The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.  

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 


India

International Regulations

India Digital Personal Data Protection Act (DPDP Act)

Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023 (India).

Highlights

Territorial Scope:

Applies to the processing of digital Personal Data:

  • within the territory of India where the Personal Data is collected: (a) in digital form; or (b) in non-digital form and digitized subsequently; and
  • outside the territory of India to the extent that such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India.

Exemptions:

The India DPDP Act does not apply to Personal Data processed by an individual for any personal or domestic purpose, or to Personal Data that is publicly available. The Act also contains broad exemptions for Indian governmental entities, as well as exemptions for certain types of processing, such as the investigation or prosecution of crimes; national security; certain employment-related purposes; and research, archiving, or statistical purposes, provided the Personal Data is not used to take any decision specific to a Data Principal.

Data Fiduciary and Data Processor Obligations:

  • Only process the Personal Data of a Data Principal in accordance with the India DPDP Act, for a lawful purpose, and for which the Data Principal has given consent or for certain legitimate uses.
  • Provide notice to the Data Principal prior to requesting consent, informing the Data Principal of: (i) the Personal Data and the purpose for processing; (ii) the manner in which the Data Principal may exercise their rights; and (iii) the manner in which the Data Principal may make a complaint to the Board.
  • If a Data Principal withdraws consent, cease processing the Personal Data and require the Data Processors to cease processing the Personal Data unless otherwise required by law.
  • Execute a contractual agreement with Data Processors governing the processing activities.
  • Ensure the Personal Data is complete, accurate, and consistent.
  • Implement appropriate technical and organizational measures to ensure effective observance of the India DPDP Act.
  • Protect Personal Data by taking reasonable security safeguards to prevent Personal Data Breaches.
  • Erase Personal Data upon withdrawal of consent or when the data is no longer needed for the specified purpose unless retention is necessary for compliance with applicable law.
  • Publish the business contact information of a data protection officer, if applicable, or a person who is able to answer a Data Principal’s questions on behalf of the Data Fiduciary.
  • Establish an effective mechanism to redress grievances and requests submitted by Data Principals.
  • Obtain verifiable consent of the parent of a child, or of the lawful guardian of a person with disability, prior to processing any Personal Data.
  • Not track, conduct behavioral monitoring, or conduct targeted advertising directed at children.

Additional Obligations of Significant Data Fiduciaries:

  • Appoint a data protection officer who will represent the Significant Data Fiduciary, be based in India, be responsible to the board of directors, and be the point of contact for the grievance redressal mechanism.
  • Appoint an independent data auditor to complete a data audit to verify compliance with the India DPDP Act.
  • Undertake periodic data protection impact assessments.
  • Undertake periodic audits.

Data Principal Rights:

The India DPDP Act provides Data Principals with the following rights:

  • Right to access information about Personal Data;
  • Right to correction of Personal Data;
  • Right to erasure of Personal Data;
  • Right of grievance redressal;
  • Right to nominate any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal.

Cross-border Data Transfers to Countries or Territories Outside India:

The Indian government may, by notification, restrict the transfer of Personal Data by a Data Fiduciary for processing to such country or territory outside India.

Personal Data Breach Notification:

In the event of a Personal Data Breach, the Data Fiduciary shall give the Data Protection Board of India and each affected Data Principal intimation (notice) of the breach, in such form and manner as may be prescribed.

More Details

Definitions:

  • Data: A representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by human beings or by automated means.
  • Data Fiduciary: Any person who, alone or in conjunction with other persons, determines the purpose and means of processing of Personal Data.
  • Data Principal: The individual to whom the Personal Data relates; this term includes the individual’s lawful guardian when such individual is a child or a person with disability.
  • Data Processor: Any person who processes Personal Data on behalf of a Data Fiduciary.
  • Personal Data: Any Data about an individual who is identifiable by or in relation to such Data.
  • Personal Data Breach: Any unauthorized processing of Personal Data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to Personal Data, that compromises the confidentiality, integrity, or availability of Personal Data.
  • Significant Data Fiduciary: Any Data Fiduciary or class of Data Fiduciaries as may be notified by the Indian government, based on an assessment of factors, which may include: (1) the volume and sensitivity of Personal Data processed; (2) the risk to the rights of Data Principals; (3) potential impact on the sovereignty and integrity of India; (4) risks to electoral democracy; (5) security of the state; and (6) public order.

Penalties:

The India DPDP Act also contains a schedule listing out various categories of violations and the maximum penalty amount for each type of violation. For example, the maximum penalty for failure to take reasonable security safeguards to prevent Personal Data Breaches can be up to 250 crore rupees. The maximum penalty for failure to provide required notice to the Data Protection Board of India and/or an affected Data Principal can be up to 200 crore rupees.

Effective Date:

As of October 1, 2023, the Indian Government has yet to announce the effective date.
