The DPDP Rules: Decoding India’s New Data Protection Law

What is DPDPA

The Digital Personal Data Protection Act, or DPDP Act, is a privacy legislation in India that strives to protect the digital personal data of Indian residents.

The DPDP Rules are the subordinate rules that operationalise the DPDP Act and the protection mechanism as a whole. In effect, the Act and the Rules apply to the processing of digital personal data within India, whether the data was collected in digital form or collected offline and later digitised, and to processing outside India where it is carried out in connection with offering goods or services to data principals within India.

 

For instance, when a Canadian citizen living in India receives digital goods and services within India from an Australian provider, the Australian provider is covered by the DPDP Act. The Act therefore also applies extraterritorially.

 

In principle, the DPDP Act is aimed at striking a balance between the recognized need to process personal data for a variety of purposes on the one hand, and the individuals’ right to control and protect their data, on the other hand. The DPDP Rules bring the legislation to life by guiding their implementation.

 

Further, the DPDP Act also provides specific legal bases for processing personal data other than the consent of the data principal (the individual to whom the data relates), the so-called legitimate uses. Consent nevertheless remains the basis for most processing.

 

In sum, the DPDP Act and DPDP Rules strive to establish a higher threshold of accountability and responsibility for all those operating within India, including both internet and mobile app companies, and any business involved in the collection, storage, and processing of citizens’ and resident non-citizens’ data.

Overview of the act

A broad overview of the DPDP Act, 2023 is as follows:

 

–  Applicability: The DPDP Act applies to the processing of digital personal data within India, including data collected offline and later digitised, and to processing outside India that is connected with offering goods or services to data principals within India. Citizenship of the data principal is not the test; presence in India is.

 

–  Purposes of Data Collection and Processing: The DPDP Act allows personal data to be processed only for a lawful purpose, either on the basis of consent given by the data principal or for the legitimate uses listed in the Act. Consent must be free, specific, informed, unconditional, and unambiguous, given by clear affirmative action, and limited to the specified purpose. Data collected must be limited to what is necessary for that purpose. Data principals must be given a clear notice setting out these details and their rights under the law. Once given, consent can be withdrawn at any time. The law defines legitimate use to include situations:

  • Where an individual voluntarily provides personal data for a specified purpose and has not indicated that they do not consent to its use
  • Involving the provision of any subsidy, benefit, service, licence, certificate, or permit by any agency or department of the Indian state, where the individual has previously consented to the state processing their personal data for such a purpose
  • Concerning the sovereignty, integrity, or security of India
  • Involving the fulfilment of a legal obligation to disclose information to the state
  • Concerning compliance with judgments, decrees, or orders
  • Of medical emergency, threat to life, epidemic, or threat to public health
  • Of disaster or breakdown of public order.

 

–  Rights and obligations: The DPDP Act prescribes particular rights for data principals (the users and consumers of data-related products and services) and creates corresponding obligations for data fiduciaries. These are listed under the sections dedicated to each category of actor.

 

–  Significant Data Fiduciaries: The Act allows the government to designate Significant Data Fiduciaries (SDFs) on the basis of criteria such as the volume and sensitivity of data processed and the risk to data protection rights, sovereignty and integrity, electoral democracy, security, and public order. SDFs carry additional obligations, such as appointing a data protection officer, appointing an independent data auditor, conducting data protection impact assessments and periodic audits, and taking other measures prescribed by the government.

 

–  Exemptions: The DPDP Act also provides exemptions from the consent and notice requirements and other obligations of data fiduciaries where:

  • Processing is necessary to enforce any legal right or claim
  • Personal data has to be processed by courts or tribunals, or for the prevention, detection, investigation, or prosecution of any offence
  • Personal data of individuals outside India is processed within India under a contract with a person outside India (for example, by an outsourcing provider).

 

–  Data Protection Board: The DPDP Act establishes the Data Protection Board (DPB), which has a limited mandate: to oversee the remediation of personal data breaches and direct remedial action, and to conduct inquiries and impose penalties for non-compliance with the law. It has no power to frame regulations or codes of conduct, nor to call for information to supervise the workings of businesses in general; it can only call for information in the course of an inquiry. Members of the DPB are appointed by the government and governed by the terms and conditions of service prescribed in the Rules.

 

–  Penalties: The DPDP Act allows the Board to impose monetary penalties of up to 250 crore rupees per instance of violation. Decisions of the Board can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

 

–  Blocking: The government, on a reference from the DPB, can also block public access to any information that enables a data fiduciary to provide goods or services in India, on two conditions: the Board has imposed penalties on that data fiduciary on two or more prior occasions, and the Board has recommended the block. The data fiduciary must be given an opportunity to be heard before such action is taken.

 

The DPDP Rules, at the time of writing, are to be released soon for public feedback and inputs, according to the Minister of I&B, Railways, and MeitY, Ashwini Vaishnaw.

Comparison with GDPR

The DPDP Act and GDPR are similar in that they both grant individuals basic rights over their personal data (e.g., right to access, modification, deletion, etc.), require that individuals’ data privacy rights be respected and upheld, and provide for the enforcement of the law and penalize non-compliance.

 

However, they also differ significantly on the following grounds.

In terms of applicability, the GDPR covers both automated processing and manual processing of personal data that forms part of a filing system. The DPDP Act is narrower: it covers only digital personal data, whether collected in digital form or collected offline and subsequently digitised; purely paper records remain outside its scope.

In terms of the obligations imposed, the GDPR places obligations on both the data controller (the equivalent of the fiduciary) and the processor, with the processor carrying fewer direct obligations. The DPDP Act, by contrast, places all obligations and responsibilities on the data fiduciary, which must also ensure by contract that its processors adhere to the Act.

The DPDP Act makes a novel addition in the form of consent managers, which the GDPR does not.

Under the GDPR, publicly available personal data still requires a lawful basis (consent or another Article 6 ground) before it is processed. Under the DPDP Act, personal data that the data principal has made publicly available, or that is published under a legal obligation, is excluded from the Act's scope and can be processed without consent.

The DPDP Act's list of "legitimate uses" is narrower and closed compared with the GDPR's lawful bases (which include legitimate interests); outside that list, consent is essential to process data.

Both laws grant the data principal rights of access, correction, and erasure. The GDPR alone provides the rights to data portability, restriction of processing, and objection; the DPDP Act alone provides the right to nominate another person to exercise one's rights in the event of death or incapacity, together with a statutory right to grievance redressal.

The GDPR requires the controller to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (and affected individuals without undue delay where the risk to them is high), and to answer a Data Subject Access Request within one month. The DPDP Act requires breach intimation to the Board and to each affected data principal, and responses to data principal requests, but leaves the time limits to be prescribed by the Rules.

Under the GDPR, parental consent is necessary for processing data of minors aged below 16 years (and member states can lower it to 13 years if they so wish) but the DPDP Act places the threshold at 18 years.

The GDPR does not mandate storage within the EU, but it restricts transfers of personal data outside the EEA to countries with an adequacy decision or to transfers covered by safeguards such as standard contractual clauses. The DPDP Act takes the opposite approach: transfers are permitted by default except to countries or territories that the government restricts by notification, and it contains no general data localisation requirement.

For severe violations, the GDPR levies a fine of up to EUR 20 million or 4% of the organisation's worldwide annual turnover, whichever is higher. The DPDP Act levies up to INR 250 crore in penalties, depending on the nature of the non-compliance and the steps taken by the organisation to become DPDP compliant.

DPDP fines

Compliance with the DPDP Act is mandatory, as non-compliance attracts monetary penalties imposed by the Data Protection Board. The Schedule to the Act sets the maximum penalty per category of breach: up to INR 250 crore for failing to take reasonable security safeguards to prevent a personal data breach; up to INR 200 crore for failing to notify the Board and affected data principals of a breach, or for breaching the obligations relating to children; up to INR 150 crore for breaching the additional obligations of a Significant Data Fiduciary; up to INR 50 crore for any other breach of the Act or the Rules; and up to INR 10,000 for a data principal who breaches their own duties under the Act. When fixing the amount, the Board considers the nature, gravity, and duration of the breach, the mitigation steps taken, and the likely impact of the penalty.

The DPDP Act itself does not provide for imprisonment. Separately, under Section 70B(7) of the Information Technology Act, 2000, failure to comply with the directions of CERT-In (including its cyber incident reporting directions) is punishable with imprisonment for a term that may extend to one year, or a fine that may extend to INR 1,00,000 (one lakh rupees), or both.

Data Principal

A Data Principal is the individual whose data is gathered and processed. They are effectively the data subject. For example, when a person submits their full name, temporary and permanent address, age, and relevant documentation to a healthcare provider, this person is the data principal. The DPDP Act is intended to protect the data of the data principal. Under the DPDP Act, a data principal has the right to:

 

–  Access information about their personal data held by a data fiduciary: a summary of the personal data being processed and of the processing activities, the identities of all other data fiduciaries and data processors with whom the data has been shared (with a description of the data shared), and any other prescribed information.

–  Correct, complete, or update their personal data if it is inaccurate, misleading, incomplete, or out of date.

–  Erase their personal data. Once consent is withdrawn or the specified purpose is served, the data fiduciary must erase the data unless retention is required by law; erasure can also be requested directly.

–  Grievance redressal through a readily available channel offered by the data fiduciary or consent manager, and, if that fails, a complaint to the Data Protection Board.

–  Nominate another individual to exercise these rights in the event of the data principal's death or incapacity.

–  Withdraw consent at any point in time, with the ease of withdrawal comparable to the ease with which consent was given; the data fiduciary must then stop processing within a reasonable time unless another legal basis applies.

The GDPR-style rights to restriction of processing, data portability, and objection do not appear in the DPDP Act.

Data Processor

A Data Processor is any person who processes digital personal data on behalf of a data fiduciary. Broadly, there are two categories of data processors: non-customer-facing and customer-facing. The former processes personal data shared with it by a data fiduciary rather than collected directly from a data principal; examples are card printing companies, the logistics companies that deliver those cards, and marketing technology companies that send OTPs and email notifications. The latter collects personal data directly from the data principal; examples are video-KYC (v-KYC) providers and white-labelled platforms.

Data fiduciary

A Data Fiduciary is any person who, alone or in conjunction with others, determines the purpose and means of processing personal data; in effect the equivalent of a GDPR data controller. Under the DPDP Act, the government may notify a data fiduciary as a Significant Data Fiduciary (SDF) on the basis of factors such as the volume and sensitivity of the personal data it processes, the risk to the rights of data principals, and the potential impact on India's sovereignty and integrity, electoral democracy, state security, and public order. An SDF carries additional obligations, such as appointing a Data Protection Officer (DPO) who is the point of contact for data principals' inquiries and grievances, appointing an independent data auditor, and carrying out periodic data protection impact assessments and audits. The government may impose further measures on SDFs from time to time through notifications. Every data fiduciary is responsible for:

 

–  Maintaining reasonable security safeguards to prevent a personal data breach

–  Ensuring the completeness, accuracy, and consistency of personal data that is used to make a decision affecting the data principal or is disclosed to another data fiduciary

–  Intimation of a personal data breach, in the prescribed form and manner, to the Data Protection Board of India (DPB) and to each affected data principal

–  Data erasure on consent withdrawal or once the specified purpose is served, and ensuring that its data processors do the same

–  Publishing the contact details of a data protection officer (mandatory for Significant Data Fiduciaries) or of another person able to answer data principals' questions, and setting up a grievance redressal mechanism

–  Obtaining verifiable consent of the parent or lawful guardian before processing the personal data of a child (anyone under eighteen years of age) or of a person with a disability who has a lawful guardian.

 

Further, any data processing that is likely to have a detrimental effect on a child is not permitted. The law prohibits the acts of tracking, behavioural monitoring, and targeted advertising directed at children. The government can prescribe exemptions from these requirements for specific purposes.

Dual nature of DP & DF

Under the DPDP Act, a pertinent question that may emerge is the distinction between the data fiduciary and data processor, and whether they might be the same entity at all. In principle, the data fiduciary is the one who determines the purpose and means of processing personal data collected, and the data processor is the one who processes the data on behalf of the data fiduciary.  

 

There is a tendency to assume that the data fiduciary alone has obligations under the DPDP Act and that the data processor has none. This assumption has left room for data fiduciaries to stretch the definition of a data processor to bring themselves within its scope. However, since the protection of personal data is the core focus of the law, a data processor can be understood to share a practical responsibility to verify that consent exists for the data it handles, to act on deletion and update requests relayed by the fiduciary, and to maintain a clear record of the personal data it holds, of the consent received for each item, and of the purpose for which it was gathered. While the law may not mandate this in as many words, building this commitment into the privacy ecosystem is good practice and improves transparency; in any case the fiduciary may engage a processor only under a valid contract and remains answerable to the Board for the processor's conduct.

Parent-child consent and right to Nomination

Under the DPDP Act, the personal data of a child, or of a person with a disability who has a lawful guardian, cannot be processed without the verifiable consent of the parent or lawful guardian. To collect valid consent for the use of a child's personal data, it is necessary to determine whether the user is a child or a person with a disability who has a lawful guardian, to validate the guardian's identity and age so that they are not minors themselves, to verify the relationship between the parent or guardian and the child, and to collect verifiable consent from that parent or guardian. Detailed records demonstrating that these prerequisites were met must be maintained to satisfy the threshold of verifiable consent. Under the DPDP Act, the data fiduciary is responsible for ensuring that a user is not a child before processing without such consent.

 

The DPDP Act bans any data processing that is likely to have a detrimental effect on the well-being of a child. The term "detrimental effect" is not defined in the law, but can be interpreted to mean consequences that compromise a child's privacy, security, health, or well-being. The DPDP Act also prohibits tracking and behavioural monitoring of children and targeting them with advertisements.

 

As of now, the government has reserved the power to notify exceptions to the DPDP Act concerning children’s consent in relation to particular classes of data fiduciaries to whom the obligations will not apply (e.g., educational and healthcare providers); specific purposes of processing that will be exempt (e.g., child welfare and academic purposes); and a lower age for applicability of the rules on parental consent and tracking in certain contexts.

PII data

The DPDP Act treats any data about an individual who is identifiable by or in relation to that data as personal data. Personal data that the data principal has made publicly available, or that any other person is under a legal obligation to publish, is excluded from the Act's scope. Personal data shared only with a limited audience, or not published at all, remains protected personal data.

Notice design

The DPDP Act requires that a notice accompany or precede every request for consent, and that the data principal be given the option to read the notice and the consent request in English or in any of the languages listed in the Eighth Schedule of the Constitution of India. The notice should be clear, accessible, and easy to understand, and must set out the personal data being collected and the purposes for which it will be processed, the manner in which the data principal can exercise their rights, including withdrawal of consent, and the procedure for lodging a complaint with the Data Protection Board.

Cookies

Cookies are data stored on a user's device that allow the website which set them to recognise, and potentially profile, the user on later visits. The DPDP Act does not explicitly designate cookies as personal data, but a cookie that identifies an individual, or enables identification in combination with other data, meets the Act's definition of personal data. Online businesses will therefore likely have to revamp their websites to present compliant consent notices and banners before setting non-essential cookies.

DPO

The DPDP Act requires Significant Data Fiduciaries to appoint a contact person, known as the Data Protection Officer, to address questions that a Data Principal may have about the processing of their personal data. DPOs must be based in India and shall be responsible to the board of directors or any similar governing body of the Data Fiduciary. DPOs will also be the point of contact for a Data Principal for the redressal of any grievance under the DPDP Act.

Consent Artifact

One way to operationalise the orchestration of compliant notices and consent in a digital interaction is a consent artifact: an immutable, machine-readable electronic record that stores the consent information for the duration of its validity period. The consent artifact is expected to be built on top of MeitY's Electronic Consent Framework and therefore to carry the electronic signatures of both the data principal and the data fiduciary, which gives it evidentiary weight as an electronic record.
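As an added illustration (not code from the original page, from MeitY's framework, or from any vendor), the following Go program sketches a consent artifact of the kind described above, and the consent check that the section on the dual nature of data processors and fiduciaries suggests a processor should perform before handling data. The record layout, the identifiers, purpose strings and timestamps are assumptions made for the example; MeitY's actual schema differs. The artifact is serialised deterministically and signed by both parties with Ed25519, so any later change to purpose or scope breaks both signatures, and withdrawal, which the Act allows at any time, is recorded as a separate principal-signed event rather than by editing the artifact.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ConsentArtifact is a hypothetical record layout for illustration only;
// it is not MeitY's Electronic Consent Framework schema.
type ConsentArtifact struct {
	ID             string   `json:"id"`
	PrincipalID    string   `json:"principal_id"`
	FiduciaryID    string   `json:"fiduciary_id"`
	Purpose        string   `json:"purpose"`
	DataCategories []string `json:"data_categories"`
	GrantedAt      int64    `json:"granted_at"`  // Unix seconds
	ValidUntil     int64    `json:"valid_until"` // Unix seconds
}

// SignedArtifact is the artifact plus detached signatures from both parties.
type SignedArtifact struct {
	Artifact     ConsentArtifact `json:"artifact"`
	PrincipalSig []byte          `json:"principal_sig"`
	FiduciarySig []byte          `json:"fiduciary_sig"`
}

// Withdrawal is a separate, principal-signed event. The artifact itself is
// never modified; withdrawal is a new record that references it by ID.
type Withdrawal struct {
	ArtifactID  string `json:"artifact_id"`
	WithdrawnAt int64  `json:"withdrawn_at"`
	Sig         []byte `json:"sig"`
}

// canonical serialises the artifact deterministically: encoding/json emits
// struct fields in declaration order, so equal artifacts give equal bytes.
func canonical(a ConsentArtifact) []byte {
	b, _ := json.Marshal(a) // strings, ints and string slices cannot fail to marshal
	return b
}

// withdrawalPayload is the exact byte string the principal signs to withdraw.
func withdrawalPayload(artifactID string, at int64) []byte {
	return []byte(fmt.Sprintf("withdraw:%s:%d", artifactID, at))
}

// Sign has both parties sign the same canonical bytes.
func Sign(a ConsentArtifact, principal, fiduciary ed25519.PrivateKey) SignedArtifact {
	msg := canonical(a)
	return SignedArtifact{Artifact: a,
		PrincipalSig: ed25519.Sign(principal, msg),
		FiduciarySig: ed25519.Sign(fiduciary, msg)}
}

// Withdraw creates a principal-signed withdrawal event for an artifact.
func Withdraw(artifactID string, at int64, principal ed25519.PrivateKey) Withdrawal {
	return Withdrawal{ArtifactID: artifactID, WithdrawnAt: at,
		Sig: ed25519.Sign(principal, withdrawalPayload(artifactID, at))}
}

// Verify answers "may processing under this consent proceed at time now?":
// both signatures must verify against the canonical bytes, now must fall in
// the validity window, and no authentic, effective withdrawal may exist.
func Verify(s SignedArtifact, principalPub, fiduciaryPub ed25519.PublicKey,
	now time.Time, withdrawals []Withdrawal) error {
	msg := canonical(s.Artifact)
	if !ed25519.Verify(principalPub, msg, s.PrincipalSig) {
		return errors.New("principal signature invalid: artifact altered or forged")
	}
	if !ed25519.Verify(fiduciaryPub, msg, s.FiduciarySig) {
		return errors.New("fiduciary signature invalid")
	}
	t := now.Unix()
	if t < s.Artifact.GrantedAt || t > s.Artifact.ValidUntil {
		return errors.New("consent outside its validity period")
	}
	for _, w := range withdrawals {
		// A withdrawal counts only if it names this artifact, is signed by the
		// principal (a fiduciary cannot forge one) and has taken effect.
		if w.ArtifactID == s.Artifact.ID && w.WithdrawnAt <= t &&
			ed25519.Verify(principalPub, withdrawalPayload(w.ArtifactID, w.WithdrawnAt), w.Sig) {
			return errors.New("consent withdrawn by the data principal")
		}
	}
	return nil
}

func main() {
	pPub, pPriv, _ := ed25519.GenerateKey(rand.Reader) // data principal's key pair
	fPub, fPriv, _ := ed25519.GenerateKey(rand.Reader) // data fiduciary's key pair
	// Constructed sample artifact: a delivery purpose limited to two data categories.
	a := ConsentArtifact{ID: "ca-0001", PrincipalID: "dp-42", FiduciaryID: "df-acme",
		Purpose: "deliver-order", DataCategories: []string{"name", "address"},
		GrantedAt: 1700000000, ValidUntil: 1700000000 + 30*86400}
	s := Sign(a, pPriv, fPriv)
	now := time.Unix(1700000000+3600, 0)
	fmt.Println("valid:", Verify(s, pPub, fPub, now, nil))
	tampered := s
	tampered.Artifact.Purpose = "targeted-ads" // scope creep invalidates both signatures
	fmt.Println("tampered:", Verify(tampered, pPub, fPub, now, nil))
	w := Withdraw(a.ID, 1700000000+7200, pPriv)
	fmt.Println("after withdrawal:", Verify(s, pPub, fPub, time.Unix(1700000000+9999, 0), []Withdrawal{w}))
}
```

Run it with `go run`; the first check passes, the second fails on the principal's signature, and the third fails because a withdrawal signed by the principal exists. A processor that receives the artifact together with the fiduciary's and principal's public keys can run the same Verify call before touching the data, which is the consent check discussed under the dual nature of data processors and fiduciaries.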