This article has been written by Devesh Sharma, a final-year law student at UPES, Dehradun.
Abstract
This article examines the Digital Personal Data Protection (DPDP) Act, 2023, India’s first comprehensive law on personal data protection, passed after years of debate. It asks whether that long discussion period produced a well-balanced law, one that protects individuals’ privacy without placing an undue burden on businesses. It outlines the Act’s main features, including user rights, data fiduciary obligations and exemptions, and compares them with earlier versions of the bill to assess whether the current law meets its goals. Key aspects of the DPDP Act include data protection rights for individuals, responsibilities for data-handling entities, and exceptions for certain activities, such as national security. The article highlights best practices for corporate compliance, including data audits, privacy policies, security measures and grievance mechanisms. It also explores the term “data fiduciary” and considers how Indian courts may read it as a trust-based responsibility, potentially leading to civil or criminal liability for data misuse. The article concludes that while the DPDP Act lays a solid foundation, the effectiveness of data privacy protection will largely depend on future government action and regulatory developments.
Introduction
This article examines the changing scope of corporate liability under the Digital Personal Data Protection Act, 2023.[1] The Act is India’s first comprehensive, cross-sectoral law for protecting personal data and was passed after more than five years of discussion.[2]
The main question this article explores is whether the long period of debate led to a “good” law—one that effectively protects personal data. It also considers whether the law achieves a fair balance between “the right of individuals to protect their personal data” and “the need to process this data for legitimate purposes,” as stated in the law’s preamble.
The article begins by outlining the main aspects of the law, then compares these features to earlier versions, particularly focusing on the previous official bill that the government presented in Parliament in 2019. This analysis helps address whether the law meets its intended goals.[3]
In the second part, the article analyses the DPDP Act from two angles: it first identifies some potentially concerning aspects of the law and their impact on consumers, businesses and the Indian state, and then places the law within the broader developments and discussions of the past five years. The third part considers the main factors likely to shape data protection regulation in India over the coming years.
The 2023 Act is the second version of the bill to be introduced in Parliament and the fourth version overall. The process began in 2018, when a committee of experts prepared an initial draft and released it for public comment. In 2019, the government introduced its own version in Parliament, the Personal Data Protection Bill, 2019. That bill was referred to a Joint Parliamentary Committee, which released its report in December 2021.[4]
Before these four drafts, India’s Supreme Court delivered a landmark judgment in 2017 in Justice K.S. Puttaswamy and Anr. v. Union of India and Ors.[5] The ruling held that the right to privacy is a fundamental right protected under Article 21 (the right to life and personal liberty) and that it includes informational privacy. However, the judgment did not define the exact scope of informational privacy or specify how that right should be protected in legislation.
In December 2019, the government introduced the Personal Data Protection Bill, 2019 in Parliament, aimed at establishing broad, economy-wide rules for data protection across sectors. The bill proposed a Data Protection Authority (DPA) with significant oversight powers to enforce these rules. It set up a preventive framework[6] that imposed several requirements on companies handling personal data: notifying individuals and obtaining their consent before collecting data; ensuring that data is accurate, securely stored and used only for the specified purposes; and deleting data once it is no longer needed. Individuals were given rights to access, erase or transfer their data. The bill also required companies to maintain security measures, follow transparency rules and adopt “privacy by design” principles. To help manage consent, it introduced “consent managers”, intermediaries who would facilitate consent on behalf of individuals.[7]
Key features of DPDP Act, 2023
Applicability to Non-residents – The DPDP Act applies to the processing of digital personal data within India and to businesses that collect such data. It also applies to processing carried out outside India where that processing is connected with offering goods or services to individuals within India.[8] Protection turns on the individual being in India, not on citizenship: a U.S. citizen living in India and receiving digital services from a foreign provider would therefore also be covered.
Rights of Users/Consumers of Data-Related Products and Services – The DPDP Act establishes specific rights and duties for individuals, whom it calls data principals.[9] A data principal has the right to obtain a summary of the personal data being processed about them, together with the identities of all other data fiduciaries and data processors with whom that data has been shared and a description of what was shared. Individuals can also request correction, updating, completion or erasure of their data. They are entitled to grievance redress and may nominate another person to exercise these rights on their behalf.
Obligations on Data Fiduciaries – Under the DPDP Act, the entities that determine the purpose and means of processing digital personal data, called data fiduciaries, have specific duties. These include (a) implementing reasonable security safeguards to prevent a personal data breach; (b) keeping personal data complete, accurate and consistent where it is used to make decisions affecting the individual or is shared with another fiduciary; (c) notifying the Data Protection Board of India (DPB) and each affected data principal in the event of a personal data breach; (d) erasing data when consent is withdrawn or when the purpose of collection is fulfilled; (e) appointing a data protection officer and establishing a grievance redress mechanism; and (f) obtaining verifiable consent from a parent or lawful guardian before processing the data of a child, defined as an individual under 18. The law also forbids any processing likely to have a detrimental effect on a child, and specifically bars tracking, behavioural monitoring and targeted advertising directed at children.[10]
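Most of obligations (a) to (f) are organisational, but purpose limitation, consent withdrawal, erasure and the children’s-data prohibitions are rules a system can enforce at the point of use. The Python below is an added illustration written for this page, not code from the article and not text of the Act. The purpose names, the record layout, the “erase once no consented purpose remains” rule, and the constructed sample data principals are this example’s own assumptions; it shows how a data store can refuse processing that consent does not cover, strip purposes a guardian cannot lawfully consent to for a child, record recipients so an access request can be answered, and erase when consent is withdrawn or the purpose is fulfilled.

```python
# Added illustration of the fiduciary obligations listed above; not code from the
# article or text of the Act.  Purpose names, the record layout and the rule
# "erase when no consented purpose remains" are this example's own assumptions.
from dataclasses import dataclass, field
from datetime import date

CHILD_AGE_LIMIT = 18  # the Act defines a "child" as an individual under 18
# processing the Act forbids for children, whatever a guardian has agreed to
CHILD_PROHIBITED_PURPOSES = frozenset({"tracking", "behavioural_monitoring", "targeted_ads"})


class ProcessingDenied(Exception):
    """The requested operation has no basis in the consent on record."""


def age_on(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


@dataclass
class PrincipalRecord:
    principal_id: str
    date_of_birth: date
    data: dict
    consented_purposes: set[str]
    guardian_consent: bool = False  # required when the principal is a child
    shared_with: list[str] = field(default_factory=list)  # processors that received the data


class DataFiduciary:
    def __init__(self) -> None:
        self._records: dict[str, PrincipalRecord] = {}
        self.audit_log: list[tuple] = []  # evidence for a data audit

    def collect(self, rec: PrincipalRecord, today: date) -> None:
        if age_on(rec.date_of_birth, today) < CHILD_AGE_LIMIT:
            if not rec.guardian_consent:
                raise ProcessingDenied("child data needs verifiable parent/guardian consent")
            rec.consented_purposes -= CHILD_PROHIBITED_PURPOSES  # a guardian cannot consent to these
        self._records[rec.principal_id] = rec
        self.audit_log.append(("collect", rec.principal_id, sorted(rec.consented_purposes)))

    def _live(self, principal_id: str) -> PrincipalRecord:
        rec = self._records.get(principal_id)
        if rec is None:
            raise ProcessingDenied(f"no retained data for {principal_id}")
        return rec

    def process(self, principal_id: str, purpose: str, today: date, processor: str = "") -> dict:
        rec = self._live(principal_id)
        if purpose not in rec.consented_purposes:
            raise ProcessingDenied(f"purpose {purpose!r} not covered by consent")
        if purpose in CHILD_PROHIBITED_PURPOSES and age_on(rec.date_of_birth, today) < CHILD_AGE_LIMIT:
            raise ProcessingDenied(f"purpose {purpose!r} is prohibited for children")  # defence in depth
        if processor and processor not in rec.shared_with:
            rec.shared_with.append(processor)  # kept so an access request can list recipients
        self.audit_log.append(("process", principal_id, purpose, processor))
        return dict(rec.data)

    def summary(self, principal_id: str) -> dict:  # answers a data principal's access request
        rec = self._live(principal_id)
        return {"data": dict(rec.data), "purposes": sorted(rec.consented_purposes),
                "shared_with": list(rec.shared_with)}

    def drop_purposes(self, principal_id: str, purposes: set[str], reason: str) -> bool:
        """Consent withdrawn or purpose fulfilled; erase once no consented purpose remains."""
        rec = self._live(principal_id)
        rec.consented_purposes -= purposes
        if rec.consented_purposes:
            return False
        del self._records[principal_id]  # a real system must also purge processors, replicas, backups
        self.audit_log.append(("erase", principal_id, reason))
        return True


def _denied(action) -> bool:
    try:
        action()
    except ProcessingDenied:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: one adult and one child data principal."""
    today, fid, out = date(2024, 6, 1), DataFiduciary(), {}
    fid.collect(PrincipalRecord("adult-1", date(1990, 3, 15), {"email": "a@example.com"},
                                {"order_fulfilment"}), today)
    fid.collect(PrincipalRecord("child-1", date(2012, 9, 30), {"email": "c@example.com"},
                                {"order_fulfilment", "targeted_ads"}, guardian_consent=True), today)
    out["child_without_guardian_denied"] = _denied(lambda: fid.collect(
        PrincipalRecord("child-2", date(2015, 1, 1), {}, {"order_fulfilment"}), today))
    out["adult_order"] = fid.process("adult-1", "order_fulfilment", today, processor="courier-api")
    out["adult_ads_denied"] = _denied(lambda: fid.process("adult-1", "targeted_ads", today))
    out["child_order"] = fid.process("child-1", "order_fulfilment", today)
    out["child_ads_denied"] = _denied(lambda: fid.process("child-1", "targeted_ads", today))
    out["adult_summary"] = fid.summary("adult-1")
    out["adult_erased"] = fid.drop_purposes("adult-1", {"order_fulfilment"}, "consent withdrawn")
    out["child_erased"] = fid.drop_purposes("child-1", {"order_fulfilment"}, "purpose fulfilled")
    return out
```

Two design points matter more than the code itself. First, the child’s guardian “consented” to targeted advertising, yet that purpose is stripped at collection and refused again at processing time, because the prohibition in the Act is not something consent can waive. Second, erasure is tied to the consent record rather than to a separate retention job: the moment no consented purpose remains, the data is gone and the audit log records why, which is the evidence a data audit or a Board inquiry would ask for.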
Exemptions From Obligations Under the Law – The law fully exempts certain purposes and entities from its scope[11], including:
- National Interests: Data processing related to India’s sovereignty, state security, relations with other countries, public order, or preventing certain offenses, allowing investigative and security agencies to operate outside this law’s reach.
- Research and Archiving: Data processing for research, archiving, or statistics is exempt if it doesn’t involve decisions specifically affecting individuals.
- Government-Designated Exemptions: The government can exempt specific types of data fiduciaries, like startups, from requirements such as providing notice, ensuring data accuracy, and erasing data.
Additionally, the government holds a significant discretionary power: it may, within five years from the Act’s commencement, exempt any data fiduciary or class of data fiduciaries from specific provisions for a specified time. However, this authority lacks guidelines on the criteria, scope, or duration for such exemptions.
Responsibilities of Corporate Bodies
Ensuring compliance with the DPDP Act may seem challenging, but a structured approach combined with an understanding of the law’s key principles can simplify the process. For businesses of all sizes, adopting specific best practices can help meet legal requirements and promote a culture of data protection.
A vital first step is a thorough data audit: an inventory of what personal data the organisation holds, whether customer details, employee information or third-party data, where it is stored, who can access it, and for what purpose it was collected. Data discovery and DLP tools (the source singles out Endpoint Protector) can help by scanning data stores and endpoints, classifying data by sensitivity and logging transfers in and out. The audit is only as good as the inventory it produces, however: personal data that goes unaccounted for cannot be protected, erased on request, or included in a breach notification.
Another essential measure is appointing a Data Protection Officer (DPO). This dedicated role ensures a consistent focus on data protection within the organization. Depending on the company’s size, this could mean hiring an internal DPO or contracting the role externally. The DPO should be knowledgeable about data protection laws and experienced in handling data compliance issues, making them a central figure in maintaining the organization’s adherence to regulations.
Updating privacy policies and user agreements is also crucial. Transparency is a cornerstone of the DPDP Act, and stakeholders—especially users—need clear information on how their data is used. Revising these documents to align with legal requirements, using accessible language, and outlining users’ rights help build trust and ensure compliance.
Implementing strong security measures is non-negotiable, since the Act requires data fiduciaries to maintain reasonable security safeguards against personal data breaches and to notify the Board and affected individuals when a breach occurs. A Data Loss Prevention (DLP) strategy is one component of this. DLP technology, such as Endpoint Protector, monitors, detects and blocks the transmission of sensitive data from endpoints, with real-time alerts on unauthorised transfers and reports that can be used to target employee training. DLP does not by itself satisfy the obligation: it should sit alongside access control, encryption of data at rest and in transit, logging, periodic vulnerability assessments, and an incident-response process capable of identifying affected individuals quickly enough to meet the breach-notification duty.
Setting up a grievance redressal mechanism is another important compliance step. Quickly addressing user concerns about data use demonstrates responsibility and builds trust. Organizations should establish a clear process for managing grievances, designating specific teams or individuals to resolve issues, and promptly communicating solutions to users.
Finally, staying up to date and training your teams is essential in a constantly evolving data landscape. Regularly reviewing the rules and notifications issued under the Act in the official gazette, and conducting periodic training sessions, keeps staff informed of the latest requirements and best practices.
Overall, compliance with the DPDP Act involves more than meeting legal requirements; it’s about cultivating a workplace culture that respects and prioritizes data privacy. By following these practices, businesses can not only avoid penalties but also strengthen trust and foster lasting relationships with their stakeholders.
Trust and accountability in data protection
Under the GDPR, data controllers may process personal data on the basis of their “legitimate interests” after a balancing test, so a controller’s commercial interests can in some cases prevail over the preferences of data subjects. This sits uneasily with the trust expected in a fiduciary relationship. In India, the term “data fiduciary” suggests that data handlers carry a responsibility akin to trust, possibly beyond what the Digital Personal Data Protection (DPDP) Act itself spells out. Indian courts may read this fiduciary role as carrying a higher standard of accountability, treating “trust” as a binding equitable obligation of data fiduciaries.
For example, the case of Dhanraj Sharma, involving companies such as Gametion Technologies (the developer of Ludo King), Facebook and Google, implies that Indian data protection law envisions these companies as “trustees” of personal information. Should that trust be breached, courts might extend the principles of fiduciary duty from traditional law to cases of data misuse, although the specific implications of such a trust-based relationship under data law remain to be clarified.
The Data Protection Board of India, enforcement agencies, or even constitutional courts could interpret the role of data fiduciaries as carrying a fiduciary obligation to data subjects. This interpretation may lead to either civil or criminal consequences for data mismanagement or non-compliance with the DPDP Act’s requirements. Civil liability could include financial damages, reflecting the fiduciary breach’s impact on the affected individual. The DPDP Act, though outlining the Board’s powers, doesn’t specifically address fiduciary breaches by corporate officers or data protection officers.
While the Act restricts civil courts from addressing matters under the Data Protection Board’s jurisdiction, it does not eliminate all forms of civil liability. Courts may still grant damages or other remedies if they determine a breach of fiduciary duty has occurred, even if the case falls outside the Board’s authority. These issues might also be addressed by other regulatory bodies, such as consumer forums, which could be appropriate venues for certain types of claims.
Criminal liability could also arise where data is misused dishonestly. Under Section 405 of the Indian Penal Code, now Section 316 of the Bharatiya Nyaya Sanhita, 2023, a “criminal breach of trust” occurs when a person entrusted with property, or with dominion over it, dishonestly misappropriates or converts it, or uses or disposes of it in violation of a legal direction or contract. Applying these provisions to a data fiduciary depends on treating personal data in its hands as “property” entrusted to it, a question the provisions themselves do not answer; where that threshold is met, they could apply alongside the remedies under the DPDP Act.
The DPDP Act operates within India’s broader legal system, so severe violations of data fiduciary responsibilities can attract both civil and criminal responses rather than only the Board’s penalties.
Conclusion
The DPDP Act represents the culmination of more than five years of discussion and deliberation, introducing India’s first statutory framework for personal data protection. Yet, this law marks only the beginning; how data privacy evolves will largely depend on future regulatory developments and the institutional structures established over the coming years. While the Act provides a foundational framework, it alone may not be enough to ensure robust data privacy.
There is an ongoing debate about whether previous versions of the bill might have offered stronger privacy safeguards. Still, the evolution of the Act’s contents reflects a shift in the government’s approach to privacy protection. Notably, the current version imposes fewer financial burdens on Indian businesses compared to earlier drafts, which is a positive development.
The DPDP Act takes a balanced, practical approach, which is welcome. However, in some areas, its modesty may come at the cost of privacy interests. Significant discretionary power on critical matters rests with the central government, meaning the extent to which privacy is protected will largely depend on the government’s commitment to upholding these protections.
[1] The Digital Personal Data Protection Act, 2023 (No. 22 of 2023), Gazette of India, August 11, 2023, https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
[2] Starting with the Supreme Court’s judgment declaring privacy to be a fundamental right in Justice K.S. Puttaswamy and Anr. v. Union of India and Ors., (2017) 10 SCC 1.
[3] The Personal Data Protection Bill, 2019 (Bill No. 373 of 2019), accessed December 16, 2019, http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf.
[4] “Report of the Joint Committee on the Personal Data Protection Bill, 2019,” 17th Lok Sabha Secretariat, December 16, 2021, https://eparlib.nic.in/bitstream/123456789/835465/1/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf.
[5] Justice K.S. Puttaswamy and Anr. v. Union of India and Ors., (2017) 10 SCC 1.
[6] Anirudh Burman, “Will India’s Proposed Data Protection Law Protect Privacy and Promote Growth?,” Carnegie India, March 9, 2020, https://carnegieindia.org/2020/03/09/will-india-s-proposed-data-protection-law-protect-privacy-and-promote-growth-pub-81217.
[7] Ibid
[8] The Digital Personal Data Protection Bill, 2022. Section 3.
[9] ibid., Sections 11–14
[10] Ibid., Sections 8 and 9
[11] Ibid., Section 17(2)