India finally has a legislative framework for personal data protection in place after the President gave assent to The Digital Personal Data Protection Bill, 2023 on August 11, 2023.
The bill was passed by Lok Sabha and Rajya Sabha on August 7 and 9 respectively. Subsequent to the assent from the President, The Digital Personal Data Protection Act (DPDP Act) has been published in the Official Gazette and will be effective from the date the Central Government may notify.
The DPDP Act, once implemented, will repeal Section 43-A of the Information Technology Act, 2000 (IT Act) and the corresponding rules that provided a data privacy regime under the IT Act.
Timelines for DPDP Act, 2023
| Digital Personal Data Protection Act, 2023 | Date |
|---|---|
| Introduced as a bill in Lok Sabha | August 4, 2023 |
| Passed in Lok Sabha | August 7, 2023 |
| Introduced as a bill in Rajya Sabha | August 9, 2023 |
| Passed in Rajya Sabha | August 9, 2023 |
| Received the assent of President | August 11, 2023 |
| Effective | To be notified |
Applicability of DPDP Act
The processing of personal data in India must comply with the requirements of the enactment when the data is collected in digital form, or is collected in a non-digitized format and subsequently digitized. In other words, the DPDP Act is not applicable to the processing of personal data in non-digitized form.
For example: This law does not impact housing societies or commercial complexes where visitor data is recorded in physical registers only.
The DPDP Act has extraterritorial application, i.e., it applies to the processing of personal data outside India (irrespective of the location of the entity processing) in connection with offering goods or services to individuals who are located within the territory of India.
The legislation, however, exempts data processing by an individual for domestic or personal purposes, and does not apply to personal data that has been made publicly available by the data subject or by another person based on an obligation under Indian law. The DPDP Act has several illustrations, such as the following:
X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of the DPDP Act shall not apply.
Basis for processing personal data
The DPDP Act states that personal data of a data principal may only be processed:
- where the data principal has given their consent; or
- for certain legitimate uses.
The law also mandates entities to notify their existing users / data principals about the new law and their rights as soon as reasonably practicable once the law is implemented.
Significant compliance parameters will be detailed through rules made by the central government. The matters subject to this delegated legislation include the notice requirements; functions of the consent manager; procedure for data breach notifications; parental consent for children’s data; grievance redressal procedures; and exemptions for processing of personal data.
A memorandum to the bill as introduced in the Lok Sabha clarified that matters delegated to the central government are matters of detail and accordingly it is not practicable to provide them in the bill. Therefore, the practical implementation aspects will be much clearer once the rules are notified.
Cross border data transfers
The DPDP Act permits transfers of personal data outside India, but the central government may specify a negative list of countries to which data cannot be transferred.
Penalties under data protection law, 2023
The Data Protection Board of India (“Board”) is proposed to be the adjudicatory body for enforcement of the DPDP Act. The Board may impose penalties on data fiduciaries for failure to comply with the requirements of the enactment. A maximum penalty of Rs 250 crores is prescribed for failure of a data fiduciary to take reasonable security safeguards to prevent a personal data breach. The Telecom Disputes Settlement and Appellate Tribunal is designated as the appellate forum for appeals from orders and directions of the Board.