On October 14, India’s Ministry of Electronics and Information Technology (MeitY) indicated at a meeting with stakeholders that companies should start complying with the Digital Personal Data Protection Act, 2023 (the “Act”). MeitY has also stated more recently that detailed rules (collectively, the “Rules”) under the Act will be published by the end of November 2024.
There are some challenges in complying with the Act:
Pending Rules: Many of the Act’s provisions state that the Rules will or may be prescribed to elaborate on specifics. The Rules are expected to provide critical details on issues such as:
the form of privacy notice to be provided to data principals (data subjects whose personal data is being processed);
certain particulars in respect of data protection impact assessments; and
the manner of obtaining verifiable consent when processing the personal data of minors or those with disabilities, etc.
However, the Rules are yet to be published or notified under the Act.
Possible public consultations, causing delays: Earlier, MeitY had indicated that the Rules would be open for public consultation. If this remains the case, depending on the duration of the consultation period, the extent and nature of responses received and the revisions (if any) that may be made by MeitY, there may be further delays in the final notification of the Rules.
Constitution of Data Protection Board: The Data Protection Board of India (the “Board”) is yet to be constituted (through Rules under Section 18 of the Act). Enforcement of the Act by the Board, and additional guidance from it on how to comply with several aspects of the Act (as regulators provide in other jurisdictions), would be particularly helpful in a jurisdiction without a rooted culture of data protection.
The need to comply with legislation lacking in specificity in several respects, and where the enforcement authority is yet to be set up, does engender uncertainty. However, businesses can take several steps to position themselves towards compliance, as elaborated below.
The Act broadly applies to businesses processing digital personal data either (i) in India; or (ii) in connection with offering goods and services to data principals in India.
Businesses would do well to prioritise reviewing the personal data they process, particularly in light of the following requirements under the Act:
Bases for Processing: Consent is the primary basis for processing personal data under the Act. “Legitimate uses” are recognised as bases for processing in limited situations, including:
Voluntary provision of data by the data principal (data subject) to the data fiduciary (controller), limited to the specified purpose;
Processing to comply with legal obligations, judgments, decrees, etc.; and
Processing data for employment purposes or for safeguarding the employer from liability.
Data Minimisation: Data collection and processing should be limited to what is strictly necessary to achieve the specific purpose. Clear records should be kept of each data category, processing activity, purpose, and lawful basis.
Privacy Notice: When obtaining consent, a clear privacy notice should be provided. It should include:
What personal data is processed or proposed to be processed;
The purpose for processing; and
How data principals may exercise their rights.
Consent-Related Requirements: Consent obtained from data principals should be free, specific, informed, unambiguous and given through a clear affirmative action. Data fiduciaries should avoid bundling consent, i.e., seeking consent for necessary processing together with consent for purposes that are not strictly necessary.
Language of Notice: Data principals should be given the option to access the privacy notice in English or any language specified in the Eighth Schedule to India’s Constitution.
Withdrawal of Consent: Data principals must be able to withdraw consent with similar ease to giving it.
Data Security: Data fiduciaries should implement appropriate technical and organisational safeguards to protect personal data, including measures to prevent data breaches.
Engaging Data Processors: Data fiduciaries can engage data processors only under a valid contract. Data fiduciaries remain responsible for complying with the provisions of the Act in respect of any processing undertaken on their behalf by processors.
Consent for Minors: Data fiduciaries should obtain verifiable consent from a parent or guardian before processing personal data of children or individuals with disabilities.
Record-Keeping: Data fiduciaries should be prepared to provide data principals with records of processing activities and details of data recipients upon request.
If your organisation already complies with Regulation (EU) 2016/679 (the “EU GDPR”) or other data protection regulations, you may be well-positioned to transition to compliance with the Act.
However, there are critical differences to consider, particularly regarding the definition of personal data under the Act, and, more significantly, the narrower bases for processing under the Act as compared to the EU GDPR. Specifically, businesses should carefully assess the applicability of any legitimate uses specified in the Act, before relying on them as bases for personal data processing.
In this context, it is also worth bearing in mind that the Act proposes significant penalties for breaches. With that said, even with the Rules pending and limited official guidance, conducting a fresh compliance review is advisable, especially for businesses processing data across multiple jurisdictions.
Companies should carefully evaluate data types, specified processing purposes, and legal bases for processing activities to ensure alignment with the Act. Conducting a gap analysis would be particularly helpful to identify compliance gaps, enabling prompt remediation.
It is also advisable to ensure that there is an overarching data protection compliance strategy to enable alignment of compliance between various applicable jurisdictions.
About the authors: Siddhartha George is a Partner (Corporate Advisory) and Harini Sudersan is a Partner (Data Protection) at Poovayya & Co.