Ipsita Mazumdar
India’s pursuit of a data protection law has nearly culminated after a decade. The Digital Personal Data Protection Bill, 2023 (DPDP Bill, 2023) officially became the Digital Personal Data Protection Act of 2023 after receiving the President of India’s assent on August 11, 2023. In an era where technology has emerged as the dominant force of the 21st century, India’s current Data Protection Act does a stellar job in highlighting the country’s commitment to establishing a robust system for safeguarding data privacy. It aligns with global data protection standards, taking inspiration from models of the European Union’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL).
The new DPDP Act of India strives to institute a heightened level of accountability and obligation for entities functioning within India, which includes internet companies, mobile applications, and businesses involved in the gathering, retention, and handling of individuals’ data. With a significant emphasis placed on the “Right to Privacy,” this legislation aims to ensure the transparent operation of these entities and their responsibility in managing personal data in and of India, thus emphasizing the privacy and data protection rights of Indian residents.
The DPDP Act regulates the handling of digital personal data within India, whether acquired online or gathered offline and subsequently digitized. Moreover, it applies to the processing of digital personal data beyond India’s borders if it involves offering products or services to individuals within India. Further, by using the word “she” instead of “he”, the language of the legislation notably acknowledges women in Parliamentary law-making and throws light on its progressive approach. It is formulated as a ‘legislation based on principles,’ relying on concepts that bear broad similarity to those found in the EU’s GDPR. It regulates data fiduciaries (also known as data controllers), data processors (which obtain, hold, and process data), and data principals (referring to data subjects who provide their personal data). This new legislation is founded upon the following seven principles:
The principle of using personal data with consent, lawfulness, and transparency.
The principle of limiting the purpose (using personal data solely for the specified purpose stated at the time of obtaining the consent of the individual providing the data).
The principle of minimizing data (collecting only the necessary amount of personal data to fulfil the specified purpose).
The principle of ensuring data accuracy (verifying that the data is accurate and up-to-date).
The principle of limiting storage (retaining data only as long as necessary for the specified purpose).
The principle of implementing reasonable security measures.
The principle of enforcing accountability (via the adjudication of data breaches and violations of provisions, along with the imposition of heavy penalties for such breaches).
In contrast to the GDPR, the DPDP Act uniformly encompasses all categories of digital personal data without imposing additional regulations on the processing of sensitive personal data or critical personal data (as initially suggested in a prior version of the draft data protection law). This divergence from the GDPR is notable, given that the GDPR accounts for “special categories of personal data” (pertaining to racial/ethnic origin, political opinions, religious beliefs, sexual orientation, or genetic, biometric, or health data), allowing their processing only for specific purposes.
Below are some of the salient features of the DPDP Act:
The DPDP Act highlights the role of the Significant Data Fiduciary, which the government will identify based on the volume and sensitivity of the personal data processed and the associated risk. The specific obligations under this include appointing a data protection officer (DPO) based in India, appointing an independent data auditor, and conducting a data protection impact assessment.
The Act will empower the citizens of the country to seek more information on how their data is processed, and the data fiduciary shall make this information available in a clear and understandable way. Individuals shall have the right to correct inaccurate or incomplete data and to erase data that is no longer required for processing.
Another salient feature of the DPDP Act is the exorbitant penalty clause. There are penalties for non-compliance with the provisions by data fiduciaries of up to INR 250 crore.
Parental consent must be obtained when processing data of all minors (under 18 years of age).
The DPDP Act allows for cross-border transfers to all countries unless specifically restricted by the Indian Government.
Personal data utilized for personal or domestic purposes or aggregated personal data amassed for research and statistical objectives, not impacting any specific decisions concerning a data principal, falls outside the scope of the DPDP Act. The Act excludes publicly accessible personal data from its purview as well.
Sharing of personal data by data fiduciaries with the State or its agents, under a legal obligation, is considered a ‘legitimate use’ under which consent from or notification to the relevant data principals is not required. Moreover, the State or its agents themselves are exempted from the requirement to obtain consent (and other obligations under the DPDP Act, including the erasure of personal data from their records) while processing personal data for the execution of any legal function, for the sake of India’s security, sovereignty, and integrity, or for the maintenance of public order.
This new Act provides the framework for a new data protection regime, but it still needs to be supplemented by underlying Rules that are yet to be issued and notified by the Indian Government in due course. A Data Protection Board of India (“Board”) is also due to be established as the adjudicatory body, with the power to determine non-compliance with the DPDP Act/Rules and impose penalties.
The next few months will see a number of subordinate rules and regulations under the DPDP being formulated, and specified portions of the DPDP will be made operational in phases. It would be interesting to see how and when the Rules are brought into effect, and what mechanisms are put in place to ensure compliance.
The Act is expected to have a significant impact on the majority of organizational areas, including legal, IT, human resources, sales and marketing, procurement, finance, and information security, because of the type and volume of personal data that is collected, stored, processed, retained, and disposed of in India. The government announced in September 2023 that companies/entities may be given around a year’s time, and smaller organisations or startups even more, to comply with the norms of the Act and the Rules. Thus it is imperative for organizations in these and related sectors, particularly multinational and foreign companies, to develop a strong data privacy and protection implementation program in view of the DPDP Act 2023. The earlier the better: now is the right time for companies to start creating specific policies within their teams and for their vendors and business partners, to ensure compliance with the new Act while also not compromising on the ease of doing business.