Excerpt from India Briefing Article – Published on Sep18, 2023

In a landmark move, India has officially enacted the Digital Personal Data Protection Act of 2023, following approval by both houses of Parliament and the President’s assent. This significant legislation, previously known as the Digital Personal Data Protection Bill of 2022, is now in full effect, marking a pivotal moment in India’s digital landscape.

The Digital Personal Data Protection Act (DPDP) is poised to redefine how digital personal data is managed and safeguarded within the country. It applies not only to data collected in digital formats but also encompasses data originally collected in non-digital formats and subsequently digitized. Importantly, the DPDP Act provides the government with the discretion to exempt state agencies from its provisions.

This comprehensive legislation seeks to enhance data protection and accountability for a wide range of entities, including internet companies, mobile apps, and businesses responsible for handling citizens’ data. It’s crucial to note that the DPDP Act holds implications for India’s international trade negotiations, as it aligns with global data protection standards, drawing inspiration from models such as the EU’s GDPR and China’s PIPL.

At its core, the DPDP Act aims to establish a higher level of accountability and responsibility for entities operating within India. This includes robust regulations for the collection, storage, processing, and transfer of personal data in the digital realm. The Act places a strong emphasis on the “Right to Privacy,” ensuring transparency and accountability in how entities handle personal data.

Key provisions of the DPDP Act include:

Definitions: The Act introduces terms such as data fiduciary (similar to a data controller), data processor, data principal (equivalent to a data subject), and consent manager, among others.

Applicability: The DPDP Act applies to all data, both digital and non-digital, collected within India’s borders and even extends to digital personal data processing activities abroad.

Individual Consent and Rights: Personal data can only be processed with explicit consent from individuals, except in specific circumstances related to national security and law enforcement.

Data Protection Board: An independent regulator responsible for addressing privacy-related grievances and enforcing compliance with the Act’s provisions.

Penalties: Data fiduciaries face significant penalties for non-compliance, including fines of up to INR 2.5 billion.

India’s Digital Personal Data Protection Act is a critical step toward ensuring data privacy and security in a digital age, positioning the country in line with global data protection norms. Companies operating in India must now take proactive measures to comply with this comprehensive data protection framework, safeguarding the privacy of Indian citizens and meeting their legal obligations.

To delve deeper into this topic, please read the full article on India Briefing.