India’s DPDPA (Digital Personal Data Protection Act): Key Provisions and Business Implications

Sameer Ahirrao -

The India’s DPDPA (Digital Personal Data Protection Act, 2023) marks a significant step for India in establishing strong data privacy laws. Passed in August 2023, this act aims to reshape how personal data is managed in the digital space, creating both challenges and opportunities for businesses under its scope. As we anticipate the rollout of the act along with its detailed rules, it's essential to grasp its full impact.

India’s DPDP Act implications, scope

A key aspect of India's DPDP Act is its extraterritorial scope, allowing it to apply even outside of India. This means that foreign entities dealing with data of Indian individuals (data principals) must familiarize themselves with the act’s requirements. The act primarily focuses on protecting personal data by prioritizing individual consent and placing specific responsibilities on data fiduciaries, the entities that decide how personal data is processed.

Evolution of data privacy legislation

The Information Technology Act, 2000 (IT Act) addresses data protection but has certain limitations. To supplement this, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 (SPDI rules), were established to regulate sensitive personal data processing. The India’s DPDP Act will replace significant portions of the IT Act, specifically section 43(A), and will establish a more comprehensive framework for managing digital personal data, also superseding the SPDI rules once it takes effect. This shift highlights India’s dedication to aligning its data protection standards with global practices and tackling the evolving challenges of the digital age.

Core areas of the act

The India’s DPDP Act includes key elements that define its regulatory structure:

  • Personal Data Protection: It establishes principles for processing digitized personal data to maintain privacy, confidentiality, and protect the rights of individuals (data principals).
  • Extraterritorial Reach: The act applies to foreign entities handling the personal data of Indian residents when offering goods or services to them.
  • Data Fiduciary Duties: Entities that collect and determine the processing of personal data are required to adhere to obligations such as obtaining consent, ensuring security, and maintaining transparency. These responsibilities rest solely on the data fiduciary and cannot be transferred to a data processor, even by contract; the data fiduciary is liable for the processor's actions.
  • Individual Rights: The act grants data principals rights over their data, including access, correction, and deletion.
  • Regulatory Oversight: The act introduces data protection officers and establishes bodies like the Data Protection Board to monitor compliance and enforce penalties.

Key provisions

The India’s DPDP Act includes essential provisions that outline its scope and application:

  • Data Categories: It sets up a framework for regulating digital personal data, regardless of its original form.
  • Exclusions: The act excludes personal data processed for personal or domestic use from its regulations.
  • Consent Requirements: Affirmative consent is required for lawful data processing, with clear guidelines for withdrawal. Notably, withdrawing consent does not affect the legality of processing activities that occurred before the withdrawal. Each consent request must be accompanied by a notice to the data principal detailing the personal data involved, the purpose of processing, withdrawal procedures, and a grievance redressal mechanism for issues like data breaches.
  • Legitimate Processing: The act allows for personal data processing without explicit consent in certain cases, such as when data is voluntarily provided for a specific purpose, in the performance of state functions (like granting benefits or licenses), protecting national security, complying with court orders, managing medical emergencies or disasters, and for employment-related purposes, including protecting an employer's intellectual property rights.
  • Data Localisation: The act does not impose data localisation requirements, allowing free cross-border data flow, but it includes a provision for a negative list of countries to which data transfers are prohibited.
  • Children’s Data: Individuals under 18 years are considered children, and the act prohibits advertising targeted at them.

Exemptions

The act outlines certain exemptions and does not apply to state agencies, which the government can exempt if it concerns India's sovereignty, integrity, security, or public order. Furthermore, the government can also exempt specific types of data fiduciaries from requirements related to providing notices, ensuring data accuracy, maintaining data, and data deletion.

Applicability and impact

The introduction of the DPDP Act presents considerable challenges for various industries, requiring them to overhaul their data handling practices and compliance systems. This is especially critical for sectors such as fintech and e-commerce.

Fintech

Fintech companies encounter specific challenges in achieving compliance, particularly in managing data flows and partnerships with traditional financial institutions. Compliance responsibilities primarily rest with data fiduciaries, prompting fintech firms to enhance their data protection strategies and adhere to regulatory standards.

Under the India's DPDP Act, fintech companies are generally categorized as data processors if they handle personal data, while banks and NBFCs are classified as data fiduciaries since they determine the purpose and means of data processing. This aligns with the RBI's 2022 Guidelines on Digital Lending. However, depending on their role and functions, fintechs can also be classified as data fiduciaries under the DPDP Act. The primary compliance burden lies with data fiduciaries, who must ensure that data processors adhere to regulatory requirements. Therefore, fintechs need to implement strong controls, including code management, identity management, and charge management, while ensuring transparency and data accuracy. Achieving ISO certifications and adopting technical measures for data protection are also essential for meeting compliance standards.

E-commerce

Clearly defining data fiduciary roles and responsibilities within e-commerce ecosystems is crucial for compliance. Whether platforms or sellers take on these responsibilities depends on their involvement in data processing and decision-making. Proper role definition is vital for meeting regulatory requirements.

For example, in e-commerce platforms like Amazon, Flipkart, and Myntra, where personal data is collected and analyzed for marketing purposes, the platform typically acts as the data fiduciary and is responsible for compliance. However, if the platform only provides technological infrastructure and the retailer manages all sales activities, the retailer may be the data fiduciary if they collect data for sales fulfillment.

If the platform only facilitates transactions without handling personal data, the seller may be classified as the data processor. The key is to determine which entity decides on the methods and purposes of data collection and processing, as this will dictate their fiduciary responsibilities.

Service-providing platforms

Companies like Uber, Ola, and Urban Clap are recognized as data fiduciaries under the DPDP Act. These platforms are required to share personal data with partners such as drivers and other individuals. Therefore, it is crucial for them to implement strong technical measures, like data masking, to protect sensitive information. They must also ensure that their business partners understand and adhere to privacy protection and compliance requirements.

If a platform is inactive for an extended period or if consent is withdrawn by the data principal, the data fiduciary must ensure that the data is no longer used or retained. Only a minimal amount of data should be shared to reduce privacy risks.

Online advertising companies must also comply with the DPDP Act by securing explicit consent, limiting data collection to what is necessary for their advertising purposes, and using it only for the specified purposes communicated to users at the time of collection. Additional compliance measures may include maintaining records of data processing activities, conducting data protection impact assessments, and appointing a data protection officer.

Ultimately, these entities must prioritize privacy protection not only as a legal requirement but as a core aspect of their operations and values.

Charting the path forward

The India’s DPDP Act marks a new chapter in data protection for India, emphasizing individual consent and accountability. This shift aims to create a safer and more transparent digital environment. As India moves towards becoming a USD 5 trillion economy, adhering to data protection standards will be essential.

Once the implementation rules are set and the Data Protection Board of India is operational, stakeholders can expect a stronger digital landscape that promotes both trust and innovation.

About Ardent Privacy

Ardent’s mission is to help enterprises implement meaningful security and privacy programs aligned to their business mission, building trust and protecting data assets. Ardent’s technology “TurtleShield” is a holistic software platform that empowers enterprise security, legal, and data teams to implement and manage data privacy within the organizations with rapid data asset visibility and actions to enable privacy compliance, govern AI risk, meaningful data protection, and reduce cost of compliance and data breaches. Our unique and patented ML/AI-powered technology helps organizations comply with evolving privacy and AI regulations and accelerates adoption of AI technologies. Ardent offers a low code platform to automate Privacy & AI governance, rapid discovery of data assets and consent management with regional focus for global regulations.