
DPDP Act Compliance for ISPs: Handling Subscriber Data the Right Way


INTRODUCTION

Internet penetration in India has grown rapidly, and with it the importance of Internet Service Providers (ISPs). Whenever an individual connects to the Internet, streams multimedia content, uses social networking or sends an email, that individual leaves behind a large volume of personal information and activity data that is carried and handled by their ISP. This makes ISPs custodians of significant volumes of personal, and often sensitive, data belonging to millions of subscribers.

Over the past ten years, India has seen a sharp rise in incidents involving unauthorised access to, misuse of and manipulation of personal data by digital platforms, intermediaries and some service providers. Targeted advertising built on data obtained without authorisation, unsolicited marketing messages and breaches exposing sensitive personal information have raised serious concerns about data protection and privacy in a digitalising economy. These concerns were recognised in the landmark Supreme Court ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), in which a nine-judge bench held that the right to privacy is a fundamental right under Article 21 of the Constitution of India.

Despite that judicial pronouncement, India lacked a dedicated and comprehensive statutory framework for digital personal data protection. The Information Technology Act, 2000 (chiefly Section 43A and the 2011 rules on sensitive personal data made under it) provides only limited protection, inadequate for the threats posed by advancing technologies and international data transfers. Acknowledging this gap, Parliament passed the Digital Personal Data Protection Act, 2023 (the DPDP Act), which received Presidential assent in August 2023.

The DPDP Act lays down a set of duties in relation to the handling, management and transfer of digital personal data by the entities it calls "Data Fiduciaries". The Act does not name ISPs specifically; an ISP qualifies as a Data Fiduciary because it determines the purpose and means of processing subscriber identity (KYC) records, usage and billing records and communication metadata. Depending on the volume and sensitivity of the data processed, the Central Government may additionally notify an ISP as a Significant Data Fiduciary under Section 10, which attracts further obligations: appointing a Data Protection Officer based in India, engaging an independent data auditor and carrying out periodic Data Protection Impact Assessments.

This article analyses the compliance obligations the DPDP Act places on ISPs, examines the consequences of non-compliance, and cites relevant Indian and international precedents that establish the importance of strict adherence to the statutory requirements.

KEY DEFINITIONS UNDER THE DPDP ACT

To understand the duties placed on ISPs, it is necessary to understand the key terms used in the Act:
  1. Data Principal– The individual to whom the personal data relates; for an ISP, the subscriber. Where the individual is a child, the term includes the parents or lawful guardian.
  2. Data Fiduciary– Any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. ISPs fall under this category.
  3. Data Processor– Any person who processes personal data on behalf of a Data Fiduciary, for example an outsourced customer support centre or a billing vendor.

APPLICABILITY OF THE ACT

The DPDP Act governs the processing of digital personal data within India, and also extends to processing outside India if it is in connection with offering goods or services to Data Principals within the territory of India. For ISPs this means that subscriber data which is collected, stored or analysed, whether on servers in India or abroad, must be handled in accordance with the Act. Like any other statute, the Act carves out situations in which it does not apply, including:

  1. Personal data processed by an individual for any personal or domestic purpose.
  2. Personal data that is made publicly available by the Data Principal herself, or by another person who is under a legal obligation to make it publicly available.

LEGAL COMPLIANCES FOR ISPs UNDER THE DPDP ACT, 2023

  • Notice to Data Principal

Before or at the time of requesting consent, an ISP as Data Fiduciary must give the subscriber (the Data Principal) a notice stating:
  1. the personal data to be collected and the purpose for which it will be processed;
  2. the manner in which the subscriber may exercise his or her rights under the Act, including withdrawal of consent;
  3. the manner in which a complaint may be made to the Data Protection Board of India.

The notice must be clear, and the subscriber must be given the option to read it in English or in any language listed in the Eighth Schedule to the Constitution.

  • Consent Mechanism

Personal data cannot be processed on the basis of consent unless that consent is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and it extends only to the data necessary for the specified purpose. ISPs should therefore design consent requests that are clear, easy to understand and user friendly. For example, when a subscriber registers, the consent request must state the reasons for collecting each item of personal data such as name, phone number and address, rather than bundling everything under one tick box. The Act separately allows certain processing without consent under the "legitimate uses" in Section 7, such as data the subscriber voluntarily provides for a specified purpose, or processing required to comply with a law or court order; an ISP should be clear about which basis it relies on for each purpose.

In plain language, a subscriber can withdraw consent at any time, as easily as it was given. Once consent is withdrawn, the ISP must, within a reasonable time, stop processing the subscriber's data and cause its Data Processors to stop as well, unless retention or processing is required by another law.

  • Rights of the Data Principal

Subscribers have the following rights under Chapter III of the Act, and ISPs are legally required to uphold them:

  1. Right to access information about personal data– A subscriber is entitled to obtain a summary of the personal data the ISP is processing and of the processing activities, together with the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared.
  2. Right to correction and erasure of personal data– A subscriber may at any time ask for inaccurate or incomplete data to be corrected or updated, and may demand erasure once the data is no longer necessary for the purpose for which consent was given, unless retention is required for a legal purpose.
  3. Right of grievance redressal– A subscriber may raise a grievance with the ISP, or with a Consent Manager where one is used, through the readily available means the Act requires them to provide. Only after exhausting that route, and if unsatisfied with the outcome, may the subscriber approach the Data Protection Board.
  4. Right to nominate– Every subscriber may nominate another individual who can exercise these rights in the event of the subscriber's death or incapacity.
  • Data minimization and purpose limitation

Data minimization means collecting only the data required to fulfil the specified purpose; nothing unnecessary may be gathered. Purpose limitation means that data collected for one purpose may not be used for another without fresh consent or a separate lawful basis. The Act also requires erasure once the purpose is no longer served or consent is withdrawn, unless retention is necessary for compliance with a law in force. For an ISP this last point matters: connection and usage logs that licence conditions require it to keep may be retained for that purpose, but not repurposed for, say, marketing. In short, ISPs may neither collect nor retain data that does not align with a stated purpose or a legal obligation.

  • Data security and breach management

ISPs must also implement reasonable security safeguards to protect personal data in their possession, or in the possession of their Data Processors, from unauthorised access and from breach. In practice this includes:
  1. Encryption of subscriber data, at rest and in transit.
  2. Access control and strong authentication for staff and systems that handle subscriber records.
  3. Documented retention and deletion policies, enforced technically rather than left to manual practice.

When a personal data breach occurs, the ISP must intimate the Data Protection Board and each affected subscriber, in the form, manner and timelines prescribed by rules under the Act, describing the nature of the breach and the measures taken or recommended to reduce the harm.
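The consent-withdrawal, purpose-limitation and retention obligations above are easiest to reason about when they are encoded as data rather than left to policy documents. The following is an added illustrative example, not code from the original article or from any ISP: a small purpose registry that flags over-collection at sign-up, records consent withdrawal and returns the processors that must be told to stop, and computes which fields no remaining purpose justifies keeping. The purposes, field names, processor names, retention periods and the sample subscriber record are all assumptions constructed for the demo; a real deployment would take them from the ISP's notice, its processor contracts and the retention duties in its licence.

```python
"""Purpose-bound consent, withdrawal propagation and retention-driven erasure
for an ISP subscriber record.

Added illustrative example; not from the original page or any ISP. Every
purpose, field, processor name and retention period below is an assumption
made up for the demo, not a value taken from the DPDP Act or a licence.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# purpose -> fields it needs, processors engaged for it, legal basis, and how
# long data may be kept after the basis ends (consent withdrawn) or, for a
# statutory retention duty, after collection. All values assumed.
PURPOSES = {
    "billing": {"fields": {"name", "address", "phone"}, "processors": {"pay-gw"},
                "basis": "consent", "retain": timedelta(days=365)},
    "marketing": {"fields": {"name", "email"}, "processors": {"crm-vendor"},
                  "basis": "consent", "retain": timedelta(days=0)},
    # Modelled as retention required by another law (Section 8(7)(a)): not
    # consent-based, so the subscriber cannot withdraw it.
    "connection_logs": {"fields": {"ip_log"}, "processors": set(),
                        "basis": "law", "retain": timedelta(days=730)},
}


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class Subscriber:
    subscriber_id: str
    collected_at: datetime
    data: dict       # field name -> stored value
    consents: list   # list of Consent


def minimisation_violations(purpose, requested):
    """Fields a form asks for that the declared purpose does not need.

    A non-empty result means collection exceeds the specified purpose."""
    return set(requested) - PURPOSES[purpose]["fields"]


def withdraw_consent(sub, purpose, now):
    """Record withdrawal; return the processors that must be told to stop.

    Section 6(6): the fiduciary must cease, and cause its Data Processors to
    cease, processing within a reasonable time of withdrawal."""
    spec = PURPOSES[purpose]
    if spec["basis"] != "consent":
        raise ValueError(f"{purpose} is not consent-based and cannot be withdrawn")
    for c in sub.consents:
        if c.purpose == purpose and c.withdrawn_at is None:
            c.withdrawn_at = now
            return set(spec["processors"])
    raise ValueError(f"no active consent for {purpose}")


def purpose_retains(sub, purpose, now):
    """True while this purpose still justifies holding the fields it uses."""
    spec = PURPOSES[purpose]
    if spec["basis"] == "law":
        return now < sub.collected_at + spec["retain"]
    for c in sub.consents:
        if c.purpose != purpose:
            continue
        if c.withdrawn_at is None or now < c.withdrawn_at + spec["retain"]:
            return True
    return False


def fields_to_erase(sub, now):
    """Fields that no remaining purpose justifies (Section 8(7): erase when
    the purpose is no longer served, unless retention is required by law)."""
    keep = set()
    for purpose in PURPOSES:
        if purpose_retains(sub, purpose, now):
            keep |= PURPOSES[purpose]["fields"]
    return set(sub.data) - keep


T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)


def day(n):
    """Convenience: n days after T0."""
    return T0 + timedelta(days=n)


def demo_subscriber():
    """Constructed sample record; date_of_birth was collected although no
    purpose needs it, so it is flagged for erasure from day one."""
    return Subscriber(
        "sub-0001", T0,
        data={"name": "A. Subscriber", "address": "1 Example Rd",
              "phone": "+91-0000000000", "email": "a@example.invalid",
              "ip_log": "...", "date_of_birth": "1990-01-01"},
        consents=[Consent("billing", T0), Consent("marketing", T0)],
    )


if __name__ == "__main__":
    s = demo_subscriber()
    print("over-collected at sign-up:", fields_to_erase(s, day(0)))
    print("notify on marketing withdrawal:", withdraw_consent(s, "marketing", day(1)))
    print("erase now:", fields_to_erase(s, day(1)))
    withdraw_consent(s, "billing", day(10))
    print("erase once billing hold lapses:", fields_to_erase(s, day(377)))
    print("erase once log hold lapses:", fields_to_erase(s, day(731)))
```

Two design points are worth noting. Erasure is derived from the purpose table rather than from per-field flags, so a field shared by two purposes (name, used for billing and marketing) survives the withdrawal of one purpose but not both; and a statutory retention duty is modelled as a separate basis that withdrawal cannot touch, which keeps the licence-mandated log retention from being silently deleted by a consent-withdrawal job while still preventing those logs from being kept for any other purpose.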

  • Responsibility for data processors

ISPs commonly use third parties such as customer support centres, billing vendors or payment processors to handle subscriber data on their behalf. The Act permits a Data Fiduciary to engage a Data Processor only under a valid contract, and the ISP should use that contract to bind the processor to the same security and privacy obligations the ISP itself carries. The accountability does not transfer: the ISP remains responsible under the Act for any violation or failure by its Data Processors.

  • Processing of Children’s data

The DPDP Act imposes special safeguards for children. Before processing the personal data of an individual below 18 years of age (or of a person with a disability who has a lawful guardian), an ISP must obtain verifiable consent from the parent or lawful guardian. The Act also prohibits tracking, behavioural monitoring and targeted advertising directed at children. With the growing number of minors online, this obligation is central to protecting children and their data.

  • Cross border transfer of data

Many ISPs keep subscriber data on servers located outside India. The Act permits transfer of personal data outside India except to such countries or territories as the Central Government restricts by notification; it is a restriction list, not an approval list. Before transferring data abroad an ISP should confirm that the destination is not a notified restricted territory and that contractual and technical protection travels with the data. The Act expressly preserves any other law in force that imposes a higher degree of protection or restriction, so sector-specific requirements in an ISP's licence conditions continue to apply on top of Section 16.

DATA PROTECTION BOARD OF INDIA:

The Data Protection Board of India is the adjudicatory body created under the DPDP Act to enforce it. Its functions and powers include:
  1. Directing urgent remedial or mitigation measures in the event of a personal data breach.
  2. Inquiring into complaints and breaches of the Act.
  3. Imposing monetary penalties.
  4. Registering Consent Managers and adjudicating complaints against them.

The Board may also direct parties to attempt resolution through mediation. Anyone aggrieved by an order of the Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within sixty days of receiving the order.

PENALTIES FOR BREACH:

The Schedule to the DPDP Act sets out high monetary penalties, graded by the gravity of the breach, so ISPs must be attentive in their operations as Data Fiduciaries. The maximum penalties are:

  1. Failure to take reasonable security safeguards to prevent a personal data breach: up to ₹250 crore.
  2. Failure to notify the Data Protection Board or the affected subscribers of a breach: up to ₹200 crore.
  3. Non-compliance with the additional obligations relating to children's data: up to ₹200 crore.
  4. Non-compliance with the additional obligations of a Significant Data Fiduciary: up to ₹150 crore.
  5. Breach of any other provision of the Act or its rules: up to ₹50 crore, so even lesser lapses carry real exposure.
  6. Breach of a Data Principal's own duties under the Act, which include not registering a false or frivolous grievance or complaint: up to ₹10,000.

In deciding the amount, the Board considers factors such as the nature, gravity and duration of the breach, the type and nature of the personal data affected, whether the breach is repetitive, whether the person gained or avoided loss as a result, the mitigation actions taken, the proportionality of the penalty, and its likely impact on the person. Penalties are credited to the Consolidated Fund of India. Taken together, these provisions underline both the regulatory seriousness of the framework and the financial consequences for an ISP that fails to comply.

PRECEDENTS:

Indian Precedents:

  1. Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) – The Supreme Court held that the right to privacy is a fundamental right under Article 21 of the Constitution. This judgment laid the constitutional foundation for the DPDP Act.
  2. Karmanya Singh Sareen & Anr. v. Union of India (2016) – A petition challenging WhatsApp's updated 2016 privacy policy, which permitted sharing of user data with Facebook, was first heard by the Delhi High Court and then carried to the Supreme Court, which referred the questions raised to a Constitution Bench. The litigation highlighted the absence of a statutory data protection framework in India and added to the momentum behind the DPDP Act.

Foreign Precedents:

  1. Federal Trade Commission (FTC) v. Facebook, Inc. (2019) – In July 2019 the U.S. FTC obtained a record $5 billion settlement with Facebook, Inc. for violations of consumer privacy. Beyond the fine, the settlement imposed board-level privacy oversight and certification requirements, establishing that privacy accountability in large technology companies reaches the boardroom.

REGULATORY AND STATUTORY FRAMEWORKS:

  1. General Data Protection Regulation (GDPR) (European Union)– EU supervisory authorities have imposed monetary penalties on telecom and internet firms for failing to protect personal data and for relying on consent that was not validly obtained. The penalties follow from non-compliance with the same principles the DPDP Act adopts: lawful basis, purpose limitation and security of processing.
  2. ICO Decisions (Information Commissioner's Office) (United Kingdom)– The UK regulator has levied monetary penalties on companies that mishandled subscriber data, including for slow or inadequate breach response. These decisions emphasise that transparency and speedy action after an incident are essential elements of compliance.

CONCLUSION:

The DPDP Act is a significant step in digital personal data protection in India, and it bears directly on Internet Service Providers, which as Data Fiduciaries manage sensitive subscriber information. The Act addresses long-standing privacy concerns through clear and explicit consent, strong security safeguards, transparency in data handling and concrete rights for subscribers. Compliance is not merely a legal obligation but a core business responsibility; failing in it exposes an ISP to reputational damage as well as financial distress through penalties. Indian and international precedents alike point to the same conclusion: proactive and accountable handling of subscriber data is now expected of ISPs. Proper adherence to these obligations, and follow-through in day-to-day operations, builds the trust of users in an increasingly connected society.