Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
With presidential assent granted on August 11, 2023, for India’s Digital Personal Data Protection Act, 2023 (“DPDA” or the “Act”), India joined the ranks of dozens of jurisdictions globally that have enacted comprehensive data protection laws, including Australia, Brazil, California, China, the 27 European Union (EU) Member States, Japan, Korea, Mexico, Quebec, and the United Kingdom. In the face of this onslaught of new and expanding data protection laws, implementing a relatively uniform, global data protection compliance program for human resources (HR) data has become increasingly challenging.
Fortunately, many of the DPDA’s compliance requirements will be familiar to global employers and are in line, or less stringent than, the requirements imposed by other data protection laws. Consequently, U.S. multinational employers should be able to wrap compliance with the Act relatively easily into their existing global compliance program for HR data. Nonetheless, global employers with operations in India will still need to consider certain unique requirements. This Insight will highlight the steps U.S. multinational employers will need to take to address the DPDA’s requirements within their global data protection compliance program.
DPDA Primary Compliance Requirements Measured Against The EU’s GDPR
Scope – The scope of the DPDA is narrow in comparison to the GDPR’s
The DPDA is more limited in substantive scope than the EU’s General Data Protection Regulation (GDPR). While the GDPR applies to all forms of personal data, the DPA applies only to personal data in digital form or non-personal data that is digitized subsequently. Theoretically, this could provide some compliance relief by removing paper records; however, in practice, there will be no relief for multinational employers that operate in a paperless world.
The Act’s geographic scope is similar to GDPR’s. Any subsidiary in India, like any subsidiary in the EU for GDPR, will be required to comply with the Act when processing the personal information of its own prospective, current, and former employees (“HR Data”) as well as when processing HR Data received from other jurisdictions — for example, a manager in India handling HR Data for subordinates in the United States.
Also, like the GDPR, the Act generally will not apply directly to the extraterritorial U.S. parent corporation. The DPDA applies to the processing of personal data outside India only if that processing relates to offering goods or services to “Data Principals” (a/k/a data subjects) in India. The GDPR has an almost identical clause. Importantly, the Act’s extraterritoriality provision applies only to consumers’ personal information and not HR Data.
Compliance Recommendation: Ensure that processing HR Data by any subsidiary in India is added to any current inventory or data map of electronic databases that process personal data.
Legal Basis for Processing Personal Data — The DPDA is more permissive than the GDPR in allowing processing to occur
The DPDA is far more permissive than the GDPR with regard to lawful grounds for processing HR Data. The Act specifically allows employers to process HR Data, without consent, “for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.” The GDPR does not provide employers with a similar blanket allowance to process HR Data.
However, the precise contours of this permissible ground for processing must await further guidance. For example, India’s Data Protection Board (DPB) could construe this ground narrowly to apply only to processing HR Data by the employing entity in India. In that event, this permissible ground would not encompass, for example, the transfer of HR Data to the United States to allow the parent corporation to engage in global workforce management, to create a global succession plan, to address complaints submitted to a global ethics hotline, or to conduct cross-border investigations. Global employers concerned about a possible narrow construction could mitigate that risk by obtaining employees’ consent to such processing.
The Act mirrors the GDPR’s high standard for consent. In particular, consent must be “free, specific, informed, unconditional and unambiguous” and given with an affirmative action by the data subject. However, while reliance on consent in the employment context is disfavored in the EU, employers in India routinely rely on employees’ consent.
Compliance Recommendation: Assess whether any subsidiary in India processes HR Data other than “for the purpose of employment” of the subsidiary itself and whether data processing by the U.S. parent corporation falls within scope of that lawful basis for processing HR Data.
Notice — The DPDA requirements are more discrete than the GDPR’s
Similar to the GDPR, the Act mandates specific notice requirements, but the requirements are less extensive. Specifically, the DPDA requires that notice: (1) identify the categories of personal data processed; (2) the purpose of the processing; and (3) the methods to (a) submit a request to exercise individual data rights; (b) withdraw consent to processing; (c) submit an internal grievance related to the processing of personal data; and (d) make a complaint to the DPB.
Of administrative significance, the DPDA requires that employers give employees the option to access the notice in English or in any of India’s 22 other official languages (Assamese, Bengali, Gujarati, Hindi, Kannada, Kashmiri, Konkani, Malayalam, Manipuri, Marathi, Nepali, Odia, Punjabi, Sanskrit, Sindhi, Tamil, Telugu, Urdu, Bodo, Santhali, Maithili, and Dogri). Consequently, when deciding whether to distribute a relatively brief, India-specific notice or a broader and lengthier global notice, employers should assess the likelihood that employees will request access in languages other than English, triggering the burden of translations.
Compliance Recommendation: Adapt the current GDPR-compliant or global notice for compliance in India by confirming factual accuracy and consider whether to delete extraneous content to reduce burdens of translation.
Individual Rights — The DPDA does not grant as extensive rights to data subjects
The DPDA provides for individual rights that overlap with GDPR’s and most comprehensive data protection laws, such as the right to know, correct, update, and/or delete personal data. However, the Act does not go so far as to provide the GDPR’s more comprehensive rights, such as the right to data portability, the right to object to processing, or the right to restrict processing. Furthermore, the rights conferred by the Act appear to apply only when the data subject “has previously given consent” to the processing and not when the data is processed without consent for purposes of employment or other legitimate purposes, such as to comply with legal obligations.
The only rights that appear to apply to all data subjects, regardless of reliance on their consent, is the right to file a grievance with the employer. Notably, the Act requires that data subjects exhaust any available internal grievance procedure before submitting a complaint to the DPB. Employers, therefore, should address any internal grievance diligently in an effort to resolve the issue before a complaint is filed with the DPB.
Compliance Recommendation: Review any existing policy and/or procedure addressing management of individual data rights requests to incorporate India’s relatively narrow requirements.
Cross-Border Data Transfers — There currently is no significant restriction on the transfer of personal data to the United States or other countries outside of India
The DPDA takes an opposite approach to cross-border data transfers from the GDPR and many other comprehensive data protection laws. Rather than requiring India’s central government to issue an adequacy decision for the third country or requiring employers to establish adequate protection for transferred personal data by data transfer agreement or some other mechanism, the Act does not regulate the transfer of personal data outside of India. Instead, the Act authorizes the Indian central government to blacklist countries from receiving transfer of personal data from India. The Act requires the blacklisting to be publishing in the Official Gazette.
Compliance Recommendation: While it is highly unlikely that India would blacklist the United States, U.S. multinational employers should periodically check for any blacklisting to determine whether transfers of personal data to other countries with corporate group members must be curtailed.
Data Breach — The requirements currently are not nearly as developed as those under the GDPR
The DPDA’s definition of data breach is similar to the GDPR’s definition, i.e., “any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.” In the event of a data breach, the controlling entity must inform both the DPB and the data subject. The Act confers on the central government the authority to flesh out these requirements. Given the prevalence of data breaches, the potential damage to a business’ reputation, and the potential harm to impacted data subjects, data breach seems a likely area for regulation in the near term, including, for example, content requirements for the notice to the DPB and to data subjects and timing requirements for those notifications.
Compliance Recommendation: Update any internal security incident response protocol to cover potential notification obligations in the event of a security breach in India and continue to monitor developments in India for any clarifying regulations or guidance.
Data Protection Officer — Narrower than the GDPR and probably unlikely to apply
An organization is required to formally appoint a data protection officer (DPO) only if it qualifies as a Significant Data Fiduciary. Only organizations designated as such by the central government in the Official Gazette qualify. When deciding whether an organization should be designated as a Significant Data Fiduciary, the central government must consider whether the organization’s processing may impact the sovereignty and integrity of India, create risk to electoral democracy, or jeopardize the security of the state, among other factors. It is unlikely that an Indian subsidiary of a U.S. multinational would be designated under these criteria.
For organizations that the central government does not designate, the Act requires only the identification of a point of contact who is authorized to respond to any communications from data subjects regarding the processing of their personal data. This person is not required to fulfill the extensive responsibilities which the Act assigns to a DPO.
Compliance Recommendation: Confirm that the individual and/or team designated to respond to individuals about corporate data privacy practices and polices is trained and prepared to respond to inquiries from data subjects in India.
Penalties — Not as high as those under GDPR
The Act authorizes the DPB to impose penalties only for “significant” violations. Penalties under the DPDA can be hefty. The maximum penalty of up to 250 crore rupees ($30 million) can be imposed for failure to implement information security measures necessary to mitigate the risk of a personal data breach. For most other violations, the maximum penalty is 200 crore rupees ($24 million). For large U.S. multinationals, these maximums compare favorably to the GDPR, which allows for penalties reaching up to 4% of annual turnover for the entire corporate group. The Act does not provide for individual liability, for a private right of action, or for criminal sanctions.
Forecasting Government Implementation of the DPDA
The DPDA’s effective date has not yet been set, but it is anticipated that the government will implement the law within 10 months of its enactment. Historically, the central government has implemented comprehensive legislation like the DPDA in phases. Many questions of form and manner are left largely open ended in the DPDA and will need to be prescribed by the central government. In fact, the Act authorizes the central government to issues regulations on more than two dozen aspects of the DPDA.
Furthermore, the DPDA provides for the creation of the Data Protection Board that will be formed at the federal level as the exclusive administrative body. Specifically, the DPB will, among other things, resolve grievances, address non-compliance, and issue penalties. Consequently, until the DPB is established, enforcement cannot occur.
Next Steps for U.S. Multinational Employers
U.S. multinational employers with a subsidiary in India should consider taking the initial compliance steps described above. These measures should align with current compliance documents and not require a substantial investment of resources. Global organizations may also want to monitor developments as the Indian central government implements the DPDA because additional compliance steps will likely be required.