- AT Legal Law Firm
- Blog
- 02/04/2026
The Digital Personal Data Protection Act (DPDPA) and DPDP Rules mark a watershed moment in India’s Data Protection history. The nuances it brought to the digital protection ecosystem regarding an individual’s right to privacy and a business’s need to process data for legitimate purposes are very novel.
With such an experiment, the government might be engaging in a subtle effort to go beyond the EU GDPR and take even more novel steps. The Act will take until 2028 to be fully implemented, as a buffer period for revamping was a necessity.
The Act governs the management of digital personal data in India when personal data is collected in digital form or converted from non-digital to digital form. It also applies to digital personal data handled outside India if it relates to goods or services for individuals in India. However, the Act does not cover personal data processed by individuals for personal or household purposes, nor does it apply to data publicly disclosed by the individual it pertains to or by any entity legally required to disclose such data in India.
After this legislation, the Data Protection Board will play the role of an institutional regulator in this sector, just like SEBI, and, in economic terms, such institutional regulators promise stability even to outside investors.
DPDPA introduces various novel concepts, such as the Consent Manager, Data Fiduciary, and Data Principal. To dive deeper: prima facie, a person or layman involved in a digital ecosystem is the data principal; this is where the story starts. It is the data principal’s data that giants like Facebook, Amazon and Google have. Hence, the data principal is you or me, or anyone whose data is taken by a Data Fiduciary, i.e., anyone who takes or collects the data. A caveat to remember here is that a data fiduciary is different from a data processor, an external player who processes data on behalf of these data fiduciaries. A Consent Manager is a person registered with the Data Protection Board who acts as the Data Principal’s point of contact, an interoperable platform for giving and withdrawing consent. Most of these Data Fiduciaries potentially benefit from this in the form of property and remuneration opportunities.
The following categories of entities may be included under the definition of “person”:
- An individual
- A Hindu undivided family
- A company
- An association
- The state
- Any other artificial juristic person.
The new legislation has transformed the bureaucratic structure by establishing a Data Protection Board, which serves as a framework to facilitate significant changes in the law as a whole. This new setup aims to enhance the overall infrastructure that governs data protection regulations. The Board will have the powers of a Civil Court for any matter before it.
Now, an interesting point is that the data, which has to be processed for lawful purposes, is divided into 2 parts: firstly, with consent, and secondly, for certain legitimate uses. And this term “legitimate use” is going to be a lawyer’s paradise in this piece of legislation. Now the question comes: what about notice requirements? Surely, before obtaining consent, this will be a mandatory procedure; the data fiduciary will have to explain the purpose, the manner in which the data principal can exercise their rights, and the means by which the data principal can complain to the Board. Additionally, the Data Fiduciary is authorised to continue processing the personal data unless the Data Principal withdraws her consent. If the data principal (i.e., your customer or employee) wants the notice in English or in any of the 22 scheduled languages, then it has to be in the language that he or she asked for.
Notice Requirements:
- It should be in plain and clear language to enable the data principal to give specific and informed consent.
- It should contain an itemised description of the personal data.
- It should state the specific purpose of the processing and its relevance with respect to the goods and services provided.
- It should contain a communication link for accessing the website or app of the data fiduciary, through which the data principal can withdraw her consent, exercise her rights, and make a complaint to the Board.
Consent:
Consent from the Data Principal must be free, specific, informed, unconditional, and unambiguous, indicating agreement to process her personal data for a designated purpose, limited to what is necessary. For instance, if Raj downloads an app and gives consent both for processing his data to provide the services and for accessing his contact list, the consent should only cover the data necessary for the services. Any part of the consent that infringes this Act or relevant laws will be invalid. Additionally, a waiver of the right to complain to the DP Board shall also be invalid. The consequences of withdrawal are borne by the Data Principal, and withdrawal won’t affect the legality of processing that occurred before it.
If the Data Principal withdraws her consent, the Data Fiduciary must cease processing her personal data within a reasonable time unless required by law to continue. For example, if Raj’s telecom provider, Kartel, has consent to email bills, but Raj opts to receive them via the app instead, Kartel must stop processing his data for emails. The Data Fiduciary must be able to prove that proper notice was given and that consent was obtained in compliance with the Act.
Legitimate Use:
Section 7 of the Act provides the legitimate-uses clause and lists the situations in which such a use of data is legitimate and no consent is required. Some of these are when you voluntarily provide the data, or when the State and its instrumentalities use it for welfare or other State purposes, whether through enrolment or directly by State intervention. Additionally, data can be used for law and order, compliance with judgments, emergency situations, public health care (such as the COVID-19 situation), disaster relief, and employment purposes. The last item covers a variety of things: regular HR requirements don’t require consent and notice, even in situations where the employer’s loss, liability, and confidentiality are involved.
Consent Manager:
The conditions to become a consent manager (CM) are stipulated in Part A of the First Schedule of the DPDP Rules. The applicant has to be a company incorporated in India. It should have sufficient technical, financial and operational capacity. The applicant’s net worth should be at least 2 crore Indian rupees. The management should have a good reputation. For example, Raj uses Platform P to give XYZ company access to his bank account statement. In this process, the consent manager “Platform P” shall ensure that the manner of making available or sharing the data is such that its contents are not readable by it, i.e., the Consent Manager must share personal data in a way that keeps its contents unreadable to the Consent Manager itself. It maintains a record on its platform that includes consents given, denied, or withdrawn by the Data Principal, notices regarding consent requests, and the sharing of personal data with transferee Data Fiduciaries. The Consent Manager is required to provide the Data Principal with access to this record, to furnish the information in a machine-readable format upon request, and to keep the record for at least seven years, or longer as agreed upon or required by law.
Additionally, the Consent Manager must develop and maintain a website or app for Data Principals to access its services, and it is prohibited from sub-contracting its obligations under the Act and rules. It must also implement reasonable security measures to prevent personal data breaches while acting in a fiduciary capacity towards the Data Principal, avoiding conflicts of interest with Data Fiduciaries.
To prevent conflicts, the Consent Manager should ensure that its directors and senior management do not have conflicting relationships with Data Fiduciaries. Finally, it must publicly disclose accessible information about its promoters, directors, key managerial personnel, and anyone holding more than 2% of its shares on its website or app.
The CM will also have in place an effective audit mechanism to review, monitor and evaluate its operations and to report the outcome of such audit to the Board. Additionally, control of the company registered as a CM will not be sold, merged or otherwise transferred, except with the prior permission of the DP Board. The DP Board also has the power to suspend or cancel the Consent Manager’s registration.
Roles of Data Fiduciary:
A Data Fiduciary is obliged to comply with the relevant data protection laws and rules, regardless of any agreements with the Data Principal. They can engage a Data Processor through a valid contract to handle personal data. When processing data that may affect the Data Principal or be shared with others, the Data Fiduciary must ensure its accuracy and consistency. They are required to implement security measures to protect personal data and must inform both the Board and affected Data Principals in the event of a data breach. If a Data Principal withdraws consent or if the purpose of data processing is no longer valid, the Data Fiduciary must erase the data unless retention is legally required. They should also provide contact details for a Data Protection Officer and establish a mechanism for addressing Data Principals’ grievances. The Central Government will also notify a few data fiduciaries as Significant Data Fiduciaries (SDF) based on the scale of their operations and the factors listed in section 10 of the Act. They will have to perform additional duties, such as appointing a Data Protection Officer who represents them and is responsible to the Board of Directors, conducting data protection impact assessments, handling grievance redressal, etc. An SDF has to ensure that the data specified by the government is processed in accordance with the government’s restrictions and not transferred outside India.
Children:
Before processing any personal data of a child or a person with a disability who has a lawful guardian, a Data Fiduciary must obtain verifiable consent from the child’s parent or lawful guardian in accordance with prescribed guidelines. It’s important to note that a child’s consent includes the consent of the lawful guardian when applicable. Additionally, a Data Fiduciary should refrain from processing personal data that could negatively affect a child’s well-being. Tracking or behavioural monitoring of children, as well as targeted advertising directed at them, is strictly prohibited. However, there may be specific classes of Data Fiduciaries or purposes for which these rules do not apply, subject to certain conditions. The Central Government has the authority to exempt Data Fiduciaries from these obligations if it finds that their processing of children’s personal data is conducted safely, and may specify an age limit for such exemptions.
A Data Fiduciary (DF) shall adopt measures to obtain verifiable consent of the parent and observe due diligence in checking the individual identifying as the parent, by reference to details voluntarily provided or through a virtual token mapped to such details and issued by an authorised entity, e.g., DigiLocker-based consent used by LinkedIn.
Due diligence on the guardian of a person with disability (PWD) must also be carried out, and it should be verified that the guardian acting for the PWD is one appointed by a court.
Rights and Duties of Data Principal:
They will have the right to obtain the data that they have given consent to. Upon such a request, they may receive a summary of their personal data and the identities of all other data fiduciaries/companies and data processors with whom the data was shared. They will have the right to correct erroneous data and the right to erasure of the data. They will also have a right to grievance redressal. The agency responsible has to respond within the prescribed period from the date of receipt, and that period must be reasonable. They also have the right to nominate someone to handle their data in the event of incapacity or death, along with the duty not to impersonate anyone or furnish false information.
Security:
A data breach refers to unauthorised access to data or the accidental disclosure of information that compromises the integrity of personal data.
The Data Fiduciary has to protect personal data by taking reasonable security safeguards, such as encryption, obfuscation, masking, or the use of virtual tokens. They should have appropriate measures to control access to computer resources and should also take reasonable measures (e.g., backups) to ensure continued processing in the event that the confidentiality or integrity of the data is compromised.
Intimation of any data breach must be made to the data principal via the registered contact details without delay. The intimation should include a description of the breach, including its nature, extent, and timing. Additionally, the data fiduciary has to inform them of all the consequences, the measures implemented so far, and the details of a point of contact for any queries.
Breaches must be reported to the Data Protection Board without any delay. The data fiduciary has to file the following things before the board within 72 hours of the breach:
- Updated and detailed information in respect of such description;
- The broad facts related to the events, circumstances and reasons leading to the breach;
- Measures implemented or proposed, if any, to mitigate risk;
- Any findings regarding the person who caused the breach;
- Remedial measures taken to prevent recurrence of such breach; and
- A report regarding the intimations given to the affected Data Principals.
The Data Fiduciary shall erase the data, unless retention is necessary for compliance with any law, after the period given in the Third Schedule of the DPDP Rules, 2025, if the Data Principal has not approached it during that period. 48 hours before erasure, the Data Fiduciary must inform the Data Principal about it. The Data Fiduciary shall retain data, in respect of any processing of personal data undertaken by it or by its Data Processor, for a minimum of one year from the date of such processing or as specified in the Third Schedule of the DPDP Rules. The Third Schedule categorises the Data Fiduciaries in 3 classes:
- A Data Fiduciary that is an e-commerce entity having not less than two crore registered users in India.
- A Data Fiduciary that is an online gaming intermediary having not less than fifty lakh registered users in India.
- A Data Fiduciary that is a social media intermediary having not less than two crore registered users in India.
The time given is 3 years from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or the exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is latest. This applies for all purposes except enabling the Data Principal to access her user account or any virtual token that is issued by or on behalf of the Data Fiduciary, is stored on the digital facility or platform of such Data Fiduciary, and may be used to get money, goods or services.
Other Central Provisions & Exemptions:
The Central Government can restrict the transfer of personal data by a Data Fiduciary to specified countries outside India, without overriding existing laws that offer greater protection. Certain exemptions apply, such as when processing is necessary for legal enforcement, judicial functions, or the prevention and investigation of crimes. Additional exemptions include processing personal data related to contracts with entities outside India, corporate restructuring such as mergers, or assessing the financial status of loan defaulters, provided it complies with disclosure laws. There exists an exemption for research, archiving and statistical purposes too.
Some state entities, as defined by the Government, are also exempt in cases related to national security or public order. Moreover, specific provisions may not apply to certain Data Fiduciaries, including startups recognised under Government-set criteria. Lastly, the Central Government can exempt certain Data Fiduciaries from provisions of the Act for designated periods within the first five years after its implementation.
The Central Government, for the functioning of the State and its instrumentalities, may require any Data Fiduciary or intermediary to furnish such information as may be called for, within the specified period.
Board for Data Protection:
The Data Protection Board of India shall be established for the purposes outlined in the Act. The Board will be a body corporate, having perpetual succession and a common seal. The Board shall observe a prescribed procedure for holding meetings and conducting business, including through digital means, and must authenticate its orders, directions, and instruments accordingly. In instances where the Chairperson is unable to fulfil her responsibilities due to absence, illness, or other reasons, the senior-most member will temporarily assume the Chairperson’s functions until she is able to resume her duties.
The powers and functions of the Board include directing remedial measures in case of a breach, imposing penalties, and conducting an inquiry upon a complaint. For the effective discharge of its functions under the Act, after giving the person concerned an opportunity of being heard and after recording reasons in writing, it may issue such directions as it considers necessary. Additionally, on a reference made by the Central Government, the Board may modify, suspend, withdraw or cancel such a direction and, while doing so, impose conditions. The Board shall function as an independent body and, as far as practicable, as a digital office. The Board shall determine whether there are sufficient grounds to proceed with an inquiry. If the Board determines that there are insufficient grounds, it may, for reasons to be recorded in writing, close the proceedings; otherwise, it shall inquire into the matter. The Board shall conduct such inquiry following the principles of natural justice and shall record reasons for its actions during the inquiry. It will have the same powers as are vested in a civil court under the Code of Civil Procedure, 1908 (5 of 1908). Appeals will be heard by the Tribunal, which shall record its reasons in writing if it does not dispose of an appeal within the prescribed period, without prejudice to the provisions of section 14A and section 16 of the Telecom Regulatory Authority of India Act, 1997.
Conclusion:
The DPDP Act and Rules aim to shape the digital ecosystem into a more accountable system by taking steps that increase oversight and place control over the data being processed in the hands of the data principal. The establishment of a dedicated DP Board and Tribunal makes data handling an ecosystem entirely bifurcated from the broader electronics and digital ecosystem. It will raise awareness among citizens, and new-age data crimes could be brought under oversight. In the past, there have been many instances of data leaks, and the government has banned a few foreign apps due to such data concerns.
Steps such as the consent manager and data processor will increase data houses and cloud computing in India, making us less reliant on global giants, as data handling is also important for diversifying supply chain management and for the Atmanirbhar Bharat mission. There surely are a few concerns regarding the interference of the government, and about why an end-to-end encryption clause was not brought into the picture. But this is fairly new legislation, and it will take time to be properly implemented. A few years down the line, we will be able to see the changes that the Act has brought to the everyday lives of consumers and employees. Data affects almost everyone, and how safe the data space becomes, and how workable these laws will be for the companies that are data fiduciaries, remains to be seen. In the end, it should not hamper the business environment in the digital ecosystem and should not slow down growth.
New businesses will emerge due to this piece of legislation. Well-funded business houses will be able to serve as data processors and consent managers. A new market might rise with these consent managers and the data processors. Fresh applications are yet to start, and a lot of things remain to be seen.
Authored by:
Mr. Rajkiran Pichakewar
Edited by:
Adv. Akshada Thakare Gudadhe