Support Centre

India

Summary

Law: The Digital Personal Data Protection Act, 2023 ('the Act')

Regulator: Data Protection Board of India established under the Act (website currently unavailable).

Summary: Data protection has been of growing concern in India since the Supreme Court of India declared privacy a fundamental right in the Puttaswamy case in 2017. Following the Supreme Court's decision, from 2018 to 2022 there were multiple legislative attempts to enact a comprehensive data privacy law.

The Indian legislator's efforts culminated with the enactment of the Act in August 2023. The Act regulates the processing of digital personal data and provides for a maximum penalty of INR 250 crore (approx. $31 million) for the breach of its provisions. Importantly, the entry into force of the Act is to be announced by the Indian Government via notification in the Official Gazette.

Notably, the Act only applies to digital personal data, imposes obligations on entities that qualify as 'data fiduciaries', establishes data subject rights for 'data principals', and generally allows outwards transfers of data from India. In line with international standards, the Act establishes lawful grounds for data processing, data subject rights, and introduces requirements including the appointment of a consent manager, vendor management, and data security.

The Act is accompanied by other legislation which provide personal data protections, namely the Information Technology Act, 2000 ('the IT Act'), as amended by the Act, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('the SPDI Rules') issued thereunder.

Insights

In part one of this series on India's Digital Personal Data Protection Act, 2023 (the Act), we look into the Act's scope and application. In part two, Rachit Bahl, Rohan Bagai, and Neha Agarwal, from AZB & Partners, delve into consent and legitimate uses.

India finally enacted its data privacy law, the Digital Personal Data Protection Act (DPDPA), in August 2023. The law is yet to come into force, but the Government has indicated that it plans to implement the law in about 6 months. Stephen Mathias, Senior Partner and Co-Chair of the Technology Law Practice at Kochhar & Co, examines the key issues of the DPDPA, and its impact on stakeholders regarding implementation and compliance.

The Digital Personal Data Protection Act, 2023 (the Act) was passed by both houses of the Indian Parliament and has received Presidential assent. One of the key considerations of the Act is its impact on cross-border data transfers. While the Act is yet to come into force, and the rules that will prescribe further clarity on the implementational aspects are awaited, Varsha Rajesh and Huzefa Tavawalla, from Nishith Desai Associates, assess the potential impact on cross-border transfers of personal data under the new regime.  

In part one of this series on the India Digital Personal Data Protection Act, 2023 (the Act), Rachit Bahl, Rohan Bagai, and Shubham Parkhi, from AZB & Partners, delve into its scope and application.

In this Insight article, Aparna Gaur and Varsha Rajesh, from Nishith Desai Associates, delve into the realm of consent managers and their role in India's data privacy landscape.

The Government of India has recently enacted the Digital Personal Data Protection Act, 2023 (the Act) after multiple consultations and deliberations over the years. With the passing of the Act, the collection, processing, storage, and transfer of personally identifiable information of an individual, i.e., personal data in digital format, is regulated. The Act, in its current form, lays down a skeletal framework, leaving much to be prescribed by the Government in the form of rules and regulations. Although the Act was enacted on August 11, 2023, its provisions are yet to be notified to come into force.

In this Insight article, Mathew Chacko, Aadya Misra, and Ada Shaharbanu, from Spice Route Legal, delve into India's new data protection law, uncovering its hidden commercial implications and shedding light on the challenges and opportunities it presents for businesses operating in the country.

The EU's General Data Protection Regulation (GDPR) is often touted as the 'gold-standard' for personal data protection and has been in force for more than five years. In August 2023, India enacted the much-awaited Digital Personal Data Protection Act, 2023 (the DPDP Act)1. While the DPDP Act may not be as granular as the GDPR in many aspects, it signifies a crucial milestone in India's journey towards upholding digital data protection. Harsh Walia, Supratim Chakraborty, Shobhit Chandra, Sumantra Bose, Sanjuktha Yermal, Shramana Dwibedi, and Vanshika Lal, from Khaitan & Co., provide a comparison between the GDPR and the DPDP Act and their approaches to areas such as data processor obligations, children's data, and cross border data transfers.

The absence of a comprehensive data protection law has affected India's progress towards becoming a global leader in business, technology, and outsourcing. The enactment of the Digital Personal Data Protection Act, 2023 (the Act), brings with it a promise of enabling the processing of personal data in a way that respects both individual rights and the legitimate needs of businesses to process data for lawful purposes. But what are the key implications businesses need to be aware of? Since the Act is yet to take effect and will likely be rolled out in phases, readiness to comply will be paramount. 

In this Insight article, Harsh Walia, Partner at Khaitan & Co., explores the implications of the Act for businesses, offering guidance on how to navigate the new obligations. This proactive approach will not only ensure adherence to legal requirements but also cultivate a culture of responsible data practices in this digital age.

On August 11, 2023 the Digital Personal Data Protection Act, 2023 (the Act) received the assent of the President of India and was published in the Official Gazette, representing a landmark in India's long journey towards the adoption of a comprehensive privacy framework. In particular, the Act aims to regulate the processing of digital personal data in a manner that balances the need to lawfully process data with the rights of individuals regarding the protection of their personal data.

In this Insight article, OneTrust DataGuidance Research provides an overview of the Act, highlighting its key requirements.

The Ministry of Electronics and Information Technology of the Government of India ('MeitY') published the draft Digital Personal Data Protection Bill, 2022 ('the Draft Bill') on 18 November 2022 for public consultation, which was open until 2 January 2023. Aaron Kamath and Varsha Rajesh, from Nishith Desai Associates, discuss the content of the draft Bill and its potential impact on businesses.  

After various legislative predecessors, on 18 November 2022, the Ministry of Electronics and Information Technology ('MeitY') issued the Digital Personal Data Protection Bill, 2022 ('the Bill') for public consultation.

In this Insight article, Supratim Chakraborty, Harsh Walia, Shobhit Chandra, Sumantra Bose, Tashi Gyanee, Sanjuktha Yermal, and Shramana Dwibedi, from Khaitan & Co., discuss key differences and similarities between the Bill and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

Feedback