"Consent is still the primary justification for the processing of personal data under the DPDPA. The DPDPA also allows controllers to process information for the ‘purposes of employment’, and while some clarification was expected in the DPDPRs, this has unfortunately not been forthcoming."
    - Srijoy Das, Counsel, G&W Legal

    How would you compare the stringency of India’s new data privacy law, the DPDPA, with those of other countries in Asia that lululemon operates in?

    Cecilia Chan (lululemon): lululemon supports all attempts in furtherance of providing individuals with an actionable right to privacy. We strive to meet or exceed all applicable privacy and data protection laws in the regions in which we operate, and we will do the same with the DPDPA. We are taking the necessary steps for this and are working with internal cross-functional partners to understand the measures we will need to take to comply both in letter and in spirit.

    The DPDPA presents some novel propositions, such as Consent Managers (independent third parties that enable data subjects to manage their consent), mentions of virtual tokens as a tool potentially to be used to prevent breaches, and the potential use of digital locker services. It was also somewhat unexpected in some quarters to see provisions inserted that can be viewed as a potential data localisation requirement. That being said, we are already subject to several very stringent data privacy statutes, such as in Korea and the EU, and will most certainly work diligently to be ready in time to take up our responsibilities of complying with the DPDPA as well.

    We are led to believe there may still be some changes to the final delegated legislation, and we await final provisions to amend plans that we already have underway. We are committed to achieving success in the Indian market!

    What immediate steps should one be taking in order to prepare to comply with new regulations in India?

    Cecilia Chan (lululemon): The first and most immediate item is a full understanding of the law and the requirements it places on a company like lululemon. It would be important to consider, for example, what justifications may be used for accessing and processing data, the rights to be offered to Indian data subjects, the appointment of statutorily required officers (if any), the moulding of internal privacy policies in alignment with the requirements of the DPDPA and training of employees to be sufficiently privacy-conscious. The last item is something that we always sensitise our employees to in line with what we hold as important here at lululemon.

    This new law emphasizes the critical importance of a robust privacy program that builds a culture of trust and transparency, benefiting both the organization and its stakeholders. By continuously striving to enhance our privacy practices, we can adapt to new challenges and take responsibility for safeguarding data and being accountable for its security.

    What should one be doing pre-emptively to comply? When does the law become effective?

    Dhruv Singh (G&W Legal): The DPDPA was passed by the Indian Parliament in August 2023 but is yet to become enforceable without subordinate legislation that is required to put in place a data protection authority (DPA) as well as procedural aspects of how the law will operate.

    In an attempt to cover these procedural aspects, the government published the Digital Personal Data Protection Rules (DPDPR) on 3 January 2025 with the intention of gathering stakeholder input till 18 February 2025 (thereafter extended till the 5th of March). Thus, the DPDPA has still not come into effect or become enforceable and will not till a final version of the DPDPR is published pursuant to the consultation.

    In their current form, the operative part of the DPDPR that concerns obligations for compliance with the DPDPA contemplates a further date to be notified by the government even after the final version of the rules is published post-consultation. Thus, it is reasonable to assume that the law will only become truly enforceable at least 6 months down the line, as this has been the expectation floated by the Indian government in the past.

    As far as compliance with the DPDPA is concerned, the first step that any organisation should take is, of course, to understand and appreciate the full nature of the personal data that it has at its disposal. It will need to find out whether it has consent for the use of this data (which is complicated by the fact that consent was not necessarily needed for processing non-sensitive personal data under the SPDI Rules, the statute that the DPDPA is replacing) and whether it truly needs access to the personal data in question.

    The DPDPA places a number of obligations upon data controllers (referred to in the Indian context as data fiduciaries; the terms data controller and data fiduciary have been used interchangeably herein). These include ensuring completeness, ensuring data security measures and having legitimate grounds for processing personal data, just to name a few. There are additional and more stringent obligations on a category of data controllers referred to as significant data fiduciaries, the threshold for which may be notified by the government on the consideration of a number of factors, including the risks involved for data subjects (referred to in the DPDPA as Data Principals) and the sheer volume of data involved. The DPDPRs provide no input on what this threshold is expected to be.

    Accordingly, internal data handling policies, processes, consent notices and privacy notices will almost certainly need to be reconsidered in light of the new law.

    Given the Indian government’s apparent intention to make the law effective, organisations would be prudent to carry out a mapping process to fully appreciate the personal data at their disposal.

    India’s new privacy law reportedly has strict data localisation mandates. How far-reaching are these rules, and what are the practical implications for companies handling Indian data?

    Srijoy Das (G&W Legal): In the primary legislation, the DPDPA, there are provisions that allow the government of India to notify specific countries or territories outside India where personal data may not be transferred. The intention appeared to have been to account for a ‘blacklist’ of territories which could pose a threat to national security or the privacy of Indian citizens.

    In a move that is regarded by some to be in stark contrast with the aforementioned provisions within DPDPA, the DPDPRs appear to have gone significantly further than the parent legislation to include a provision that allows the Indian government to specify conditions on which any personal data may be transferred outside the territory of India.

    Does the law apply equally to both foreign entities and Indian businesses, and under what circumstances can personal data of Indian individuals (as customers or employees) be accessed?

    Srijoy Das (G&W Legal): The DPDPA applies wherever there is the processing of digital personal data of individuals located within the territory of India, irrespective of whether the party processing the data is located within India or abroad.

    The practical aspects of how monetary penalties under the DPDPA would be enforced against data controllers who do not have any presence in India remain unclear. The DPDPA allows for the Indian Government to, on the recommendation of the DPA, issue a blocking order for a computer resource that allows the data controller to provide goods or services to data subjects located in India. This could mean that a website or an application would become unavailable to Indian data subjects as a result of such an order.

    Additionally, as has been well publicised, the DPDPA allows for the imposition of significant monetary penalties, though quite how effective a remedy these fines will be against corporations that do business in India but have no physical presence remains to be seen.

    Consent is still the primary justification for the processing of personal data under the DPDPA. This has not changed with the DPDPRs. The DPDPA also allows controllers to process information for the ‘purposes of employment’, and while some clarification was expected in the DPDPRs, this has unfortunately not been forthcoming. Accordingly, the latter justification should rightly be read narrowly, applicable only to individuals employed by an organisation and permitting processing only directly in furtherance of the purposes of such employment.

    In your opinion, is this law a game-changer or will enforcement be business as usual? Are we looking at serious enforcement, or is there room for companies to manoeuvre?

    Dhruv Singh (G&W Legal): This is a particularly challenging issue to address. The provisions of law in the DPDPA, big picture, look like a much-needed upgrade to India’s data privacy law – something that the Indian Supreme Court recognized the need for a while ago. Respect for an individual’s right to privacy is something that is of paramount importance, and it is a responsibility that falls squarely upon lawmakers. The DPDPA is a significant step in this direction, and it needs to be applauded.

    This does not mean that the law is without flaws. No right for data subjects to claim compensation, vague obligations for seeking verifiable parental consent, and recently proposed restrictions on cross-border transfers all remain points of concern for Indian citizens and businesses alike. We expect precedents will develop through the decisions and interpretations of the law by the DPA and Indian courts, which will likely lead to a smoothening over of many of the areas of uncertainty about the law.

    Rarely, if ever, can a law be drafted without any ambiguity, and this is no different with the DPDPA. To reiterate, the penalties are severe, and with the Indian public becoming more and more privacy conscious, the PR consequences of breaching the law can be every bit as devastating as the fines in the statute. Accordingly, it would be prudent for businesses to start taking steps towards compliance as soon as possible.

    About Cecilia Chan:

    Cecilia Chan graduated from The University of Hong Kong with a Postgraduate Certificate in Laws (PCLL) and earned an EMBA from Ivey Business School at Western University. Cecilia has 25 years of legal experience. She began her career as a corporate lawyer in a law firm and has worked as an in-house lawyer in different industries throughout her career. 2017 marked a major turning point in Cecilia’s life when lululemon found her and gave her the opportunity to build and lead the coolest Legal Team in lululemon in such a fast-growing business for the region. She leads a team of lawyers and legal professionals located in Hong Kong, Melbourne, India and Korea.

    With over 7 years at lululemon, Cecilia has navigated a career filled with challenges, possibilities, resilience and gratitude. She has developed a profound understanding of the retail industry and a strong commitment to promoting wellbeing, living and embodying lululemon’s values fully. With a heart filled with Love and Giving, Cecilia’s purpose is “To inspire women to get in touch with their souls to live their lives to their fullest potential fearlessly with Love.” Cecilia is an advocate for Women in Leadership and actively supports women in their leadership journey. She is also passionate about coaching and is an Internal Coach for lululemon. She is now also deep in the work of promoting wellbeing through yoga to legal professionals.

    About Srijoy Das:

    Srijoy Das is Senior Counsel at G&W Legal, bringing almost three decades of experience advising both domestic and multinational corporations on legal matters related to doing business in India. With a focus on commercial law and cross-border transactions, Srijoy has developed a particular expertise in the retail sector, where he has advised some of the world’s leading brands on M&A, strategic alliances, corporate governance, technology transfers, sponsorship deals, and commercial contracts.

    Known for his ability to help global businesses scale and expand their operations in India, Srijoy serves as a trusted advisor and holds directorial positions on the boards of several Indian affiliates of multinational corporations, including major apparel and food and beverage brands.

    A globally recognized legal practitioner, Srijoy has earned acclaim for his expertise, including being featured in WWL’s (now Lexology) Thought Leaders Global Elite for over 10 years.

    About Dhruv Singh:

    Dhruv Singh is a Partner at G&W Legal, bringing a wealth of experience from both in-house and law firm environments. Specializing in data privacy, tech and media law, he has expertise in advising on issues such as data breaches, intermediary liability, and privacy regulations. Dhruv also plays a key role in G&W Legal’s dynamic M&A practice, providing valuable counsel on corporate transactions with a focus on privacy and technology law.

    Before joining G&W Legal, Dhruv served as product counsel for a leading global social media platform, where he had close interaction with India’s Ministry of Information and Technology on content moderation and data protection concerns. His work in the tech space spans a broad spectrum, having represented leading global companies on a variety of privacy, tech, antitrust and media issues.

    A passionate advocate for public policy, Dhruv is dedicated to shaping legislation that fosters innovation while ensuring legal frameworks support business growth and industry evolution.
