Discover the India Digital Personal Data Protection Act (DPDPA) 2023 – India's first comprehensive data protection law. Learn how it affects businesses, data principals, and more. Stay informed about the latest data privacy regulations.
India, one of the most populous countries in the world and one of the world's largest economies, has a new personal data protection law. The law was published in the Official Gazette in August 2023 and will come into force in 2024.
The India Digital Personal Data Protection Act (DPDPA) 2023 is India's first comprehensive data protection law.
It was published in the Official Gazette on 11 August 2023, but the exact date of its coming into force is yet to be announced by the government.
The India DPDPA applies to all businesses that operate from India and to all businesses that target Indian customers.
The DPDPA clearly states that the law applies to the processing of personal data within the territory of India, where the personal data is collected:
It also applies to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to data principals within the territory of India.
It is important to note that the law may not apply to many Indian companies that provide outsourcing services. These companies process data in India, but the data was collected abroad and concerns data principals outside India, so the Act's territorial scope may not cover that processing.
Here are some examples of businesses that are likely to be subject to the DPDPA:
Personal data is defined as "any data about an individual who is identifiable by or in relation to such data." This is the same definition of personal data that is used in other laws around the world.
Unlike these laws, however, the Indian one does not have a definition of sensitive personal data. As a result, it does not provide additional protection to such data.
The Indian data protection law also introduces the concept of a significant data fiduciary. This is defined as "any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10." The government has not yet announced which companies will be considered significant data fiduciaries, but it is likely that these will be big companies that process vast amounts of personal data.
Data fiduciaries have numerous obligations under the DPDPA. The most important of them include:
Data processors, on the other hand, must only process data on written instructions of the data fiduciary and remove data upon the data fiduciary's instructions.
Data principals have the following rights:
They can exercise their rights by the methods prescribed by the data fiduciaries. Once submitted, the data fiduciary must honor the request.
In addition to that, the data fiduciary must establish an effective mechanism for grievances by data principals.
The India DPDPA requires obtaining explicit consent from users unless the data can be processed on another legal basis.
The consent must be:
The consent request must be in any of the official languages in India and written in plain language that is easy to understand.
The user has the right to revoke their consent at any time.
The other legal bases include cases where individuals voluntarily provide personal data to the data fiduciary and have not indicated that they do not want their data to be processed. This may involve providing data for the purpose of receiving a product, obtaining customer support, or similar situations.
A consent manager is a person who acts as a single point of contact for individuals to give, manage, review, and withdraw their consent to the processing of their personal data. The consent manager must be registered with the Data Protection Board of India (DPB) and must meet the requirements prescribed by the DPB.
Here are some of the key functions of a consent manager:
Whether or not a company needs to appoint a consent manager will depend on the specific circumstances of the company and the nature of the data processing activities. However, it is generally advisable for companies to appoint a consent manager to ensure that they are compliant with the India DPDPA.
Not all businesses are required to appoint a Data Protection Officer (DPO). You only need to appoint one if you are a "significant data fiduciary," but it is not yet known which data fiduciaries will be considered significant.
Once we know more about this, the significant data fiduciaries will have to appoint a DPO who:
Only the significant data fiduciaries are required to conduct a Data Protection Impact Assessment (DPIA).
For all other organizations, it is a good practice that could lead to improved data protection for customers and reduce the risk of penalties.
The India DPDPA allows free data transfers outside of India unless the government has ruled that data shall not be transferred to a specific country or organization.
Unlike the GDPR, which prohibits transfers abroad unless sufficient protections are guaranteed, the Indian law allows all transfers unless the government decides that a specific country could pose a risk. Understand the differences between the GDPR and the DPDPA.
In the case of a data breach, companies must inform the DPB and the affected individuals about the breach. The DPB may then propose measures for mitigating the breach.
The DPB enforces the law: it investigates violations and determines responsibility. The DPDP Act penalties can range from INR 10,000 (USD 120) to INR 250 crore (USD 30.2 million). The exact amount within this range is determined by the DPB, depending on the nature of the offense.
Here are some additional things to keep in mind about data breaches in India: