Get to Know India’s Landmark Privacy Legislation: Digital Personal Data Protection Act (DPDPA)


India’s Digital Personal Data Protection Act (DPDPA) traces its origins to 2012, when a report from a committee headed by a former judge of the Supreme Court highlighted the need for a data protection framework for India and proposed a law to provide one. That law was never enacted, but work to get something in place did not stop. In 2017, the Supreme Court of India ruled in the Right to Privacy case, acknowledging privacy as a basic right for Indian citizens. From there, work began in earnest in government to draft, seek consultation on, and win final approval of India’s first comprehensive data protection law by August 2023.

The Legislation at a Glance

  • DPDPA applies to processing of “digital personal data” within India 
  • DPDPA extends its jurisdiction to processing data outside India if it’s intended for offering goods or services within India
  • DPDPA also regulates cross-border data transfers 
  • DPDPA establishes eight principles for responsible data handling by “data fiduciaries” (same as “controllers” under GDPR)
  • DPDPA empowers India’s citizens (termed “data principals” by the DPDPA) with four rights over their data 
  • DPDPA creates a Data Protection Authority (DPA), the Data Protection Board of India, for oversight and enforcement

4 Rights for Citizens

  • Right to access information about personal data: Data principals have the right to be informed about data collection, purpose, and sharing
  • Right to correction and erasure of personal data: Data principals may request correction of inaccurate data and erasure under certain circumstances
  • Right of grievance redressal: Data principals have the right to use readily available means of registering a grievance with a data fiduciary before escalating to the DPA
  • Right to nominate: Data principals may nominate any other individual to exercise these rights in the case of incapacity or death

Duties of Data Principals

The DPDPA also outlines specific duties that citizens must comply with, including:

  • Comply with the provisions of all applicable laws in India while exercising rights under the DPDPA
  • Ensure not to impersonate another person while providing their personal data 
  • Ensure not to suppress any material information while providing their personal data for any document, unique identifier, proof of identity, or proof of address issued by the state 
  • Ensure not to register a false or frivolous grievance or complaint with a data fiduciary or the DPA
  • Only provide such information as is verifiably authentic, while exercising the right to correction or erasure 

5 Conditions for Lawful Data Processing

  1. Consent: Informed, free, and granular consent is required for most data processing activities
  2. Necessary for performance of contract: Data collection and processing must be necessary for fulfilling the contract between the data principal and the data fiduciary
  3. Legal obligation: Data processing must be mandated by law
  4. Legitimate interest: A balancing test applies for processing based on a data fiduciary’s legitimate interest while not unduly infringing on the data principal’s rights
  5. Public interest: Public interest grounds for processing, such as national security, health, or scientific research

Cross-Border Data Transfers

  • Personal data can be transferred outside India only with explicit consent or under specific exceptions (national security, public interest)
  • Data may be transferred to whitelisted countries with adequate data protection standards without any additional requirements
  • There are stringent requirements for data transfers to non-whitelisted countries

The DPDPA allows the export of personal data to countries whose laws provide an adequate level of protection for personal information, and it maintains a list of those countries. Transfers to any country not on the list come with additional documented requirements (unlike South Africa’s PoPIA legislation, which puts all the responsibility on whoever intends to make a cross-border transfer).

Penalties for Non-Compliance

Fines can be up to ₹20 crore (approximately $2.5 million) or 5% of annual turnover, whichever is higher. Data fiduciaries can be held liable for damages caused by data breaches, and in serious cases, data processing may be restricted or stopped entirely.

Examples of Notable Enforcement

It’s still early, but the DPA is expected to be increasingly active in addressing data breaches and non-compliance issues.

Compared to GDPR

  • Similarities: Both establish similar rights for individuals, principles for data handling, and conditions for lawful processing
  • Differences: DPDPA has stricter cross-border transfer rules, exemptions for government agencies, lower thresholds for penalties, and requires data fiduciaries to provide a tiered redressal process to establish relationships with aggrieved individuals

What’s Next for Privacy Law in India

Growing pains. With the law having only been enacted last year and no confirmed timeline for enforcement beyond probably sometime this year, there’s going to be a lot to learn for those who are required to comply with the law, those in charge of enforcing it, and the citizens of India attempting to exercise the rights afforded to them by the DPDPA.

If you’re not sure where to start in creating your privacy strategy, we’re here to chat.


Author

  • Ash Lindley

    From a misguided beginning in media planning some 18 years or so ago, Ash Lindley has worked across much of digital including SEO, digital analytics, and cloud architecture everywhere from an upstart digital agency to unwieldy full-service media agency environments, and a stint client-side for curiosity’s sake. As Strategy Lead, Ash is primarily focused on Wardley Mapping at InfoTrust, along with anything and everything privacy related in his spare time.

Originally Published: February 26, 2024
