Data protection and privacy frameworks are increasingly being developed globally. This is particularly the case in Asia: in the past two years, several key jurisdictions, including China, India, Indonesia and Vietnam, have either introduced their first-ever comprehensive data protection laws or are updating and reforming their existing privacy laws. These regulations are strongly influenced by, or borrow concepts from, the EU General Data Protection Regulation (“GDPR”) and set a high standard of compliance for organisations processing personal data.
Below is a snapshot of the national approaches to privacy in China, India, Indonesia, Singapore and Vietnam, prepared by our Asia data privacy task force.
- China – Personal Information Protection Law (PIPL)
- Indonesia – Personal Data Protection Law (PDPL)
- Singapore – Personal Data Protection Act (PDPC)
- Vietnam – Personal Data Protection (DPDP)
Our Asia data privacy task force
At DS Avocats, we have developed strong expertise in data protection issues in Asia, enabling us to assist our clients in developing their operations while taking into account their data compliance obligations. Our knowledge of the GDPR also allows us to bridge the needs of European-based headquarters and their local subsidiaries in China, India, Indonesia, Singapore and Vietnam.
Since the Supreme Court of India declared the “right to privacy” a fundamental right in a landmark 2017 judgment and urged the national government to establish a data protection regime, policymakers have worked toward passing central legislation to protect privacy. As a result of this effort, the Digital Personal Data Protection Act, 2023 (“DPDPA”) was finally passed on August 11th 2023.
The DPDPA replaces a set of rules made under section 43A of the Information Technology Act, 2000, which only superficially resembled a data protection law.
The DPDPA aims to regulate the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such data for lawful purposes.
GDPR and DPDPA
The DPDPA has been partially modelled on the GDPR and on the data protection laws of Singapore and Australia.
The GDPR takes an extraterritorial approach: it applies to businesses worldwide that process the personal data of EU data subjects, regardless of where those businesses are located, and it grants individuals extensive rights (including the rights to data portability, erasure, rectification and objection). The DPDPA, by contrast, focuses primarily on data collected, processed and stored within India. Its scope is national: it applies to Indian citizens and to the foreign companies that process their data.
Philosophically, the GDPR is grounded on the principles of fundamental individual rights, especially the right to privacy. It places data protection as a fundamental right of the individual and centers the importance of preserving the confidentiality of personal data. Conversely, the Indian approach highlights data sovereignty and the need to promote the economic development of the country. It seeks to strike a balance between personal data protection and the country’s development interests, including facilitating business and fostering innovation and the digital economy.
In summary, the GDPR focuses on safeguarding fundamental individual rights and the preservation of privacy, while the DPDPA emphasizes data sovereignty and striking a balance between data protection and economic development. These differences reflect the values and priorities unique to each region, but both regulations share the common goal of ensuring the protection of personal data.
Summary of the DPDPA
Law: India Digital Personal Data Protection Act, 2023
Expected entry into force: early 2024
Supervisory authority: Data Protection Board of India (DPBI)

Scope of application
- Any entity that processes digital personal data within Indian territory.
- Extraterritorial jurisdiction: the Act also covers data processed outside India if the processing is carried out with the intent of offering goods and services to individuals within India.
- Exclusion: the Act does not apply to Indian companies providing outsourcing services, i.e. processing in India of personal data that was collected abroad and does not concern data principals in India.

Concept of personal data
- The DPDPA applies uniformly to all types of personal data, defined as “any data about an individual who is identifiable by or in relation to such data.”
- The DPDPA contains no provisions on special categories of data (i.e. sensitive data). However, a “significant data fiduciary” (classified as such on the basis of the volume and sensitivity of the personal data it processes and other prescribed criteria) is subject to a higher compliance burden.
- Outside the scope of the Act:
  - Non-digitised data: unlike the GDPR, the DPDPA does not regulate a processing operation or activity that is wholly manual or non-automated.
  - Personal data processed for personal or domestic purposes, and aggregated personal data collected for research and statistical purposes that is not used for any decision specific to a data
  - Personal data made publicly available.

Parties involved in data processing
- Data fiduciary: any person who determines the purposes and means of processing personal data (the equivalent of the GDPR’s data controller). A data fiduciary may be designated a significant data fiduciary.
- Data processor: any person who processes personal data on behalf of a data fiduciary.
- Data principal: the individual to whom the personal data relates (the equivalent of the GDPR’s data subject).
- Unlike the GDPR, the DPDPA does not impose obligations directly on data processors; instead, it expects data fiduciaries to ensure compliance by the processors they engage, through data processing agreements.

Rights and duties of data subjects
Rights of the data principal:
- Right to access
- Right to correction
- Right to erasure
- Right to grievance redressal
- Right to nominate
Duties of the data principal:
- Not to impersonate another person
- Not to suppress material information
- To furnish only verifiably authentic information
- Not to make frivolous complaints
Unlike the GDPR, the DPDPA provides no right to data portability.
Indian citizens can exercise their rights through the methods prescribed by the data fiduciary. The data fiduciary must establish an effective mechanism for handling grievances raised by data principals.

Data localisation
The DPDPA does not impose strict localisation requirements, but it grants the government the power to mandate local storage of certain types of data in the interest of national security.

Power of the State
- Disclosure of personal data by data fiduciaries to the State or agents of the State (“State”) under a legal obligation is a “legitimate use”: no consent or intimation is required.
- The State is exempted from seeking consent (and from other obligations under the DPDPA, including the erasure of personal data held in its records) when it processes personal data for the performance of any legal function, in the interest of the security, sovereignty and integrity of India, or to maintain public order.
- The Indian government is responsible for appointing the members of the DPBI.

Legal bases
The DPDPA does not include legal bases for contractual necessity or legitimate interests. A previous version of the DPDP Bill contained an exemption for processing in the public interest, but this has since been narrowed to apply only to the State.

Security obligations
The data fiduciary (data controller) must implement reasonable security safeguards and appropriate technical and organisational measures to ensure compliance with the DPDPA and to prevent personal data breaches.

Requirement for consent
Data processing requires the explicit consent of the data principal, unless the data can be processed on another legal basis.
Consent must be:
- Free: the data principal must not feel coerced or pressured into giving consent.
- Unconditional: consent cannot be made conditional on anything else, such as the provision of a product or service.
- Unambiguous: the data principal must be clear about what they are consenting to.
- Specific: the consent must specify the purpose for which the data is collected and processed.
- Informed: the data principal must be given enough information about how their data will be used to make an informed decision on whether to consent.
The data fiduciary must issue a notice explaining the purpose and means of the processing, and must give the data principal the option to access the contents of the notice in English or in any of the 22 languages specified in the Eighth Schedule to the Constitution.
The data principal has the right to withdraw consent at any time.
Processing of children’s data (individuals below 18 years of age) requires the verifiable consent of a parent or guardian. Tracking or behavioural monitoring of children, and targeted advertising directed at children, are prohibited.

Impact assessment on data processing
Only significant data fiduciaries are required to conduct a Data Protection Impact Assessment (DPIA).

Cross-border transfer of data and impact assessment on overseas transfers
- Unlike under the GDPR, the transfer of personal data for processing outside India is generally permitted under the DPDPA.
- The Indian government may identify specific countries to which data transfers are prohibited. At present, the government has given no indication of which countries may feature on this list.
- If the DPDPA provisions on international data transfers conflict with other Indian laws, the law that provides the higher degree of protection or restriction on cross-border transfers prevails (i.e. sector-specific regulations, such as the RBI’s data localisation mandate for payment system data, continue to apply).

Breach notification
1. Report the breach to the DPBI within 72 hours of becoming aware of it.
2. Inform the data principals affected by the breach.
3. Data principals harmed by a data breach may be able to sue the data fiduciary in breach for damages.

Penalties
- Failure by a data fiduciary to take reasonable security measures: fines of up to INR 250 crore (EUR 2,800,000).
- Failure to notify a personal data breach, or to comply with the children’s data protection requirements: fines of up to INR 200 crore (EUR 2,240,000).
Fines are determined by the DPBI, depending on the nature of the offence.