India’s New Digital Personal Data Protection Act

On August 11, India’s President Droupadi Murmu signed into law the Digital Personal Data Protection Act 2023 (DPDP Act), which regulates the processing of digital personal data within India, and also processing outside India when it is connected with offering goods or services to people in India. The Act attempts to balance the need to process personal data for lawful purposes with the right of individuals to protect their personal data. The law aims to help digital markets grow more responsibly and will have implications for entities engaged in digital transactions. Keep reading for expert insights on the law from India’s former Electronics, IT & Telecom Secretary, R. Chandrashekhar, as well as key takeaways and analysis.

Context

India previously had no specific law on data protection; instead, use of personal data was governed by the Information Technology Act (2000). In 2017, the central government appointed a committee of experts on data protection, chaired by Justice B. N. Srikrishna, to examine issues relating to data protection in the country. Based on the committee’s recommendations, submitted in July 2018, the Personal Data Protection Bill (2019) was introduced in Lok Sabha, Indian Parliament’s lower house, in December 2019. After facing an opposition roadblock, the bill was referred to a Joint Parliamentary Committee, which submitted its report in December 2021 with a massive 81 amendments and another 12 recommendations. The bill also faced pushback from a range of stakeholders, including tech companies over issues like data localization, and privacy activists who raised alarm over sweeping powers to government agencies. In August 2022, the Government withdrew the bill from Parliament, promising a fresh look. In November 2022, the Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection Bill (2022) for public feedback. Ahead of Parliament’s monsoon session on July 5, the union cabinet gave its approval to the final draft of the bill.

Expert Insights

R. Chandrashekhar

With the Digital Personal Data Protection Act 2023 as law, India has opted for a pragmatic approach that allows for new technologies such as AI and entrepreneurial activity by startups to flourish, while protecting the rights of the individual to privacy. The Right to Privacy is already a fundamental right guaranteed by the Constitution, and the new law attempts to create a simple framework for people to seek redressal when there is a breach of privacy.

The DPDP Act recognizes that the Government and industry need to process personal data in certain contexts, and the law brings clarity on the ambit of privacy. The Act spells out the circumstances in which the Government can seek information, and what data can be processed by private entities. For instance, when individuals volunteer their personal data, it can be used for the purpose for which it was provided and needs to be erased once the purpose is fulfilled. However, the data fiduciary can transfer this data to data processors if it is for the intended purpose.

Data voluntarily shared by individuals in the public domain is not subject to privacy, unlike Europe’s Global Data Protection Regulation, which does not permit this without consent. In that sense, the approach India has taken is a departure from Europe’s, while on the other extreme is China, where the Government has extensive powers over the data of its citizens.

Use of data by AI in countries like the US and Australia is still governed by legacy laws. In this context, the Indian government has been cognizant of industry demands and the needs of startups. There are some residual concerns regarding adequate protection of privacy of personal data of individuals and adequate safeguards being laid down for access of personal data by the Government, which perhaps will be addressed in due course by legal institutions and processes.

Processing of foreign personal data has been carved out separately, subject only to the contractual terms and with adequate security safeguards.

The Data Protection Board of India is the statutory body for grievance redressal envisaged under the law. The 2022 version of the draft bill was ambiguous on some counts, but the new law is sufficiently clear on who can be appointed to the board, what their qualifications, experience and expertise should be, and the duration of the appointment. That is a welcome addition.

The board is not envisaged as a regulator—it is a statutory body which responds to complaints of a breach or an invasion of privacy. And when such a complaint is made, the board can investigate the matter and, if the Data Fiduciary is found culpable, impose a penalty.

The concept of a consent manager in the new law is also different from how it was previously envisaged. While the consent manager was a mandatory part of the chain of consent in the earlier draft bill, in the new law the consent manager is more of a facility available to people for managing their consent.

In summary, the law is a fairly well-nuanced attempt to create a conducive environment for processing of personal data while recognizing that privacy is a fundamental right, and simultaneously that the Government needs to have access to personal data in certain contexts for legitimate purposes of governance. Concerns of the industry regarding location of data, enabling AI development, providing limited exemptions to startups, and enabling research and analysis have also been adequately addressed.

Key Takeaways

Grounds for Processing Personal Data & Rights of Data Principals/Minors

The DPDP Act will apply to personal data collected in digital form and personal data collected in non-digital form and then digitized. It will also apply to digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to individuals providing personal data, or Data Principals, within the territory of India. Personal data may be processed only for a lawful purpose for which the Data Principal has given consent, and consent may be withdrawn at any time. The Central Government may conditionally allow processing of children’s data if it is satisfied that a Data Fiduciary—that is, the entity that determines the purpose and means of processing of personal data—has ensured that its processing of personal data of children is done in a manner that is verifiably safe.

Analysis: Deletion of a “deemed consent” clause will disrupt delivery of some digital services. A previous draft contained a “deemed consent” clause, which assumes consent for the processing of data, rather than needing to seek it explicitly. The clause made provision for data processing in the public interest, which forms the bulk of activities for data processors who scrape the data of individuals on the internet. The DPDP Act, however, has removed the “deemed consent” clause, instead determining that the consent of the individual will be deemed to have been given only in legitimate circumstances. The deletion of the “deemed consent” clause may disrupt delivery of certain digital services that process personal data as an essential business activity. Online entities, including websites, apps, gaming, social media, and instant messaging services, will be required to obtain parental consent for every individual under 18 years of age before processing their data. These platforms may also face restrictions on using advertisements targeting children to shield their privacy and online safety.

Obligations to Data Fiduciaries and Penalties

Data Fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and erase personal data upon the withdrawal of consent or as soon as the purpose for which such personal data was collected is over. The Central Government may notify any Data Fiduciary or class of Data Fiduciaries processing big data as “Significant Data Fiduciary” based on an assessment. Such Significant Data Fiduciaries shall have to comply with additional obligations like appointment of a Data Protection Officer and periodic safety audits. The maximum penalty for a breach in observing the obligations of a Data Fiduciary will be Rs 250 crore (USD 35 million). Penalties will be imposed by the Board after conducting an inquiry.

Analysis: Companies may face increased compliance, fines, and operational costs. Data Fiduciaries are likely to bear the burden of compliance to ensure the security and integrity of personal data, though the rules still need to clarify the specific compliance requirements. The burden of compliance rests in particular upon Significant Data Fiduciaries, which are designated by the Government based on volume, data sensitivity, risk of harm from processing, or other criteria. And while the Government regulates Significant Data Fiduciaries more strictly, including heavy fines for data breaches, penalties stop short of criminal charges, which is a relief for entities and an important confidence-building step. Also, the final law reduced the maximum penalty from Rs 500 crore (USD 70 million) in an earlier draft to Rs 250 crore (USD 35 million). The reduction is helpful for large industry players, but it is still prohibitive for startups. Businesses are also at risk of increased operational costs due to the need for adequate firewalls to secure data.

Cross Border Data Processing

Cross-border data flow to certain countries and territories is permitted, along with the relaxation of data localization requirements. The Government is also to establish a list of countries to which transfer of personal data, or in which processing of Indian data subjects’ personal data, will be restricted.

Analysis: Offshore entities will be subject to the law, but data localization requirements will loosen. The new law will facilitate international data transfer by bringing offshore entities serving Indian data subjects within its compliance jurisdiction. Under the new provisions, the law does not impose restrictions on transfer of personal data outside of India. Relaxations in data localization will boost cross-border data processing and bring down input costs for offshore entities, though restrictions in specific sectors like banking and telecoms will continue. Offshore entities employing Indians, merchants, and vendors will be subject to the regulation if they store personal data. The Government will publish a blacklist of countries to which cross-border data flow will be disallowed.

Exemptions to Entities, Startups

Exemptions are provided to companies where data processing is necessary and approved by a court, tribunal, or other competent authority in cases such as mergers and amalgamations. The Central Government may, having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries or class of Data Fiduciaries, including startups, as Data Fiduciaries to whom exemptions may be provided. State agencies and organizations that process data for law enforcement or legal process have also been exempted from the compliance burden.

Analysis: State agencies and startups enjoy exemptions. State agencies have been given exemptions in public interest. Exemptions in cases where ascertaining the financial information is required will help courts and tribunals speed up the litigation process. Startups have also been given relief to help them grow by reducing the compliance burden. Exemption to startups means they get extra protection if they collect data for research or tech development. Media entities not making it to the exemptions list will redefine their content strategy.

Data Protection Board & Appellate Authority

The Central Government shall appoint a Data Protection Board of India. The Board shall consist of a chairperson and other members. Its key functions will be monitoring compliance and imposing penalties, directing data fiduciaries to take necessary measures in the event of a data breach, and hearing grievances made by affected persons. Any person aggrieved by an order or direction made by the board may appeal before the appellate tribunal. The Government has designated the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) as the Appellate Tribunal.

Analysis: Disputes may suffer prolonged litigation. The board is not a regulatory authority. The DPDP Act, 2023 provides only adjudicatory powers to the board. While the Data Fiduciaries may find relief that the Government has stopped short of creating another regulatory body, the delinking of the regulatory and adjudicatory powers may also lead to prolonged litigations over disputes in certain cases. Previously, High Courts were designated as the authority, but the new law has streamlined the appeals process by appointing TDSAT as the appellate body. A central authority to hear appeals is expected to expedite dispute resolution.

Edelman Global Advisory (EGA) provides tailored government affairs and business advisory services to companies, institutions, organizations, and governments seeking to navigate today’s changing geopolitical and economic landscape. Headquartered in Washington, DC, we have 67 offices across 25 countries in six markets: the US and Canada, APAC, MENA, Europe, Latin America, and India. The India EGA team is comprised of 10 public affairs experts, including senior industry professionals, researchers, lawyers, and former journalists. We have access to an extended group of advisors from civil service, media, and NGO circles who help us navigate the vast and complex stakeholder universe in India, and we are backed by the Edelman network of 250+ India-based communicators with specialties in media, digital, creative, and content.

To learn more about the G20 India Presidency, please visit edelmanglobaladvisory.com, or reach out to Anand.Patel@EdelmanEGA.com.