I. Introduction
India has recently enacted its first comprehensive data protection legislation. The Digital Personal Data Protection Act, 2023 received Presidential assent on August 11, 2023, following years of legislative drafting, public consultation, and Parliamentary debate. The Act establishes a framework for the collection, storage, processing, and transfer of personal data of individuals in India, creates a new category of statutory obligation for organisations that handle such data, and constitutes a Data Protection Board of India as the regulatory authority responsible for enforcement.
The Act is, as of this writing, not yet in force. The Central Government has the power under Section 1(2) to appoint the date on which the Act comes into force by notification, and different provisions may be brought into force on different dates. The rules under the Act, which will provide the operational detail necessary for compliance, including the form and manner of consent notices, the security safeguards required of data fiduciaries, the breach notification timelines, and the criteria for designation of significant data fiduciaries, have not yet been notified. Organisations that process personal data of Indian residents should treat the period before the rules are notified and the Act is brought into force as a window for understanding their obligations and preparing their internal processes, rather than as a period in which data protection compliance can be deferred indefinitely.
This article provides an introduction to the Act's principal concepts and obligations. It examines who the Act applies to, the central distinction between data fiduciaries and data processors, the consent framework, the rights conferred on individuals, the obligations of significant data fiduciaries, the penalty framework, and the cross-border transfer regime. Where the Act leaves detail to the rules, this article notes what has been left open and what the rules are expected to address.
II. Scope and Applicability
Section 3 provides that the Act applies to the processing of digital personal data within India, whether the data is collected in digital form or collected in non-digital form and digitised subsequently, and to the processing of digital personal data outside India if such processing is in connection with any activity related to offering goods or services to data principals within India. The territorial reach of the Act therefore extends to foreign organisations that serve Indian users, a significant expansion of regulatory scope compared to the existing framework under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules). Section 44(3) of the Act omits Section 43A of the Information Technology Act, 2000, the provision under which the SPDI Rules were framed, once that section of the Act is brought into force, so the two regimes are not intended to run in parallel indefinitely.
"Personal data" is defined in Section 2(t) as any data about an individual who is identifiable by or in relation to such data. The definition is intentionally broad, and the Act does not create a separate category of sensitive personal data with heightened protections, departing from the approach taken in the SPDI Rules. Heightened obligations operate instead through other mechanisms: Section 9 imposes additional conditions, including verifiable parental or guardian consent, on processing the personal data of children and of persons with disabilities who have lawful guardians, and Section 10 allows the Central Government to designate significant data fiduciaries having regard, among other factors, to the volume and sensitivity of the personal data they process. Sensitivity therefore remains relevant to which obligations attach, but it operates at the level of the fiduciary rather than the data element.
Under Section 3(c), the Act does not apply to personal data processed by an individual for any personal or domestic purpose, or to personal data that is made or caused to be made publicly available by the data principal themselves, or by any other person who is under an obligation under Indian law to make it publicly available. Separately, Section 17(1) exempts processing in the interest of prevention, detection, investigation or prosecution of any offence or contravention of law from most of the Act's obligations, although the duty to take reasonable security safeguards under Section 8(5) continues to apply to such processing. The publicly available data exclusion will require careful interpretation in practice: data that a person has shared on a social media platform may have been made publicly available in a limited sense, but whether it falls within the exclusion will depend on the circumstances, including the platform's visibility settings and the intentions of the data principal at the time of sharing.
III. Data Fiduciaries and Data Processors
The Act organises data protection obligations around two principal categories of actor. A data fiduciary is any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. A data processor is any person who processes personal data on behalf of a data fiduciary. The distinction maps broadly onto the controller and processor distinction in comparable international frameworks.
The significance of the distinction is that the Act's compliance obligations fall on the data fiduciary. Under Section 8(1), the data fiduciary is responsible for complying with the Act in respect of any processing undertaken by it or on its behalf by a data processor, irrespective of any agreement to the contrary. It must take reasonable security safeguards to prevent a personal data breach (Section 8(5)), notify the Data Protection Board and each affected data principal in the event of a breach (Section 8(6)), and erase personal data, and cause its processors to erase it, once the data principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, unless retention is required by law (Section 8(7)). A data processor processes data only on behalf of the fiduciary, and Section 8(2) permits a fiduciary to engage a processor only under a valid contract. The Act does not impose direct statutory obligations on data processors: the security safeguard duty in Section 8(5) is framed as the fiduciary's duty and expressly extends to processing undertaken on its behalf by a processor, so it is the fiduciary, not the processor, that answers to the Board for a processor's security failure. Fiduciaries should therefore flow the security, breach reporting and erasure requirements down to their processors contractually and retain the right to verify that they are met.
For organisations that both receive personal data from other entities and process their own personal data, the question of whether they are acting as a fiduciary or a processor in a given context will require careful analysis. A cloud service provider that stores data on behalf of a client is a processor in relation to that data. The same provider, when it processes data about its own employees or its own customers, is a fiduciary in relation to that data. Many organisations will occupy both roles simultaneously in relation to different datasets, and their compliance programmes must reflect this.
IV. The Consent Framework
The primary lawful basis for processing personal data under the Act is consent. Section 4(1) provides that a person may process personal data only for a lawful purpose for which the data principal has given consent, or for one of the legitimate uses listed in Section 7, and Section 4(2) defines a lawful purpose as any purpose not expressly forbidden by law. Section 6(1) sets the conditions for consent: it must be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, signify agreement to processing for the specified purpose, and be limited to such personal data as is necessary for that purpose. The illustration to Section 6(1) makes the consequence for bundling explicit: where a fiduciary seeks consent for a specified purpose together with access to data that is not necessary for that purpose, the consent is limited to the data needed for the specified purpose, and Section 6(2) invalidates any part of a consent that infringes the Act to that extent. This is a significant provision for organisations whose current consent mechanisms obtain omnibus consent for a range of processing activities in a single click-through.
Before or at the time of seeking consent, the data fiduciary must under Section 5(1) give the data principal a notice in clear and plain language specifying the personal data sought to be collected and the purpose of processing, the manner in which the data principal may withdraw consent and seek grievance redressal, and the manner in which a complaint may be made to the Data Protection Board. Section 5(2) extends the notice requirement to consent obtained before the Act commences: such fiduciaries must provide the same notice as soon as reasonably practicable and may continue processing until the data principal withdraws consent. The form and manner of the notice will be prescribed by the rules, which are awaited, but organisations should begin reviewing their current privacy notices and consent mechanisms against the requirements of Section 5 to assess the changes that will be required, including for their existing user base.
The Act also permits processing without consent for the "certain legitimate uses" listed in Section 7. The 2022 draft had labelled these "deemed consent"; the enacted Act dropped that term. The legitimate uses include processing for a specified purpose for which the data principal voluntarily provided the personal data and has not indicated that they do not consent to its use; provision by the State of subsidies, benefits, services, certificates, licences or permits; performance of any function of the State under law or in the interest of the sovereignty, integrity or security of the State; compliance with a judgment, decree or order; responding to a medical emergency involving a threat to life or health; measures during an epidemic or other threat to public health; safety measures during a disaster or breakdown of public order; and purposes related to employment, including safeguarding the employer from loss or liability. There is no general "public interest" or "legitimate interests" ground of the kind found in some other frameworks. The legitimate uses are intended to provide a lawful basis where obtaining individual consent is impractical, but the scope of several of them, particularly the voluntary provision ground, will need to be tested in practice before they can be relied upon with confidence.
Where consent is the basis of processing, the data principal has the right under Section 6(4) to withdraw it at any time, and the ease of doing so must be comparable to the ease with which the consent was given. Withdrawal does not affect the lawfulness of processing carried out before it, and the consequences of withdrawal are borne by the data principal (Section 6(5)). Upon withdrawal, Section 6(6) requires the fiduciary, within a reasonable time, to cease and to cause its data processors to cease processing the personal data, unless processing without consent is required or authorised under law. The comparable-ease requirement has direct implications for the design of consent management systems: withdrawal cannot be routed through a support ticket or a multi-step flow if consent was given with a single click, and the processors to whom the data was disclosed must be reachable by the withdrawal signal.
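The following is an added example, not code from the article or from any regulator, of how the consent requirements described in this section translate into a consent management system: consent is stored per specified purpose rather than as one omnibus grant, each grant records the notice shown and the affirmative action taken, withdrawal is a single call per purpose, and every processing operation is gated on the consent state at the time it runs, so processing before withdrawal remains lawful while new processing after it is refused unless required by law. The purpose names, the field names, the `required_by_law` flag and the scenario in `demo()` are illustrative assumptions, not statutory terms.

```python
"""Purpose-scoped consent ledger with withdrawal and a processing gate.

Added example, not code from the article or from any regulator. It models the
design constraints Sections 5, 6(1), 6(4) and 6(6) of the DPDP Act place on a
consent management system. Purpose names, field names and the `required_by_law`
flag are illustrative assumptions, not statutory terms.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool                             # True = consent given, False = withdrawn
    at: datetime
    notice_id: Optional[str] = None           # Section 5 notice shown when consent was given
    affirmative_action: Optional[str] = None  # e.g. "checkbox_ticked"; None on withdrawal


@dataclass
class ConsentLedger:
    # principal id -> append-only, chronologically ordered event list
    # (the audit trail a data auditor or the Board would ask for)
    _events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def _append(self, principal: str, event: ConsentEvent) -> None:
        self._events.setdefault(principal, []).append(event)

    def record_consent(self, principal: str, purposes: List[str], notice_id: str,
                       affirmative_action: Optional[str], at: datetime) -> None:
        """Record one grant per specified purpose.

        Refuses implied or pre-ticked consent: Section 6(1) requires a clear
        affirmative action, so the caller must name the action actually taken.
        Purposes not listed here are simply never consented to, which is how the
        ledger stops an unrelated purpose riding on a bundled grant.
        """
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action by the data principal")
        for purpose in purposes:
            self._append(principal, ConsentEvent(purpose, True, at, notice_id, affirmative_action))

    def withdraw(self, principal: str, purposes: List[str], at: datetime) -> None:
        """Withdraw consent for one or more purposes in a single call (comparable ease, Section 6(4))."""
        for purpose in purposes:
            self._append(principal, ConsentEvent(purpose, False, at))

    def consent_active(self, principal: str, purpose: str, at: datetime) -> bool:
        """True if the most recent event for this purpose on or before `at` is a grant."""
        latest = None
        for event in self._events.get(principal, []):
            if event.purpose == purpose and event.at <= at:
                latest = event  # list is chronological, so the last match wins
        return latest is not None and latest.granted

    def may_process(self, principal: str, purpose: str, at: datetime,
                    required_by_law: bool = False) -> Tuple[bool, str]:
        """Gate every processing operation on the consent state at the time it runs.

        Processing that ran while consent was active stays lawful after a later
        withdrawal (Section 6(5)); new processing after withdrawal is refused
        unless required or authorised under law (the Section 6(6) carve-out).
        """
        if required_by_law:
            return True, "processing required or authorised under law"
        if self.consent_active(principal, purpose, at):
            return True, f"active consent for purpose {purpose!r}"
        return False, f"no active consent for purpose {purpose!r}"


def demo() -> Dict[str, object]:
    """Constructed scenario: one principal, two purposes, one later withdrawal."""
    ledger = ConsentLedger()
    t_consent = datetime(2023, 9, 1, 10, 0, tzinfo=timezone.utc)
    t_between = datetime(2023, 9, 15, 10, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2023, 10, 1, 10, 0, tzinfo=timezone.utc)
    t_after = datetime(2023, 10, 2, 10, 0, tzinfo=timezone.utc)

    ledger.record_consent("principal-1", ["order_fulfilment", "marketing"],
                          notice_id="notice-v1", affirmative_action="checkbox_ticked", at=t_consent)
    ledger.withdraw("principal-1", ["marketing"], at=t_withdraw)

    try:  # a pre-ticked box yields no affirmative action and must be rejected
        ledger.record_consent("principal-2", ["marketing"], "notice-v1", None, t_consent)
        implied_rejected = False
    except ValueError:
        implied_rejected = True

    return {
        "marketing_before_withdrawal": ledger.may_process("principal-1", "marketing", t_between)[0],
        "marketing_after_withdrawal": ledger.may_process("principal-1", "marketing", t_after)[0],
        "fulfilment_after_withdrawal": ledger.may_process("principal-1", "order_fulfilment", t_after)[0],
        "unconsented_purpose": ledger.may_process("principal-1", "analytics", t_after)[0],
        "legal_carve_out": ledger.may_process("principal-1", "marketing", t_after, required_by_law=True)[0],
        "implied_consent_rejected": implied_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ledger is deliberately append-only: a withdrawal is a new event rather than a deletion of the grant, so the record of what was consented to, under which notice, and when it was withdrawn survives for the audit and impact assessment obligations discussed below. In a production system the same gate would sit in front of every processor the data is shared with, since Section 6(6) requires the fiduciary to cause its processors to cease processing as well.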
V. Rights of Data Principals
The Act confers a set of rights on data principals that data fiduciaries must be able to facilitate. These rights are set out in Sections 11 to 14 and represent a significant expansion of individual rights compared to the existing framework under the SPDI Rules.
Section 11 provides the right to access information, being the right to obtain from the data fiduciary a summary of the personal data being processed and the processing activities undertaken, together with the identities of the other data fiduciaries and data processors with whom the personal data has been shared and a description of the data shared. Section 12 provides the right to correction, completion, updating and erasure, being the right to have inaccurate or incomplete personal data corrected, completed or updated, and to have personal data erased unless retention is necessary for the specified purpose or for compliance with law. Section 13 provides the right of grievance redressal, being the right to have grievances addressed by the fiduciary within a time period to be prescribed, and a data principal must exhaust this route before approaching the Board. Section 14 provides the right to nominate, being the right to nominate an individual who may exercise the data principal's rights in the event of the data principal's death or incapacity. This last right is uncommon among comparable frameworks and reflects a broader approach to the succession of rights.
Data fiduciaries will need to establish mechanisms for receiving and responding to these requests within the timelines that will be prescribed by the rules. The operational infrastructure required to handle access requests, correction requests, and erasure requests at scale is non-trivial, and organisations should begin assessing their current data mapping and access management capabilities against the likely requirements.
VI. Significant Data Fiduciaries
Section 10 of the Act empowers the Central Government to notify any data fiduciary or class of data fiduciaries as a significant data fiduciary, having regard to the volume and sensitivity of personal data processed, the risk to the rights of data principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order. Significant data fiduciaries are subject to a set of additional obligations that go beyond those imposed on ordinary data fiduciaries.
A significant data fiduciary must appoint a Data Protection Officer who is based in India, is responsible to its board of directors or similar governing body, and serves as the point of contact for grievance redressal. It must appoint an independent data auditor to evaluate its compliance, and it must undertake periodic data protection impact assessments and periodic audits. The specific obligations of significant data fiduciaries, including the manner and frequency of audits and the scope of impact assessments, will be detailed in the rules. The designation of which entities will be notified as significant data fiduciaries has not yet been made and will likely follow the notification of the rules. Organisations that process large volumes of sensitive personal data, that operate significant digital platforms with a large user base in India, or that process data that could have national security implications should expect to be considered for designation and should prepare accordingly.
VII. Personal Data Breaches and the Notification Obligation
Section 8(6) of the Act requires every data fiduciary, in the event of a personal data breach, to give intimation of the breach to the Data Protection Board of India and to each affected data principal in such form and manner as may be prescribed. The Act does not specify a notification window in its body, departing from the practice in several comparable jurisdictions of prescribing a specific number of hours or days within which notification must be given. The rules are expected to prescribe a timeline; international practice suggests a window in the range of twenty-four to seventy-two hours from the time the fiduciary becomes aware of the breach, but until the rules are notified this remains an expectation rather than a requirement, and organisations should design their incident response to be capable of meeting the shorter end of that range.
The definition of "personal data breach" in Section 2(u) is broad: any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises its confidentiality, integrity or availability. A ransomware incident that encrypts data without exfiltrating it is therefore a breach, as is an internal misuse of access. The obligation to notify each affected data principal is operationally demanding, particularly for large organisations with millions of users. The Act does not provide a risk or materiality threshold below which individual notification is not required, though the rules may introduce one. Organisations should begin building the internal incident response and notification infrastructure necessary to comply with this obligation, including maintaining up-to-date contact information for data principals, keeping data inventories that allow the affected population to be identified quickly, and establishing protocols for assessing whether an incident falls within the Section 2(u) definition.
VIII. Cross-Border Data Transfers
Section 16(1) of the Act empowers the Central Government to restrict, by notification, the transfer of personal data by a data fiduciary to such countries or territories outside India as it may notify. The framework is therefore a negative list: transfer is permitted to any country or territory that has not been notified as restricted, and the Act does not require a transfer mechanism such as standard contractual clauses or binding corporate rules of the kind found in comparable international frameworks. Two caveats apply. First, the general obligations of the Act, including consent and security safeguards, continue to govern the transferred data. Second, Section 16(2) preserves any other Indian law that provides a higher degree of protection for, or restriction on, transfer of personal data, so sector-specific localisation requirements such as those imposed by financial regulators remain in force alongside the Act.
This is a significant departure from the draft Personal Data Protection Bill, 2019, which had proposed data localisation requirements for certain categories of sensitive and critical personal data. The Act as enacted takes a more permissive approach to cross-border transfers, relying on country-level restrictions notified by the Central Government rather than instrument-by-instrument transfer assessments. No restricted countries have yet been notified, and until notifications under Section 16 are issued, organisations should proceed on the basis that cross-border transfers are permitted subject to the general consent and security obligations under the Act and to any sectoral restrictions preserved by Section 16(2).
IX. The Penalty Framework
The Act provides for a significant penalty framework in the Schedule. Under Section 33, the Data Protection Board of India may, on concluding an inquiry, impose a monetary penalty on a person whose breach of the Act or the rules it determines to be significant. The penalties are graduated by the nature of the contravention, and the heads in the Schedule correspond to the fiduciary's obligations. Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)) may attract a penalty of up to two hundred fifty crore rupees. Failure to notify the Board and affected data principals of a breach (Section 8(6)) may attract a penalty of up to two hundred crore rupees. Breach of the obligations in relation to children's data (Section 9) may attract a penalty of up to two hundred crore rupees. Breach of the additional obligations of significant data fiduciaries (Section 10) may attract a penalty of up to one hundred fifty crore rupees. Breach of any other provision of the Act or the rules may attract a penalty of up to fifty crore rupees. Data principals are not exempt: breach of the duties imposed on them by Section 15, for instance registering a false or frivolous grievance, may attract a penalty of up to ten thousand rupees.
The penalties are per contravention and are expressed as absolute amounts rather than as a percentage of turnover, which means that a single significant breach could result in a penalty of two hundred fifty crore rupees regardless of the size of the organisation. In determining the amount, Section 33(2) requires the Board to consider the nature, gravity and duration of the breach, the type and nature of the personal data affected, whether the breach is repetitive, any gain or loss avoided as a result of it, the mitigation taken and its timeliness, and the proportionality of the penalty. The Board may also accept a voluntary undertaking from a person at any stage of proceedings under Section 32, which bars further proceedings on that matter unless the undertaking is breached. Penalties are imposed after giving the affected party an opportunity to be heard. Appeals from Board orders lie under Section 29 to the Appellate Tribunal, which the Act designates as the Telecom Disputes Settlement and Appellate Tribunal established under the Telecom Regulatory Authority of India Act, 1997, and onward appeal from the Tribunal is governed by that Act. The detailed procedure for Board proceedings will be prescribed by the rules.
X. What Organisations Should Do Now
The period between the Act's enactment and its entry into force, which may extend into 2024 and beyond depending on when the rules are notified, is an opportunity for preparation rather than inaction. Organisations that process personal data of Indian residents should begin with a data mapping exercise to understand what personal data they hold, for what purposes it is processed, the legal basis on which it is currently collected, and how long it is retained. This exercise is a prerequisite for assessing compliance gaps against the Act's requirements and is a foundational step that will be necessary regardless of when the rules are finalised.
Organisations should also review their existing privacy notices and consent mechanisms against the requirements of Sections 5 and 6 of the Act. Current omnibus consent mechanisms, which obtain a single consent for multiple unrelated processing activities, will need to be redesigned. Organisations with significant digital platforms should begin assessing whether they are likely to be designated as significant data fiduciaries and should prepare for the additional obligations that designation will bring, including the appointment of a Data Protection Officer and the establishment of an audit and impact assessment programme.
Vendor and supplier contracts that involve the processing of personal data on behalf of the organisation should be reviewed to ensure they reflect the data processor obligations under the Act and can accommodate the security, notification, and audit requirements that the rules are expected to prescribe. Organisations that transfer personal data outside India should monitor the Central Government's notifications under Section 16 to ensure that transfers to specific jurisdictions remain permitted as the regulatory framework develops.
XI. Conclusion
The Digital Personal Data Protection Act, 2023 represents a foundational shift in India's approach to data protection. For the first time, the country has a comprehensive statute that establishes individual rights over personal data, imposes obligations on those who process it, creates a dedicated regulatory authority, and provides a significant penalty framework for non-compliance. The Act is directionally aligned with international data protection frameworks, though it differs from them in important respects, including its consent-centric approach, its negative-list transfer framework, and the absence of a general legitimate interests basis for processing.
Much of the operational detail necessary for compliance remains to be filled in by the rules, and the timeline for their notification is not yet known. Organisations should not allow this uncertainty to delay preparation. The framework is clear enough in its principal requirements, the consent obligation, the security safeguard requirement, the breach notification obligation, and the individual rights regime, that meaningful compliance work can begin now. When the rules are notified and the Act is brought into force, organisations that have prepared will be in a significantly better position than those that waited for complete regulatory clarity before acting.
This article is provided for general informational and discussion purposes only and does not constitute legal advice, legal opinion, or a recommendation. It should not be relied upon as a substitute for obtaining professional legal advice in relation to any specific matter. This article has been prepared for publication on the website and other professional platforms and therefore does not follow formal legal citation conventions. The views expressed are personal to the author.