The origins of India’s Digital Personal Data Protection Act, 2023 (DPDPA) go back to 2012, when a Group of Experts on Privacy chaired by Justice A.P. Shah, a former Chief Justice of the Delhi High Court, reported on the need for a data protection framework for India and set out principles for one. No statute followed directly, but work did not stop. In August 2017 the Supreme Court of India held in the Right to Privacy case (Justice K.S. Puttaswamy v. Union of India) that privacy is a fundamental right under the Constitution. A committee chaired by Justice B.N. Srikrishna, a former judge of the Supreme Court, then produced a draft bill in 2018; the Personal Data Protection Bill, 2019 was introduced, sent to a Joint Parliamentary Committee and withdrawn in 2022; and the redrafted bill was passed by both houses of Parliament and received presidential assent in August 2023 as India’s first comprehensive data protection law.
The Legislation at a Glance
- DPDPA applies to the processing of “digital personal data” within India, including personal data collected offline and later digitised
- DPDPA extends to processing outside India where it is in connection with offering goods or services to data principals within India
- DPDPA also regulates cross-border data transfers
- DPDPA places obligations on “data fiduciaries” (the equivalent of “controllers” under GDPR) that embody a set of principles for responsible data handling; a party processing on a fiduciary’s behalf is a “data processor”
- DPDPA gives individuals (termed “data principals”) four rights over their data; the Act turns on the individual whose data is processed, not on citizenship
- DPDPA establishes the Data Protection Board of India (referred to here as the DPA) as the adjudicatory body that hears complaints, directs remediation and imposes penalties
4 Rights for Data Principals
- Right to access information about personal data: Data principals may obtain a summary of the personal data being processed, the processing activities undertaken, and the identities of all other data fiduciaries and data processors with whom the data has been shared
- Right to correction and erasure of personal data: Data principals may request correction, completion or updating of inaccurate or incomplete data, and erasure unless retention is necessary for the specified purpose or required by law
- Right of grievance redressal: Data principals are entitled to readily available means of registering a grievance with the data fiduciary (or consent manager), and must exhaust that route before approaching the DPA
- Right to nominate: Data principals may nominate another individual to exercise these rights on their behalf in the event of death or incapacity
Duties of Data Principals
The DPDPA also places duties on data principals themselves, with a modest penalty (up to ₹10,000 under the Schedule to the Act) for breaching them. Data principals must:
- Comply with the provisions of all applicable laws in India while exercising rights under the DPDPA
- Ensure not to impersonate another person while providing their personal data
- Ensure not to suppress any material information while providing their personal data for any document, unique identifier, proof of identity, or proof of address issued by the state
- Ensure not to register a false or frivolous grievance or complaint with a data fiduciary or the DPA
- Only provide such information as is verifiably authentic, while exercising the right to correction or erasure
2 Bases for Lawful Data Processing
Unlike GDPR’s six lawful bases, the DPDPA recognises only two grounds for processing personal data. There is no “performance of a contract” basis and no “legitimate interest” basis with a balancing test:
- Consent: Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. It must be preceded by a notice describing the data to be collected, the purpose, how the data principal can exercise their rights and how they can complain to the DPA. It can be withdrawn at any time, as easily as it was given, and may be given, managed and withdrawn through a registered “consent manager”
- Certain legitimate uses: Processing without consent is permitted only for the purposes enumerated in the Act, including: data the data principal has voluntarily provided for a specified purpose without indicating that they do not consent to its use; the State providing subsidies, benefits, services, certificates, licences or permits; compliance with any law, or with a judgment, decree or order; responding to a medical emergency involving a threat to life or health; measures during an epidemic or other threat to public health; measures during a disaster or a breakdown of public order; and employment-related purposes, including safeguarding the employer from loss or liability
Cross-Border Data Transfers
- Personal data may be transferred to any country or territory outside India except those the central government restricts by notification; the Act imposes no transfer-specific consent requirement
- There is no adequacy decision, whitelist or standard transfer instrument (no equivalent of GDPR standard contractual clauses): a destination is either notified as restricted or it is not
- Any other Indian law that provides a higher degree of protection or a stricter restriction (for example sectoral data localisation requirements) continues to apply on top of the DPDPA
In other words, the DPDPA takes a “negative list” approach in which the government decides which destinations are off limits, rather than requiring the transferor to assess the adequacy of the recipient’s protection (as South Africa’s PoPIA does, placing that responsibility on whoever intends to make the cross-border transfer). The 2022 draft bill had proposed the opposite model, a whitelist of approved countries; that was dropped in the enacted law.
Penalties for Non-Compliance
Penalties are fixed rupee amounts set out in the Schedule to the Act; unlike GDPR there is no percentage-of-turnover formula. The ceilings per breach are up to ₹250 crore (roughly $30 million) for failing to take reasonable security safeguards to prevent a personal data breach, up to ₹200 crore for failing to notify the DPA and affected data principals of a breach, up to ₹200 crore for breaching the obligations relating to children’s data, up to ₹150 crore for breaching the additional obligations of a “significant data fiduciary”, up to ₹10,000 for a data principal who breaches their duties, and up to ₹50 crore for any other breach. Penalties are paid into the Consolidated Fund of India; the Act does not create a right to compensation for affected individuals. Where a data fiduciary has been penalised in two or more instances, the central government may, on a reference from the DPA, order that public access to the fiduciary’s platform be blocked.
Examples of Notable Enforcement
It’s still early, but the DPA is expected to be increasingly active in addressing data breaches and non-compliance issues.
Compared to GDPR
- Similarities: Both give individuals rights of access, correction and erasure, place accountability on the controller or fiduciary, require consent to be specific and informed, and impose breach notification duties
- Differences: DPDPA applies only to digital personal data and has no “sensitive” or special-category tier; it recognises only consent and enumerated legitimate uses, with no contract or legitimate-interest basis; it uses a government-notified negative list for cross-border transfers rather than adequacy decisions and transfer instruments; it gives the State broad exemptions; its penalties are fixed rupee caps rather than turnover-linked percentages, and it provides no compensation to individuals; and it requires data principals to exhaust the fiduciary’s own grievance process before approaching the DPA
Update: August 2024
A year after Parliament passed the law, the government had still not notified the rules that supply the operational detail the Act delegates to them, leaving companies unable to finalise their compliance preparations. Companies in India have been pressing the government to expedite the release of the rules. A senior official with the Ministry of Electronics and Information Technology assured that the rules would be published “very soon—within the coming weeks,” and that, “The final draft will be published for public consultation, followed by any necessary alterations. Once finalized, there will be clearly defined compliance periods for companies.”
What’s Next for Privacy Law in India
Growing pains. Although the Act became law last year, there is still no confirmed timeline for enforcement, and some speculate that nothing will materialise before 2026. There will be a lot to learn for those required to comply with the law, for those charged with enforcing it, and for the individuals in India attempting to exercise the rights the DPDPA affords them.
If you’re not sure where to start in creating your privacy strategy, we’re here to chat.