India finally enacted the Digital Personal Data Protection (DPDP) Act last month, six years after the Supreme Court's landmark Puttaswamy judgement recognized privacy as a fundamental right under the constitution.
The DPDP Act introduces a consent-based data management regime by which individuals have the option to withdraw consent and request the deletion of their personal data. The act is expected to be implemented over the next six months with the establishment of the Data Protection Board of India and further data protection rules under the legislation.
It heralds a new national framework that replaces the data protection rules framed under the Information Technology Act 2000. Under the new act, fiduciaries must obtain consent from data principals before processing their personal data (outside a short list of "legitimate uses") and must notify both the Data Protection Board of India and each affected data principal in the event of a personal data breach. Failure to do this may result in a fine of up to 250 crore rupees (about $30 million).
Data principals also have duties as well as rights under the act: Section 15 prohibits them from supplying false personal information or filing false or frivolous grievances. Under Section 14, individuals can nominate someone else to exercise their data-principal rights in the event of their death or incapacity.
Data fiduciaries must give data principals a consent notice, in English or any of the languages listed in the Eighth Schedule to the constitution, that is clear enough for them to make an informed decision. Fiduciaries must also allow principals to access, correct and erase their personal data.
The DPDP Act is not limited to Indian citizens: it covers any personal data processed within India, and processing outside India that is connected to offering goods or services to people in India. Unlike earlier drafts of the bill, the act itself imposes no general requirement to keep a copy of personal data in India; stricter sectoral localisation rules (such as those of the Reserve Bank of India) continue to apply. Under Section 16, the government can restrict transfers of personal data to countries it notifies as untrusted.
Section 8 requires a fiduciary to engage a data processor only under a valid contract, and to maintain reasonable security safeguards to prevent breaches. The same section obliges the fiduciary to erase personal data once consent is withdrawn or its purpose has been served, unless another Indian law requires it to be retained, and to ensure that any data processor it shared the data with erases it too.
Every significant fiduciary is expected to appoint a data protection officer based in India. The notification of significant fiduciaries by the government under Section 10 will be based on criteria linked to the volume of personal data being processed, the risk to national security, risk posed to electoral democracy, and risk to public order. Foreign firms operating in India are more likely to be made significant fiduciaries, requiring them to appoint a data protection officer in India.
The act also empowers the government of India to block websites and order the censorship of content that is being processed against interests of the general public under Section 37. It can also require any data fiduciary to furnish relevant information under Section 36 of the act.
A significant part of the act allows the government to make rules which will further shape the framework. This is likely to occur in the coming months, and a list of global regions in which data may not be processed is expected to be introduced. China is expected to be included on this list, given India’s history of banning websites and apps that send personal data to servers in Beijing.
The act does not apply to personal data that the data principal has made publicly available themselves. Anything an individual has posted openly on social media or a blog therefore falls outside the act's processing restrictions, although other laws, such as copyright, still apply to that content. The act also allows firms to process personal data without consent for certain "legitimate uses" listed in Section 7.
The legislation provides broad exemptions under Section 17 for the government to demand data from fiduciaries and to process personal data for national security and public order, and it lets the government exempt classes of fiduciaries from various sections of the act. The absence of surveillance reform, combined with these wide exemptions, is seen as a security risk with clear potential for misuse.