India’s New Data Protection Law
The Digital Personal Data Protection (DPDP) Act of 2023 was passed by the Indian Parliament in early August, representing the nation's inaugural cross-sectoral legislation for personal data protection. This enactment comes after more than five years of deliberation. This analysis explores whether the protracted deliberative process has resulted in a "good" law, one that adequately safeguards personal data and effectively balances, as stated in the law's preamble, "the right of individuals to protect their personal data" against "the need to process such personal data for lawful purposes."
The processing of personal data from individuals not situated in India, carried out under a contract with an entity outside India by an Indian-based entity, is exempt from the obligations imposed on Data Fiduciaries, including Significant Data Fiduciaries, cross-border transfer rules, and individual rights obligations. However, security provisions do apply.
Establishment of a Data Protection Board
A Centrally-appointed Data Protection Board is proposed by the DPDP Act, 2023, tasked with investigating and adjudicating complaints, overseeing data breach notifications, and imposing substantial penalties, reaching as high as INR 250 Crores. Despite its quasi-judicial role, it is noteworthy that the entire Board, including the Chairperson and Members, is appointed by the Central Government, with one Member required to be a legal expert. The Act lacks specific qualifications for Board members, leaving certain questions unanswered that may be addressed in subsequent legislation. The centralized composition of the governing Board is particularly significant given the Act's nationwide scope and its jurisdiction over certain data activities located abroad.
Regarding "sufficient grounds" for inquiry, the Data Protection Board must determine, upon receiving a complaint or data breach notification, whether there are grounds to proceed with an official inquiry. The Act, however, lacks clarity on the criteria for determining sufficiency, suggesting the need for guiding principles akin to those in Section 11 of the TRAI Act, 1997, which provide direction to the telecom regulator.
Consequential Rule-Making Powers
The Act grants substantial rule-making powers to the Central Government, notably allowing rules to restrict data transfer to foreign countries. While rules under Section 16 require Parliamentary approval, the extensive powers granted under Section 40, such as identifying Significant Data Fiduciaries and setting conditions for Board members, do not appear to be subject to the same process, granting the government significant authority without stringent legislative oversight.
Centre’s Power of Blocking Data Fiduciaries
Under Section 37, the Central Government has the power to block public access to certain Data Fiduciaries upon referral from the Board. This authority allows the government to potentially shut down a service provider in India based on penalties imposed and the perceived "interests of the general public," raising concerns about the broad interpretation of public interest and the potential limitations of judicial review.
Before or at the time of seeking consent, a Data Fiduciary must furnish individuals with a detailed notice in simple language, outlining the types of personal data to be collected, the processing purposes, and how individuals can exercise their rights. If individuals have already consented before the Act's commencement, a similar notice must be provided as soon as reasonably practicable. The option to access the notice in English or any of the 22 languages specified in the Eighth Schedule to the Indian Constitution must be given to individuals.
No specific rights against Data Processors
The Act does not outline specific rights against Data Processors, leaving open questions about the enforceability of claims or complaints against them. While contractual consequences may exist, it remains uncertain if Data Processors could face primary sanctions for their actions.
Access, correction, and erasure rights must be granted, but the Act does not specify response timeframes or exceptions. Individuals can request data erasure if it's no longer needed for the original purpose, unless legal retention is necessary. A redress mechanism must be readily available, provided by the Data Fiduciary or the Consent Manager.
The requirement for obtaining consent from individual Data Principals before processing personal data may lead to "consent fatigue" due to repeated requests. This echoes the experience following the implementation of GDPR in 2018, where multiple consent notices and checkboxes proliferated, potentially impacting user experience and privacy.
Shrinking Internet for Children
Section 9 of the Act mandates verifiable consent from parents before processing the personal data of children, aiming to protect their well-being. However, this could lead to a restricted online environment for children as Data Fiduciaries may opt for heavy censorship, limiting available content to perceived "safe" options.
The Act introduces the concept of 'Consent Managers,' registered entities facilitating consent processes between Data Principals and Fiduciaries. While theoretically streamlining consent management, practical implementation remains unclear, potentially posing challenges and acting as a bottleneck for users accessing the Internet.
Data Fiduciaries must implement suitable technical and organizational measures to effectively comply with the Act. They are required to safeguard personal data in their possession, including data processed by them or on their behalf by a processor, through reasonable security measures to prevent breaches.
Data Breach Notification
In case of a personal data breach, the Data Fiduciary must inform the data protection authority and affected individuals. The Act lacks specificity on the trigger for notification or the reporting timeframe.
Disclosures to Processors
A Data Fiduciary can only engage a processor under a valid contract to process personal data on its behalf, related to offering goods or services to individuals.
The government may, through notification, restrict the transfer of personal data by a Data Fiduciary for processing to a country or territory outside India. Additionally, the Act does not limit the applicability of any existing Indian law that offers greater protection or restrictions on the transfer of personal data by a Data Fiduciary outside India concerning specific data or Data Fiduciaries or classes of Data Fiduciaries.
Apart from outsourcing, specific processing activities are granted exemptions from all aspects of the Act except for the security provisions. Examples include processing conducted in the interest of preventing, detecting, investigating, or prosecuting any offense or violation of law, processing necessary to enforce a legal right or claim, and processing essential for a corporate merger or sale.