Homedata privacyIndian Data Protection Law, 2023: Key Highlights

Indian Data Protection Law, 2023: Key Highlights


India finally has a legislative framework for personal data protection in place after the President gave assent to The Digital Personal Data Protection Bill, 2023 on August 11, 2023.

The bill was passed by Lok Sabha and Rajya Sabha on August 7 and 9 respectively. Subsequent to the assent from the President, The Digital Personal Data Protection Act (DPDP Act) has been published in the Official Gazette and will be effective from the date the Central Government may notify.

The DPDP Act, once implemented, will repeal Section 43-A of the Information Technology Act, 2000 (IT Act) and the corresponding rules that provided a data privacy regime under the IT Act.

Timelines for DPDP Act, 2023

Digital Personal Data Protection Act, 2023
Introduced as a bill in Lok Sabha August 4, 2023
Passed in Lok Sabha August 7, 2023
Introduced as a bill in Rajya Sabha August 9, 2023
Passed in Rajya Sabha August 9, 2023
Received the assent of President August 11, 2023
Effective To be notified


Applicablity of DPDP Act

The processing of digital personal data in India, when it is collected in digital form; or  collected in a non-digitized format and subsequently digitized will have to comply with the requirements of the enactment. In other words, the DPDP Act is not applicable to processing of personal data in non digitized form.

For example: This law does not impact housing societies or commercial complexes where visitor data is recorded in physical registers only.

The DPDP Act has extra territorial application, i.e., it applies to the processing of personal data outside India (irrespective of the location of the entity processing) in connection with offering goods or services to individuals who are located within the territory of India.

The legislation, however, exempts data processing by an individual for domestic or personal purposes or to personal data that has been made publicly available by the data subject or by another person based on an obligation under Indian law. The DPDP Act has several illustrations such as the below:

X, an individual, while blogging her views, has publicly made available her personal
data on social media. In such case, the provisions of thE DPDP Act shall not apply.

Basis for processing personal data

The DPDP Act states that personal data of a data principal may only be processed in cases where:

  1. the data principal has given their consent; or
  2. for certain legitimate uses.

The law also mandates entities to notify their existing users / data principals about the new law and their rights as soon as reasonably practicable once the law is implemented.

Significant compliance parameters will be detailed through rules by central government and the matters subject to the delegated legislation include the notice requirements; functions of the consent manager; procedure for data breach notifications; parental consent for children’s data; grievance; exemptions for processing of personal data; redressal procedures.

A memorandum to the bill as introduced in the Lok Sabha clarified that matters delegated to the central government are matters of detail and accordingly it is not practicable to provide them in the bill. Therefore, the practical implementation aspects will be much clear once the rules are notified.

Cross border data transfers

The DPDP Act permits transfers of personal data outside India, but the central government may specify a negative list of countries where data cannot be transferred.

Penalties under data protection law, 2023

The Data Protection Board of India (“Board”) is proposed to be the adjudicatory body for enforcement of the DPDP Act. The Board may impose penalties on data fiduciaries for failure to comply with the  requirements of the enactment. A maximum penalty of Rs 250 crores is prescribed for failure of data fiduciary to take reasonable security safeguards to prevent personal data breach. Telecom Disputes Settlement and Appellate Tribunal is designated as appellate forum in relation to appeals from orders, directions of the Board.

Related articles:

Data Protection Act and its impact on processing employee data

The data protection law finally became a reality when...

Data Protection Board to be notified soon: MeiTY MoS Rajeev Chandrashekhar

The government will soon notify the Data Protection Board...

Google Announces Cybersecurity Action Team for Public and Private Organizations

On October 12th, Google announced the Google Cybersecurity Action...

14,000 Gmail users notified after APT28 attacks

14000 Gmail users have received email notifications that they...

OWASP releases updated top 10 on 20th anniversary

The Open Web Application Security Project (OWASP) celebrated its...