A new law that defines how companies should process users’ data came into force with the President giving assent to the Digital Personal Data Protection (DPDP) Act passed by Parliament in the just-concluded monsoon session.
The law arms individuals with greater control over their data while allowing companies to transfer users’ data abroad for processing, except to nations and territories restricted by the Centre through notification.
It also gives the government power to seek information from firms and issue directions to block content. While the new law seeks to establish a robust framework for the protection of personal data in the digital realm, it has drawn criticism from some quarters over broad exemptions granted to state entities and some of its provisions diluting the landmark Right to Information (RTI) law.
Here are key takeaways from the freshly-minted, landmark law:
1. What is regulated: The DPDP Bill provides an expansive definition for “Data Principal”, i.e., the individual to whom the personal data relates, and includes a child (i.e., a person under 18 years) as well as the parent or lawful guardian of the child concerned. The bill has simplified the definition of “Personal Data” as ‘any data about an individual who is identifiable by or in relation to such data. The DPDP Bill requires data fiduciaries (within India or outside India) to provide data principals with a notice stating: (i) the personal data to be collected; and (ii) the purposes for which such personal data will be processed. Such notice is required to be provided on or before requesting the data principal’s consent for processing.
2. Penalties for non-compliance: The DPDP Bill defines ‘Personal Data Breach’ widely as any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data. The DPDP Bill prescribes penalties for personal data breaches, with penalties of INR 250 crore (about USD 30 million) for a failure to take reasonable security safeguards. It also requires personal data breaches to be reported to every affected data principal, with non-compliance triggering a penalty of INR 200 crore (about USD 25 million). The wide definition has implications not only for the kind of instances that are reported as personal data breaches, but also for parallel penalties that may apply to the same processing activities.
3. Consent Mechanism: The DPDP Bill provides two broad bases for the processing of personal data – express consent and deemed consent. The DPDP Bill allows for data fiduciaries to process personal data based on the consent obtained from individuals. Such consent must be free, specific, informed and unambiguous (although these factors have been left undefined) and must be provided through affirmative action for a specified purpose. The DPDP Bill also permits the processing of personal data based on ‘deemed consent’. This includes some of the standard grounds typically recognized across other jurisdictions, e.g., for compliance with a judgement or order; medical emergencies; and employment-related purposes.
4. Data Fiduciaries under the DPDP Bill are required to take reasonable efforts to ensure personal data processed by them or on their behalf is accurate and complete where the data is (i) likely to be used by the data fiduciary to make a decision that affects the data principal, or (ii) is likely to be disclosed by the data fiduciary to another data fiduciary. The DPDP Bill also requires every data fiduciary to implement reasonable security safeguards to prevent personal data breaches and to protect the personal data in its possession or control. The specific standards for such safeguards, however, have not been prescribed.
5. The DPDP Bill does not impose a hard data localization requirement i.e., to process and store critical personal data only in India. All personal data may be transferred outside of India to countries or territories that are notified by the Central Government (based on factors it considers necessary) in accordance with the terms and conditions that it may specify (reports indicate that this ‘whitelisting’ approach may change to a ‘blacklisting’ one, in revised drafts). Note that the DPDP Bill does specify that its provisions are in addition to (and not in derogation of) existing laws, and only in cases of a conflict will the provisions of the DPDP Bill prevail. Given this, any localization requirements under existing laws (such as those applicable to payments data that also qualifies as personal data) will continue to apply even after the DPDP Bill (if notified in its present form) comes into force.
What Happens Next: Timelines: The Lok Sabha approved the bill on August 7, and Rajya Sabha on August 9, marking the completion of Parliamentary approval process. The government expects to implement DPDP within 10 months, IT Minister AshwiniVaishnaw had said.