The DPDPA in the making

The DPDPA is simpler than some privacy laws around the world and clearly less prescriptive than the EU's General Data Protection Regulation (GDPR). This is a departure from the initial drafts beginning in 2018 but is a modified version of the simpler 2022 draft.

By way of background, in 2022, the Government decided to step back from enacting comprehensive data privacy legislation because of a concern that it would be too difficult for the industry to deal with it. This concern is not misplaced. India has very little history of data privacy compliance; it is mostly the companies that are doing business outside India that have experience in complying with data privacy laws. Further, India has a huge SME sector, which would have struggled to comply with a comprehensive data privacy law. 

The Government also walked back its earlier intention to include substantial data localization requirements in the data privacy law by opting for a 'blacklist' of countries to whom personal information cannot be sent. We expect this will cover mostly countries that do not have a data protection laws or countries that are perceived as being unfriendly to India. The DPDPA does clarify, however, that it will not affect sectoral regulations in this regard, which means that controversial requirements such as in the payment space would remain. 

A brief overview of the DPDPA's requirements

The DPDPA relies on consent as the main ground for processing personal data, although there are some legitimate uses that do not require consent. There are also other situations to which most of the DPDPA does not apply. It grants data subjects (referred to as data principals) certain rights - the right to access what personal data is being processed, the right to correct and update personal data, and the right to ask for personal data to be deleted in certain circumstances. Further, the DPDPA requires the data controller (referred to in the law as the data fiduciary) to delete personal data on its own when the purpose for which the personal data has been collected is no longer served. As noted above, instead of a data localization requirement, the DPDPA grants the power to the government to notify a 'blacklist' of countries to whom personal data cannot be transferred. While the law requires data fiduciaries to use reasonable security standards to protect personal information, if there is a breach, the data fiduciaries are required to notify both the Data Protection Board of India and the concerned data principals. It includes civil penalties for violations of the law with penalties rising up to $30 million. There is, however, no scope for payment of compensation to concerned data principals. 

The law has taken a light-touch approach to big data and AI. There is no prohibition on making decisions entirely through an automated process. Personal data used to make those decisions must, however, be complete, accurate and consistent. Further, the DPDPA is somewhat silent on the concept of 'necessity.'  While personal data can only be processed for a 'specified purpose,' the specified purpose means the purposes listed in the privacy notice. There does not appear to be a clear prohibition on including purposes that are not necessary for performing the service for which the personal data was collected.    

Consent

Under the DPDPA, consent is the main ground for processing personal information. Consent must be 'freely given,' 'specific,' 'informed,' 'unconditional,' and an 'unambiguous indication of consent' and through a 'clear affirmative action.' Except for the word 'unconditional,' the language used to qualify consent is the same as under GDPR. Given this reality, in the absence of an indication to the contrary by the Government, one would have no choice but to apply the same standards of consent under GDPR.  For a variety of reasons, these standards are considered quite difficult to comply with by many businesses in the EU. If the GDPR's standards are applied, then it may become very difficult for Indian businesses to obtain consent. 

This is why building principles into legislation is important. Ultimately, it is not about consent but whether the processing is reasonable or legitimate. The GDPR includes the concept of legitimate interest -  a data controller can process personal information if it has a legitimate interest in doing so. The DPDPA does include some 'legitimate uses' for which consent is not required but these are quite specific and don't encompass the broad ground that is a legitimate interest. One possible result is that businesses may obtain consent in any way they want. Then, the requirement to obtain consent will become quite meaningless and the law will not serve the purpose for which it is meant. 

Breach notification

The DPDPA is stricter than GDPR in another way - it requires data breaches to be notified to the data protection authority, the Data Protection Board of India, and the concerned data principals. A data breach refers to an accidental disclosure, use, alteration, or destruction of personal data, that compromises its confidentiality, integrity, or availability. There is no threshold which means that even small breaches need to be notified. In the EU, a breach needs to be notified to both the data protection authority and the individual only if there is a risk to their rights and freedoms. Notifying small breaches could lead to confusion and concern among data principals and also a reputational loss for the data fiduciary. 

The law also requires that data principals have a choice of receiving the privacy notice in any of the 22 scheduled languages. This means that a business may have to translate the notice into 22 languages on the assumption that any of these languages could be selected by a concerned data principal. This is a somewhat strange requirement, and it is hoped it will be diluted through delegated legislation. Businesses will either have to find some clever workaround for this or proceed to translate the notice into all 22 languages. 

A key concern for data fiduciaries is the fact that the DPDPA requires data fiduciaries to be responsible for compliance with the law by data processors. The law is not absolutely clear whether a data processor can be held liable for violations - there are indications in the law that it will be only the data fiduciary who will be held liable, which means that the data fiduciary will have to be careful about contracts signed with data processors and in particular, the indemnity provisions in those contracts. 

Data Protection Board of India

One concern I find with the DPDPA is the lack of powers given to the Data Protection Board of India. It is by and large an adjudication authority, to adjudicate complaints from data principals. The power of delegated legislation is entirely with the Central Government. In that sense, India will not have a data protection authority with fully vested powers. This is unfortunate because personal data is so omnipresent that it is difficult to implement legislation on it without the authority to issue clarifications, and guidance notes and essentially build the jurisprudence around the law. This is even more so given that India has little history of data privacy laws, and jurisprudence in this area is more or less non-existent. This looks like a costly miss that will hamper the growth of data privacy compliance in India.

Concluding thoughts

Ultimately, the Government has opted for a law that involves more black or white (either it applies or it doesn't), rather than a principles-based approach, such as whether legitimate or not or whether risks are involved or not (which involves some reasoning and context). This can be seen in the decision not to include a legitimate interest type ground, the lack of threshold in data breach reporting, and even the lack of guidance power to the Data Protection Board of India. The principles-based approach is, however, more suitable for data privacy legislation. 

The final enacted version of the DPDPA may also be reflective of the lack of history of data privacy law. Having said this, some key issues have not been dealt with particularly well. The lack of transparency that resulted in introducing the final draft directly in Parliament and enacting it within a few days reflects the frustration of the Government in dealing with multiple drafts over five years. However, there was also no space given to point out key concerns with the final version. As we have seen in the past, India has a way of finding a model that works even though it may not necessarily reflect the literal requirements of the law. I expect some form of that will work itself out over time.    

Stephen Mathias Senior Partner and Co-Chair of the Technology Law Practice
[email protected]
Kochhar & Co, India