India Enacts a New Privacy Protection Act

After six years of extensive deliberations, the Digital Personal Data Protection Act in India was approved into law by the President of India. The law offers an approach distinguishable from the GDPR and imposes notable obligations on “data fiduciaries”, which are comparable to data controllers. These responsibilities include a duty to issue privacy notices in English and 22 additional languages, covering nearly all consent-based processing of personal data. The legislation mandates informing data subjects about each data security incident and prohibits the provision of personal information as part of freedom of information requests. Non-compliance with the provisions of the new law can result in fines of up to thirty million U.S. dollars.

The legislation has been critiqued to have certain disadvantages that may enable misuse by data fiduciaries. These concerns arise due to the absence of clear definitions of scenarios in which information is voluntarily or automatically provided to trustees, an overly broad; disproportionate and unreasonable exemption for government entities; inapplicability personal data of foreigners; and a lack of robust enforcement mechanisms for the Data Protection Board of India (DPBI), the entity responsible for overseeing the legislation’s execution.

This legislation introduces new terms like “data principal” and “significant data fiduciary.” Only significant data fiduciaries are obliged to appoint a data protection officer (DPO), while each data fiduciary must designate a contact person to address public inquiries on privacy matters.

The legislation’s extraterritorial reach extends to cases where the processing of personal data of Indian data subjects relates to the provision of goods or services within India. Consent remains the primary basis for data processing, and it must be explicit, informed, voluntary, and unambiguous. The legislation also permits processing information without consent in limited legitimate scenarios, such as for employment purposes or when the data subject voluntarily provided information for a specific purpose or did not object to the use of their automatically collected personal data.

The legislation emphasizes the privacy rights of data subjects, encompassing rights to access, correct, and erase personal data provided voluntarily or through consent. Alongside these rights, the legislation mandates several duties for data subjects, such as providing accurate information and refraining from frivolous complaints. The legislation requires security breach notifications to both the DPBI and the data subjects affected by each breach. Data transfers are permissible to any country which is not blocked. Transfer of data to blocked countries will require data subject consent or adherence to standardized contractual clauses.

Click here to read the Digital Personal Data Protection Act.