On August 9th 2023, India enacted its first data protection legislation, the Digital Personal Data Protection Act (DPDP). This comes after a long-awaited journey with two bills being introduced in parliament in 2019 and 2022, respectively, that did not pass, and six years after the Supreme Court of India in the landmark case of Justice K.S. Puttaswamy v. Union of India,¹ recognized the fundamental right to privacy and urged the government to put in place a regime for the protection of personal data.²

The Act has been welcomed by various government and private bodies noting that the Act will help better regulate big tech firms; offer recourse for citizens’ privacy rights, and penalties for data breaches. The Minister for Technology and Telecom welcomed the enactment of the legislation noting that it would limit cross border data transfer and provide a framework for setting up a data protection authority to ensure compliance by tech companies.³ Notably, India is one of the largest offshoring destinations for IT companies across the world.⁴

Provisions of the DPDP Act

Similar to several other national data protection legislations, the Act provides for the processing of digital personal data in consideration and recognition of both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and in accordance with the provisions of the Act.

The Act carefully outlines the obligations of a data fiduciary (data controller), rights and duties of the data subject (referred to in the Act as Data Principle), which include, the right to access information about one’s personal data, the right to correction and erasure of personal data, the right of grievance redressal i.e. the right to complain against data breaches or acts of omission by the data controller in the processing of their personal data, the right to nominate a person who will exercise the rights of the data subject in the event of death or incapacity. The Act further provides for the processing of personal data outside of India, the exceptions to this, the establishment of the Data Protection Board of India, appeal of decisions of the board, alternative dispute resolution and penalties under the Act. (These are but highlights of core provision not an exhaustive outlay of the Act. The Act can be accessed here for further interaction with the provisions).

A distinctive feature of the Act is that, after every provision, the Act provides an illustration of the application of the specific provisions or / explanations as to the application of the provisions. Although not a common feature in legislative texts, the illustrations guide in the application of the provisions and are likely to aid with application, compliance, and understanding of the Act.

Key Observations

Although the Act contains provisions that are similar to most data protection legislation, a few observations are made. These observations are guided by a comparison of the provisions of the Kenya Data Protection Act (DPA) enacted in 2019 and a holistic overview of the Indian Act in itself.

• Terms: In contrast with the DPA, data controllers under the Indian Act are referred to as Data Fiduciary and are described as “any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data.” Data Subjects are referred to as Data Principle and described as, “an individual to whom the personal data relates and where such individual is a child, including the parents or lawful guardian of such a child and a person with a disability, including the lawful guardian, acting on their behalf” although the terms of reference are different, the definitions remain relatively similar.

• Application: A reading of the definition of terms in the DPDP Act would lead one to believe that it is designed to protect only electronically processed personal data. Whereas most personal data held in different capacities by different entities is now held in digital format as a result of digitization, some information may still be held and exist manually or on paper. This is especially true for government bodies and even private entities. The DPDP Act is not clear, however, on whether the provisions equally extend to manually collected data. In considering privacy versus the right to Information, the Act amends the Right to Information Act 2005. Previously, a senior government officer would determine whether public interest outweighed the need to protect personal data, the new legal position would be that personal data can never be disclosed as part of a right to information request.⁵

• Processing personal data of minors: Under the DPDP Act, verifiable parental consent must be sought prior to processing personal data of a child [Section 9(1)]. Further, consent of a lawful guardian must also be sought in the case of persons with disability. Additionally, the Act prohibits the tracking or behavioural monitoring of children, or targeted advertising directed at children. The distinction with section 33 of the DPA is in the use of the term verifiable parental consent. Verifiable Parental consent is identified under the United States Children Online Privacy Protection Act and described as the “requirement for an operator of a commercial online service directed to children under 13 (or with actual knowledge that it has collected personal information from children under 13) to provide parents with detailed, direct notice and to obtain their affirmative express consent prior to the operator’s collection of a child’s personal information.” ⁶ Under the DPA, a child’s personal data may only be processed where consent is given by the child’s parent or guardian. The DPA does not have a direct reference to verifiable parental consent, however section 33(2) alludes to it where it notes that a data controller or processor has the responsibility to incorporate mechanisms for age verification and consent in order to process a child’s personal data.

• Data Principal Rights: data principals in the DPDP Act are granted an additional right to grievance and complaint, which is, the right to have a well-established complaints avenue in the event of breach. In comparison to the DPA, this is not provided as a right, however, a complaints mechanism is established through the office of the Data Protection Commissioner (ODPC).

• Voluntary provision of personal data: Although the main ground for processing of personal data under the DPDP Act is consent, it touches on voluntary provision of personal data under section 7 (a). This provision states that: “a Data Fiduciary (Data Controller) may process personal data of a Data Principal for any of following uses, namely:—(a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary. An illustration is used to demonstrate this where, X, an individual, makes a purchase at Y, a pharmacy. She voluntarily provides Y her personal data and requests Y to acknowledge receipt of the payment made for the purchase by sending a message to her mobile phone. Y may process the personal data of X for the purpose of sending the receipt. “This is similar to section 26(g) of the DPA on duty of the data processor to notify and inform the data subject on any data being collected whether required by law or whether such data collection is voluntary.

• Consent: The DPDP introduces the concept of a consent manager who is described as a person registered with the Data Protection Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform. The DPA does not establish the role of a consent manager, however, section 32(2) provides for the right of a data subject to withdraw consent.

• Automated decision making: A key observation on this is that the DPDP does specifically provide for the data principal’s right to not be subjected to automated decision making similar to the provision under section 35(1) of the DPA. However, section 8(2) of the DPDP provides that the data fiduciary is responsible for ensuring completeness, accuracy and consistency of personal data where processing will be used to make a decision that will affect the data principal or will be disclosed to another data fiduciary. The Data Principal in this context does not have such a right as granted under the DPA, however, the data fiduciary has the responsibility to ensure that where data is processed for automated decision making the data is complete, accurate and consistent.

• Digital Office: The DPDP provides that, the Data Protection Board of India shall function as a digital office as far as practicable with respect to the receipt of complaints, allocation, hearing and pronouncement of decisions and adopt techno -legal measures that will allow it to function as such. A Digital office is described in the Act to be an office that adopts an online mechanism where the process of receiving or instituting a complaint from beginning to receiving directions, final determination or even appeal as the case may be is conducted online or in a digital mode. In comparison, the DPA establishes a complaints mechanism under section 56 which may either be made orally or in writing in however, there is no specific provision for the establishment of an online complaints mechanism under the DPA. The Office of the Data Protection Commissioner has however established an online complaints mechanism where one can report data breaches or file a complaint.

• Registration of Data Controllers and Processors: A key observation in contrast with the DPA is that the DPDP Act does not require the registration of data controllers and processors. Although both Kenya and India have distinct data protection regimes, it begs the question on whether an omission of registration of data fiduciaries and processors will make it difficult for the Data Protection Board of India to monitor compliance and enforcement of the newly enacted data protection legislation.

• Cross border data flow: In contrast with the DPA, where the data may be transferred to another country provided the conditions of section 48 of the DPA are met, the DPDP under section 16 gives power to the central government to restrict transfer of personal data outside India. However, exceptions to the restrictions apply where data transfer outside of India is governed by laws already put in place with a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary [section 16(2)]. This refers to already established sectoral laws for banking and telecommunications for example. Whereas the DPA provides criteria for transfer outside of Kenya under section 48, the DPDP does not.

Conclusion

In conclusion, this legislation marks a significant milestone in the realm of data privacy and protection, noting its historical background and how long it has taken India to enact the law. Over the coming years. it will be interesting to observe the implementation processes of the Act, particularly after the operationalization of the DPDP Act through the appointment of the data protection authority. Additionally, it will also be interesting to note whether the enactment of the DPDP will reduce the cases of personal data breaches.

Image Source: Digital Personal Data Protection Act