India
Summary
Law: The Digital Personal Data Protection Act, 2023 ('the Act')
Regulator: Data Protection Board of India established under the Act (website currently unavailable).
Summary: Data protection has been of growing concern in India since the Supreme Court of India declared privacy a fundamental right in the Puttaswamy case in 2017. Following the Supreme Court's decision, from 2018 to 2022 there were multiple legislative attempts to enact a comprehensive data privacy law.
The Indian legislator's efforts culminated with the enactment of the Act in August 2023. The Act regulates the processing of digital personal data and provides for a maximum penalty of INR 250 crore (approx. $31 million) for the breach of its provisions. Importantly, the entry into force of the Act is to be announced by the Indian Government via notification in the Official Gazette.
Notably, the Act only applies to digital personal data, imposes obligations on entities that qualify as 'data fiduciaries', establishes data subject rights for 'data principals', and generally allows outwards transfers of data from India. In line with international standards, the Act establishes lawful grounds for data processing, data subject rights, and introduces requirements including the appointment of a consent manager, vendor management, and data security.
The Act is accompanied by other legislation which provide personal data protections, namely the Information Technology Act, 2000 ('the IT Act'), as amended by the Act, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('the SPDI Rules') issued thereunder.