Data Protection & Privacy 2024

Last Updated February 13, 2024

India

Law and Practice

Authors



IndusLaw is a top-tier, full-service Indian law firm, with more than 400 lawyers spread across offices in Bengaluru, Chennai, Delhi & NCR, Hyderabad and Mumbai. It offers legal services to a wide range of international and domestic clients from a variety of sectors and across a broad spectrum of practice areas, including technology, media and telecommunications; financial services – regulatory; employment law; capital markets; litigation and arbitration; and private equity, venture capital and acquisitions. The TMT practice group comprises 25-30 lawyers and consistently advises clients on complex and cutting-edge matters, including data protection and privacy-related laws, Web3 offerings such as cryptocurrencies, the structuring of data-sharing contracts and regulatory compliance, in addition to assisting with mitigating risks and responding to data security incidents.

Until recently, India did not have a dedicated law on data protection and privacy, relying instead on specific provisions on privacy found in the Information Technology Act, 2000 (the “IT Act”) and the rules framed thereunder – specifically the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”). However, in the 2017 decision in Justice K.S. Puttaswamy (Retd.) v Union of India, the Supreme Court of India recognised the right to informational privacy as a “fundamental right” arising from the right to life and personal liberty under Article 21 of the Constitution of India.

Around the same time, the central government set up an expert committee to draft India’s first dedicated law on data privacy; after multiple iterations, the Digital Personal Data Protection Bill was placed before the Parliament in August 2023 and was passed as the Digital Personal Data Protection Act, 2023 (the “DPDP Act”). The DPDP Act replaces the privacy provisions under the IT Act and the SPDI Rules as a standalone data protection legislation. It is not yet in force, but the Indian government is expected to enforce it in the next few months.

The key enforcement provisions under the IT Act are as follows.

  • Section 43A – a body corporate processing sensitive personal data or information (SPDI) that is negligent in implementing reasonable security practices and procedures (RSPP) or that is non-compliant with SPDI Rules and the data processing principles thereunder (ie, notice, consent, purpose limitation, data accuracy and grievance redressal) can be held liable for compensation if such negligence results in wrongful gain or wrongful loss. SPDI is defined as personal information that consists of information relating to passwords, financial information (such as bank account, credit card, debit card or other payment instrument details), medical records, biometric information, physical, physiological and mental health condition, sexual orientation, etc.
  • Section 72A – a service provider that discloses personal information without consent or in breach of its contractual obligations, with the intention of or knowing that such disclosure is likely to result in wrongful gain or wrongful loss, can be held criminally liable with imprisonment or a fine, or both. Personal information is defined as information relating to a natural person that directly or in combination with other information is capable of identifying such person.

The DPDP Act on the other hand is a comprehensive and landmark piece of legislation that will regulate the processing of digital personal data in India. It is designed to protect individuals' fundamental right to privacy, and to give them more control over their personal data. The DPDP Act provides for the following, among other matters.

  • Applicability to digital personal data – the DPDP Act applies to the processing of personal data (ie, data about an individual who is identifiable by or in relation to such data) in digital form or that is digitised after collection, or that is in connection to any activity related to the offering of goods or services to “data principals” in India. It is relevant to note that the DPDP Act does not further categorise personal data into sensitive/critical personal data, and provides the same degree of protection to all personal data.
  • Consent and notice – any processing of personal data will be subject to consent. The consent needs to be freely given (through a clear affirmative action), specific, informed and unconditional, and should unambiguously indicate the data principal’s affirmation of the processing of his/her personal data for the specified purpose. At the time of or prior to seeking consent, the data fiduciary is also required to provide a privacy notice to the data principal, in clear and plain language.
  • Legitimate uses – the DPDP Act stipulates certain “legitimate uses” for which a data fiduciary can process the personal data of data principals without obtaining their explicit consent.
  • Data retention – the data fiduciaries must cease to retain personal data upon the withdrawal of consent or as soon as the specified purpose for which the personal data was collected is no longer being served, whichever is sooner, unless an applicable law requires a longer data retention period.
  • Personal data breach – data fiduciaries are required to implement reasonable security safeguards along with appropriate technical and organisational measures to prevent personal data breaches. The data fiduciary is required to notify any data breach to the Data Protection Board (DPB), and to the data principals concerned.
  • Significant data fiduciaries – the central government can notify any data fiduciary or class of data fiduciaries as significant data fiduciaries, based on the volume and sensitivity of personal data processed, risk of harm, security of the state, etc. The DPDP Act imposes certain additional obligations on such significant data fiduciaries.
  • Rights of a data principal – the DPDP Act provides certain rights to data principals, including the right to erasure, the right to correction, the right to grievance redressal, the right to nomination and the right to withdraw consent for the processing of personal data.
  • Penalty for violation of the DPDP Act – penalties of up to INR250 crore (~USD30 million) may be imposed for non-compliance with provisions of the DPDP Act by “data fiduciaries”. It is important to note that the DPDP Act also imposes a penalty of up to INR10,000 (~USD120) on “data principals” for failure to comply with their duties under the DPDP Act. However, no criminal liability has been envisaged under the DPDP Act.
  • Processing of children’s data – the DPDP Act requires data fiduciaries to obtain verifiable consent from the parent or legal guardian of a child before processing the personal data of children. A data fiduciary also has to ensure that such processing does not have a detrimental effect on the well-being of a child and that they do not undertake tracking, behavioural monitoring or targeted advertising directed at children.

In essence, by giving individuals more control over their personal data and preventing its misuse, the DPDP Act creates a more transparent and accountable framework for the processing of personal data.

Separately, there are several sectoral regulations in sectors such as banking, insurance, telecoms, etc, that prescribe data protection requirements for entities regulated under those sectors; see 2.2 Sectoral and Special Issues for more detail.

The IT Act provides for the appointment of an adjudicating officer to decide if a person has contravened any of its provisions or the rules framed thereunder, where the claim for injury or damage does not exceed INR5 crores (~USD600,000). Any other claims would be decided by the civil court. The adjudicating officer has the power of a civil court, and the government has designated the Secretary to the Ministry of Information Technology in each state as the adjudicating officer.

However, the DPDP Act provides for the creation of India’s first data protection authority, the DPB, which would function as an enforcement agency, a digital office and an independent body. As per the DPDP Act, the DPB will be responsible for addressing and resolving disputes, complaints and cases related to data breaches, privacy violations and other data-related concerns. Please see 1.3 Administration and Enforcement Process for the enforcement process and investigative powers and procedures of the DPB.

Separately, there are sector-specific regulators in the banking, securities, insurance and telecommunications sectors. The regulations flowing from each of these sectoral regulators also have certain data-specific and compliance requirements that may have an impact on data privacy and protection.

The adjudicating officer appointed under the IT Act has the same powers as vested in a civil court (such as summoning the attendance of persons and examining them on oath, requiring the discovery or production of documents and other electronic records, receiving evidence on affidavits and issuing commissions for the examination of witnesses or documents) and is required to follow the general procedural laws applicable to civil courts in deciding matters. Furthermore, while determining the quantum of compensation, the adjudicating officer is required to have regard to the following factors:

  • the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
  • the amount of loss caused to any person as a result of the default; and
  • the repetitive nature of the default.

The DPB to be established pursuant to the DPDP Act also has the same powers as vested in a civil court. The DPB’s primary function is to issue directions, conduct inquiries into breaches of obligations by data fiduciaries and impose monetary penalties. It can initiate proceedings in the following circumstances:

  • upon receipt of an intimation of a personal data breach – the DPB may direct any urgent remedial or mitigation measures, inquire into the matter and impose a penalty;
  • upon a complaint made by a data principal – a data principal may make a complaint to the DPB in case of a personal data breach, or a data fiduciary’s failure to observe its obligations in relation to their personal data or exercise of their rights under the DPDP Act;
  • upon a reference made by the government or a state government, to inquire into a breach by the data fiduciary; and
  • upon directions of any court, to inquire into a breach by the data fiduciary.

Prior to initiating an inquiry, the DPB would have to determine if there are sufficient grounds for such inquiry. Upon determining such grounds, which are recorded in writing, the DPB would have to adhere to the rules of natural justice in conducting such inquiry. Furthermore, while determining the quantum of penalty, the DPB is required to have regard to:

  • the nature, gravity and duration of the breach;
  • the type and nature of the personal data affected by the breach;
  • the repetitive nature of the breach;
  • whether the person has realised a gain or avoided any loss as a result of the breach;
  • whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
  • whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breaches of the provisions of the DPDP Act; and
  • the likely impact of the imposition of the monetary penalty on such person.

Any appeals from orders of the DPB would lie before the Telecom Disputes Settlement and Appellate Tribunal and thereafter before the Supreme Court of India.

As a member of the United Nations, India adopted the Model Law on Electronic Commerce adopted by UNCITRAL via resolution A/RES/51/162, dated 30 January, 1997. This framework laid the foundation for India’s first information technology law: the IT Act.

The DPDP Act does not adopt nor relate to any multinational systems/multilateral obligations. While influence has clearly been drawn from other privacy legislation, the DPDP Act was enacted by the Parliament of India after consultation with relevant stakeholders and is designed as a unique Indian legislation. Please see 1.6 System Characteristics regarding similarities between the DPDP Act and the GDPR.

When it comes to technology policy, India is home to a wide ecosystem of stakeholders, including think tanks, NGOs and industry self-regulatory organisations (SROs). The government regularly consults with SROs and NGOs regarding a widely dynamic technology ecosystem. For the DPDP Act, the Indian government constituted a committee of experts to examine and prepare draft legislation governing data privacy which, following multiple stakeholder consultations and iterations, was eventually passed in Parliament as law.

Prominent industry bodies and NGOs active in the Indian privacy and data protection landscape include IAMAI, NASSCOM, the Centre for Communication Governance, the Centre for Internet and Society, the Internet Freedom Foundation, etc.

The Constitution of India gives the central government power to legislate on matters that have not been allocated specifically to the state governments or where the power to legislate has not been shared between the central and state governments. Data protection and privacy is one such matter, where the central government enacted the IT Act and the DPDP Act to apply to the whole of India.

Privacy and data protection laws in India are at a very nascent stage compared to the EU’s GDPR. The DPDP Act is similar to the GDPR in many ways – for instance, the GDPR's fiduciary relationship between a “data subject” and a “data controller” is reflected in the DPDP Act between a “data principal” and a “data fiduciary”. Another similarity is the explicit codification of the (broadly similar) rights of individual data principals.

Both the DPDP Act and the GDPR adopt a consent-centric approach as grounds for the processing of personal data. The DPDP Act is also similar to the GDPR in its general applicability to all categories of entities that deal with digital personal data, regardless of the sector in which such entity operates or the type of digital personal data involved. The DPDP Act’s territorial applicability is also akin to the GDPR.

This being said, the DPDP Act and the GDPR are also divergent in many ways – for instance, the DPDP Act’s introduction of “legitimate uses” for the processing of digital personal data without consent (which is an exhaustive list) is different from the GDPR’s processing for purposes of “legitimate interests” (which is subjective). The DPDP Act requires a data principal to exhaust the opportunity of redressing grievances before approaching the DPB, but there is no such requirement under the GDPR. The DPDP Act provides for a penalty of up to INR10,000 (~USD120) to be imposed on “data principals” for failure to comply with certain prescribed obligations, but no such penalty on data principals exists under the GDPR.

With the introduction of the DPDP Act, 2023 was widely seen as the starting point for an imminent sea change in IT governance in India. The Indian government is in the process of formulating a Digital India Act (DIA), which is intended to overhaul and replace the existing IT Act and the rules made thereunder. The DIA is intended to be future-ready legislation by the Indian government, covering provisions that will safeguard and enable innovations in disruptive technologies such as artificial intelligence (AI), machine learning, intermediaries and safe harbour, Web 3.0, autonomous systems, internet of things, blockchain, etc, and it will also have provisions similar to the Digital Services Act and the Digital Markets Act in the EU.

Another key development on the horizon is the introduction of rules under the DPDP Act by the Ministry of Electronics and Information Technology (“MeitY”), along with the timelines for the implementation of the DPDP Act itself. These rules are expected to provide vital clarifications and procedures for the implementation of the DPDP Act, potentially enhancing its robustness and comprehensiveness.

Please see 2.5 Enforcement and Litigation regarding key privacy-related litigation over the past 12 months.

As mentioned in 1.7 Key Developments, the introduction of the DIA and the rules under the DPDP Act are the most anticipated changes that may be introduced in the near future.

Overview

Currently, the omnibus law applicable to data privacy in India is the IT Act and the rules thereunder – specifically the SPDI Rules; please see 1.1 Laws for a brief outline of both.

The DPDP Act is yet to be enforced and is intended to be overarching personal data protection legislation that will govern the manner in which the digital personal data of users is processed through the whole data life cycle. Please see 1.1 Laws, 1.2 Regulators, 1.3 Administration and Enforcement Process and 1.6 System Characteristics for an overview of the DPDP Act.

Requirement to appoint privacy or data protection officers

Under the currently prevailing SPDI Rules, every body corporate collecting SPDI is required to appoint a “Grievance Officer” to address any discrepancies and grievances raised by the person providing such SPDI. The SPDI Rules also require the name and contact details of the Grievance Officer to be provided on the website of the body corporate collecting such information. The DPDP Act outlines a data principal’s right for grievance redressal, but it remains silent on the appointment of a grievance redressal officer. It is yet to be seen whether further clarity will be provided under the rules to be prescribed under the DPDP Act.

Under the DPDP Act, every significant data fiduciary (ie, a data fiduciary that is classified as “significant” by the central government based on several identified factors) is required to appoint a resident individual as a “data protection officer”. This data protection officer is intended to represent the significant data fiduciary under the provisions of the DPDP Act and to be the point of contact for the grievance redressal mechanism under the DPDP Act.

Criteria necessary to authorise collection, use or other processing

Under the SPDI Rules, a body corporate can only collect SPDI if:

  • the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and
  • the collection of the SPDI is considered necessary for that purpose.

The body corporate or any person on its behalf must obtain consent from the data principal in writing through letter, email or other mode of electronic communication, and inform them of the purpose of usage before the collection of such information.

The DPDP Act allows for the processing of personal data for a “lawful purpose”, either:

  • if the data principal has given their consent for such processing; or
  • if the processing is done for certain “legitimate uses”.

Data fiduciaries can process the personal data of data principals by obtaining their free, specific, informed, unconditional and unambiguous consent provided through a clear affirmative action. Separately, a data fiduciary may process the personal data of a data principal for specified legitimate uses without obtaining the specific consent of the data principal, such as:

  • for specified purposes where data principals have voluntarily provided their personal data and have not objected to the use of their personal data;
  • for purposes of employment or for safeguarding an employer from loss or liability;
  • for responding to a medical emergency involving a threat to life or an immediate threat to public health;
  • for fulfilling an existing legal obligation to disclose any information to the state or any of its instrumentalities; and
  • for compliance with any judgment, decree or order issued under any law in force.

“Privacy by design” or “by default”

While the concept of privacy by design was included in an earlier iteration of the bill that led to the passage of the DPDP Act, the DPDP Act as it currently stands has no explicit provisions for privacy by design or default. However, the rules under the DPDP Act may prescribe processes that may emulate these concepts.

Privacy, fairness or legitimate impact analyses

The DPDP Act requires significant data fiduciaries to undertake periodic “data protection impact assessments” (DPIAs). A DPIA involves assessment of:

  • the description of the manner in which the personal data is processed;
  • the purpose of processing personal data;
  • the harm in relation to the processing of personal data and the measures for managing the risk of such harm; and
  • such other matters with respect to the processing of personal data as may be prescribed by the central government.

That said, it may be important for all data fiduciaries to conduct periodic internal audits and compliance checks to avoid the risk of incurring penalties.

Internal or external privacy policies

Under the SPDI Rules, every body corporate that processes or handles the personal information of its users is required to publish a privacy policy conspicuously on its website containing statements of its practices and policies, the type of personal information collected, the purpose of collection and usage, the manner and reasons for its disclosure, and the reasonable security practices and procedures adopted by it to safeguard the personal information.

While the DPDP Act does not explicitly require the adoption of internal or external privacy policies, the privacy notice, consent, rights of data principals and grievance redressal would need to be documented, which would mostly be done in the form of a data principal-facing privacy policy. Similarly, the technical and organisational measures, security practices, etc, to be implemented pursuant to the DPDP Act would need to be documented, which would be done in the form of internal policies on data governance and handling.

Data subject access rights

The SPDI Rules give data principals the right to review the information they have provided to a body corporate and to ensure that any SPDI found to be inaccurate or deficient is corrected or amended as feasible. The SPDI Rules also oblige body corporates or anyone acting on their behalf to provide data principals with the option not to provide the data or information sought to be collected, and to withdraw the consent previously given at any time while availing the services or otherwise. Please see 1.1 Laws regarding data subject rights provided under the DPDP Act.

Use of data pursuant to anonymisation, de-identification or pseudonymisation

There is no explicit provision under the extant data protection laws nor any dedicated legislation that governs non-personal data (NPD). However, MeitY has undertaken policy initiatives to regulate this facet of data protection. For instance, India introduced the “Data Accessibility & Use Policy” (DAU Policy) in February 2022 to regulate the usage of NPD, and MeitY released the Draft National Data Governance Framework Policy in May 2022 for public consultation. It aims to ensure that NPD and anonymised data from both the central government and private entities is made accessible for research and innovation. This draft policy is still under consultation.

Separately, it is anticipated that the DIA might provide some guidance on the standards of ownership for anonymised personal data collected by internet intermediaries.

Restrictions on profiling, microtargeting, automated decision-making, online monitoring, big data analysis, AI and algorithms

The DPDP Act explicitly prohibits the behavioural tracking of children (ie, persons under the age of 18), as well as the directing of targeted advertisements towards them. It does not impose any general restriction on profiling/targeted marketing, provided the processing of personal data for such purposes is in compliance with the DPDP Act.

The relevance of “injury or harm” to national privacy and data protection law

As mentioned in 1.3 Administration and Enforcement Process, the IT Act provides that a data fiduciary that fails to implement reasonable security practices and procedures for the protection of personal information and sensitive personal data may be required to compensate an aggrieved data subject for any “injury or harm” caused to them on account of such failure. In addition, the IT Act states that the following have to be accounted for when determining the quantum of compensation to be provided to data principals:

  • the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
  • the amount of loss caused to any person as a result of the default; and
  • the repetitive nature of the default.

The DPDP Act does not use the terms “injury” or “harm” in its definition of “personal data breach”. However, as mentioned in 1.3 Administration and Enforcement Process, as per the DPDP Act, when determining the quantum of penalty to be levied on a data fiduciary, the DPB is required to have regard to factors such as the nature, gravity and duration of the breach, the repetitive nature of the breach, loss caused, etc.

It is also pertinent to note that the DPDP Act, while dealing with the processing of children's data, prohibits data fiduciaries from undertaking the processing of personal data “that is likely to cause any detrimental effect on the well-being of a child”, although the term “detrimental effect” is not defined.

As mentioned in 1.1 Laws, the SPDI Rules recognise the protection of two sets of data: “personal data” and SPDI. Currently, any protection accorded to data sets that are perceived as “sensitive” stems from the SPDI Rules and is specifically only applicable to information that is covered under the definition of SPDI as outlined in 1.1 Laws. This protection is regardless of the source or use case of the SPDI.

The DPDP Act now provides uniform protection for all personally identifiable data, and has removed the classification of SPDI. It is yet to be seen if any special protection will be accorded to data sets considered “sensitive” in the rules to be issued under the DPDP Act or under the DIA.

AI data

There is currently no overarching law that governs the use and disclosure of AI-related data in India; AI data continues to be regulated under the extant IT Act and the SPDI Rules.

Financial data

As mentioned in 1.1 Laws, financial data forms part of SPDI and is accorded protection under the SPDI Rules, while no special protection has been accorded under the DPDP Act as mentioned hereinabove. That said, certain sector-specific legislation does provide the following additional obligations with regard to financial data, among others:

  • an obligation to ensure the confidentiality of customer data and the localisation of payments data under the Payment and Settlement Systems Act, 2007;
  • an obligation for banks to maintain the confidentiality of customer data under the Banking Regulation Act, 1949;
  • an obligation to maintain the confidentiality of credit information by credit institutions under the Credit Information Companies (Regulation) Act, 2005;
  • explicit consent requirements and restrictions on the collection, storage and use of certain data sets of the customer, such as location data or biometric data in the context of digital lending; and
  • specific know-your-customer (KYC) and anti-money laundering requirements prescribed by the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI) and other financial sector regulators.

Health data

Being considered SPDI, health data is also currently accorded protection under the SPDI Rules and is also covered under the DPDP Act to the extent it constitutes personally identifiable information. That said, India does not currently have specific legislation governing the use of health data.

It may be relevant to note that the Ministry of Health and Family Welfare released a policy in 2017, known as the “National Digital Health Mission: Health Data Management Policy”, which aimed to digitise the entire healthcare ecosystem of India. However, compliance with this policy is not legally mandated under any prevailing law.

The Ministry of Health and Family Welfare also introduced draft legislation in 2018, called the “Digital Information Security in Healthcare Act, 2018”, to enforce privacy and security measures for electronic health data, and to regulate the storage and sharing of electronic health records. However, the draft law has not yet been notified.

Communications data

The licence agreement executed between the licensed telecom service provider (TSP) and the Department of Telecommunications imposes a data localisation requirement on the TSP with respect to accounting information and user information relating to the telecom subscriber. Apart from this, there are no specific laws addressing communications data, which is regulated under the IT Act and the SPDI Rules (if applicable). Such data will be governed under the DPDP Act once it comes into force.

Children’s or student data

The DPDP Act defines a child as an individual who has not reached the age of 18 years, and imposes certain additional obligations and restrictions on the processing of personal data relating to children. Please see 1.1 Laws for more details.

Employment data

Under the SPDI Rules, since employee data may include data relating to the individual such as their passwords, bank account details, biometric information, etc, employers who collect and process employees' SPDI would be required to comply with the obligations under the SPDI Rules.

The DPDP Act provides certain “legitimate use” exceptions for the processing of personal data for the purposes of employment or for safeguarding an employer from loss or liability, such as the prevention of corporate espionage, the maintenance of confidentiality of trade secrets, intellectual property, classified information or the provision of any service or benefit sought by a data principal who is an employee. Given the wide nature of this “legitimate use” and in the absence of any clarifications in this regard, it appears that employers have been provided a blanket exemption from obtaining consent from their employees so long as the employer can justify that the collection and storage of such personal information fall under the aforesaid legitimate use.

Other categories of sensitive data

Sexual orientation has been identified as a category of SPDI, so any body corporate handling data in relation to the sexual orientation of an individual must comply with the obligations under the SPDI Rules. Union memberships, political beliefs and philosophical beliefs have not been accorded any additional protection under the SPDI Rules. That said, data sets including sexual orientation would be protected under the provisions of the DPDP Act to the extent that they are capable of personally identifying the individual to whom such data belongs.

Browsing data, viewing data, cookies and beacons

There are no specific laws or provisions in existing laws that govern the processing of browsing data, viewing data, cookies or beacons in particular. Since the majority of such data constitutes non-personal or anonymised data, it falls outside the purview of the extant personal data protection laws in India. In the event such data constitutes any personal data, its processing will be regulated under the SPDI Rules (if applicable), and will be governed under the DPDP Act once it comes into force.

Location data

Section 69B of the IT Act empowers the central government to monitor and collect “traffic data” or information generated, transmitted, received or stored in any computer resource, in order to enhance cybersecurity, for identification, or for the analysis and prevention of intrusion or the spread of computer contaminants in the country. Traffic data has been defined as any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted, and includes communications origin, destination, route, time, date, size, duration or type of underlying service and any other information. In addition, under the Digital Lending Guidelines issued by the RBI, entities regulated by the RBI – such as banks and other financial institutions and lending service providers engaged by such entities – are allowed to access location data only on a one-time basis for KYC or onboarding purposes alone.

Tracking technology and targeted advertising

The Ministry of Consumer Affairs, through the Central Consumer Protection Authority (CCPA), has issued the Guidelines for Prevention of Misleading Advertisements and Endorsements for Misleading Advertisements, 2022, which lay down the conditions for non-misleading and valid advertisements, bait advertisements and free claims advertisements, among other things. The CCPA has also issued the Guidelines for Prevention and Regulation of Dark Patterns, 2023, which prohibit the use of “dark patterns” that mislead or trick users into doing something they originally did not intend or want to do, by subverting or impairing the autonomy or decision-making ability of the user.

These regulations together govern behavioural tracking and targeted advertising in India, with the focus being on the protection of consumer rights rather than on data privacy. The data protection laws in India do not currently cover tracking technology and behavioural or targeted advertising, with the exception of the DPDP Act, which explicitly prohibits the behavioural tracking of and targeted advertising towards children.

Content of electronic communications, social media, search engines, large online platforms and intermediary liability for user-generated content

Internet intermediaries are regulated under the IT Act and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules, 2021”). Section 79 of the IT Act provides safe harbour protection to intermediaries against content liability, provided they satisfy certain due diligence obligations, including:

  • prominently publishing the rules and regulations, privacy policy and user agreement on its website, mobile-based application or both;
  • not hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating or sharing any information that belongs to another person, or that is defamatory, obscene, pornographic, paedophilic, invasive of another's privacy (including bodily privacy) or harmful to a child, or that infringes any patent or violates any law;
  • periodically informing its users, at least once every year, that in case of non-compliance by the user with rules and regulations, privacy policy or user agreement, the intermediary has the right to terminate the access or usage rights of the users to the computer resource immediately or remove non-compliant information or both;
  • complying with the reasonable security practices and procedures as prescribed in the SPDI Rules; and
  • reporting cybersecurity incidents and sharing related information with the Indian Computer Emergency Response Team.

The IT Rules, 2021 also recognise intermediaries that have more than 5 million registered users on their platform as “significant social media intermediaries”. The IT Rules, 2021 also recognise online gaming intermediaries, which are defined as intermediaries that enable users to access one or more games offered on the internet. The IT Rules, 2021 prescribe additional due diligence obligations for both these special classes of intermediaries to comply with, in addition to the obligations imposed on all categories of intermediaries.

Separately, the Ministry of Consumer Affairs has issued the Consumer Protection (E-commerce) Rules, 2020 (“E-Commerce Rules”), which apply to “e-commerce entities” – ie, entities that own, operate or manage a digital or electronic facility or platform for electronic commerce (excluding sellers on marketplace e-commerce platforms). Among other things, the E-Commerce Rules prescribe different duties for different categories of e-commerce entities, focused on the protection of consumer rights.

Data principal rights

As mentioned in 1.1 Laws, the DPDP Act gives data principals the following rights:

  • the right to access information, including the right to obtain a summary of the personal data processed, the processing activities undertaken, the identities of parties with whom the personal data is shared and other information related to the personal data and its processing;
  • the right to correction and erasure, including the right to correct, complete, update and seek erasure of personal data;
  • the right of grievance redressal, including the right to access readily available means of grievance redressal in respect of any act or omission by the data fiduciary; and
  • the right to nominate another individual to exercise the above rights of the data principal in the event of his/her death or incapacity.

That said, the DPDP Act does not provide the data principal with a data portability right. Separately, while there is no explicit right to object to the sale of data, tracking, etc, the data principal has a right to withdraw his/her consent at any time.

While not explicitly regulated by the IT Act and the DPDP Act, commercial or marketing communications will be subject to the consent, notice and purpose limitation requirements prescribed thereunder. Separately, the Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCCPR) regulate communications made using phone calls or through SMS. Under the TCCCPR, one may opt to list their telephone number on the “do not call” registry maintained by the telecom regulator. Upon such registration, unsolicited commercial communications through calls and SMS cannot be made/sent to such person. However, it may be noted that the TCCCPR focuses on the rights of a customer rather than on data protection.

Please see 2.2 Sectoral and Special Issues regarding constraints on behavioural and targeted advertising.

The DPDP Act provides for certain exceptional situations or special conditions where personal data can be processed without compliance with the notice, consent and several other requirements prescribed under said Act. These situations include processing for enforcing any legal right or claim, or for the prevention, detection, investigation or prosecution of any offence or contravention. Accordingly, employers and employees may be able to utilise the above exemptions in processing personal data for workplace monitoring, whistle-blower complaints, internal investigations or disciplinary proceedings on the contravention of laws (eg, proceedings before an internal complaints committee in light of sexual harassment at the workplace), etc.

For more information on the processing of employment data, please see 2.2 Sectoral and Special Issues.

Please see 1.3 Administration and Enforcement Process for an outline of the administration and enforcement of the IT Act and the DPDP Act, including instances in which action may be initiated by the regulator. The potential enforcement penalties are covered briefly under 1.2 Regulators and 1.3 Administration and Enforcement Process.

Among several instances where the “right to privacy” as mentioned in 1.1 Laws was sought to be enforced, including through writ petitions before the judiciary, leading developments include the following:

  • the order of the Supreme Court of India directing WhatsApp to allow its users to continue using its services without accepting the amendments made to its privacy policy in 2021 regarding the sharing of personal data with group companies;
  • the writ petition before the Delhi High Court on privacy concerns regarding the central government’s COVID-19 contact tracing application, Aarogya Setu; and
  • the writ petition before the Madras High Court against the use of facial recognition technologies by law enforcement agencies.

Class actions are not specifically recognised under the IT Act or the DPDP Act, but Indian courts do allow “public interest litigation” (PIL) – ie, litigation initiated by a person or by a group acting on behalf of the public good, rather than for their own personal interests.

PIL is also filed for the enforcement of fundamental rights under the Indian Constitution. The right to “informational privacy” is one such fundamental right, so individuals may approach the judiciary for the enforcement of the right to privacy through PIL.

Section 69 of the IT Act empowers MeitY to intercept, monitor or decrypt any information generated, stored, transmitted or received on any computer resource on grounds such as:

  • being in the interest of the sovereignty or integrity of India;
  • the defence of India or the security of the state;
  • friendly relations with foreign states;
  • being in the interest of public order;
  • preventing incitement to the commission of any cognisable offence; or
  • being for the investigation of any offence.

The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 issued under the IT Act lay down the procedure to be adhered to while passing an order for the interception, monitoring or decrypting of any information. Such an order must comply, inter alia, with the following:

  • the order must contain the reasons for passing it and must be forwarded to a review committee;
  • before issuing such an order, the authorised government authority must consider the possibility of acquiring the necessary information by other means, and only issue such an order when it is not possible to acquire the information by any other reasonable means; and
  • the order must specify the name and designation of the officer of the authorised agency to whom the intercepted, monitored, decrypted or stored information shall be disclosed, and also specify the use of such intercepted, monitored or decrypted information.

Separately, Indian courts have laid out safeguards against the violation of the right to privacy through judicial precedents. Most prominently, in the landmark case of K.S. Puttaswamy v Union of India, the Supreme Court of India identified the right to privacy as a “fundamental right” and laid down a four-pronged approach to identifying a legitimate intrusion of one’s privacy. In this case, the court made the following statements:

  • any action intending to encroach on privacy must be sanctioned by law, and must be necessary in a democratic society for a legitimate aim;
  • the extent of such interference must be proportionate to the need for such interference; and
  • there must be procedural guarantees against the abuse of such interference.

Subsequently, in the case of Gujarat Mazdoor Sabha v State of Gujarat, the Supreme Court of India held that a state action that could infringe on fundamental rights must pass the following conditions to determine its validity:

  • interfering with the fundamental rights must have a state purpose;
  • said rights-infringing measure must be based on a rational nexus between the interference and the state aim;
  • the measures must be necessary to achieve the state aim;
  • the restrictions must be necessary to protect the legitimate objective; and
  • the state should provide sufficient safeguards for the possibility of an abuse of such rights-infringing interference.

Please see 3.1 Laws and Standards for Access to Data for Serious Crimes regarding the government’s right to access data for intelligence, anti-terrorism or other national security purposes and safeguards against such activities. Furthermore, the Indian Telegraph Act, 1885 allows the central government, state government or any other officer especially authorised in this respect to intercept or detain messages in the event of a public emergency or if doing so is in the interest of public safety, in accordance with the procedure established by law. It may be relevant to note that the recently enacted Telecommunications Act, 2023 (which is yet to be enforced) provides identical grounds for the interception of messages.

India is not a signatory of the OECD’s Declaration on Government Access to Personal Data Held by Private Sector Entities.

The DPDP Act permits the processing of personal data under legitimate use for:

  • the performance by the Indian government of any function under any law for the time being in force in India or in the interest of the sovereignty and integrity of India or the security of the State; or
  • compliance with any judgment, decree or order issued under any law for the time being in force in India, or with any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India.

Accordingly, foreign governments' access requests that may fall within the purview of the above legitimate uses may be processed by the data fiduciary. The transfer of personal data, if any, will be subject to the transfer restrictions imposed under the DPDP Act.

Separately, please note that India has not signed a CLOUD Act agreement with the USA.

The collection of sensitive personal information for the Aadhaar programme was one of the trigger points for the discussion on Indian citizens' right to privacy. While the matter was sub judice before the Supreme Court of India, the central government felt that it was time to address the need of the hour: a dedicated data protection law. This led to the formation of the expert committee whose work later culminated in the passage of the DPDP Act by the Parliament.

That said, the DPDP Act excludes from its regulatory ambit the processing of personal data by the government in the interests of sovereignty and the integrity of India, the security of the state, friendly relations with foreign states, the maintenance of public order or the prevention of incitement to any offence. This has been heavily debated ever since the earlier iterations of the bill on personal data protection were made public.

Under the SPDI Rules, a body corporate that collects and processes SPDI may transfer such SPDI to any other body corporate or a person located outside India that ensures the same level of data protection as provided under the SPDI Rules. Such transfer may be allowed only if it is necessary for the performance of a contract between the body corporate and the data principal, or where the data principal has consented to such data transfer.

The DPDP Act enables the central government to restrict the transfer of personal data to certain jurisdictions through notification. At present, no such notification has been issued. The DPDP Act further clarifies that if any law in India provides for a higher degree of restriction on the transfer of personal data to foreign jurisdictions (such as data localisation requirements prescribed by sectoral regulators), the applicability of the latter will not be prejudiced by the DPDP Act.

Separately, it should be highlighted that data transfers between the EU and India are currently undertaken through data processing agreements based on standard contractual clauses prescribed by the EU.

Please see 4.1 Restrictions on International Data Issues.

Government approvals or notification to the government are not required for the purposes of transferring data internationally under the extant data protection laws in India. The position under the DPDP Act has been clarified in 4.1 Restrictions on International Data Issues.

Neither the SPDI Rules nor the DPDP Act impose any data localisation obligations.

There are, however, sector-specific regulations (in insurance, payments, digital lending, telecommunications, etc) that impose data localisation obligations restricting the free transfer of certain data sets outside India.

There are no requirements under the extant data protection laws in India on sharing software code, algorithms, encryption or similar technical details. That said, if an order is issued under Section 69 of the IT Act as mentioned in 3.1 Laws and Standards for Access to Data for Serious Crimes, the recipient of such order would be obliged to provide access to such data.

The DPDP Act does not stipulate any specific requirements in relation to the sharing of algorithms or technical details with the government. However, the central government may ask any data fiduciary to furnish any information as deemed necessary for the purposes of the DPDP Act.

As it has powers akin to a civil court in India, the DPB has the power to order the discovery and production of documents and the inspection of any data, book, document, register, books of account or any other document.

Please see 3.3 Invoking Foreign Government Obligations regarding the transfer of personal data pursuant to foreign government access, and see 2.4 Workplace Privacy regarding internal investigations.

Section 69A of the IT Act empowers MeitY to ask an intermediary or a government agency to block access to websites in India, on the following grounds:

  • in the interest of the sovereignty and integrity of India;
  • for the defence of India;
  • for the security of the State;
  • for friendly relations with foreign States;
  • for public order; or
  • for preventing incitement to the commission of any cognisable offence relating to the above.

The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 (“Blocking Rules”) under the IT Act empower other government ministries to request MeitY to issue blocking orders to intermediaries. Even a natural or legal person in India can make a complaint to the relevant government ministries and request the blocking of a URL; such complaints are forwarded to MeitY for consideration, and the URL is thereafter blocked upon MeitY’s review and satisfaction of the existence of the aforesaid grounds.

Separately, in India all TSPs are bound by the unified licensing agreement (ULA) executed with the Indian government, which prescribes the conditions applicable to TSPs while providing telecommunication services to the public. Among other things, the ULA states that: “In the interest of national security or public interest, the Licensee shall block Internet sites/Uniform Resource Locators (URLs)/Uniform Resource Identifiers (URIs) and/or individual subscribers, as identified and directed by the Licensor from time to time.”

Under the DPDP Act, the DPB can advise the central government that it is in the interest of the general public to block public access to a data fiduciary’s application, website or platform upon providing the central government intimation of the imposition of a monetary penalty by the DPB in two or more instances. Once such advice is received, the central government may issue a blocking order after giving the data fiduciary the opportunity of a hearing.

Under the extant data protection laws, there are no specific stipulations surrounding the regulation of big data analytics, automated decision-making, IoT, autonomous decision-making, geolocation, drones and deep-fakes; as mentioned in 1.7 Key Developments, the DIA is intended to regulate such emerging technologies.

Drones fall under the larger ambit of data privacy regulations, but the Ministry of Civil Aviation has also prescribed the Drone Rules, 2021, which govern the classification, certification and usage of drones in India.

As for disinformation, deepfakes or other online harms, as mentioned in 2.2 Sectoral and Special Issues, the IT Rules, 2021 provide safe harbour protection to intermediaries, subject to certain compliance around the nature of information communicated. Separately, given the rising instances of deepfakes being misused, MeitY issued an advisory that such intermediaries should strictly comply with the requirements of the IT Rules, 2021.

There are currently no laws that govern AI but, as mentioned in 1.7 Key Developments, the DIA intends to cover the regulation of AI in a detailed manner. Furthermore, the Indian Computer Emergency Response Team (“CERT-In” – India’s nodal cybersecurity agency under the IT Act) has issued an advisory highlighting the risks involved in the use of AI-based applications and the safety measures that may be adopted to mitigate such risks.

It should also be noted that the DPDP Act in its entirety is based on the cornerstone of the “data principal – data fiduciary” relationship wherein a data controller (ie, a person or entity that determines the purposes and means of the processing of personal data) is seen as a “fiduciary” who is expected to handle the personal data of the data principal fairly.

In India, organisations with IT and data-centric businesses typically have internal policies involving data governance, handling and management. Such entities also have established committees to oversee the implementation of and compliance with such policies. Such committees are also typically entrusted with the responsibility of reviewing and updating such policies from time to time.

Sectoral regulators such as the RBI and SEBI also prescribe specific IT governance, cybersecurity and cyber-resilience requirements, which are followed by entities operating in the respective domains of such regulators.

There have been multiple large-scale data breaches, data thefts and cyber-attacks in recent times. However, in most cases no penalties have been imposed on the data fiduciaries – ie, the entities affected by the cybersecurity incident. While the IT Act imposes penalties for cyber offences such as hacking, unauthorised access to computer resources, etc, the number of prosecutions has been minimal.

The due diligence process for corporate transactions in the context of data protection includes:

  • analysing the data sets collected and processed by the entity in question;
  • reviewing internal and customer-facing policies and contracts that deal with data processing and IT governance;
  • reviewing consent-related compliance; and
  • analysing the entity’s product offerings and user interface (where applicable) in light of the IT Act, SPDI Rules and the IT Rules, 2021, along with a review of the entity’s compliance with the DPDP Act.

A relevant point to note in the context of processing personal data for the purpose of mergers and acquisitions (M&A) is that the DPDP Act provides an exemption on all compliances except:

  • the requirement for maintaining reasonable security safeguards to prevent personal data breaches; and
  • ensuring that no personal data is transferred to a jurisdiction that has been notified to be restricted by the Indian government.

However, these exemptions seem to be accorded only to M&A that are approved by relevant courts/tribunals, and do not extend to non-court-driven M&A – this has been widely seen as a miss under the DPDP Act.

Where the entity in question is also regulated by a sectoral regulator, the due diligence process also involves a deep-dive analysis of the applicable sectoral regulations, especially in the context of data protection and cybersecurity.

While there are no disclosure requirements with regard to an entity’s cybersecurity risk profile or experience under extant data protection laws, sectoral regulators such as the RBI, SEBI and the Insurance Regulatory and Development Authority of India (IRDAI) do prescribe the evaluation of cybersecurity risks and the cyber-resilience capabilities of entities regulated by them. Furthermore, SEBI requires publicly traded companies to disclose the purposes and means of the processing of personal data in their quarterly compliance reports to recognised stock exchanges.

As mentioned in 1.7 Key Developments, the government is in the process of formulating the DIA, which is intended to be a coherent code factoring in aspects of competition, consumer protection and privacy. The government intends to promote an open internet wherein key competition-related metrics such as protecting the availability of choices and ensuring online diversity and fair market access have been considered. Likewise, it is also the intention of the DIA to bring about online safety and trust by bringing about the moderation of fake news and enhanced requirements for grievance redressal, among other things. The DIA also incorporates aspects of data privacy, such as the rights of data principals, protection for minors, privacy from invasive devices and securing cyberspace.

There are no other significant issues that have not already been covered.

IndusLaw

#101, 1st Floor, Embassy Classic
#11 Vittal Mallya Road
Bengaluru 560 001
India

+91 80 4072 6600

+91 80 4072 6666

bengaluru@induslaw.com www.induslaw.com

Trends and Developments

Authors

BTG Advaya is a disputes and transactional law firm with best-of-breed technical expertise, a culture of innovation and an unrelenting commitment to excellence. It focuses particularly on the defence, industrial, digital business, energy (renewables and nuclear), retail, transport (railways and electric vehicles) and financial services sectors. Practices include corporate transactions (capital raises, M&A, JVs, investments, exits, restructuring and reorganisations), commercial contracting, public procurement, private equity and venture capital, regulatory compliance and risk mitigation, labour and employment, pre-litigation advisory and dispute management, business crime and other areas of law that are fast-developing, with rapid changes in technology and methods of doing business. The firm has offices in Mumbai, New Delhi and Bengaluru.

Data Protection and Privacy in India: an Introduction

Earlier law

India’s privacy framework has had a long and storied journey. The right to privacy was first recognised by Indian courts and interpreted to form part of the fundamental right to life under India’s constitution. Subsequently, the privacy framework was given a formalised existence under the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Privacy Rules”). While the IT Act regulates cyberspace in India overall, the Privacy Rules stipulate the compliances to be followed for processing specific categories of personal data. These rules are brief and set out nominal requirements, such as prior consent collection, issuing a privacy policy, security standards to be adhered to, etc.

With the onset of the 4th Industrial Revolution and the burgeoning of India’s digital markets, the need for a specialised and matured form of privacy legislation became paramount, resulting in lawmakers floating various drafts of the potential privacy law over the past five years, with the final legislation being passed by Parliament in August 2023.

The current state of play

India has had an eventful year in data privacy and protection, with the Indian Parliament passing the Digital Personal Data Protection Act of 2023 (DPDPA) in early August 2023. The DPDPA is the first cross-sectoral law on personal data protection in India, and has been enacted after more than half a decade of deliberations.

The DPDPA is a concise 33-page document with several illustrations. In its scope, the DPDPA applies to personal data that is collected in digital form and in non-digital form but subsequently digitised. It does not apply to:

  • non-digital data;
  • data processed for personal or domestic purposes; and
  • data made available by a data principal or any other person under a legal obligation.

The new law imposes obligations on data fiduciaries concerning the processing of personal data, with a stress on creating effective and accessible grievance redressal mechanisms. Data fiduciaries are also allowed to engage data processors through valid contracts, but the responsibility to set security safeguards that are to be followed by data processors to ensure user privacy somehow falls squarely on the shoulders of data fiduciaries.

The provisions of the new law apply to personal data outside of India only if the processing of such personal data is in connection with the offering of goods and services to data principals within India. Another example, which turned out to be a huge relief to the industry, is the provision relating to the cross-border transfer of data: the DPDPA allows for digital personal data to be transferred to all countries except those barred by the central government.

The DPDPA will set up India’s first Data Protection Board (DPB), which is to function as an adjudicatory and enforcement body and not as a regulator. The DPB is empowered to impose penalties on data fiduciaries for not complying with obligations under the act. The provisions of the DPDPA are “principle-based”, with the more intricate details of implementation being left to the realm of rule-making or delegated legislation.

Regulators and enforcement powers

The existing regulatory framework for data privacy does not provide for a specialised regulatory body overseeing personal data processing. As such, enforcement in this regard has been sporadic. Enforcement responsibilities were shouldered by the Ministry of Electronics and Information Technology and the Computer Emergency Response Team of India, which were also tasked with the overall regulation of the digital ecosystem in India, wherein privacy was an important subset. However, the DPDPA provides for the setting up of the DPB – a specialised entity that will deal exclusively with data privacy and protection issues. To clarify, it will be an adjudicatory and enforcement body and not a regulator. The central government is tasked with formulating the composition and functioning of the Board, with the criteria for membership and the composition of the DPB being set out under the law.

The DPB's functions and powers include:

  • directing urgent remedial and mitigation measures in response to the reporting of a personal data breach, and imposing penalties as prescribed (set out in this section below);
  • governing the operations of consent managers; and
  • conducting proceedings in the event of non-compliance with the DPDPA, and imposing penalties (if required).

Penalties under the IT Act and Privacy Rules are only applied for failure to protect personal data, for the disclosure of personal data in a breach of contract, and for non-compliance. However, penalties under the DPDPA are provided for various actions, such as:

  • failure to adopt the requisite safeguards for the protection of personal data;
  • breaches in observing the obligations prescribed for children’s personal data; and
  • failure to inform the DPB and the affected data principal (ie, the individual to whom the personal data relates under the DPDPA) in the event of a personal data breach, etc.

The penalties range from INR10,000 (approximately USD120/EUR110) to INR250 crores (approximately USD30 million/EUR28 million).

Key new features of the DPDPA

Notice and consent

The regime of notice and consent takes centre-stage in the DPDPA. When obtaining consent from a data principal, data fiduciaries must now notify them of:

  • the type of personal data being processed and its accompanying purpose;
  • the way data principals may exercise their rights to withdraw consent and grievance redressal; and
  • how data principals may file a complaint with the DPB.

Consent under the DPDPA is defined as an indication by the data principal signifying an agreement for their data to be processed for a specified purpose. Consent should be free, specific, informed, unconditional and unambiguous, and it should be through clear affirmative action.

Grounds for processing, and obligations of data fiduciaries

The DPDPA has moved away from the “deemed consent” framing of non-consent-based processing of data. The act now provides a narrow list of legitimate uses and has done away with the “fair and reasonable purposes” and “public interest ground”.

There are provisions within the DPDPA that allow for the processing of data without consent when a data principal has provided such data willingly and has not indicated that they are not willing to allow processing. The act helpfully provides illustrations of scenarios in which such processing can be allowed – for example, when data is provided in exchange for services.

The new law imposes the following significant obligations on data fiduciaries:

  • to ensure their data processors' compliance with the DPDPA;
  • to set up grievance redressal mechanisms;
  • to ensure the accuracy and completeness of data, particularly if such data is shared with third parties; and
  • to delete the data of data principals when the data principal has withdrawn consent or if it is reasonable to assume that the specified purpose is not being served.

Furthermore, under the DPDPA the central government is allowed to notify certain categories of data fiduciaries as significant data fiduciaries by assessing factors such as:

  • the volume and sensitivity of the personal data processed;
  • the risk to the rights of the data principals; and
  • the potential impact on the sovereignty and integrity of India.

Rights of data principals

The DPDPA allows data principals to seek information on the personal data being processed and the processing activities that have been undertaken. They also have the right to know the identities of all the data fiduciaries and processors with whom their data has been shared. Furthermore, data principals have been given the right to the correction and erasure of their data, and the right to nominate an individual to exercise rights on their behalf. Lastly, a right to grievance redressal is provided.

Data principals have also been given the right to withdraw their consent and utilise the services of consent managers. Data principals or users can access information made available to them in English, or can choose any language specified in the Eighth Schedule of the Constitution of India. Once again, the responsibility of ensuring such access to users falls on the shoulders of data fiduciaries.

Uniquely, the DPDPA has also placed some duties on data principals, who must not register a false or frivolous complaint, nor furnish any false particulars or impersonate another person in specified cases. Violation of these duties will be punishable with a penalty of up to INR10,000.

Processing of children’s data

With regard to children's data, data fiduciaries must obtain verifiable consent for processing. The DPDPA prohibits tracking and targeted advertising towards children that is likely to have any detrimental effect on the well-being of a child. However, it provides some cases in which the government can exempt certain classes of data fiduciaries from requiring parental consent.

Cross-border transfers

The DPDPA has done away with the “white-list” approach seen in a past 2022 iteration, instead adopting what can be defined as a “negative-list” approach. Essentially, data can be transferred to all countries outside of those barred by the central government by way of notification. Sectoral restrictions on personal data transfers such as those of the Reserve Bank of India will continue to apply.

Data Protection Board

As noted earlier, the central government is tasked with the constitution and oversight of the DPB. The chairperson and other members will be chosen from persons who possess special knowledge or practical experience in the field of data governance, administration or the implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field the central government believes may be useful to the DPB.

Blocking powers and exemptions

The DPDPA allows the central government or any of its authorised officers to block public access to the platform of a data fiduciary on the recommendation of the DPB. However, blocking can only be ordered if it is necessary or expedient in the interests of the public, and the fiduciary should be given an opportunity to be heard before a blocking order is issued. The central government can order any intermediary to assist in giving effect to the blocking order.

The new act also exempts the application of certain provisions on the processing of personal data in cases such as:

  • the investigation of offences;
  • the implementation of a scheme of compromise or merger or amalgamation;
  • the detection of financial frauds; and
  • the processing of data of a data principal who is situated outside India under a valid contract.

The central government may also provide exemptions for research, archiving and statistical purposes if the data is not being used to make any decision specific to the data principal. Lastly, certain data fiduciaries, including start-ups, may also be exempted.

Three questions that remain unanswered

The DPDPA is a step forward for digital regulations in India. Mandating data minimisation, purpose limitation and cross-border data transfer regulations, the new law has sought to strike a balance between innovation and user protection.

However, in the absence of rules spelling out how the new law is to be implemented, some parts of the law are unclear. The following issues will need addressing, going forward.

Non-regulation of harm arising out of data processing

The DPDPA does not specifically regulate “harms” that could potentially result from data processing. Harms could include material losses such as financial loss and loss of access to benefits or services. They may also include identity theft, loss of reputation, discrimination, and unreasonable surveillance and profiling. It would have been prudent to allow the data principal to seek compensation from data processors in the event of having suffered any harm.

Defining “harm” associated with data processing and allowing data principals to seek compensation for the same would have added a much-needed layer of extra protection for individual rights. Furthermore, such provisions would have been in line with the recommendations of the judicial committee set up for the formulation of a privacy law in India and would also have been in tune with global exemplars. For instance, the United Kingdom’s Information Commissioner’s Office has issued guidance documents for determining the level of “harm” associated with personal data processing, and provides a “taxonomy” for the categorisation of harm caused (financial harm, bodily harm, discrimination, chilling effect, etc) based on the type of entity impacted (individual/societal).

Absence of the right to data portability and the right to be forgotten

The new data protection law provides for neither the right to data portability nor the right to be forgotten (the earlier 2018 and 2019 versions of the bill did include these rights). The right to data portability allows data principals to obtain and transfer their data from a data fiduciary for their own use, in a structured, commonly used and machine-readable format. It gives the data principal greater control over their data, and may facilitate the migration of data from one data fiduciary to another.

The right to be forgotten refers to the right of individuals to limit the disclosure of their personal data on the internet. It is essentially based on the principle of introducing the limits of human memory into an otherwise limitless digital sphere.

Although essential to an individual’s right to privacy, both these rights have to be balanced against competing rights and interests. But not including them at all in the final iteration of the law raises more questions than it provides answers.

Potential problems regarding the processing of children’s data

  • Definition of a child: under the DPDPA, a child has been defined as a person below 18 years of age. In the USA and the UK, persons above the age of 13 can give consent for the processing of personal data. The European Union GDPR sets this age at 16, and member countries may lower it to 13.
  • Verifiable consent: the DPDPA requires a data fiduciary to obtain “verifiable consent” from the legal guardian before processing the personal data of a child. To comply with this provision, a data fiduciary will have to verify the age of everyone signing up for its services, and will have to determine whether the data being processed by it is that of a child or not. Thereafter, it will have to obtain verifiable consent from the parent or guardian. In the absence of a clear set of rules governing the implementation of such provisions, data fiduciaries will struggle to put mechanisms in place that can correctly obtain verifiable consent without raising issues of technical feasibility. Such provisions are also bound to reduce anonymity in the digital sphere.
  • What is detrimental to the well-being of the child: the DPDPA prohibits a data fiduciary from undertaking any data processing that may be detrimental to the well-being of the child. However, it neither defines what constitutes a detrimental effect nor lays down any criteria for determining what could be detrimental to the well-being of a child. Such ambiguity in the wording of a provision creates apprehension amongst data fiduciaries, and allows nearly all data processing activities to be judged against an undefined standard of what is detrimental to a child’s well-being. There must be clear standards and criteria in place that provide a better understanding of what constitutes harm to a child, specifically in terms of harm that could arise from data processing.

Cross-sectoral impact

Financial services

The DPDPA's influence on the financial services sector is expected to be significant, particularly in light of the sector's ongoing digital transformation. The financial services sector is already highly regulated, and faces the challenge of aligning with an additional law in the DPDPA.

Existing regulations such as the Prevention of Money Laundering Act of 2002, the Companies Act, 2013, the Securities and Exchange Board of India Regulations, the Reserve Bank of India Regulations and the Information Technology Act, 2000 already provide for certain data practices – eg, payment data localisation. This intersection calls for careful consideration of the legal requirements for data collection, retention, sharing with authorities, and compliance roadmap development. Accustomed to strict privacy and data protection rules, financial firms are likely to have a more mature approach to compliance than other sectors.

Significant data fiduciaries in the financial services sector will have increased responsibilities under the DPDPA. Regulators are expected to customise DPDPA requirements to sub-sectors they regulate and train supervisory staff accordingly.

Players in the banking, financial services and insurance domain will become primary data fiduciaries responsible for DPDPA compliance. Risk management is central to their core function, and they must ensure consent is obtained before processing personal data.

The DPDPA's focus on personal data protection reshapes IT and data safeguarding practices. Financial institutions must invest in advanced threat detection, strong encryption and regular audits to safeguard customer data from cybercriminals.

Product management will have to prioritise data protection, transparency and user rights. This includes integrating “privacy by design”, strong consent mechanisms, clear user control, transparent communication and well-defined data usage policies. Under the DPDPA, Indian fintechs, in partnerships with financial institutions, must adhere to stringent data fiduciary regulations, likely leading to a transformation in the regulated entity-fintech collaboration models.

Online gaming

The online gaming sector deals with multiple types of personal data. Depending on the nature of the game, players disclose data(sets) revealing identifiable information about themselves and others, which online gaming platforms in turn process in the context of their business activities. Common examples include names, gamer tags, e-mail addresses, sex/gender, age and – depending on whether in-game transactions and/or membership fees are at play – credit card and other payment details. As such, online gaming will be one of the sectors where the impact of the DPDPA and its compliance obligations will be felt the most.

Data fiduciaries – which would include online gaming platforms under the DPDPA – must only process personal data for a lawful purpose and, with limited exceptions, must only do so based on consent or for certain legitimate uses. The legitimate or lawful purposes/interests of the online gaming platform or a third party appointed by it constitute another ground for lawful data processing under the DPDPA. For online gaming platforms to rely on this legal basis, the processed data needs to be limited to what is strictly necessary for fulfilling the legitimate interest, and must stand in proportion to the data subjects’ interests.

Under the DPDPA, a data principal has the right to withdraw his or her consent. Users of online gaming platforms will have to be afforded the same right and should ideally be able to withdraw their consent as easily as they gave it. In practice, this would imply that online gaming platforms should ensure that consent must be obtainable and withdrawable through the same user interface.

Online gaming platforms often process personal data that is used to make decisions about users, such as to block a user based on a review of their behaviour within a game or when they transfer personal data to other data fiduciaries or data processors. In these cases, the platforms will have to ensure data completeness, accuracy and consistency, and should consider implementing tools such as audit logs to track modifications to databases to maintain data quality and integrity.

Furthermore, online gaming platforms should ensure that contracts with data processors mandate the same level of data security to be maintained by them while processing user personal data. Online gaming platforms would do well to have data retention and erasure protocols in place that are universally accepted.

Certain online gaming platforms may be classified as significant data fiduciaries based on factors such as the number of users, the quantum of transactions processed and even the negative perception of online gaming amongst the public. Such online gaming platforms will then have to comply with the obligations applicable to significant data fiduciaries under the act, such as appointing a data protection officer, undertaking data protection impact assessments, conducting periodic audits, etc.

The DPDPA has clear prohibitions with regard to directing targeted marketing towards children, and requires verifiable consent to be obtained from their parents for processing. This becomes particularly relevant regarding consent that is obtained from underage gamers; the under-18 age group forms a massive chunk of the user base for a lot of online gaming platforms in India.

Under the DPDPA, online gaming platforms can only process the personal data of a child after verifying their age and obtaining the consent of their parent or guardian. Although age-gating is a required facet of any data protection regime, it might lead to a dip in the number of users under the age of 18 for online gaming platforms.

The multiple levels of verification for teenagers, or even adults, could potentially hinder business prospects. Furthermore, where online gaming platforms have to obtain explicit consent from users, the repetitive nature of such processes may lead to consent fatigue.

Several online games these days offer additional in-game content for sale, such as booster packs and/or loot box mechanics, functional or aesthetic items, and access to distinct levels, game modes and/or maps. This content is often promoted through in-game commercials during loading screens or in-game stores. In some cases, this may fall foul of the prohibition against targeting children.

BTG Advaya

2nd Floor, Hague Building
Dr SS Ram Gulam Marg
Ballard Estate
Fort
Mumbai – 400 001
India

+91 22 6177 2900

office@btgadvaya.com
www.btgadvaya.com

Trends and Developments

Authors



BTG Advaya is a disputes and transactional law firm with best-of-breed technical expertise, a culture of innovation and an unrelenting commitment to excellence. It focuses particularly on the defence, industrial, digital business, energy (renewables and nuclear), retail, transport (railways and electric vehicles) and financial services sectors. Practices include corporate transactions (capital raises, M&A, JVs, investments, exits, restructuring and reorganisations), commercial contracting, public procurement, private equity and venture capital, regulatory compliance and risk mitigation, labour and employment, pre-litigation advisory and dispute management, business crime and other areas of law that are fast-developing, with rapid changes in technology and methods of doing business. The firm has offices in Mumbai, New Delhi and Bengaluru.
