November 22, 2024

India Digital Personal Data Protection Act

The DPDP Act establishes a comprehensive framework for the processing of digital personal data, balancing individual privacy rights with the legitimate needs of data processing.

Mark Rowan

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant milestone in the nation’s approach to data privacy, aligning with global standards and addressing the unique challenges of its digital ecosystem. Enacted on August 11, 2023, the DPDP Act establishes a comprehensive framework for the processing of digital personal data, balancing individual privacy rights with the legitimate needs of data processing.

 

History of India’s Digital Personal Data Protection Act, 2023 (DPDP Act)

2017: Justice Srikrishna Committee Formation

• The Indian government constituted the committee to draft a data protection framework after the landmark Supreme Court judgment declaring privacy a fundamental right.

               

2018: Draft of Personal Data Protection Bill (PDP Bill)

• The committee submitted the first draft of the Personal Data Protection Bill.

               

2019: Personal Data Protection Bill Introduced

• The PDP Bill was introduced in Parliament and referred to a Joint Parliamentary Committee (JPC) for review.

               

2021: JPC Report Submitted

• The JPC recommended extensive changes, resulting in the reintroduction of an updated version of the Bill.

               

2022: Withdrawal of the Bill

• The 2019 Bill was withdrawn, with the government stating it would introduce a new and simplified data protection law.

               

2023: Introduction of the Digital Personal Data Protection Bill

• A revised version, the Digital Personal Data Protection Bill, was introduced in Parliament.

               

August 11, 2023: DPDP Bill Passed by Parliament

• The Bill was passed in both houses of Parliament and subsequently received Presidential assent.

 

Enforcement Timeline

August 2023: Law Enacted

• The DPDP Act was officially enacted.

Implementation Timeline (Expected in 2024)

• The Indian government is expected to notify the phased enforcement of provisions in 2024.

• Exact dates for full implementation and compliance deadlines will be determined through government notifications.

• This phased approach allows businesses and regulators to prepare for the law’s requirements, ensuring smoother adoption.

 

 

Key Provisions of the DPDP Act

The DPDP Act introduces several critical provisions:

Scope and Applicability: The Act governs the processing of digital personal data within India and extends to entities outside India if they process data related to offering goods or services within the country. This includes data collected both online and offline that is subsequently digitized.

 

Rights of Data Principals: Individuals, referred to as Data Principals, are granted rights to access their personal data, correct inaccuracies, erase data when it is no longer necessary, and nominate a representative to act on their behalf in cases of incapacity or death. They also have the right to file grievances and are obligated to avoid submitting false complaints or impersonating others, with penalties applicable for violations.

 

Obligations of Data Fiduciaries: Entities processing personal data, known as Data Fiduciaries, are required to implement robust security measures to prevent breaches and inform the Data Protection Board of India and affected individuals in case of data breaches. They must also delete personal data when its retention is no longer justified for legal purposes.

 

Data Protection Board of India: The Act establishes the Data Protection Board of India, an adjudicating body responsible for overseeing compliance, addressing grievances, and imposing penalties for violations.

 

Impact on Businesses

The DPDP Act imposes several obligations on businesses operating in India:

• Compliance Requirements: Businesses must ensure that their data processing activities comply with the principles of lawful processing, purpose limitation, data minimization, and data accuracy. This necessitates revising data handling practices and implementing appropriate security measures.

 

• Consent Management: Obtaining explicit consent from individuals for data processing becomes crucial. Businesses need to establish transparent consent mechanisms and provide clear notices regarding data collection and usage.

 

• Data Breach Response: In the event of a data breach, businesses are obligated to notify the Data Protection Board of India and affected individuals promptly, outlining the nature of the breach and remedial actions taken.

• Penalties for Non-Compliance: The Act prescribes significant financial penalties for non-compliance, with fines up to ₹500 million (approximately USD 6 million) for certain violations. This underscores the importance of adhering to the prescribed data protection norms.

 

Let’s Look at Some of the Details

1. Scope and Applicability

• Applies to the processing of personal data in digital format.

• Covers both online and offline data that is digitized.

Applicable to:

• Entities within India.

• Entities outside India processing personal data related to offering goods or services in India.

 

2. Rights of Data Principals (Individuals)

• Right to Information: Access information on how their data is being processed.

• Right to Correction: Correct inaccuracies in personal data.

• Right to Erasure: Erase data no longer required for processing purposes.

• Right to Nominate: Nominate representatives to exercise rights on their behalf in cases of incapacity or death.

• Grievance Redressal: File complaints with Data Fiduciaries or the Data Protection Board of India.

• Obligations for Data Principals:

     o  Avoid false complaints or impersonation.

     o  Penalties for misuse.

 

3. Obligations of Data Fiduciaries (Entities Processing Data)

• Lawful Processing: Process personal data only with consent or under legal obligations.

• Purpose Limitation: Collect data only for specified, clear, and lawful purposes.

• Data Minimization: Collect only as much data as required for the purpose.

• Retention Period: Delete personal data when it is no longer necessary.

• Data Security: Implement robust security measures to prevent data breaches.

• Consent Management:

     o  Obtain explicit and informed consent from Data Principals.

     o  Provide clear and concise notices on data processing.

• Notification of Breach: Inform both the Data Protection Board of India and affected individuals in the event of a data breach.

 

4. Processing of Children’s Data

• Requires verifiable parental consent for processing data of individuals under 18 years.

• Prohibits tracking, profiling, or targeted advertising based on children’s data.

 

5. Cross-Border Data Transfers

• Permits cross-border transfers to specific countries or territories approved by the government.

• Entities transferring data must ensure compliance with legal safeguards.

 

6. Data Protection Board of India

• Role: Adjudicates disputes, addresses grievances, and ensures compliance.

• Powers:

     o  Impose penalties for violations.

     o  Monitor adherence to data protection norms.

     o  Address grievances from individuals and organizations.

 

7. Penalties for Non-Compliance

• Fines for specific violations:

     o  Up to ₹250 crore (USD ~30 million) for not implementing security safeguards.

     o  Up to ₹500 crore (USD ~60 million) for breaches of the Act.

• The Act emphasizes strict adherence to obligations to avoid penalties.

 

8. Exemptions

• The government can exempt certain entities or data processing activities from specific provisions in the interest of:

     o  National security.

     o  Public order.

     o  Sovereignty and integrity of India.

 

This comprehensive framework ensures a balanced approach to individual privacy rights and legitimate data use by businesses and governments.

 

In Summary

The Digital Personal Data Protection Act, 2023, represents a pivotal development in India’s data privacy landscape. By delineating clear rights for individuals and responsibilities for businesses, it aims to foster a culture of responsible data management. For businesses, this necessitates a proactive approach to compliance, ensuring that data processing activities are transparent, secure, and aligned with the new legal requirements.
