Brave New World: Understanding India's Digital Personal Data Protection Act, 2023

On 18 November 2022, the Ministry of Electronics and Information Technology released its fourth iteration of the proposed data protection law, this time specifically targeting digital data.

The Ministry initially invited public comments on this proposed law and on 3 August 2023, an amended version titled the Digital Personal Data Protection Bill 2023 was tabled before the lower house of Parliament. By 11 August 2023, the Bill was passed by both houses and received the President of India’s assent. On the same day, the Digital Personal Data Protection Act, 2023 (“Act”) was published in the Gazette of India, however it is yet to come into force.  

India desperately needed a personal data protection legislation. On the one hand, India has been promoting its digital infrastructure including Aadhaar (A Unique Identification issued by the Government), the Unified Payments Interface, DigiLocker etc. These programs have led to not only an increase in the number of private third party service providers making use of such digital infrastructure but also the number of internet users.   

In the meantime, between the previous iteration and its recent amendments, India has witnessed a surge in cyber-attacks. In March 2023, the Hyderabad Police apprehended a gang of cyber criminals responsible for selling the personal and sensitive personal information of 168 million individuals which they had collected from various service providers. Later in June 2023, it was revealed that India’s COWIN portal (which facilitates Covid - 19 vaccinations) was subject to a massive data leak where personal data including vaccination details of crores of Indians had been exfiltrated.  

Enterprises of all sizes have experienced an endless digital assault and a general lack of knowledge on maintaining appropriate security and mitigation measures has provided a fertile ground for threat actors. Now that the Act has been passed, it may bring about responsible data processing conduct and awareness amongst internet users about their rights and obligations.  

Through this document, we hope to answer some common questions we repeatedly get asked about this new legislation.  

1. Is the Act already in force? 
   Not yet. While both houses of Parliament have passed the Bill and the President of India has given her assent, the Act and its provisions will come into force as and when the Central Government issues a notification in the Official Gazette. The Central Government may even designate different dates for different provisions of this Act to come into force.  

2. Will the Act apply to all kinds of data? 
   The provisions of the Act and the rules which will be notified from time to time will apply to both digital personal data as well as personal data in non-digitised form which is subsequently digitized.  

3. Will the provisions of the Act apply if the data of Indian Citizens is processed outside India? 

   Yes, on its territorial reach, the provisions of the Act and its rules will apply to:  

   1. Digital personal data which is processed outside India, if such processing is in connection with any activity related to offering of goods and services to data principals in India; and 

   2. Digital personal data which is processed within the territory of India. 

4. What do the terms “Data Principal”, “Data Fiduciary” and “Data Processor” mean? 

   1. A Data Principal is the individual to whom the personal data relates. In case the Data Principal is a child, the Act has expanded the definition of Data Principal to include her parents or lawful guardian and where the Data Principal is a person with a disability then it includes her lawful guardian, acting on her behalf.   

   2. Further, a Data Fiduciary is the entity which alone or in conjunction with others determines the purpose and the means of processing personal data.   

   3. Finally, a Data Processor is any entity which processes personal data on behalf of a Data Fiduciary.  

5. What is a “Significant Data Fiduciary”? 

   The Central Government is likely to notify any or a class of data fiduciaries as Significant Data Fiduciaries considering certain relevant factors such as volume and sensitivity of personal data processed, risk to the Data Principal, potential impact upon the sovereignty and integrity of India, risk to electoral democracy, security of the State and public order.   

   These Significant Data Fiduciaries will need to comply with additional compliances including appointing a data protection officer, independent data auditor, conduct periodic data protection impact assessment and other measures.  

6. What are the rights and obligations of a Data Principal? 

   A Data Principal is entitled to seek from the Data Fiduciary a summary of the personal data being processed, processing activities undertaken and identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared.  

   Data Principals are also entitled to seek correction and erasure of their data. Further, the Central Government may prescribe other information which can be requisitioned from the Data Fiduciary. 

   The Act has also imposed duties that Data Principals must adhere to. Duties include but are not limited to ensuring that they do not impersonate others, supress material information while providing data for any document issued by the Government, not register false grievances etc. Non-compliance with such duties may attract the scrutiny of the Data Protection Board. Penalties of up to INR 10,000 (GBP 100 approximately) may be attracted if Data Principals are found to be non-compliant with their obligations under this legislation.  

7. What is a “Consent Manager”? 

   A “Consent Manager” is an entity who is accountable to Data Principals and act on their behalf to manage their consent.  

   A Consent Manager is required to be registered with the Data Protection Board and act as a single point of contact to enable the Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.  

8. Some of our users are minors, do I need to undertake additional compliances to provide them services on our platform? 
   The Act defines a ‘child’ as a person below 18 years of age and mandates that consent be sought from their parents or legal guardians before processing their data. However, the Act has also granted powers to the Central Government to relax the age requirement in the event it is of the view that a Data Fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe.  

9. We routinely collect the personal data of Data Principals / customers to provide them services. Do we have to undertake any compliances prior to processing their data? 

   Yes, in most cases, consent is a condition precedent to processing a Data Principal’s personal data. Consent is meant to be freely given, specific, informed, and unambiguous with a clear affirmative action.  

   Prior or at the time of seeking consent, it is mandatory that the Data Principal be issued a notice broadly informing her of the following: 

   1. The personal data sought to be collected and the purpose for processing such data; 

   2. The manner in which a Data Principal can withdraw consent and exercise her right to grievance redressal in the event of any act or omission by the Data Fiduciary; and  

   3. The manner in which a complaint may be preferred before the “Data Protection Board”. 
      Finally, a Data Fiduciary is mandated to erase data stored with it and its Data Processor as soon as consent is withdrawn by the Data Principal or as soon as it is reasonable to presume that the specific purpose for which the data was processed is no longer being served.  

10. We have been processing Data Principals / our customers personal data prior to the Act coming into force. Do we need to undertake any compliances? 

    Yes, despite having collected personal data prior to the commencement of the Act, once the Act is in force, a Data Fiduciary will be mandated to issue a notice to the Data Principal in the same manner as they would have done if notice was issued along with the request for consent as set out above. In the event the Data Principal does not withdraw her consent, after issuance of notice, a Data Fiduciary can continue to process such personal data.   

11. Am I mandated to share the personal data collected with any third parties? 
    Yes, broadly such processing is undertaken at the behest of the State or its instrumentalities to comply with applicable provisions of law, respond to certain medical issues, ensure safety to individuals during disasters and to maintain public order.   

12. We outsource the activity of data processing to a third party, will we, the Data Fiduciary still be potentially liable in the event of a personal data breach by the third party?  

    Data Fiduciaries are mandated to enter into valid contracts with Data Processors. The provisions of such contract will determine the extent and scope of liability of the Data Processor towards the Data Fiduciary. The Act itself does not provide for any statutory limits of liability to either the Data Fiduciary or the Data Processors. In fact, the Act holds the Data Fiduciary responsible for complying with its provisions and rules made in respect of any processing undertaken by it or on its behalf by the Data Processor.  

    Much would depend upon the language used in the contract between the Data Principal and the Data Fiduciary, however, in the event the Data Processor represents and warrants maintaining reasonable security safeguards and is found in breach, it may be liable to the Data Processor for the loss incurred owing to its negligence.  

13. We routinely collect and store personal data of Data Principals / our customers to provide services. What steps do I need to take to ensure that personal data of the Data Principals remains safe? 

    The Data Fiduciary is mandated to implement appropriate technical and organisational measures to ensure that effective observance of the provisions of the Act and its rules. Moreover, a Data Fiduciary is mandated to protect personal data in its possession or under its control including in respect of any processing undertaken by it or on its behalf by a Data Processor by taking reasonable security safeguards to prevent data breach.  

    Previously, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 provided that a body corporate or a person on its behalf shall be considered to have complied with “reasonable security practices and procedures”, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.  

    Unlike the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, the Act does not specify what “reasonable security measures” would entail. However, compliance with International Standards such as ISO 27001 may assist in demonstrating to the Data Protection Board, or any other authority, that a comprehensive information security programme was maintained.  

14. Can I use the services of a Data Processor located outside India? 
    At this stage, it may be perceived that the Act allows for the transfer of personal data outside India provided the Central Government has not specifically restricted its transfer to a particular country or territory. The manner of drafting the clause hints that in cases where the Central Government has not issued specific restrictions, cross border processing of data may be allowed. However, this provision has been caveated, not restricting the applicability of any law that provides for a higher degree of protection. 

15. I accidently sent an email with the personal data of my customers to a third party, am I mandated to notify the customers and the Data Protection Board? 
    Under the Act, a personal data breach includes an accidental disclosure of personal data that compromises the confidentiality, integrity or availability of personal data. Consequently, in appropriate cases, it may become necessary to notify the affected Data Principals / customers and the Data Protection Board.  

16. A threat actor has unauthorisedly accessed our computer systems and encrypted personal data of our customers and employees. They are now demanding a ransom for sharing a decryption key. Do I need to notify the Data Protection Board? 

    A ransomware incident will fall within the meaning of a personal data breach and consequently will be required to be notified to the Data Protection Board and the concerned Data Subjects.  

    CERT-In has through advisories recommended that Data Fiduciary take the following steps in the event of a ransomware incident which may be undertaken by the affected Data Fiduciary:  

    • Immediately disconnect and isolate infected systems from the network.  

    • If several systems or subnets appear impacted, take the infected network offline at the switch level. 

    • Disconnect all external storage: memory sticks, attached phones/cameras, external hard drives, USB drives. 

    • Turn off any wireless functionality: Wi-Fi, Bluetooth, NFC. 

    • Isolate backups immediately, if any connected to network 

    • Consider temporarily disabling any external facing remote connectivity service [VPN/RDP] 

17. What is the Data Protection Board? 

    The Data Protection Board is an independent body which has been tasked conducting inquiries, responding to personal data breaches, issuing interim orders, determining non-compliance with the provisions of the Act and imposing suitable penalties.  

    The Data Protection Board may if it concludes that there has been a significant non-compliance by any entity to which the Act applies, impose harsh financial penalties. Broadly, these penalties will be determined based on a set criterion and the nature of the offence.  

18. What is the procedure of grievance redressal for Data Principals? 

    The Act mandates that a Data Principal should first exhaust its remedy of seeking redressal from the concerned Data Fiduciary or Consent Manager before approaching the Data Protection Board. 

    In the event the Data Principal is still aggrieved by the decision of Data Fiduciary or Consent Manager, it may approach the Data Protection Board through a complaint. The Data Protection Board may inquire into the complaint and pass appropriate orders. Separately, the Act also grants powers to the Board to refer parties to mediation.

    The decision of the Data Protection Board may be appealed by an aggrieved party before the existing Telecom Disputes Settlement and Appellate Tribunal. The orders passed by the Telecom Disputes Settlement and Appellate Tribunal will be executable as a decree passed by a civil court. Finally, the decision of the Telecom Disputes Settlement and Appellate Tribunal may be challenged before the Supreme Court of India by the aggrieved party.

Authored by CSL Chambers, New Delhi, an associated office of Clyde & Co: Sumeet Lall (Partner - Sumeet.Lall@cslchambers.com), Nikhil Lal (Senior Associate – nikhil.lal@cslchambers.com) – The contents of this document are for informational purposes only and should not be treated as a legal opinion. Should you have any queries relating to the content of this insight piece or require further information, please don’t hesitate to contact us.