over their personal data. These rights underscore the importance of privacy and empower individuals to hold data fiduciaries accountable for their data processing activities.
- Right to Access Information: Under Section 11, a Data Principal who has given consent may obtain a summary of the personal data being processed and of the processing activities, the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared together with a description of what was shared, and any other related information that may be prescribed. This transparency lets individuals evaluate whether their data is being used responsibly and in compliance with the Act.
- Right to Correction and Erasure: Under Section 12, a Data Principal may have inaccurate or misleading personal data corrected, incomplete data completed, and out-of-date data updated. She may also require erasure of personal data, and the fiduciary must comply unless retention is necessary for the specified purpose or for compliance with a law in force. This keeps personal data accurate and relevant and gives effect to the principle that data should not be kept longer than needed.
- Right to Grievance Redressal: Under Section 13, every Data Principal has a right to readily available means of grievance redressal from the Data Fiduciary or Consent Manager, which must respond within the prescribed period. Only after exhausting this channel may the individual approach the Data Protection Board of India (the “Board”), which adjudicates complaints and can impose penalties.
- Right to Nominate: The right to nominate is a unique provision in the DPDPA, allowing individuals to designate a nominee who can exercise these rights in the event of their death or incapacitation. This ensures continuity in the management of personal data and protects the individual’s data rights even in unforeseen circumstances.
The rights above are the ones the DPDPA expressly grants. Two further rights are often discussed alongside them, one found in foreign law and one emerging from Indian case law:
- Right to Portability: The DPDPA contains no data portability right. Under the GDPR (Article 20), an individual can receive her personal data in a structured, commonly used, machine-readable format and transfer it to another provider, which promotes competition in data-dependent industries. An Indian Data Principal must instead rely on the narrower right of access.
- Right to be Forgotten: In Karthick Theodore v. Ikanoon Software Development Private Limited, the Madras High Court addressed the emerging concept of the “Right to Be Forgotten” in the Indian context. The petitioner sought the removal of his personal information from online platforms to safeguard his privacy and prevent reputational harm. The court recognised the need to balance individual privacy against public interest and freedom of expression, and noted the absence of a specific legislative framework for enforcing such a right. The DPDPA now provides a statutory right of erasure under Section 12, subject to the retention exceptions noted above.
Significance of Data Principal Rights
These rights collectively aim to restore the balance of power in the digital ecosystem, where individuals often feel vulnerable to the data practices of corporations. They ensure accountability, transparency, and fairness, allowing individuals to participate in decisions regarding their data.
Obligations of Data Fiduciaries
Data Fiduciaries carry the primary compliance burden under Section 8, and remain responsible for it regardless of any agreement with a Data Processor. They may process data only for a lawful purpose and only to the extent necessary for it, and must engage processors only under a valid contract. Where personal data is likely to be used for a decision affecting the Data Principal or to be disclosed to another fiduciary, they must ensure its completeness, accuracy and consistency. They must implement reasonable security safeguards to prevent a personal data breach, notify the Board and each affected Data Principal if one occurs, erase personal data (and cause their processors to erase it) once consent is withdrawn or the purpose is no longer served, publish the contact details of a Data Protection Officer or other person who can answer questions about the processing, and operate an effective grievance redressal mechanism. The Act has no “sensitive personal data” category; instead, the Central Government may notify a Significant Data Fiduciary based on factors such as the volume and sensitivity of the data processed and the risk to Data Principals. A Significant Data Fiduciary must appoint a Data Protection Officer based in India who reports to its board of directors, appoint an independent data auditor, and carry out periodic Data Protection Impact Assessments and audits. Together these obligations create a framework of accountability for how data is handled.
Cross-Border Data Transfers
The Act recognises the importance of international data flows in a globalised economy. Section 16 adopts a default-permissive approach: transfers of personal data outside India are allowed unless the Central Government, by notification, restricts transfer to a particular country or territory. This is the reverse of the “adequacy” or whitelist model in the GDPR and in the earlier 2022 draft, under which a transfer was allowed only to approved jurisdictions. Section 16(2) preserves stricter sector-specific rules, so localisation requirements imposed by regulators such as the Reserve Bank of India continue to apply. Until the government issues the first restriction notification, businesses must track both the DPDPA and their sectoral regulator to know where data may be sent.
Exemptions
Section 17 of the DPDPA contains a layered set of exemptions. Several provisions of the Act do not apply where processing is necessary to enforce a legal right or claim, for the functions of courts and tribunals, for the prevention, detection or investigation of an offence, for contractual obligations to persons outside India, for mergers or similar schemes approved by a competent authority, or for recovering debts. The Central Government may exempt notified State instrumentalities from the Act in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, public order, or prevention of incitement to an offence. Processing for research, archiving or statistical purposes is exempt provided the data is not used to take any decision specific to a Data Principal and prescribed standards are followed; contrary to a common assumption, this exemption does not require the data to be anonymised. The Central Government may also exempt notified classes of Data Fiduciaries, such as startups, from certain provisions. These exemptions keep the Act flexible, but the breadth of the State exemption has been a point of criticism.
Penalties for Non-Compliance
The Schedule to the Act sets monetary penalties per instance of breach. Failure to take reasonable security safeguards to prevent a personal data breach attracts up to INR 250 crore; failure to notify the Board or affected Data Principals of a breach, and breach of the obligations relating to children’s data, each up to INR 200 crore; breach of the additional obligations of a Significant Data Fiduciary up to INR 150 crore; any other contravention, including processing without a valid lawful basis, up to INR 50 crore. A Data Principal who breaches her own duties under the Act (for example by filing a false complaint) may be fined up to INR 10,000. In fixing the amount, the Board considers the nature, gravity and duration of the breach, the type of data affected, and any mitigating action taken. These figures make data protection a board-level risk for organisations operating in India.
Establishment of the Data Protection Board
The DPDPA establishes the Data Protection Board of India as the adjudicatory authority under the Act. The Board inquires into complaints and breach notifications, directs remedial or mitigating measures, imposes monetary penalties, and may accept voluntary undertakings from a Data Fiduciary. It is designed to function as a digital office, with filings and hearings conducted online. Appeals from the Board’s orders lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Centralised oversight by the Board is intended to promote consistency and fairness in enforcement.
Comparison with Global Framework
The DPDPA in India, the GDPR in the EU, and the California Consumer Privacy Act (“CCPA”) in the USA are landmark privacy laws that shape how personal data is collected, processed, and safeguarded. The GDPR is widely treated as the global benchmark; the CCPA (as amended by the California Privacy Rights Act, CPRA) focuses on consumer rights in the largest US state market; the DPDPA is tailored to India’s evolving digital landscape. The comparison below highlights similarities, differences, and unique aspects of each framework.

Aspect | DPDPA | GDPR | CCPA |
---|---|---|---|
Scope of Application | Digital personal data processed within India, and processing outside India connected with offering goods or services to individuals in India. | Personal data of individuals in the EU, including processing by controllers outside the EU that offer goods or services to, or monitor the behaviour of, such individuals. | Personal information of California residents, collected by for-profit businesses doing business in California that meet the statutory revenue or data-volume thresholds. |
Regulatory Authority | Data Protection Board of India (appeals lie to TDSAT). | Supervisory authority in each EU member state, coordinated by the European Data Protection Board. | California Privacy Protection Agency (CPPA), with enforcement also by the California Attorney General. |
Consent Requirements | Free, specific, informed, unconditional and unambiguous consent given by a clear affirmative action (opt-in); processing without consent only for the “certain legitimate uses” listed in the Act. | Freely given, specific, informed and unambiguous consent (opt-in); consent is one of six lawful bases. | Opt-out model: consumers may opt out of the sale or sharing of their personal information; opt-in consent is required to sell or share the data of consumers under 16. |
Rights of Individuals | Access, correction and erasure, grievance redressal, and nomination of a person to exercise rights on death or incapacity. | Access, rectification, erasure, restriction, data portability, objection, and rights regarding automated decision-making. | Right to know, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and non-discrimination. |
Data Processing Principles | Lawful purpose, purpose limitation, data minimisation, accuracy, retention limits, security safeguards and accountability. | Lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability. | Notice at collection, purpose limitation and data minimisation (added by CPRA), reasonable security, and opt-out mechanisms. |
Cross-Border Data Transfers | Permitted by default; the Central Government may restrict transfers to notified countries or territories, and stricter sector-specific localisation rules (for example from the RBI) continue to apply. | Permitted to countries with an adequacy decision, or subject to safeguards such as standard contractual clauses or binding corporate rules. | No transfer restriction; contractual obligations on service providers and third parties apply wherever they are located. |
Penalties for Non-Compliance | Up to INR 250 crore (roughly USD 30 million) per instance, scaled to the nature of the breach. | Up to EUR 20 million or 4% of global annual turnover, whichever is higher. | Up to USD 7,500 per intentional violation (or violation involving a minor) and USD 2,500 per other violation, plus statutory damages in private actions for certain data breaches. |
Anonymized Data | Outside the Act, which applies only to data about an identifiable individual; pseudonymised data remains personal data. | Outside the GDPR if anonymisation is irreversible; pseudonymised data remains personal data. | “Deidentified” data is excluded if the business takes the prescribed technical and contractual measures to prevent re-identification. |
Children’s Data | Verifiable parental consent for individuals under 18; no tracking, behavioural monitoring or targeted advertising directed at children. | Parental consent for information-society services offered to children under 16; member states may lower the age to not less than 13. | Opt-in consent required to sell or share data of consumers under 16, and parental consent under 13; COPPA (Children’s Online Privacy Protection Act) applies in parallel. |
Data Breach Notification | Notify the Data Protection Board and each affected Data Principal in the form and manner prescribed by rules (the draft DPDP Rules propose notification without delay and a detailed report to the Board within 72 hours). | Notify the supervisory authority within 72 hours of becoming aware; notify affected individuals without undue delay where the breach poses a high risk. | Notify affected California residents under the state breach-notification statute, and the Attorney General when more than 500 residents are affected. |