In a landmark move, India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act) on August 11, 2023, marking a significant evolution in the nation’s data protection landscape.
This Act, emerging from the fifth iteration of proposed personal data protection legislation, aligns with the draft Bill released by the Ministry of Electronics and Information Technology on November 18, 2022, and reflects inputs from public consultations. The DPDP Act, focusing exclusively on digital personal data, will supersede Section 43A of the Information Technology Act, 2000, and the related 2011 Rules, once fully operational. This is the first cross-sectoral law in India on personal data protection.
Rules to implement the DPDP Act are currently being drafted. Once they are notified, the Act will be implemented.
Key Provisions of the DPDP Act
- Applicability (Chapter I, Section 3): The DPDP Act applies to digital personal data processed within India, and to data processed outside India if it is connected with offering goods or services in India. It excludes data processed for personal or domestic purposes and data publicly available under legal obligation.
- Obligations of Data Fiduciaries (Chapter II, Section 8): Data Fiduciaries must comply with the Act, including ensuring data accuracy and erasing personal data when no longer necessary or upon consent withdrawal.
- Significant Data Fiduciaries (Chapter II, Section 10): The Central Government may designate certain data fiduciaries as ‘Significant Data Fiduciaries’ based on their data processing volume and sensitivity, imposing additional compliance requirements.
- Rights of Data Principals (Chapter III, Section 11): Data Principals have rights to access, correction, and erasure of their personal data. Data Principals can also nominate individuals to exercise such rights posthumously or in cases of incapacity, ensuring continuous protection of their digital legacy.
- Special Provisions for Children (Chapter IV, Section 9): The Act requires verifiable parental consent for processing children’s personal data and prohibits detrimental processing practices targeting children. This aligns India's data protection framework with international standards on child data protection.
- Exemptions and Special Cases (Chapter IV, Section 17): The Act exempts certain data processing activities from its provisions, like processing for legal claims, research, or state security.
- Data Protection Board of India (Chapter V, Section 18): The regulator under the Act is the Data Protection Board of India, which is responsible for enforcing the Act.
- Transfer of Personal Data Outside India (Chapter VII, Section 16): The Act allows the transfer of personal data outside India, except to countries or territories blacklisted by the Central Government, ensuring that cross-border data flow aligns with national data protection standards.
- Penalties for Breach (The Schedule): The Act prescribes substantial penalties for breaches, ranging up to INR 2.5 billion (~USD 30 million), depending on the nature and severity of the violation.
The DPDP Act codifies data privacy law. It sets a new benchmark for data protection, balancing individual rights with the legitimate needs of digital commerce and governance. As businesses and individuals navigate this new landscape, the Act promises to enhance trust in digital services, fostering a safer and more secure digital environment for all.
What businesses need to do:
- Review the Act's Scope: Understand the DPDP Act's provisions, focusing on how they impact you and your data processing practices.
- Update Policies: Revise data handling, storage, and processing policies to comply with the Act’s requirements.
- Enhance Data Security: Implement robust data security measures and conduct regular audits to prevent breaches.
- Appoint a Data Protection Officer: For entities with significant data processing, appoint a Data Protection Officer (DPO) to oversee compliance.
- Employee Training: Train employees in the Act’s requirements and their roles in protecting personal data.
- Transparency with Data Principals: Communicate clearly with data subjects about their data rights and your data usage policies.
- Data Breach Preparedness: Establish a comprehensive response plan for potential data breaches.
- Review Third-Party Agreements: Ensure that contracts with third parties adhere to the DPDP Act's data protection standards.
- Stay Informed: Keep up to date with regulatory developments and guidelines related to the DPDP Act.
- Legal Advice: Seek expert legal advice for guidance and to ensure full compliance with the Act.