Logo
Media Centre

India Enacted its new Digital Personal Data Protection Act

Ariel Yosefi Or Noy

16 August 2023

On August 11, 2023, India has enacted its new privacy law – the Digital Personal Data Protection Act, 2023 (“DPDP Act“).

The DPDP Act will replaced the Information Technology (IT) Act from 2000. It applies to the processing of digital personal data, which is broadly defined as any information linked to an identifiable individual and is collected in digital form or in a non-digitized format and subsequently digitized.

Similarly to the European General Data Protection Regulation, the DPDP Act applies on an extraterritorial basis, including to businesses operating from outside India that offer their goods or services to data subjects who reside in India.

The specific date of the entry of the DPDP Act into force is subject to a formal notification by the Indian Central Government, which is authorized to determine different dates of entry into force to various provisions of the act.

The DPDP imposes various obligations on data controllers (or “data fiduciary”, as defined by the act) processing digital personal data, including:

  • Legal Basis: Processing of digital personal data requires the consent of the data subject, subject to certain exceptions where a “legitimate use” can be relied upon (e.g., in cases of voluntary data provision, government benefits, medical emergency, or employment data). The required consent should be “free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of [the data subject’s] personal data for the specified purpose, and be limited to such personal data as is necessary for such specified purpose“.

 

  • Data Transfers: The DPDP Act permits the transfer of digital personal data outside of India, except to countries restricted by Indian authorities. The list of restricted countries is yet to be provided.

 

  • Data Breaches: Reporting of personal data breaches (which include unauthorized data processing, disclosure, alteration, loss, or actions compromising data confidentiality, integrity, or availability) is mandatory, both to affected data subjects and the regulatory authority (the Data Protection Board of India). It should be noted that the reporting obligations under the DPDP Act complement the existing reporting obligations under India’s CERT-In Rules.

 

  • Data Rights: Similarly to comprehensive data protection laws in various jurisdictions, the DPDP Act grants certain data rights to data subjects, including the right of access, data correction, deletion and grievance.

 

  • Children’s Data: The DPDP Act requires verifiable parental consent for the processing data of children under 18. Certain forms of processing involving children’s data (such as online tracking, behavioral/targeted advertising) are strictly prohibited.

 

The DPDP Act provides, in certain specified circumstances, exemptions to data controllers from specific obligations, such as the requirement for notice and consent. These include instances where the processing of digital personal data is essential for the enforcement of legal rights or claims; processing by Indian courts, tribunals, or other bodies; processing in the interest of preventing, detecting, investigating, or prosecuting offenses or law violations; processing necessary for approved merger/amalgamation arrangements by competent courts, tribunals, or authorities; and exemptions granted by the Central Government in specific circumstances, such as state security or the maintenance of public order.

The DPDP Act empowered an independent body – the Data Protection Board of India – to oversee compliance, impose penalties, address data breaches, conduct investigations, and resolve grievances.

The potential penalties for noncompliance with the DPDP Act could reach as high as 250 crore Rupees (approximately $30 million).

Companies processing personal data of Indian residents should review their data privacy procedures and address the applicable requirements.

Feel free to contact us if you have any questions about the effect of the DPDP Act on your organization’s data processing operation and the practical steps that should be taken.

Related Practice Areas

Related Lawyers

More news

Nebraska is the 17th US State to Adopt Comprehensive Data Protection Legislation
Maryland is the 16th US State to Pass Comprehensive Consumer Privacy Legislation
Kentucky is the 15th US State to Adopt Comprehensive Data Protection Legislation
JOIN OUR
Newsletter

    © 2020, All rights reserved, Herzog Law
    Site by Gootte

    The information contained in this web site is provided for informational purposes only and should not be construed as legal advice on any subject matter and should not be relied upon as such. Herzog accepts no responsibility for any consequences whatsoever arising from use of the information contained in this web site. The accessing of information contained in this web site shall under no circumstances be considered as creating an attorney-client relationship between Herzog and any party accessing this web site. Contacting through email any lawyer named in this web site or sending information without prior agreement of Herzog shall not be construed as automatically creating an attorney-client relationship between Herzog and the party sending an email or information. The material contained in this web site has been created by and remains the property of Herzog. No reproduction, transmission, publication or any other form of dissemination shall be permitted unless the prior written consent of Herzog has been obtained. This web site may contain links to other web sites operated by third parties. Herzog does not sponsor, approve or endorse the content of any such web site and is not responsible for the materials appearing in such sites.

    Search by
    Search by +

    Search