India Digital Personal Data Protection Act (DPDP Act): An Overview

India’s Digital Personal Data Protection Bill was tabled in 2022, and was finalized as India’s Digital Personal Data Protection Act (DPDP Act) when it received approval from both houses of Parliament and the assent of the President in August 2023. The law came into effect August 11, 2023 and covers personal data collected in digital format, or collected by other means and later digitized. The law is intended to protect personal information for citizens in the world’s most populous country, and increase accountability for organizations that handle a lot of such data, including those with online operations and that run mobile apps.

The law is in line with the standards of many global data privacy regulations, taking influence from China’s Personal Information Protection Law (PIPL) and the European Union’s General Data Protection Regulation (GDPR). We look at important requirements of the DPDP Act, key definitions, enforcement, and more. (Note: the state-level Delaware Personal Data Privacy Act in the United States also uses the initialism “DPDPA”, so we will mostly use “the DPDP Act”.)

The DPDP Act is a federal law in India that regulates the processing of the digital personal data of its citizens. The law aims to strike a balance between the recognized need to process personal data for various purposes, and individuals’ right to control and protect it.

Like many data privacy laws around the world, the DPDP Act is extraterritorial, and so applies to organizations operating both inside and outside of India, if they are offering goods or services to Indian citizens, and in doing so processing personal data. The Act does allow for legal bases for data processing in addition to consent of the data principal, but consent is required for many processing purposes.

The definitions of key terms outlined in the DPDP Act are consistent with many data privacy laws, though some of the terms are different, e.g. “data fiduciary” instead of “data controller”. The definition of a person is also quite broad, as it can include the Indian State, a family, or a firm, for example.

A person covers a variety of entities, not just individual people, and refers to:

• an individual
• a Hindu undivided family
• a company
• a firm
• an association of persons or a body of individuals, whether incorporated or not
• the State
• every artificial juristic person, not falling within any of the preceding sub-clauses

Personal data refers to any data about an individual who is identifiable by or in relation to such data. The personal data can be collected and processed in digital format, or collected in another format and later digitized. The Act does not provide a list of examples of personal data (e.g. name, phone number, financial information, etc.) like some data privacy laws do.

Processing in the context of personal data means “a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”.

A data principal’s consent must be: “free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose”.

A child is defined as a person who is 18 years old or younger.

This term refers to any individual to whom personal data being processed relates, and includes an individual who is a child (also, then, including the child’s parents or lawful guardians) or an individual who has a disability (also, then, including the person’s lawful guardian, acting on their behalf). Also known as a data subject under some other laws.

“Data fiduciary” means any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. Also known as a data controller under some other laws.

A “Significant Data Fiduciary” refers to any data fiduciary or class of data fiduciaries as may be notified by the Central Government.

A data processor is any person who processes personal data on behalf of a data fiduciary.

For the purposes of the Act, “Consent Manager” does not refer to software such as a consent management platform, but instead refers to a person or organization registered with the Data Protection Board. This entity acts as the point of contact to enable an individual, here the “data principal”, to provide, manage, review, and/or withdraw her consent via a platform that is “accessible, transparent and interoperable”. A consent manager serves as a middleman for businesses to help facilitate compliance with the DPDP Act.

The law applies to entities that collect and process digital personal data in India in the course of offering goods and services. It also applies to the processing of personal data outside of India if the processing is connected with an activity relating to offering goods or services to Indian citizens.

Data principals have some of the rights common under other global data privacy laws, but not all of them. These include:

• Right of access – to obtain information from the data fiduciary about their personal data, the processing of it, and identities of any third-party data fiduciaries or data processors with which it has been shared
• Right to correction – to get errors or omissions corrected or personal data updated as quickly as is reasonable (with some exceptions)
• Right to erasure – to have personal data deleted as quickly as is reasonable, including data held by and/or processed by a third-party data processor, upon request (with some exceptions)
• Right of grievance redressal – to have a readily available means to report a grievance, provided by the data fiduciary or consent manager, and have the grievance responded to within a reasonable amount of time from the date of receipt (with some exceptions)
• Right to nominate an agent – to have someone represent the data principal to exercise their rights under the Act on their behalf in the event of death or incapacitation

It should be noted that the right to erasure is not a full “right to be forgotten” as under the GDPR. Additionally, data principals do not have the right to data portability, to opt out of automated decision-making, or private right of action — the ability to sue a data fiduciary in the event of a breach — though they may seek compensation for a breach from responsible parties, and the Act does provide a schedule of penalties for different types and degrees of violation or negligence.

Data principals have several duties under the DPDP Act, especially with regards to exercising their rights, including:

• complying with other applicable laws and their provisions
• not impersonating another person while providing personal data for a specific purpose
• not suppressing any material information while providing personal data for documents, proof of identity, proof of address, etc.
• issued by the State
• not registering any false or frivolous grievance or complaint with a data fiduciary or the Data Protection Board (the Board may issue
• a warning or impose costs on a complainant if a complaint brought by them is determined to be frivolous)
• providing only verifiably authentic information when exercising the right to correction or erasure

Requests made to a data principal for consent to process personal data must be preceded by or accompanied by a notice from the data fiduciary providing information about:

• the personal data requested
• the purpose for processing
• how the data principal can exercise their rights
• how the data principal can make a complaint to the Data Protection Board

Valid consent must be “free, specific, informed, unconditional and unambiguous, with a clear affirmative action”. Consent signifies an agreement for processing of personal data for a specified purpose, and is limited to the personal data that is necessary to fulfill that purpose.

A data principal can withdraw their consent at any time, and it must be as easy to do so as to give consent. At the point when consent is withdrawn, the data fiduciary (or data processor) must stop processing their personal data. If requested, and if legally possible, that personal data must also be deleted.

The DPDP Act does not contain specific clauses outlining requirements for or prohibiting the processing of personal data for marketing or advertising purposes for adults, including data use for targeted advertising or profiling. Targeted advertising to children is prohibited, however.

A data fiduciary must obtain verifiable consent from a parent or guardian before processing any personal data from a child or person with a disability. Additionally, data fiduciaries must not track or engage in behavioral monitoring of children or targeted advertising directed at children.

Entities have responsibilities on several fronts under the Act, including to data principals, with regards to the data itself, and if they engage the services of any third-party data processor, which can only be done under contract. The data fiduciary is ultimately responsible under the law for actions taken on its behalf by any data processor contracted to it, or in the event of a data breach involving the data processor. Data fiduciaries must also keep records of processing activities, including the purposes of processing, categories of data principals, and data transfers.

Personal data may be processed only when the data principal has given consent, or for certain legitimate uses (“legitimate interest” under the GDPR). Applications of legitimate use are significantly restricted. They include, under current Indian law:

• personal data voluntarily provided by the data principal to the data fiduciary for a specified purpose (and they have not indicated that they do not consent to the use of the data)
• processing by the state to enable issuing benefits, services, licenses, etc. when the data principal’s consent has been received before or the personal data is already available digitally in a database or other repository maintained by the State.
• fulfillment of a legal obligation, judgment, or order
• compliance with legal judgment or order relating to contractual or civil claims
• providing lifesaving medical care or in responding to a life-threatening medical emergency
• providing medical treatment or health services during an epidemic, disease outbreak, or other threat to public health
• ensuring the safety of or providing assistance or services to any individual during a disaster or breakdown of public order
• for employment or to safeguard employers from loss or liability resulting from the actions of a data principal who is an employee

Entities that collect and process personal data have several responsibilities, including:

• maintaining the completeness, accuracy, and consistency of the data
• taking reasonable technical and security measures to protect the data
• deletion of the data once the purpose for which it was collected and processed is complete

In conjunction with data principals’ rights, data fiduciaries also need to:

• provide information about personal data in their possession and about processing to data principals upon reasonable request
• correct or delete personal data when notified (with some exceptions)
• address complaints levied by data principals regarding issues relating to the data processing and the stipulations of the law

The Central Government, upon assessment, may notify a data fiduciary that they have been determined to be “significant”. This is based on factors like:

• volume and sensitivity of personal data processed
• risk to the rights of data principals
• potential impact on the sovereignty and integrity of India
• risk to electoral democracy
• security of the State
• public order

There are a number of requirements for data fiduciaries determined to be Significant Data Fiduciaries, including:

• appointing a Data Protection Officer who will represent the SDF under provisions of the DPDP Act and who is:
  • based in India
  • responsible to the SDF’s Board of Directors or comparable governing body
  • the point of contact for the SDF’s grievance redressal mechanism under the Act
• appointing an independent audit to carry out data audits to evaluate the SDF’s compliance with the Act
• undertaking periodic data protection impact assessments (DPIA), which include:
  • describing the rights of data principals
  • purposes of personal data processing
  • assessment and management of risks to data principals’ rights, etc.
• undertaking periodic data audits
• other prescribed measures consistent with provisions of the Act

The DPDP Act allows for transfers of personal data outside of India, except to countries that have been notified by the Central Government. Concerns have been expressed that this mechanism may not ensure adequate evaluation standards for data protection in the countries where data transfers are allowed.

The Central Government may notify a data fiduciary to restrict transfers of personal data for processing to a country or territory outside of India. Any Indian law currently in force will supersede the Act if it allows for a higher degree of protection for personal data, or restriction on transfers of personal data.

The Act requires that requests for data principals’ personal data be preceded by or accompanied by a notice about the personal data requested, the purpose of processing, how the data principal can exercise their rights, and how they can make a complaint to the Data Protection Board.

The Act specifies that every consent request or other notice to data principals must be presented in “clear and plain language”, and accessible in English or any constitutionally recognized language. Where applicable, contact details for a Data Protection Officer must be included, or for any other person authorized by the data fiduciary to respond to communications from data principals to exercise their rights under the DPDP Act.

The Act does not specifically reference a privacy policy or notice, e.g. as can be found on many websites.

When required, data fiduciaries must appoint a Data Protection Officer and must publish business contact information for this person in a prescribed manner. Or they must be able to provide contact details for a person who can provide answers to inquiries and information on behalf of the data fiduciary if data principals inquire about the processing of their personal data.

Data fiduciaries can engage data processors to process personal data on their behalf for any activity related to offering goods or services to data principals. However, this can only be done under a valid contract. Data fiduciaries are ultimately responsible for the actions of any data processors they engage.

The Central Government may exempt government agencies from DPDP Act provisions in the interest of national security, public order, and prevention of offenses. This option includes quite a few agencies. It is possible that exempt agencies could collect, process, and retain personal data beyond what is necessary in such cases. The government can also exclude categories of organizations in the future, like startups, which raises concerns about privacy oversight.

Exemptions also include processing publicly available personal data, processing data for research purposes, and in some circumstances, processing personal data of non-Indian citizens.

The Act does not apply to personal data processed by an individual for personal or domestic purposes, for journalistic purposes or artistic expression, or to personal data that is made or caused to be made publicly available by the data principal to whom the data relates, or any other person with an obligation under current Indian law to make that personal data publicly available.

The Central Government is the ultimate authority, though management and enforcement of the DPDP Act will fall to the Data Protection Board they appoint. The Act also makes it very clear what mechanisms data principals have to register complaints about personal data processing or breaches, how those must be handled and by whom, and what the potential penalties are for confirmed violations.

The DPDP Act defines a personal data breach as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data”.

India’s Central Government will establish a Data Protection Board to adjudicate on issues of noncompliance with the DPDP Act. Board members and the Chairperson will be appointed by the Central Government for two-year terms and are eligible for re-appointment.

Board members will be individuals who possess “special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful to the Board, and at least one among them shall be an expert in the field of law”.

With approval from the Central Government, the Board may appoint officers and employees necessary to perform its functions under the Act. The text of the DPDP Act also notes that, the Board and the Appellate Tribunal (which handles data principal appeals of Board decisions) shall function as an independent body, and, as far as practicable, as a digital office, meaning functions like receiving complaints, making inquiries, announcing decisions, etc. should be set up digitally by design.

In addition to publishing contact information for a representative of the data fiduciary or a Data Protection Officer, data fiduciaries must establish an “effective mechanism to redress the grievances of data principals”. Typically this includes a phone number, email address, online form, etc.

A data principal can make a complaint regarding a personal data breach by a data fiduciary to the Board or to a Consent Manager (which will then liaise with the Board), which will make inquiries regarding the breach and impose penalties where relevant. The Board will make decisions regarding whether there are sufficient grounds with a complaint to proceed with an inquiry. For the purposes of inquiries, the Board will have the same powers as a civil court regarding summoning people, receiving evidence, inspecting documents, etc.

An entity under investigation relating to a compliance complaint under the DPDP Act can offer a voluntary undertaking at any stage of the inquiry. This is a voluntarily offered commitment to achieve compliance with DPDP Act provisions. The undertaking can include specific actions to be taken, not taken, or ceased. The data fiduciary makes this offer to the Data Protection Board, which has the authority to accept, modify, or reject it, and to make it publicly known if the entity will commence with the undertaking.

If accepted, a voluntary undertaking provides legal protection from penalties related to the alleged violation of the Act, as long as they do not fail to meet the terms of the undertaking. If they do fail to achieve compliance, the Board can impose penalties.

If a complainant is unsatisfied with a decision by the Board, they can file an appeal within 60 days of receiving the Board’s decision. A fee may be charged for this filing. Appeals are handled by the Appellate Tribunal, and must be dealt with within six months under most cases, and if this is not possible, the reasons must be recorded.

Data fiduciaries are responsible for appropriate technical, organization, and security measures to ensure compliance with the DPDP Act and protection of any personal data in their possession. The data fiduciary is also responsible for the actions of third-party data processors contracted to it, or in the event of a data breach occurring with such a third party.

In the event of a personal data breach, the data fiduciary must notify the Data Protection Board and each affected data principal in a way determined by the Board. Upon notification of a breach or alleged breach, the Board will direct urgent remedial or mitigation measures, as well as performing inquiries regarding the breach and imposing penalties.

The Data Protection Board will have responsibility for determining penalties for violations and amounts of those penalties. Considerations for the severity of penalties imposed upon a data fiduciary will include:

• nature, gravity, and duration of the breach
• type and nature of the personal data affected by the breach
• repetitive nature of the breach
• whether the person, as a result of the breach, has realized a gain or avoided loss
• whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action
• whether the monetary penalty to be imposed is proportionate and effective (particularly regarding the need to enforce compliance with the Act and deter other violations)
• likely impact of the imposition of the monetary penalty on the person

Sums received as penalties will be credited to the Consolidated Fund of India. The schedule of monetary penalties for a breach as outlined in the DPDP Act are as follows:

*crore = 10,000,000, so 250 crore rupees equals 2.5 billion rupees, equivalent to ~US $30 million or ~€ 27.7 million.

India’s Digital Personal Data Protection Act brings data protections to over 17% of the world’s population, and introduces compliance requirements to businesses wanting access to very large markets since it applies extraterritorially.

For organizations familiar with or already compliant with established data privacy laws like the GDPR, the DPDP Act does not bring too many diversions or surprises. However, organizations should consult with qualified legal counsel and/or a data privacy expert to ensure compliance needs are met.

In many cases, organizations can achieve compliance by requesting data principals’ consent before collecting or processing personal data. This must be done with clear and simple language, and explain what data would be collected, for what purpose(s), what the data principal’s rights are, and how they can lodge complaints. The data must also be deleted once the purpose for processing is completed in most cases.

Organizations aiming to use legitimate interest as a legal basis for data processing need to be very careful and consult legal counsel, as the use of this option is quite restricted. Some organizations will also need to engage a Data Protection Officer, and others will just need to ensure there is an easily accessible contact person for data principals to engage with regarding exercising their rights. Organizations should also ensure they have a robust data breach response process in place.

A consent manager can help with achieving and maintaining compliance, and a consent management platform like Usercentrics CMP could be a valuable tool administered by a consent manager for enabling obtaining and managing consent from data principals. The DPDP Act does apply to the use of cookies and other tracking technologies on websites and apps.

Organizations need to ensure contractual agreements are in place before engaging data processors. They need to be aware that they are responsible for the actions of third parties they have contracted, so data processing partners should be selected carefully after due diligence.

If you have questions about how India’s Digital Personal Data Protection Act may affect your business, or more generally about consent management for websites and apps, we’re happy to help. Contact one of our experts!

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.