India Enacted its new Digital Personal Data Protection Act
16 August 2023
On August 11, 2023, India enacted its new privacy law, the Digital Personal Data Protection Act, 2023 (“DPDP Act”).
The DPDP Act will replace the Information Technology (IT) Act from 2000. It applies to the processing of digital personal data, which is broadly defined as any information linked to an identifiable individual that is collected in digital form, or collected in a non-digitized format and subsequently digitized.
Similarly to the European General Data Protection Regulation, the DPDP Act applies on an extraterritorial basis, including to businesses operating from outside India that offer their goods or services to data subjects who reside in India.
The specific date on which the DPDP Act enters into force is subject to a formal notification by the Indian Central Government, which is authorized to set different entry-into-force dates for different provisions of the act.
The DPDP Act imposes various obligations on data controllers (or “data fiduciaries”, as the act defines them) processing digital personal data, including:
- Legal Basis: Processing of digital personal data requires the consent of the data subject, subject to certain exceptions where a “legitimate use” can be relied upon (e.g., voluntary data provision, government benefits, medical emergencies, or employment data). The required consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of [the data subject’s] personal data for the specified purpose, and be limited to such personal data as is necessary for such specified purpose”.
- Data Transfers: The DPDP Act permits the transfer of digital personal data outside of India, except to countries restricted by Indian authorities. The list of restricted countries is yet to be provided.
- Data Breaches: Reporting of personal data breaches (which include unauthorized data processing, disclosure, alteration, loss, or actions compromising data confidentiality, integrity, or availability) is mandatory, both to affected data subjects and the regulatory authority (the Data Protection Board of India). It should be noted that the reporting obligations under the DPDP Act complement the existing reporting obligations under India’s CERT-In Rules.
- Data Rights: Similarly to comprehensive data protection laws in various jurisdictions, the DPDP Act grants certain data rights to data subjects, including the right of access, data correction, deletion and grievance.
- Children’s Data: The DPDP Act requires verifiable parental consent for processing the data of children under 18. Certain forms of processing involving children’s data (such as online tracking and behavioral/targeted advertising) are strictly prohibited.
In certain specified circumstances, the DPDP Act exempts data controllers from specific obligations, such as the requirement for notice and consent. These include instances where the processing of digital personal data is essential for the enforcement of legal rights or claims; processing by Indian courts, tribunals, or other bodies; processing in the interest of preventing, detecting, investigating, or prosecuting offenses or law violations; processing necessary for merger/amalgamation arrangements approved by competent courts, tribunals, or authorities; and exemptions granted by the Central Government in specific circumstances, such as state security or the maintenance of public order.
The DPDP Act empowers an independent body, the Data Protection Board of India, to oversee compliance, impose penalties, address data breaches, conduct investigations, and resolve grievances.
The potential penalties for noncompliance with the DPDP Act could reach as high as 250 crore Rupees (approximately $30 million).
Companies processing personal data of Indian residents should review their data privacy procedures and address the applicable requirements.
Feel free to contact us if you have any questions about the effect of the DPDP Act on your organization’s data processing operation and the practical steps that should be taken.