Publication 02 Jan 2025 · India

The Data Wrap 3.0


The year 2024 has been a year of anticipation. On one hand the industry was looking forward to seeing the draft Digital Personal Data Protection Rules (“Draft DPDP Rules”) being issued and notified (post public consultations) and the government notifying the effective date for the Digital Personal Data Protection Act, 2023 (“DPDP Act”). On the other hand, the government issuing the draft of the Digital India Act (which would inter alia replace the current Information Technology Act, 2000) was eagerly awaited. But, not much of it came true that year.

However, the government has begun 2025 with a bang! The Draft DPDP Rules are finally out (albeit 16 months after the publication of the DPDP Act). This marks a significant step towards consolidating India’s data protection framework. The Draft DPDP Rules strike a positive balance, providing much-needed clarity to stakeholders without adding unnecessary complexity.

For more on the Draft DPDP Rules, please see our note,[1] wherein we analyse the provisions of the draft DPDP Rules, provide an overview of the key provisions, and highlight the critical issues requiring further clarification. These Draft Rules are open for public consultations and stakeholders are to provide their comments by February 18, 2025.

DATA PROCESSOR OR DATA FIDUCIARY? WHO ARE YOU? 

Since we are on DPDP Act, we thought of discussing one of the key contentious questions that we get asked viz., who are we? Data Fiduciary or Data Processor?

As we all know, the DPDP Act deals with three parties viz., Data Fiduciaries, Data Processors and Data Principals. The Data Fiduciary is the primary entity responsible for compliance and accountable for non-compliance under the DPDP Act, including any non-compliance by its engaged Data Processor[2]. Thus, understanding who you are in terms of your data processing is important to determine your responsibility and liability under the DPDP Act.

Data Fiduciary. The DPDP Act defines a Data Fiduciary as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data[3]. They are at the heart of data governance and bear significant obligations under the DPDP Act. These include (i) ensuring accuracy, consistency, and completeness of data[4] (if the personal data is likely to be (a) used to make a decision affecting the data principal or (b) disclosed to another Data Fiduciary), (ii) implementing robust security measures[5], (iii) ensuring the erasure of personal data once its purpose is fulfilled or if consent for processing is withdrawn by the Data Principal (unless required to be retained by law), (iv) appointing and publishing the details of a contact person to answer the queries of Data Principals with regard to their personal data[6], and (v) notifying the Data Protection Board of India (“DPB”) and affected Data Principals in the event of a personal data breach[7]. Further, they are accountable for the processing of personal data by Data Processors engaged by them[8].

Data Processor. A Data Processor refers to any person who processes personal data on behalf of a Data Fiduciary[9]. Their role is more operational, and their activities are strictly guided by the instructions of the Data Fiduciary. While they do not determine the purpose or means of processing personal data, Data Fiduciaries are tasked with ensuring that Data Processors are compliant with the DPDP Act, such as maintaining the confidentiality of personal data and reporting personal data breaches[10].

Are you a Data Processor or Data Fiduciary? Ultimately, the test for whether an organisation is a Data Fiduciary or a Data Processor is whether it determines the purpose and means of processing. For example, an e-commerce platform that collects its customers’ personal data, such as names, addresses and payment details, to process orders and deliver products will typically be a Data Fiduciary, as it decides the purpose of collecting the data (e.g., to fulfil orders, send marketing emails, etc.) and how it will be processed (e.g., stored in its database and shared with delivery partners). On the other hand, a cloud service provider engaged by that e-commerce platform to host and store the platform’s customer data will typically be a Data Processor. This is because the cloud service provider does not decide why or how the data is collected or used; it processes and stores the data on the instructions of the e-commerce platform (e.g., storing the data securely, allowing access to the e-commerce platform’s team, taking regular backups, etc.). Note that the same entity can be a Data Fiduciary for some processing (e.g., the cloud provider’s own billing and account data about the platform’s staff) and a Data Processor for other processing, so the question must be asked per processing activity rather than per organisation.

Are you steering the ship, or are you merely assisting with the journey? The answer defines your obligations and responsibilities under the DPDP Act.

GDPR vs. DPDP Act

Organisations that are compliant with GDPR often ask whether they still need to comply with the DPDP Act and what the differences are between the two statutes. While being GDPR compliant addresses some aspects of processing of Indian residents’ data, it is important to recognise that, despite some similarities, the DPDP Act has specific requirements that are distinct and must be followed by organisations. To help navigate these distinctions, the table below highlights key differences between the GDPR and the DPDP Act, identifying potential gaps that organisations may need to address to align their compliance strategies and prepare for the DPDP Act.

Terminology and Key Actors
GDPR: Contemplates three actors: (i) data controllers; (ii) data processors; and (iii) data subjects.
DPDP Act: In addition to the GDPR-equivalent actors (Data Fiduciaries, Data Processors and Data Principals), the DPDP Act also contemplates (i) Significant Data Fiduciaries; and (ii) Consent Managers.
Recommendation: Entities should evaluate their role under the DPDP Act to ascertain the scope of compliance measures to be adopted.

Applicability and Scope
GDPR: Applies to personal data (including the sub-category of special categories of data) processed wholly or partly by automated means, and to non-automated processing where the data forms part of, or is intended to form part of, a filing system.
DPDP Act: Applies only to digital personal data, i.e., personal data collected in digital form or collected in non-digital form and subsequently digitised. Does not govern personal data made publicly available by the Data Principal or under a legal obligation.
Recommendation: Assess which of the personal data you hold is digital (or digitised) and therefore within the scope of the DPDP Act.

Territorial Scope
GDPR: Extends to entities outside the European Union (“EU”) if they offer goods or services to, or monitor the behaviour of, data subjects in the EU.
DPDP Act: Covers processing of digital personal data within India, and processing outside India if it is in connection with offering goods or services to Data Principals within India, irrespective of where the processing entity is located.
Recommendation: Review cross-border data processing and service offerings to ensure compliance with the jurisdictional reach of each regulation.

Notice Requirements
GDPR: Requires comprehensive and clear notices detailing, inter alia, the purposes of processing, the legal basis, data retention periods and the rights of the data subject.
DPDP Act: Notice must be given before or at the time of seeking consent, as a document that is separate from, and not bundled with, terms of use or other communications. It must, inter alia, specify the personal data collected and the purposes of collection, and describe how consent may be withdrawn and how a complaint may be made to the DPB.
Recommendation: Both the DPDP Act and the GDPR emphasise clear and accessible notices. However, the DPDP Act (read with the Draft DPDP Rules) explicitly requires a standalone notice, unlike the GDPR, so GDPR-style layered privacy policies will need a separate India-specific consent notice.

Consent Mechanisms
GDPR: Consent must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative action (such as a signature or ticking an unticked checkbox). For special categories of data, ‘explicit’ consent through a specific statement is required.
DPDP Act: Consent must be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, and limited to the specified purpose. The DPDP Act has no separate category of sensitive personal data and hence no separate ‘explicit’ consent standard.
Recommendation: There is minimal difference between the consent requirements under the GDPR and the DPDP Act; GDPR-grade consent flows will generally satisfy the DPDP Act, subject to the standalone notice requirement above.

Exceptions to Processing with Consent
GDPR: Permits processing without consent on the basis of contracts, legal obligations, vital interests, public tasks and legitimate interests, provided these do not override the fundamental rights of the data subject.
DPDP Act: Permits processing without consent only for the ‘legitimate uses’ enumerated in the Act, such as certain State functions, legal obligations, medical emergencies, judicial orders and specified employment-related purposes. There is no general ‘legitimate interests’ or ‘contractual necessity’ ground.
Recommendation: Clearly document processing activities that rely on an exception to consent under the DPDP Act. The exceptions to consent are more specific and exhaustive under the DPDP Act, so processing that a GDPR legitimate-interests assessment currently covers may require consent in India.

International Data Transfers
GDPR: Permits cross-border transfers under adequacy decisions, binding corporate rules and specific safeguards such as standard contractual clauses.
DPDP Act: Permits transfers to any country other than those the Central Government restricts by notification; sector-specific laws imposing stricter transfer or localisation requirements continue to apply.
Recommendation: Monitor updates on jurisdictions to which transfers are restricted and establish safeguards for international transfers.

Breach Notification
GDPR: Requires notification to the supervisory authority within 72 (seventy-two) hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and notification to affected data subjects without undue delay where the breach is likely to result in a high risk to them.
DPDP Act: Requires notification of every personal data breach to the DPB and to each affected Data Principal, without any risk threshold. The Draft DPDP Rules propose that the DPB be intimated without delay, with the details to be furnished within 72 (seventy-two) hours (or such longer period as the DPB may allow).
Recommendation: Review existing breach response and notification procedures to align with the DPDP Act reporting requirements, and note that the CERT-In directions under the IT Act impose their own, separate reporting timeline for cyber incidents.

AI EVERYWHERE!  

2024 was the year of Artificial Intelligence (“AI”). AI has tremendous potential and everyone seems to want a piece of the AI pie, with every organisation either developing an AI system of their own or using a third-party AI system for its business. However, like every other technological development that has occurred in the past, AI is not perfect and has several issues (both technical as well as legal).

As companies increasingly adopt AI technologies, they must navigate a complex landscape of data protection laws, regulatory requirements, and emerging judicial precedents[11]. Recent legal developments across the world, including the DPDP Act, 2023, have further highlighted the importance of compliance in this regard. Failure to do so could expose companies to significant legal, financial, and reputational risks.

DPDP Act and its implications on AI

Consent and Lawful Processing. The DPDP Act requires Data Fiduciaries to process personal data only for a lawful purpose, either with the Data Principal’s consent or for one of the ‘legitimate uses’ specified in the Act, and only for the purpose for which it was collected.[12] For companies deploying AI systems, this means implementing mechanisms to obtain and record informed consent for the use, storage and transfer of personal data for AI training and operations, together with consent-management tooling that lets Data Principals withdraw consent at any time, after which the withdrawn data must cease to be used by the AI system (including for further training runs).

Data Minimization and Purpose Limitation. The DPDP Act mandates collection and processing of only such amount of personal data that is necessary to achieve the specific purpose for which the personal data was collected.[13] This data processing principle presents unique challenges in the context of AI systems, which are designed to process extensive datasets to enhance their performance. To adhere to this principle, companies must implement protocols that restrict the scope of processing of personal data collected for AI systems. This may involve anonymizing or pseudonymizing personal data before it is used for AI training and ensuring that all data collected aligns with predefined purposes of processing.

Managing Training Data. The datasets used to train AI systems are often obtained from diverse sources, raising concerns about unauthorised use of data and compliance with licensing requirements. Data Fiduciaries must ensure that all training datasets are legally acquired, appropriately licensed, and do not contain personal data without appropriate consents. Intellectual property rights infringement issues may also arise if copyrighted materials are included in the training data used by AI systems. This presents significant challenges as AI systems may inadvertently reproduce or generate outputs derived from copyrighted content within their training data, potentially leading to intellectual property infringement issues (one such example arose in the recent case of ANI v. OpenAI, where ANI alleged unauthorised use of its copyrighted content for training AI models).[14]

Ensuring Data Security. In addition to cybersecurity directions issued by the CERT-In under the Information Technology Act, 2000 (“IT Act”),[15] the DPDP Act imposes an overarching obligation on Data Fiduciaries to adopt appropriate technical and organisational measures to safeguard personal data while it is processed or stored.[16] This includes implementing encryption and access controls and conducting regular security audits to detect and mitigate potential vulnerabilities. For AI systems, data security concerns are particularly acute due to the volume and sensitivity of data processed.

Data Retention. Data Fiduciaries are required to delete personal data once the purpose for which it was processed has been achieved or when consent for its processing is withdrawn.[17] Considering the ‘black box’ nature of AI models, it may be difficult to identify and remove a specific Data Principal’s data once it has been incorporated into a training dataset or learned by the model. To address this, companies should maintain data lineage from the point of collection: tag or tokenise personal data before it enters the training pipeline, log which datasets and model versions it flowed into, and retain the ability to locate and delete (or permanently unlink) it on request. Regular audits should also be conducted to verify that deletion requests from Data Principals and regulatory mandates have actually been honoured.
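The two principles discussed above, data minimisation before AI training and erasure on consent withdrawal, are easier to reason about with a concrete pipeline. The following is an added example written for this note; it is not code from the article, from any DPDP Rule, or from any vendor. It assumes a hypothetical Data Fiduciary that wants to train a recommendation model on order records: direct identifiers are dropped, only an allow-list of fields survives, and the Data Principal is represented by an HMAC token derived from a per-principal key held in a vault outside the corpus. Withdrawal of consent deletes that key (crypto-shredding) and returns the tokens whose rows must be purged, so erasure does not depend on finding names or emails inside the training set. The field names, the 16-hex-character token length and the sample records are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Fields a hypothetical recommendation model is permitted to learn from
# (purpose limitation). Anything not listed here is dropped at ingestion.
ALLOWED_FIELDS = {"city", "category", "order_value"}

# Direct identifiers that must never reach the training corpus.
DIRECT_IDENTIFIERS = {"name", "email", "phone"}


class TokenVault:
    """Per-Data-Principal HMAC keys, held by the Data Fiduciary outside the
    training corpus. A token is HMAC-SHA256(key_for_principal, principal_id),
    so rows from the same principal stay joinable for training, while nothing
    in the corpus reveals who the principal is."""

    def __init__(self):
        self._keys = {}    # principal_id -> 32-byte key (assumed vault storage)
        self._issued = {}  # principal_id -> set of tokens placed in the corpus

    def token(self, principal_id):
        key = self._keys.setdefault(principal_id, secrets.token_bytes(32))
        digest = hmac.new(key, principal_id.encode(), hashlib.sha256).hexdigest()
        tok = digest[:16]  # truncated for readability; keep the full digest in production
        self._issued.setdefault(principal_id, set()).add(tok)
        return tok

    def is_linkable(self, principal_id):
        """True while the vault can still map this principal to corpus rows."""
        return principal_id in self._keys

    def withdraw_consent(self, principal_id):
        """Crypto-shred the principal's key and return the tokens whose rows
        must be purged from every dataset they were issued into."""
        self._keys.pop(principal_id, None)
        return self._issued.pop(principal_id, set())


def pseudonymise(record, vault):
    """Minimise one raw record: keep only ALLOWED_FIELDS, replace the
    principal id with a vault token, and drop direct identifiers and any
    unlisted field (e.g. an IP address collected for fraud checks)."""
    out = {"subject": vault.token(record["principal_id"])}
    for field, value in record.items():
        if field == "principal_id" or field in DIRECT_IDENTIFIERS:
            continue
        if field in ALLOWED_FIELDS:
            out[field] = value
    return out


def build_corpus(raw_records, vault):
    return [pseudonymise(r, vault) for r in raw_records]


def purge(corpus, tokens):
    """Erasure step: remove every row belonging to the shredded tokens."""
    return [row for row in corpus if row["subject"] not in tokens]


def contains_identifier(corpus):
    """Audit check: does any corpus row still carry a direct identifier?"""
    return any(f in DIRECT_IDENTIFIERS for row in corpus for f in row)


# Constructed sample records (not real customer data).
RAW_RECORDS = [
    {"principal_id": "p-1001", "name": "A. Sharma", "email": "a@example.test",
     "phone": "+91-00-0000-0001", "city": "Bengaluru", "category": "books",
     "order_value": 1200, "ip": "203.0.113.7"},
    {"principal_id": "p-1002", "name": "B. Rao", "email": "b@example.test",
     "phone": "+91-00-0000-0002", "city": "Pune", "category": "audio",
     "order_value": 4800, "ip": "203.0.113.9"},
    {"principal_id": "p-1001", "name": "A. Sharma", "email": "a@example.test",
     "phone": "+91-00-0000-0001", "city": "Bengaluru", "category": "games",
     "order_value": 650, "ip": "203.0.113.7"},
]


if __name__ == "__main__":
    vault = TokenVault()
    corpus = build_corpus(RAW_RECORDS, vault)
    print("training rows:", corpus)
    gone = vault.withdraw_consent("p-1001")  # the Data Principal withdraws consent
    corpus = purge(corpus, gone)
    print("after erasure:", corpus, "| still linkable:", vault.is_linkable("p-1001"))
```

Two design points matter here. First, the key lives with the Data Fiduciary and never with the Data Processor running the training job, so a processor that loses the corpus cannot re-identify anyone; that is the practical benefit of the ‘virtual tokens mapped to personal data’ approach the Draft DPDP Rules contemplate. Second, crypto-shredding handles the mapping, but it does not erase what a model already learned from those rows; the returned token set tells you which rows to drop from the dataset, and the model must be retrained (or the affected version retired) from the purged corpus for the withdrawal to be complete.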

The successful implementation of AI systems requires Data Fiduciaries to maintain a delicate balance between technological innovation and data protection compliance. While DPDP Act is not yet in force, companies must take proactive action to align with emerging regulatory standards in this rapidly evolving AI landscape. This approach will enable Data Fiduciaries to harness the benefits of AI technology while maintaining stakeholder trust and goodwill and meeting their legal obligations.

CYBERSECURITY INCIDENTS: HOW TO MANAGE?  

With the increasing dependence on digital technologies (and the penalties prescribed under the DPDP Act), organisations face tremendous pressure to ensure the safety of the personal data they process. Yet no technology is infallible or unbreachable, and cybersecurity incidents can lead to significant financial, reputational and legal consequences. Thus, entities (both Data Fiduciaries and Data Processors) need to be prepared to tackle any cybersecurity incident they suffer in order to minimise those consequences.

Below we provide some insights on best practices for managing cybersecurity incidents.

Being Prepared. Preparation is essential for effective cybersecurity incident management. Entities must have in place robust cybersecurity policies, a breach protocol and an incident response plan which, inter alia, constitutes an incident response team and sets out its roles, responsibilities and escalation paths, including who is authorised to make regulatory notifications and within what timeframe. Additionally, employees with access to an entity’s data or systems should be regularly trained on the dos and don’ts so as to minimise risks arising from human error; most cyber incidents involve an element of negligence or omission on the part of employees and other internal stakeholders.

Deploy monitoring tools for detection. Early detection of cybersecurity incidents is critical for minimising damage. Entities should deploy tools and monitoring systems capable of identifying anomalies and potential breaches, and should retain access and audit logs (with synchronised timestamps, stored where an attacker cannot alter them) so that all activity on a compromised system can be reconstructed during the investigation.

Containing the cybersecurity incident. Once an incident is detected, the first step is to contain it: isolating the affected systems, revoking compromised credentials and preserving evidence (logs, disk images, memory captures) for the investigation and for any regulatory inquiry. Containment should, however, be carried out in a manner that does not unnecessarily disrupt business continuity.

Investigation and Incident reporting. Alongside containment, the entity needs to investigate the cause of the incident, the data compromised, the Data Principals affected, etc., and accordingly make the reports prescribed by regulators to the relevant stakeholders within the timeframes under applicable law (the CERT-In directions under the IT Act and the DPDP Act each carry their own reporting obligations). Do note, under the DPDP Act, one of the highest penalties that can be imposed is for failing to comply with the breach reporting obligations.

Post-Incident review. Post-incident reviews are essential for improving future response capabilities. From a legal perspective, this involves submission of post incident reports to the regulators, communicating appropriately to relevant affected stakeholders and revising internal policies (specifically the incident response plan) and assessing potential legal claims arising from the said incident.

Effective cybersecurity incident management is as much about legal strategy as it is about technical execution. Entities must proactively prepare for cybersecurity incidents by aligning their policies, practices and systems with the legal requirements. By doing so, not only can they mitigate the immediate impact of cyber incidents but also minimise the legal consequences.

DATA PRIVACY IN THE AGE OF INTERNET OF THINGS  

The internet has become the global ‘nervous system’[18] of human civilization wherein individuals are more connected with each other than ever before. Our devices have not only become the synapses through which we connect to this vast human network but have also become the means for us to carry out our most mundane to complex tasks. Given the vital role that our devices play in our daily lives, it is only natural that we have briskly adopted technologies through which our devices (like us) connect with each other. With over 18 billion connected devices across the world[19] and such number only growing at lightning speed[20], we are now truly in the age of Internet of Things (“IoT”).

IoT, simply put, is a system of interrelated devices connected to the internet which send and receive data. IoT connects everyday ordinary objects, or “things,” to the internet, thereby allowing such objects to collect, transmit, and share data between one another. 

Presently, IoT systems have found utility in diverse use cases from wearable electronics to our homes, vehicles and factory floors. An example of an IoT system is a smart home where ordinary home appliances such as air conditioners, alarm clocks, lights, smoke detectors etc., are interconnected so as to enable them to share data with one another to perform automated functions. Such data can also be accessed by a user through a mobile application or web platform to enable the user to control the devices remotely.

Different technologies are used to allow communication between devices in an IoT system: wireless local area networks (WLAN, most commonly Wi-Fi), wireless personal area networks (WPAN) such as Bluetooth and Zigbee, and cellular networks. Interoperability among the devices is the most important feature of IoT, wherein data transfers between devices inter se and between IoT devices and back-end infrastructure are critical.

IoT systems are built on the premise that specific specialised devices (such as those with sensors, microphones, cameras, etc.,) collect data that can be utilised by such device and/or shared to another device for such device to perform its function. This necessarily entails large amounts of data being collected, stored, and shared. Such data is analysed for the benefit of the many stakeholders who are a part of the IoT ecosystem including the user, product manufacturer and network provider. It is relevant to note that since a diverse set of data is collected through multiple devices, the likelihood of collection of highly detailed and sensitive data, including personal data, is significantly higher. This is especially true for IoT use cases such as wearable electronics, medical devices, NFC payment systems, smart homes etc., as these systems necessarily involve handling of personal data that is sensitive in nature. Further, since it is the nature of IoT systems to collect, use and share data through multiple devices in close proximity to each other, it is relatively unchallenging for one to combine the data collected and to draw more specific inferences which may even be on a real-time basis.

With the ability to constantly collect high volumes of data coupled with enhanced data monitoring and analytical capabilities, IoT opens doors to many applications as outlined above. However, the same capabilities also hold the potential of such systems becoming the proverbial ‘Big Brother’ with there being several precedents of excessive and unauthorised data collection and its usage by IoT systems.[21]

Further, like any digital system, IoT systems too are fallible and can be a cause for concern from a data security and privacy point of view.[22] Since IoT systems are capable of collecting and analysing personal data in the manner as set out above, obtaining specific and informed consent (as required under the DPDP Act) from users could pose a challenge, and users may end up providing their personal data without being aware of where or how it will be used. Further, in an IoT environment, the data collected is generally stored and processed on cloud platforms, enabling such data to be accessible by third parties and introducing additional risks and vulnerabilities with respect to the privacy of users.

With the introduction of the DPDP Act, which is now supplemented by the recently published Draft DPDP Rules and the promise of a comprehensive Digital India Act, it appears that the privacy and data protection concerns as mentioned above will largely be allayed in the future. That said, it remains to be seen how the nuances of the measures prescribed under the DPDP Act and Draft DPDP Rules such as encryption, obfuscation, masking, use of virtual tokens mapped to personal data and adoption of strict access controls will impact IoT systems.

DPDP Act and EU AI Act for cross border data transfer 

The European Union Artificial Intelligence Act (“EU AI Act”) is one of the first comprehensive laws governing AI in the world. It was published in the Official Journal of the EU on July 12, 2024, and entered into force on August 01, 2024. The EU AI Act consolidates the ex-ante and ex-post compliances an AI system is required to undertake throughout its lifecycle, including transparency obligations, impact assessments, and data privacy and protection obligations.

The EU AI Act applies extraterritorially to operators, including (a) any provider placing on the market, or otherwise putting into service, an AI system or general-purpose AI model (“GPAI”) in the EU, irrespective of whether the provider is established or located within the EU or in a third country; (b) any provider or deployer of an AI system that is established or located in a third country, if the output produced by the AI system is used in the EU; and (c) any authorised representative of a provider that is not established in the EU.

Accordingly, if any provider or deployer located outside the EU either (i) places an AI system or GPAI on the EU market, or (ii) has the output of its AI system used in the EU, such provider or deployer will fall within the regulatory ambit of the EU AI Act and will have to comply with the data protection obligations enumerated under it.

On the other hand, the DPDP Act applies to processing of digital personal data outside the territory of India if such processing is in connection with any activity related to offering goods or services to Data Principals within India. Section 2(b) of the DPDP Act defines ‘automated’ as any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data. ‘Data’ is defined under the DPDP Act as a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means. Where such data is subjected to a wholly or partly automated operation or set of operations, that is ‘processing’ as defined under the DPDP Act. Since training and running an AI model on personal data is processing by automated means, the DPDP Act applies to any processing of personal data for the development or deployment of AI systems in connection with goods or services offered in India.

Consequently, any developer or deployer of an AI system processing personal data through automated means in relation to goods or services offered in India will be subject to compliance under the DPDP Act. That said, the DPDP Act does not apply to personal data made publicly available by the Data Principal herself or by another person under a legal obligation; an AI system processing only such personal data will be outside the purview of the DPDP Act. The exemption does not extend to personal data that merely happens to be accessible online (for example, data exposed through a breach or scraped in violation of a platform’s terms), so ‘publicly available’ should not be read as ‘publicly reachable’.

The objective of the DPDP Act is to regulate the personal data processing practices of all entities operating within India or offering goods or services in India. The EU AI Act is much narrower in scope in relation to data protection compliances and only sets out data protection obligations specific to AI systems and GPAIs. Both statutes set out similar data protection principles, but an entity’s obligations under each will differ based on factors including its role in the AI value chain, the risk classification of the AI system, the personal data it seeks to process, and the manner of processing. Given the extraterritorial applicability of both the DPDP Act and the EU AI Act, entities undertaking cross-border transfers of personal data while deploying an AI system will need to first understand and identify their roles under the EU AI Act and the DPDP Act based on the aforesaid factors, and then comply with each statute accordingly.

[1] Unpacking the Draft Digital Personal Data Protection Rules, 2025, available at https://induslaw.com/publication/935/Unpacking_the_Draft_Digital_Personal_Data_Protection_Rules_2025. Alternatively, write to us at data.queries@induslaw.com for a copy of the above note.

[2] Section 8(1) of the DPDP Act.

[3] Section 2(i) of the DPDP Act.

[4] Section 8(3) of the DPDP Act.

[5] Section 8(5) of the DPDP Act.

[6] Section 8(9) of the DPDP Act.

[7] Section 8(6) of the DPDP Act.

[8] Section 8(1) of the DPDP Act.

[9] Section 2(k) of the DPDP Act.

[10] Section 8 of the DPDP Act.

[11] One such example is the case of Mobley v. Workday, Inc., where a US court delivered the first-ever ruling holding an AI software vendor liable for employment discrimination caused by the use of its AI hiring tool. In this case, Derek Mobley, an African American man aged over 40 years who was rejected from over 100 jobs that he had applied for through Workday’s platform despite having the requisite qualifications, had filed a class action suit against Workday, Inc. alleging that Workday’s algorithm-based applicant screening tools discriminated against him and other similar candidates on the basis of race, age, and disability. The court held that Workday, which qualified as an agent of the employers because its AI tool performed a traditional hiring function, could not escape liability for such discrimination.

[12] Section 4 of the DPDP Act.

[13] Section 6 of the DPDP Act.

[14] Available here.

[15] Available here.

[16] Section 8(5) of the DPDP Act.

[17] Section 8(7) of the DPDP Act.

[18] https://blogs.cornell.edu/info2040/2015/10/23/humanity-gaining-a-nervous-system-the-internet/

[19] https://iot-analytics.com/number-connected-iot-devices/

[20] https://iot-analytics.com/number-connected-iot-devices/

[21] https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-doj-charge-amazon-violating-childrens-privacy-law-keeping-kids-alexa-voice-recordings-forever; https://fortune.com/2017/10/11/google-home-mini-data-privacy/; https://www.forbes.com/sites/kateoflahertyuk/2020/02/26/new-amazon-apple-google-eavesdropping-threat-should-you-quit-your-smart-speaker/

[22] https://www.weforum.org/stories/2024/05/internet-of-things-dark-web-strategy-supply-value-chain/ ; https://www.business-standard.com/technology/tech-news/amazon-alexa-google-home-top-privacy-risks-in-smart-home-devices-study-124061700257_1.html ; https://www.wired.com/story/google-home-chromecast-location-security-data-privacy-leak/


This article is for information purposes only. Nothing contained herein is, purports to be, or is intended as legal advice and you should seek legal advice before you act on any information or view expressed herein. Although we have endeavoured to accurately reflect the subject matter of this article, we make no representation or warranty, express or implied, in any manner whatsoever in connection with the contents of this article. No recipient or reader of this article should construe it as an attempt to solicit business in any manner whatsoever.
