Key highlights

  • The Indian data protection legal regime is proposed to undergo a major overhaul with the enforcement of the Digital Personal Data Protection Act.
  • US multinational companies must assess and align their privacy and data protection strategies to ensure compliance as the law has unique aspects which differ from global benchmarks.
  • In-house counsel may consider a range of internal strategies for compliance, including training of key stakeholders and conducting gap assessments.

For years, India’s approach to personal data protection was characterised by a fragmented and nascent legal framework, offering only a few safeguards for an individual’s privacy. 

In the absence of stringent enforcement, businesses were not under pressure to adopt robust data protection measures. However, this landscape is set to undergo a drastic transformation with the Digital Personal Data Protection Act 2023 (“DPDP Act”). 

In a related development, the Competition Commission of India (CCI) recently imposed a penalty of approximately USD 28 million on Meta. CCI cited concerns over the implementation of WhatsApp's 2021 privacy policy and the methods used to collect and share user data with other Meta entities.

This decision underscores the growing regulatory focus on data collection and sharing practices in India.

For multinational companies, compliance with the DPDP Act is critical due to its extraterritorial applicability. The law applies to personal data collected from data principals (akin to data subjects) in India, whether in digital form or in non-digital form that is subsequently digitised.

Additionally, the DPDP Act extends to the processing of digital personal data outside India if it relates to offering of goods or services to individuals in India. This means that even U.S. organisations without a physical presence in India must comply with the DPDP Act if they process personal data of Indian customers or users as part of their business operations. 

If a U.S. multinational company has a presence in India (through subsidiaries, affiliate entities, etc.) and those entities process personal data of individuals in India, such as customers, employees, vendors, service providers or prospective employees, compliance with the DPDP Act will be mandatory for those entities as well.

Therefore, U.S. multinationals must ensure that their Indian entities, or any operations offering products or services in India, are fully aligned with the DPDP Act. 

Key features of the DPDP Act

  1. Categorisation of personal data

The DPDP Act applies to all personal data in digital form, with no categorisation into sensitive or critical personal data, as is often seen in other global privacy laws. This is a departure from present-day Indian data privacy laws, which impose enhanced obligations on the collection and processing of sensitive personal data or information.

This means that under the upcoming DPDP Act regime, U.S. businesses handling personal data of Indian residents must apply the same compliance standards to all personal data, regardless of its perceived sensitivity. 

  2. Legal bases of processing personal data

Under the DPDP Act, there are broadly two primary legal bases on which data fiduciaries in the private sector may process personal data; both are briefly explained below.

For clarity, “data fiduciaries” are entities that determine the purposes and means for personal data processing (akin to data controllers).

Consent: Personal data of data principals may be processed on the basis of consent. Several requirements have been prescribed for such consent including being informed, unambiguous and limited to such personal data as is necessary for a specified purpose for processing the personal data.

U.S. multinationals will need to establish robust mechanisms for obtaining, managing, and documenting consent for data processing activities involving Indian individuals. 

Legitimate Uses: Where obtaining consent is not feasible, personal data can continue to be processed if the purpose of such processing falls within the scope of “certain legitimate uses.” Two particular uses would be of interest to private entities.

     i. Voluntary provision of personal data: When an individual voluntarily provides personal data for a specific purpose and does not withdraw consent for such processing. For instance, if a person provides her name and phone number for a restaurant reservation, the data can be used to contact that person for that specific purpose and no other; and

     ii. Purposes of employment: Personal data related to employment can be processed without prior consent. For example, processing employees' personal data for safeguarding the employer from loss or liability, preventing corporate espionage, maintaining confidentiality of trade secrets and intellectual property, or providing services or benefits to employees. Therefore, the large dataset that companies generally process (i.e. employees’ personal data) may usually be processed in reliance on “certain legitimate uses.” Further clarity on this aspect may be received once the rules under the DPDP Act are issued.

  3. Privacy notice and handling of legacy personal data

Data fiduciaries are required to provide a privacy notice to data principals when relying upon consent to process their data.

The notice is required to specify certain details, such as the type of personal data being collected, the purpose of processing, and the mechanism for data principals to withdraw their consent and to lodge complaints with the Data Protection Board of India (“Board”), the supervisory authority proposed to be constituted under the DPDP Act.

Where personal data of individuals was collected on the basis of consent prior to the DPDP Act's implementation, organisations must inform those individuals about how their personal data is being used by furnishing a privacy notice as soon as it is reasonably practicable after implementation of the DPDP Act. No fresh consent is required in such cases, though.

Further, the DPDP Act presents a unique requirement to make available privacy notices and consent requests to individuals in local Indian languages specified in the Eighth Schedule to the Constitution of India (presently these are 22 languages), alongside English. 

Hence, US multinational organisations could begin exploring methods and modalities to meet this requirement.

  4. Consent management and role of consent managers

The DPDP Act introduces a novel concept of “consent managers”, designed to serve as centralised points of contact for individuals to provide, manage, review, or withdraw their consent through an interoperable platform. 

This unique system aims to combat consent fatigue by offering individuals a streamlined, technology-driven platform to oversee their consents, withdrawals, and data rights. Organisations should begin building the necessary capabilities to engage with consent managers effectively once the framework is fully implemented.

  5. Obligations for significant data fiduciaries

Under the DPDP Act, the Central Government of India has the authority to designate certain data fiduciaries as “significant data fiduciaries” based on criteria such as volume and sensitivity of personal data processed, and potential risks to rights of individuals. 

Significant data fiduciaries are subject to additional compliance requirements such as appointment of a data protection officer based in India, appointment of an independent data auditor, and carrying out of periodic data protection impact assessments. 

As a result, larger U.S. multinational organisations, say those operating large social media platforms, may qualify as significant data fiduciaries and will therefore need to comply with these additional requirements.

  6. Processing children’s personal data

The DPDP Act defines children as individuals under the age of 18 years. It mandates data fiduciaries to obtain verifiable consent from parents or legal guardians for processing the personal data of children and individuals with disabilities (who have legal guardians).

Moreover, the DPDP Act prohibits tracking or behavioural monitoring of children and conducting targeted advertisements on children. As a result, U.S. multinationals that offer products or services targeted at children will need to re-think behavioural tracking and their overall marketing strategy aimed at this segment. 

These requirements will likely necessitate significant adjustments to their existing operational and compliance frameworks.

  7. Breach notification requirements

Under the DPDP Act, any personal data breach must be reported both to the Board and to the affected data principals. 

Unlike many global data protection laws, the DPDP Act does not set a specific risk-based threshold for when a personal data breach must be reported. 

This requirement will be in addition to existing reporting requirements, such as the reporting of certain categories of cyber security incidents to the Indian Computer Emergency Response Team (within 6 hours of noticing such incidents).

As a result, U.S. multinationals operating in India will need to navigate multiple, overlapping reporting requirements across different regulatory frameworks. 

  8. Cross-border transfer of personal data

Under the DPDP Act, personal data can be freely transferred to all jurisdictions except those restricted by the Central Government of India. The Central Government is yet to release the negative list of jurisdictions.

Also, where any other Indian law imposes enhanced requirements for the transfer of personal data, those requirements will have to be complied with as well.

Hence, U.S. multinationals may consider evaluating their existing cross-border transfer arrangements and developing contingency plans to ensure compliance with potential future restrictions. This will help mitigate operational disruptions.

  9. Accountability for data processors

Data fiduciaries will remain fully accountable for any data processing activity carried out by their data processors. While the DPDP Act does not impose specific compliance obligations on data processors themselves, data fiduciaries are required to engage processors under a valid and legally binding contract.

Given that data fiduciaries bear ultimate responsibility for compliance, including the actions of their processors, it is critical to ensure that these contracts are comprehensive and clearly define the roles, rights, and responsibilities of both parties. 

Beyond these contractual safeguards, data fiduciaries should also implement robust audit mechanisms, enforce stringent cybersecurity practices, and consider securing cyber liability insurance to mitigate potential risks and ensure ongoing compliance.

  10. Data principal rights

Data fiduciaries must enable data principals to exercise their rights in relation to personal data, including the right to access information about the processing of their personal data, details of entities with whom their personal data has been shared, and the associated processing activities. 

Data principals also have the right to correct, update, or erase their personal data, withdraw consent, and seek grievance redressal. 

Additionally, data principals have the unique right to nominate an individual to exercise these rights on their behalf in the event of death or incapacity, a provision not commonly found in many international data protection laws.

  11. Outsourcing exemption

The DPDP Act does not apply to personal data of individuals outside India when processed under a contract between a foreign entity and an entity based in India. 

This exemption is primarily designed to support the outsourcing industry. However, despite the exemption, the obligation to protect personal data from breaches remains intact. U.S. multinationals can therefore rely on this provision to engage data processors in India for processing services related to the data of individuals outside India.

Implications for US multinationals in India

The requirements under the DPDP Act warrant action by US multinationals in terms of compliance readiness. The DPDP Act is structured around broad principles and is not intended to be prescriptive.

While more granular detail is expected through rules to be issued under the DPDP Act on aspects such as the consent mechanism, the organisational and security safeguards to be adopted are largely left to be determined by the data fiduciary.

The room for exemptions under the law is also very narrow. For instance, there are no exemptions for processing of personal data for private corporate M&A transactions (i.e. transactions not requiring court/tribunal approval). 

It is also worth considering that India already has certain legal requirements governing the processing of personal data. For example, for entities regulated by sector regulators such as India’s central bank (i.e. the Reserve Bank of India), the existing privacy-related obligations prescribed by the rules and regulations of those regulators are expected to continue even after implementation of the DPDP Act.

Risk management strategies for mitigating legal exposure

Although many multinational entities may already be complying with US and other foreign data protection legislation, the DPDP Act introduces specific nuances that require careful consideration.

While the DPDP Act shares broad privacy principles with global frameworks like the GDPR, it is far from being identical. 

For many multinational entities, the first logical step would be an assessment of the additional or different obligations under the DPDP Act when compared with their internally benchmarked global privacy best practices.

This will help identify areas that need to be additionally addressed or addressed differently, such as consent management, data breach reporting, and handling of children’s data.

It may be prudent to begin compliance efforts ahead of the full implementation of the law. The Indian Government is unlikely to offer an extended transition period once the law takes effect.

Therefore, businesses should ideally not wait for the final rules to be released, as the broad contours of the DPDP Act, including its key compliance obligations, are already clear. 

A prioritised action plan should be developed, focusing first on the most urgent compliance requirements. Once these critical obligations are addressed, organisations can initiate discussions and work towards more time-consuming compliance tasks. 

Conclusion

U.S. multinationals operating in India will need to fundamentally shift their approach to data protection and related compliance. The DPDP Act introduces several unique and specific requirements that may not be covered by their existing global compliance frameworks.

With India’s heightened focus on safeguarding personal data, U.S. organisations must re-evaluate their current policies and data protection practices in order to ensure alignment with the new law.

As the regulatory landscape in relation to data protection continues to evolve in India, the risk of non-compliance will only increase, bringing in potential penalties, reputational damage, and operational disruptions. 

Now more than ever, U.S. multinationals must prioritise data protection as a core part of their business strategy in India. To navigate this new landscape successfully, they must integrate the DPDP Act’s provisions into their broader global compliance strategies.

Authors: Supratim Chakraborty, Partner, Sumantra Bose, Counsel, and Shramana Dwibedi, Senior Associate (Khaitan & Co.)
