Privacy Laws In India: A Comprehensive Overview

how are indian privacy laws

India's privacy laws have been evolving in recent years, with the country passing its first comprehensive data privacy law, the Digital Personal Data Protection Act (DPDPA), in August 2023. This law aims to regulate the processing of personal data and provide Indian citizens with greater control over their personal information. The DPDPA establishes guidelines for organizations handling personal data, including obtaining consent, limiting data collection, ensuring data accuracy, and preventing unauthorized access. It also addresses the protection of children's personal data and grants individuals rights such as access, correction, and deletion of their personal information. The Indian government has also released draft rules for public consultation, providing insights into the implementation of the DPDPA. These developments mark a significant shift in India's data privacy landscape, strengthening data security and privacy rights for its citizens.

lawshun

The Digital Personal Data Protection Act (DPDPA)

India's first comprehensive data privacy law, the Digital Personal Data Protection Act (DPDPA), was enacted in August 2023. The Act provides a framework for the processing of digital personal data, recognising both the right of individuals to protect their personal data and the need to process such data for lawful purposes. The DPDPA applies to Indian entities that process personal data and has extraterritorial applicability to foreign entities offering goods and services to Data Principals within India.

The DPDPA introduces several compliances regarding the collection, processing, storage, and transfer of digital personal data. It defines a personal data breach as any unauthorised processing or accidental disclosure, use, alteration, destruction, or loss of access that compromises confidentiality, integrity, or availability. The Act requires all breaches to be reported to affected data subjects and the Data Protection Board of India (DPBI). Additionally, the DPDPA prescribes safeguards for processing children's personal data, prohibiting targeted advertising and behavioural monitoring of minors.

The DPDPA grants individuals rights such as the right to access, correct, update, and delete their personal data, as well as the right to grievance redressal. It outlines the role of Significant Data Fiduciaries (SDF), with specific obligations including appointing a Data Protection Officer (DPO) based in India and conducting a data protection impact assessment (DPIA). The Act empowers citizens by providing data principal rights and imposing penalties of up to INR250 crore for non-compliance by data fiduciaries.

The DPDPA is a significant step towards strengthening India's data privacy regime and fostering a secure environment for citizens and businesses. While it has not yet come into force, organisations are encouraged to align with its provisions to the extent possible. The Act's simplicity and similarity to the EU's GDPR are notable, although differences exist in their scope and legal bases for data processing. The DPDPA's impact extends beyond India, potentially affecting North American companies doing business in the country.

lawshun

Extra-territorial applicability

India's first comprehensive data privacy law, the Digital Personal Data Protection Act ("DPDPA" or "DPDP Act"), was enacted in August 2023. The DPDPA introduces several compliances regarding the collection, processing, storage, and transfer of digital personal data.

The DPDPA has extra-territorial applicability, extending to entities established outside India that process personal data in connection with offering goods or services to individuals within India. This means that foreign entities offering goods or services to individuals in India and processing personal data in connection with these activities are subject to the DPDPA.

The scope of 'offering' is currently unclear, but the law is expected to apply to foreign data controllers involved in marketing goods and services to individuals in India. The DPDPA does not apply to personal data processed for personal or domestic purposes or data that has been made publicly available by the individual or by any person legally obligated to do so.

There is also a blanket exemption for personal data processed by a government agency for national security or crime prevention purposes, or when necessary for research, archival, or statistical reasons. The DPDPA clarifies that it will not limit the applicability of any other Indian law that provides a greater degree of protection for personal data.

The DPDPA is a significant step towards regulating the processing of personal data in India and has the potential to impact North American companies doing business in India due to its extra-territorial applicability.

lawshun

Data breach notifications

India's first comprehensive data privacy law, the Digital Personal Data Protection Act (DPDPA), was enacted in August 2023. The DPDPA introduces several compliances regarding the collection, processing, storage, and transfer of digital personal data.

The DPDPA requires data fiduciaries to protect personal data and take reasonable security measures to prevent a personal data breach. A personal data breach includes any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to personal data, compromising the confidentiality, integrity, or availability of personal data. In the event of a personal data breach, a Data Fiduciary must inform each affected Data Principal and the Data Protection Board of India (DPBI). The DPDP Act prescribes reporting for all types of personal data breaches, regardless of their sensitivity or impact.

The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties Rules, 2013 (Cert-In Rules), along with the Cyber Security Directions, impose mandatory notification requirements on service providers, intermediaries, data centers, and corporate entities upon certain cybersecurity incidents. The Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority of India (IRDAI), and Telecom Regulatory Authority of India (TRAI) are among the sector-specific regulators that have imposed compliance obligations on regulated entities to adopt cybersecurity and cyber resilience measures.

While the DPDPA does not prescribe any specific safeguards or measures, it requires all breaches to be reported to affected data subjects and the DPBI. The DPDPA does not include rights such as the right to data portability and the right to not be subjected to automated decision-making. The law also does not restrict data localization, but the government can notify a blacklist of countries to which data transfers would be restricted.

The DPDPA is a positive step towards enforcing data protection in India, the world's fifth-largest economy. It is simpler and less prescriptive than the GDPR, and organizations are expected to be given a reasonable timeframe to ensure compliance.

lawshun

Data localisation restrictions

India's Digital Personal Data Protection Act (DPDP) of 2023 has shifted the country's approach to data localisation. While the DPDP does not demand strict data localisation, it gives the government the power to restrict data flows to specific countries based on national security concerns. This represents a more moderate stance compared to the stricter limits on data flows imposed by the 2019 bill.

The DPDP introduces several compliances regarding the collection, processing, storage, and transfer of digital personal data. It applies to Indian entities that process personal data, as well as foreign entities offering goods and services to data principals located within Indian territory. The DPDP does not regulate non-personal and non-digital data.

The DPDP outlines specific requirements for obtaining consent, such as ensuring it is obtained willingly and without undue influence. It also defines sensitive personal information, which includes passwords, financial information, health conditions, sexual orientation, medical records, and biometric information. Additionally, the DPDP requires data controllers to provide privacy notices in English or 22 other languages recognised by the Indian Constitution.

To ensure compliance with the DPDP, businesses must understand its implications and implement necessary measures. The law mandates clear permission from individuals before using their data, and businesses must provide notices about the data being processed and why. Failure to comply with the DPDP can result in significant fines of up to $30 million and loss of trust.

While the DPDP has changed India's approach to data localisation, certain sector-specific agencies maintain their existing or future localisation requirements. For example, the Reserve Bank of India has localisation restrictions on payment and financial data, ensuring that data relating to payment systems is stored within India. Similarly, the Securities Exchange Board of India (SEBI) has issued an advisory for financial sector organisations, requiring them to store critical data sets, such as credit and liquidity risk data and market risk data, within India. These sector-specific regulations highlight the importance of businesses understanding the applicable localisation requirements to ensure compliance and maintain data security.

lawshun

Privacy impact assessments

India's data privacy laws have been described as minimal, with low privacy standards. In August 2023, the country passed its first comprehensive data privacy law, the Digital Personal Data Protection Act (DPDPA), which will regulate the processing of personal data. The DPDPA will establish guardrails for how organisations handle personal data and offer Indian citizens more control over their personal data. The Act will also apply to foreign entities that offer goods and services to data principals located in India.

The DPDPA outlines several compliance requirements regarding the collection, processing, storage, and transfer of digital personal data. Notably, it does not apply to personal data used by an individual for personal or domestic purposes or data that is already publicly accessible. The law also does not restrict the transfer of personal data outside of India, a provision that is more relaxed than previous iterations of the bill.

The DPDPA has introduced the need for privacy impact assessments and audits for Significant Data Fiduciaries (SDFs). These assessments will evaluate the rights of users and the management of risks related to processing their personal data. All data fiduciaries must also obtain parental or guardian consent before processing the data of children under the age of 18 or individuals with disabilities who have a lawful guardian. Additionally, data fiduciaries are prohibited from processing personal data that is likely to cause any detrimental effect on the well-being of a child and from engaging in targeted advertising and behavioural monitoring of children.

While the DPDPA is a significant step forward for data privacy in India, it does not provide a right to data portability or the right to not be subject to automated decision-making. The law also does not prescribe specific safeguards or measures for data breaches, requiring all breaches to be reported without any impact thresholds. However, the DPDPA clarifies that it will not limit the applicability of any other Indian law that provides a greater degree of protection for personal data.

Frequently asked questions

The Digital Personal Data Protection Act, also known as the DPDPA, is India's first comprehensive data privacy law. It was passed by the Indian Parliament on August 11, 2023, and published by the Government of India on the same day. The Act introduces several compliances regarding the collection, processing, storage, and transfer of digital personal data.

The DPDP Act applies to Indian entities that process personal data, as well as foreign entities offering goods and services to individuals located in India. It imposes stricter restrictions on cross-border data transfers and introduces the concept of consent managers to facilitate the management of consent between data principals and data fiduciaries. The Act also includes typical rights of data subjects, such as the right to access, correction, updating, and deletion of personal data.

The DPDPA defines a child as an individual under the age of 18. It prohibits targeted advertising and behavioural monitoring of children and mandates that data controllers obtain prior verifiable parental consent for processing children's personal data. This provision will have implications for companies with Indian minors as their consumers.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment