On August 9, India’s Digital Personal Data Protection Bill, 2023 (“DPDP Bill”) passed both houses of the Indian Parliament and now awaits Presidential assent. In 2017, India’s Supreme Court held (in the Puttaswamy judgment) that privacy is a fundamental right under the Indian Constitution. Since then, India has been working to pass comprehensive data protection legislation, and the DPDP Bill is the fifth draft to emerge from that effort.
The DPDP Bill applies to the processing of digital personal data within India, where the personal data is either (i) collected in digital form; or (ii) collected in a non-digitized format and subsequently digitized. It also reaches processing outside India where that processing is in connection with offering goods or services to data principals in India. Personal data is defined as any data about an individual who is identifiable by or in relation to such data.
Some of the key elements of the DPDP Bill include:
- Legal basis: Digital personal data may only be processed with the consent of the data subject (called the data principal). Companies will likely need to obtain new consent, even if they previously obtained consent from the data principal. Companies will be required to cease processing of the digital personal data within a reasonable time frame if consent is withdrawn. In certain circumstances, a data controller (called the data fiduciary) may rely on “legitimate use” instead of consent as an appropriate legal basis for processing, including when data: (i) has been provided by an individual voluntarily; or (ii) relates to a government benefit or service; a medical emergency; or employment.
- Data transfers: The DPDP Bill allows transfer of personal data outside India, except to countries restricted by the Indian government. The government has not yet provided a list of restricted countries.
- Data Breaches: The DPDP Bill requires mandatory reporting of personal data breaches to impacted data principals and to the Data Protection Board of India. The DPDP Bill defines ‘personal data breach’ to mean any unauthorized processing, disclosure, use, alteration, or loss of personal data that compromises the confidentiality, integrity, or availability of the data. The obligation to report under the DPDP Bill does not alter existing obligations to report under the CERT-In cyber incident reporting directions issued in April 2022, which already require covered incidents to be reported to CERT-In within six hours of noticing them, so incident response plans will need to satisfy both regimes.
- Data Principal Rights: Individuals are granted certain rights under the DPDP Bill, including the: (i) right to access; (ii) right to request correction or deletion; (iii) right to register grievances with the data fiduciary; and (iv) right to nominate another individual to exercise rights on their behalf.
- Significant Data Fiduciaries: Under the DPDP Bill, the Central Government may designate an organization as a ‘significant data fiduciary’ based on factors including the volume of personal data processed, the nature and sensitivity of such data, and the risk to the rights of the data principal. If an organization receives this designation, it will need to comply with additional requirements, including appointing a Data Protection Officer based in India, appointing an independent data auditor, and conducting periodic data protection impact assessments.
- Children’s Data: The DPDP Bill requires verifiable parental consent for any processing of data of children under 18 years old. Certain processing of children’s data is generally prohibited, even with consent, including processing that is likely to harm a child, tracking, behavior monitoring, and targeted advertising.
The penalties for noncompliance include significant fines. The highest caps are Rs 250 crore (roughly $30 million) for failing to take reasonable security safeguards to prevent a personal data breach, and Rs 200 crore (roughly $24 million) for failing to notify a breach or for breaching the obligations relating to children’s data; lower caps apply to other violations. When setting an amount, the Data Protection Board must consider factors including the nature, gravity, and duration of the violation, the type of personal data affected, and whether the violation is repetitive, so the top of the range is reserved for serious or repeat failures.
The DPDP Bill also authorizes the creation of an independent body whose key functions will include: (i) monitoring compliance with the DPDP Bill; (ii) imposing penalties; (iii) providing directions for remediating or mitigating data breaches; (iv) inquiring into data breaches; and (v) hearing grievances.
Key Takeaways
The DPDP Bill does not include specific timelines for compliance, but does clarify that it will only apply prospectively. Businesses offering goods and services to individuals in India should take action to prepare for the potential new law, including assessing their data flows out of India, identifying the legal basis for the collection and processing of personal data, and reviewing key policies, procedures, and vendor and data processing agreements. If you have any questions, or if you need help evaluating the applicability of the DPDP Bill to your organization, reach out to any of the Baker McKenzie attorneys listed below or your regular Baker McKenzie contact.
Co-authored by Manisha Reddy and Rachel Ehlers.