After five years of legislative back and forth, India passed its new comprehensive privacy law, the Digital Personal Data Protection (“DPDP”) Act, last month.
This week, India’s Minister of State for Electronics and IT said that companies will be given around a year’s time to comply with the Act (though certain organizations like small companies or start-ups may have more time). Given the number of important differences under the Act when compared to the EU’s GDPR or recent US state privacy laws, organizations should start working towards compliance with the Act now.
To give companies a head start, our friends at Kochhar & Co have put together a checklist of the core obligations under the Act.
Our thanks to Stephen Mathias over at Kochhar & Co for this valuable resource!
SUMMARY OF REQUIREMENTS OF INDIA’S NEW DIGITAL PERSONAL DATA PROTECTION ACT

| Topic | Requirement under the Act |
| --- | --- |
| Nomenclature | Data Subject = Data Principal; Data Controller = Data Fiduciary; Data Processor = Data Processor |
| Cross Border Applicability | The law applies to anyone who offers goods or services to persons in India. |
| Sensitive Personal Data | There is no definition of sensitive personal data and no separate applicability of the law to sensitive personal data. |
| Grounds for Processing | Consent is the main ground for processing of personal data, but other permitted grounds may exist, such as processing personal data for the “specified purpose” for which a data principal “voluntarily” provided her personal data. |
| Requirements of Consent | Consent has to be freely given, specific, informed, unconditional, and an unambiguous indication of consent through a clear affirmative action. The data principal must be given the option to access the request for consent in their choice of English or one of the 22 languages specified in the Indian Constitution. Data fiduciaries must appoint a “Consent Manager” as a sole point of contact for data principals to manage their consent. This Consent Manager must be registered with the Data Protection Board of India. |
| Legitimate Interest | There are exemptions in relation to some requirements, including compliance with law, compliance with court orders, medical emergencies, etc. Processing of personal information in the context of employment is also subject to some exemptions. |
| Notice Requirements | There are broadly three notice requirements: (a) what personal data will be processed; (b) what the specified purposes of processing the personal data are; and (c) the grievance rights of the data fiduciary. The data principal must be given the option to access the contents of the notice in their choice of English or one of the 22 languages specified in the Indian Constitution. |
| Purpose Limitation | Personal data can be processed only for specified purposes, i.e. the purposes mentioned in the notice. There is no specific mention that the purpose must be legitimate or reasonable. |
| Right to Access | The data principal has a right to ask what personal data is being processed. |
| Right to Correction / Updating | The data principal has a right to require that personal data be updated or corrected. |
| Right to Deletion / Limits on Retention | Unless the data fiduciary is required by law to retain the personal data, the personal data must be deleted by the data fiduciary when the purpose for processing is no longer served. This standard also applies when the data principal asks for deletion. |
| Data Portability | There is no right to data portability. |
| Duties of Data Subjects | Data subjects are obligated not to provide false information or engage in frivolous or false complaints. |
| Data Localization | The government has the right to notify countries to which personal data cannot be sent. There is no other means to send personal data to those countries, such as through standard contractual clauses, intra-group arrangements, etc. |
| Children Age Threshold | The age of majority is 18. Verifiable parental consent is required for processing personal data of children. |
| Children Restrictions | The data fiduciary cannot engage in behavioral monitoring or targeted advertising. The government does have the power to exempt certain situations. The data fiduciary cannot process personal data in a way likely to cause a “detrimental effect” on the well-being of a child. |
| Privacy by Design and Default | This is not required by the law. |
| Data Breach Notification to Authority | This is required in every case of a personal data breach and in some situations of a data vulnerability. “Personal data breach” is broadly defined to include unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data. |
| Data Breach Notification to Data Subject | This is required in every case of a personal data breach and in some situations of a data vulnerability. |
| Significant Data Fiduciary (“SDF”) | The government will notify who qualifies as an SDF. The criteria would be processing of a large amount of data, threat to democracy, and threat to the integrity and sovereignty of India. |
| Data Protection Officer | Required only for SDFs. However, other data fiduciaries need to appoint a person to be responsible for the grievance redressal process. |
| Privacy Audit | Every SDF must conduct a privacy audit by an independent privacy auditor. |
| Privacy Impact Assessments | Every SDF must conduct a privacy impact assessment. The details of this would be specified by the government. |
| Grievance Procedure | Every data fiduciary must inform the data principal of its grievance procedure and must prepare a grievance redressal process, including contact details of the person to be contacted. |
| Penalties | There is a schedule that specifies maximum penalties for different violations. The highest penalty is Rs 25 billion. |
| Compensation | There is no requirement of payment of compensation. All penalties would be paid to the government. |
Alex Schlight is a Senior Associate at Hintze Law PLLC. Alex counsels US and international clients on data privacy compliance and risk management strategies.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.