Category: Data Privacy & Protection Laws

  • What are the key obligations for data fiduciaries under the new Indian data protection rules?

    Introduction
    Under the Digital Personal Data Protection Act (DPDPA), 2023, which is set to become fully enforceable by 2025, the Government of India has laid out specific responsibilities for entities called data fiduciaries. A data fiduciary is any person, company, or organization that determines the purpose and means of processing personal data. These obligations are designed to ensure accountability, transparency, and the protection of individual privacy. All businesses that handle personal data in digital form must comply with these obligations, whether they collect it directly or receive it from another party.

    Obligation 1: Obtain Valid and Informed Consent
    Data fiduciaries must obtain clear, informed, and specific consent from users before collecting their personal data. The consent must be given voluntarily and must be based on clear information about what data will be collected and for what purpose. Consent should not be obtained by default or as a precondition for accessing unrelated services. Users should also have the right to withdraw their consent at any time.

    Example
    If a shopping website like Flipkart wants to collect data to send promotional emails, it must show users a checkbox asking for their consent. It cannot automatically assume consent or make it a hidden part of the terms and conditions.

    Obligation 2: Purpose Limitation
    Personal data must be collected only for specific, lawful, and stated purposes. A business cannot collect data for one reason and then use it for another unrelated purpose without obtaining additional consent from the user.

    Example
    If a travel site like MakeMyTrip collects a user’s passport number for flight booking, it cannot later use this information for unrelated services like insurance marketing unless it gets separate consent.

    Obligation 3: Data Minimization
    Only data that is strictly necessary for fulfilling the stated purpose should be collected. Businesses should avoid asking for excessive or irrelevant information from users.

    Example
    An app that delivers groceries should only ask for name, address, contact number, and payment information. It should not ask for personal details like marital status or religion unless required by law or a specific service.

    Obligation 4: Storage Limitation
    Data fiduciaries must not retain personal data longer than necessary. Once the purpose for which the data was collected is fulfilled, the data should be deleted or anonymized. Businesses must set internal retention timelines and ensure old or unused data is cleared periodically.

    Example
    If an online learning platform like Byju’s collects user data for course access, it should delete the data once the course ends and the student no longer needs the service.

    Obligation 5: Accuracy of Data
    Data fiduciaries are required to keep personal data accurate and up to date. They must provide a mechanism for individuals to review and correct their data.

    Example
    If a user’s delivery address changes on Amazon, the platform must allow the user to update their information and ensure the new address is used for all future orders.

    Obligation 6: Implement Security Safeguards
    Businesses must implement reasonable technical and organizational security measures to protect personal data from unauthorized access, disclosure, or breach. These include encryption, firewall protection, access controls, employee training, and breach detection systems.

    Example
    A financial app like PhonePe must ensure that user data is encrypted, login credentials are securely stored, and regular security audits are conducted to detect vulnerabilities.

    Obligation 7: Grievance Redressal Mechanism
    Data fiduciaries must provide an effective and responsive grievance redressal system. Users should be able to file complaints related to their data, consent, deletion requests, or misuse, and businesses must resolve these within the time specified by law.

    Example
    If a user contacts Paytm with a complaint about unauthorized data sharing, Paytm must investigate the issue and provide a formal resolution within the legal time frame.

    Obligation 8: Enabling User Rights
    Data fiduciaries are responsible for enabling individuals to exercise their rights under the Act. These include the right to access personal data, the right to correct or delete it, the right to withdraw consent, and the right to be informed about how data is used.

    Example
    If a user of Swiggy wants to delete their account and associated data, Swiggy must allow the user to initiate the deletion request and confirm once the data has been removed from its systems.

    Obligation 9: Breach Notification
    In the event of a data breach, the data fiduciary must inform the affected individuals as well as the Data Protection Board of India. The notification must be made promptly, including details of the nature of the breach and steps taken to minimize its impact.

    Example
    If a cyberattack exposes customer emails and phone numbers at Ola, the company must immediately notify the affected users and report the incident to the Board with a full explanation.

    Obligation 10: Appointment of Data Protection Officer (for SDFs)
    Organizations that are classified as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data they process must appoint a Data Protection Officer (DPO). The DPO will be responsible for ensuring compliance, managing grievances, and acting as the point of contact with the Data Protection Board.

    Example
    A telecom company like Jio would be considered a Significant Data Fiduciary and must appoint a qualified DPO to oversee all data protection responsibilities within the company.

    Obligation 11: Conducting Data Protection Impact Assessments (DPIAs)
    SDFs must conduct regular assessments of the potential risks their data processing activities pose to individuals. These assessments help in identifying vulnerabilities and applying safeguards to reduce risk.

    Example
    An insurance company that uses automated algorithms to assess customer profiles must carry out DPIAs to ensure its system does not unfairly discriminate or expose users to harm.

    Obligation 12: Cross-Border Data Transfer Compliance
    Data fiduciaries can transfer personal data outside India only to countries approved by the central government. Even after the data is transferred, fiduciaries must ensure that the data continues to be processed in a manner that protects individual rights.

    Example
    A company like Google India can store or process user data on servers in the US only if the US is among the countries notified by the government and all protective safeguards are maintained.

    Obligation 13: Maintain Records and Audit Trails
    Data fiduciaries are required to maintain records of their data processing activities, including when consent was taken, how long the data was stored, who accessed it, and when it was deleted. This is important for audits and demonstrating compliance.

    Example
    A food delivery app like Zomato should keep an internal log of every user consent interaction, data sharing with delivery partners, and data deletion request history for verification purposes.
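
    The records described in Obligation 13, together with the consent, purpose-limitation and retention duties of Obligations 1, 2 and 4, map onto one small piece of engineering: a consent ledger that stores proof of consent per purpose, refuses processing for any purpose the user did not consent to, deletes data when consent is withdrawn or the retention window ends, and writes every decision to an audit trail. The Python below is an added illustration written for this page; it is not code from the Act, from any company named above, or from any real consent-manager product. The store is in-memory, timestamps are UTC, and the purpose strings and evidence labels are assumptions chosen for the example.

```python
"""Consent ledger with purpose-bound access checks, withdrawal,
retention expiry and an audit trail.

Added example for the obligations discussed above (not the page's own
code). Assumptions: single-process in-memory store, UTC timestamps,
application-chosen purpose strings and consent-evidence labels.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    principal_id: str          # the Data Principal the record belongs to
    purpose: str               # the single, stated purpose consent covers
    given_at: datetime
    retention: timedelta       # how long data for this purpose may be kept
    withdrawn_at: Optional[datetime] = None
    evidence: str = ""         # proof of consent, e.g. the form/checkbox id shown


class ConsentLedger:
    def __init__(self) -> None:
        self._records: dict[tuple[str, str], ConsentRecord] = {}
        self.audit: list[dict] = []   # append-only trail of every event

    def _log(self, event: str, principal_id: str, purpose: str,
             now: datetime, **extra) -> None:
        self.audit.append({"at": now.isoformat(), "event": event,
                           "principal": principal_id, "purpose": purpose,
                           **extra})

    def record_consent(self, principal_id: str, purpose: str, evidence: str,
                       retention: timedelta, now: datetime) -> ConsentRecord:
        # Obligation 1: consent is tied to one purpose and proof is retained.
        rec = ConsentRecord(principal_id, purpose, now, retention,
                            evidence=evidence)
        self._records[(principal_id, purpose)] = rec
        self._log("consent_given", principal_id, purpose, now,
                  evidence=evidence)
        return rec

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> bool:
        rec = self._records.get((principal_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now
        self._log("consent_withdrawn", principal_id, purpose, now)
        return True

    def may_process(self, principal_id: str, purpose: str, actor: str,
                    now: datetime) -> bool:
        # Obligation 2: consent for purpose A never authorises purpose B,
        # so the lookup is keyed on the exact purpose being requested.
        rec = self._records.get((principal_id, purpose))
        allowed = (rec is not None and rec.withdrawn_at is None
                   and now < rec.given_at + rec.retention)
        # Obligation 13: every access decision is logged with who asked.
        self._log("access_check", principal_id, purpose, now,
                  actor=actor, allowed=allowed)
        return allowed

    def purge_expired(self, now: datetime) -> list[tuple[str, str]]:
        # Obligation 4: delete records whose retention window has ended
        # or whose consent was withdrawn, and log each deletion.
        removed = []
        for key, rec in list(self._records.items()):
            expired = now >= rec.given_at + rec.retention
            if expired or rec.withdrawn_at is not None:
                del self._records[key]
                removed.append(key)
                self._log("data_deleted", key[0], key[1], now,
                          reason="retention_expired" if expired
                          else "consent_withdrawn")
        return removed


def demo() -> list[str]:
    """Walk one constructed user through consent, a cross-purpose refusal,
    withdrawal and purge; returns the audit event names in order."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    ledger = ConsentLedger()
    ledger.record_consent("user-42", "order_fulfilment", "checkout-form-v3",
                          timedelta(days=30), t0)
    ledger.may_process("user-42", "order_fulfilment", "orders-svc",
                       t0 + timedelta(days=1))      # allowed
    ledger.may_process("user-42", "marketing", "crm-svc",
                       t0 + timedelta(days=1))      # refused: other purpose
    ledger.withdraw("user-42", "order_fulfilment", t0 + timedelta(days=2))
    ledger.purge_expired(t0 + timedelta(days=3))
    return [e["event"] for e in ledger.audit]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

    The point a reviewer would check is that `may_process` keys on the exact purpose and on the retention window, not just on "this user consented to something", and that refusals are logged as faithfully as approvals; that is what makes the trail useful when demonstrating compliance during an audit or a grievance investigation.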

    Obligation 14: Accountability and Transparency
    Data fiduciaries must publish a privacy policy, clearly outline how personal data is handled, and be transparent about any data-sharing with third parties. They are also accountable for ensuring that all their third-party vendors or processors comply with DPDPA regulations.

    Example
    If Myntra outsources its customer support to a third-party agency, it must ensure that the agency handles personal data with the same level of security and compliance required under Indian law.

    Conclusion
    The DPDPA 2023 places significant responsibilities on data fiduciaries to manage personal data ethically, securely, and transparently. These obligations reflect a broader shift toward recognizing data privacy as a fundamental right in India. For businesses, this means redesigning data systems, rewriting privacy policies, setting up grievance redressal procedures, implementing technical safeguards, and ensuring organizational compliance. Non-compliance can attract penalties of up to ₹250 crore, reputational loss, and possible suspension of operations. Companies that embrace these changes proactively will not only avoid penalties but also build stronger relationships with users, win trust, and position themselves for sustainable success in a privacy-first digital economy.

  • How does India’s DPDPA 2023/2025 impact data handling practices for businesses?

    Introduction
    The Digital Personal Data Protection Act (DPDPA) 2023, expected to be fully implemented by 2025, is India’s first comprehensive law dedicated to governing the use, processing, and storage of digital personal data. It reflects a major shift in India’s digital regulatory framework, placing strong emphasis on the protection of individual privacy and personal data rights. The DPDPA is designed to create a balance between the rights of individuals (Data Principals) and the lawful interests of businesses (Data Fiduciaries). Inspired by global data protection frameworks such as the European Union’s GDPR, it sets out detailed requirements for how businesses should collect, handle, store, and process personal data in India.

    Core Principles of the DPDPA
    The DPDPA is based on important foundational principles including purpose limitation, consent-based data processing, data minimization, storage limitation, accuracy, accountability, and transparency. These principles are embedded throughout the Act and form the guiding standards for all data handling practices in India. Businesses must not only comply with these principles in letter but also in spirit, by redesigning internal processes and technologies.

    Requirement of Valid Consent
    The Act mandates that no personal data shall be processed without obtaining explicit, clear, and informed consent from the individual. Consent must be free, specific, informed, unambiguous, and given through affirmative action. Individuals must also have the ability to withdraw consent at any point.

    Impact on Businesses
    Businesses must redesign all user interfaces where personal data is collected—such as websites, forms, and mobile applications—to include transparent consent forms and options to revoke consent. The commonly used practices of passive consent or bundled terms and conditions are no longer allowed. Every business must track consent and show proof that it was legally obtained.

    Example
    If Flipkart collects user data for sending promotional emails, it must show a separate opt-in checkbox where users can agree or disagree. It cannot automatically enroll users in marketing communication by default.

    Obligations of Data Fiduciaries
    Under the DPDPA, all businesses that handle personal data are known as Data Fiduciaries and must follow legal obligations such as informing users about the purpose of data collection, processing data only for legitimate use, ensuring data accuracy, implementing security safeguards, and allowing users to exercise their rights. Fiduciaries are expected to build systems that support these requirements.

    Example
    An app like Practo that stores sensitive health data must now provide a mechanism for users to correct errors in their medical history or delete outdated records, while ensuring data is encrypted and protected from unauthorized access.

    Purpose Limitation and Data Minimization
    The DPDPA requires that data be collected only for specific and declared purposes. The purpose must be shared with the user at the time of consent, and businesses are expected to collect only data that is strictly necessary for the stated purpose. Collecting extra data “just in case” is not allowed under this law.

    Example
    A ticket booking platform like IRCTC can ask for the passenger’s name, age, and ID, but it cannot ask for income, education level, or religious beliefs unless that data is essential for the service being provided.

    Data Principal Rights
    The DPDPA introduces several important rights for individuals, including the right to access their data, the right to correct inaccuracies, the right to delete data, the right to be informed, and the right to withdraw consent. Businesses are obligated to create internal systems to allow users to exercise these rights efficiently.

    Example
    If a Zomato user decides to delete their profile and all order history, Zomato must comply with this request and confirm the deletion. It must not keep any data unless it is legally required to (such as for tax records).

    Consent Managers
    DPDPA introduces the concept of Consent Managers—neutral platforms authorized by the government to help individuals manage their consents across platforms. These managers can help users view, withdraw, or provide consent for multiple services from a single dashboard.

    Example
    A financial app like PhonePe might integrate with a consent manager such as Sahamati, enabling users to manage their consents for data sharing with various banks, lenders, and apps.

    Children’s Data Protection
    Special provisions are made for protecting the personal data of children under the age of 18. Parental consent is mandatory before processing data of minors. Businesses are also restricted from conducting behavioral tracking or serving targeted advertisements to minors.

    Example
    EdTech platforms like Byju’s must collect verifiable parental consent before enrolling a child and must ensure no personalized ads or data tracking are done on children’s usage patterns.

    Cross-Border Data Transfer Rules
    The law allows data to be transferred to countries that the Indian government notifies from time to time. This is a more relaxed stance compared to earlier drafts that called for strict data localization. However, the receiving countries must have strong data protection standards in place.

    Example
    Amazon India may process some of its data using servers in the United States, provided the US is among the countries approved by the Indian government and Amazon ensures compliance with Indian laws.

    Data Breach Notification Requirements
    In the event of a data breach, businesses must inform both the affected individuals and the Data Protection Board of India. Timely reporting and transparency are emphasized to ensure users are not kept in the dark.

    Example
    If Paytm faces a cyberattack in which credit card details are leaked, the company must immediately notify all affected users, publish a disclosure, and report the incident to the Data Protection Board.

    Significant Data Fiduciaries (SDFs)
    Some businesses will be classified as Significant Data Fiduciaries (SDFs) based on factors such as volume and sensitivity of data handled, potential impact on user rights, and scale of operations. These businesses will be subject to enhanced obligations like data audits, privacy impact assessments, appointing Data Protection Officers, and publishing compliance reports.

    Example
    Jio, which manages sensitive call records and customer data, would likely be an SDF and must hire a full-time Data Protection Officer and regularly submit reports to the Data Protection Board.

    Penalties and Enforcement
    The DPDPA establishes a Data Protection Board that will monitor compliance, investigate complaints, and impose penalties. Financial penalties for non-compliance can go up to ₹250 crore for serious violations. The Board can also recommend remedial actions and initiate legal proceedings.

    Example
    If MakeMyTrip fails to provide a user with access to their personal data within the required time, or continues using deleted data, the company can be fined and investigated by the Board.

    Impact on Specific Sectors
    E-commerce platforms must be careful with recommendation engines and user profiling. They must collect only necessary data and obtain explicit consent for marketing. Healthcare organizations must follow data encryption and access control standards while allowing data corrections. Financial institutions will need robust security infrastructure and must implement customer-controlled consent flows. EdTech firms must ensure no behavioral tracking of minors. Startups will face compliance costs but can benefit from early adoption and user trust.

    Opportunities for Businesses
    While the DPDPA presents a strong compliance challenge, it also offers new business opportunities. Companies that proactively follow the law will earn customer trust, become eligible for international partnerships, and strengthen brand reputation. Businesses that prioritize data protection can turn compliance into a competitive advantage.

    Conclusion
    The DPDPA 2023/2025 is a transformative law that impacts every stage of data handling—from collection and storage to sharing and deletion. It requires Indian businesses to treat personal data with transparency, accountability, and respect. Although compliance will involve reworking policies, building consent mechanisms, training staff, and deploying secure technologies, the long-term benefits include increased user trust, reduced risk of data breaches, and enhanced global competitiveness. By embedding privacy-by-design and user rights into their systems, businesses can not only meet legal requirements but also lead the way in building a responsible digital economy in India.