Zscaler and India’s Data Protection Laws
Introduction
After a long (seven-year) gestation period, India has enacted the Digital Personal Data Protection Act of 2023 (“DPDPA”), a comprehensive data protection law that provides a framework for regulating the collection, processing and storage of personal data. While the DPDPA was signed into law on August 12, 2023, implementing regulations for the DPDPA have not yet been issued. The DPDPA will replace the privacy rules applicable under Section 43A of India’s Information Technology Act.
This overview describes key provisions of the DPDPA and how Zscaler will comply with it.
- Definition of personal data. Personal data is broadly defined to include any data relating to a natural person who is either (i) identifiable or (ii) could be made identifiable through direct or indirect means. This encompasses a wide range of information, including names, addresses, financial data, online identifiers, and geolocation data.
- Legal basis for processing. The DPDPA allows data processing only for "lawful purposes" based on consent or other specific grounds. Consent must be "free, specific, informed, unconditional, and unambiguous," with clear affirmative action signifying consent. Additional lawful bases include public interest, legal obligations, contractual necessity, and vital interests of the data subject.
- Individual rights. The DPDPA grants individuals (referred to as “data principals”) extensive rights over their personal data. These rights (which align with the rights granted to data subjects under the GDPR) include: (i) right to access (individuals can request a copy of their personal data held by an entity); (ii) right to correction (individuals can request that inaccuracies in their data be corrected; (iii) right to erasure (individuals can request deletion of their data in certain circumstances); (iv) right to restrict processing (individuals can object to or restrict the processing of their data); and (v) right to data portability (individuals can request transfer of their data to another entity).
- Security measures. The DPDPA imposes obligations on "data fiduciaries" (entities that control and process personal data, similar to “controllers” under the GDPR) to implement appropriate security measures to protect personal data from unauthorized access, disclosure, or destruction. These measures must be commensurate with the nature of the data and the risks involved.
- Security breach requirements. In case of a data breach, data fiduciaries must notify the Data Protection Board of India and affected individuals without undue delay. They must also take necessary steps to contain the breach and mitigate its potential harm. Details as to what breaches trigger the notification requirement, and the timeframe for reporting breaches, will follow in the DPDPA regulations.
- Extraterritorial scope. The DPDPA applies to the processing of personal data of individuals in India, regardless of the location of the data fiduciary. This extraterritorial application extends to entities offering goods or services in India, even if they are not physically present in the country.
- Outsourcing. In recognition of the importance of the Business Processing Outsourcing (“BPO”) industry in India, the DPDPA provides certain exemptions in the context of cross-border BPO activities. In particular, when personal data of individuals not within India is processed by an India-based entity pursuant to a contract entered into with an entity outside of India, that processing is not subject to obligations imposed on data fiduciaries (including Significant Data Fiduciaries) or with respect to cross-border transfers or individual rights; however, the security measure obligations remain applicable.
Concept of “Significant Data Fiduciaries”
The DPDPA introduces the novel concept of Significant Data Fiduciaries (“SDFs”). SDFs are data fiduciaries that process a large volume of personal data, particularly sensitive data, that may pose significant risks to the rights and freedoms of individuals. The India Government has the power to designate any data fiduciary (or class of fiduciaries) as an SDF based on various factors, including: (i) volume and sensitivity of personal data processed; (ii) nature of the processing activities; (iii) risk of harm to data subjects; (iv) financial turnover or market share of the fiduciary; and (v) impact of the processing on national security or public order.
SDFs face additional obligations compared to regular data fiduciaries, such as:
- Appointing a Data Protection Officer (“DPO”): SDFs must have a dedicated DPO responsible for data protection compliance.
- Conducting Data Protection Impact Assessments (“DPIAs”): SDFs must conduct DPIAs for high-risk processing activities to identify and mitigate potential risks.
- Appointing an independent data auditor: SDFs must appoint an independent auditor to regularly assess their data protection practices.
- Implementing stricter security measures: SDFs must implement stronger security measures commensurate with the risks involved in their processing activities.
These additional obligations ensure that SDFs, which handle particularly sensitive and large amounts of data, prioritize data protection and minimize risks to individuals' privacy.
Restrictions on Cross-Border Data Transfers
The DPDPA regulates the cross-border transfer of personal data, seeking to ensure adequate levels of protection in the receiving country. While cross-border transfers are generally permitted (i.e., the DPDPA contains no data localization requirements), the India Government has the power to restrict them to certain countries or territories through notification. Further regulations are expected to clarify the criteria and procedures for such restrictions.
Zscaler Compliance with India’s Data Protection Laws
In its role as a processor of customer data that may be subject to India’s data protection laws, Zscaler is committed to meeting its compliance obligations, including as follows:
- Legal basis for personal data processing. Zscaler ensures that it satisfies the requirements of the DPDPA for personal data processing, including by requiring its customers to obtain all necessary consents and only processing personal data for the purpose of providing its services and products to the customer.
- Security measures. Zscaler has adopted reasonable security safeguards to prevent personal data breaches. These safeguards include establishing internal personal data management policies and procedures, applying appropriate technical security measures such as cryptography and anonymization, conducting training, and creating contingency plans.
- Data breaches. In the event of a data breach, Zscaler will promptly notify its customers as well as the Data Protection Board of India as required under the DPDPA and any applicable regulations.
- Rights of data subjects. Consistent with the requirements of the DPDPA, Zscaler assists its customers in fulfilling their obligations to allow data principals to exercise their data protection rights, including rights of access, correction, and erasure of personal data.
- Cross-border transfers. Zscaler will continue to comply with its obligations to protect personal data under the DPDPA with respect to any transfers of personal data from India to a third country. Further, Zscaler will monitor and comply with any country-specific restrictions that may be imposed by the Data Protection Board of India.
- Outsourcing exemptions. To the extent that Zscaler outsources any personal data processing to an India-based service provider, Zscaler is aware of and will take advantage of the BPO exemptions specified in the DPDPA. In any event, Zscaler will take appropriate steps to ensure that its India-based service providers maintain the security of any outsourced personal data.
- Significant Data Fiduciaries. If any Zscaler client is designated as an SDF, Zscaler will take reasonable measures to assist that client in complying with its SDF obligations.
Zscaler will update this overview once the DPDPA’s implementing regulations and enforcement mechanisms have been approved and issued.
Helpful Links Regarding India Data Protection Laws
Text of the DPDPA: https://dpdpa.co.in/
India Ministry of Electronics and Information Technology: http://www.cac.gov.cn/2016-11/07/c_1119867116.htm
NOTE: While this site is designed to help organizations understand India’s data protection laws in connection with Zscaler's services and products, the information contained herein should not be construed as legal advice. Organizations should consult with their own legal counsel with respect to interpreting their unique obligations under India’s data protection laws.