India has finally published the Digital Personal Data Protection Act (DPDPA). It’s taken two years for the Bill to progress since it was first published in 2021. The Indian President finally signed the Act into law on 11 August 2023. The Act regulates the processing of digital personal data and has steep penalties for non-compliance. On this page, we provide you with a summary of the DPDPA and we highlight some of its key features.

Who does the DPDPA apply to?

The DPDP Act applies to a wide range of entities and individuals who handle personal data within India. It is designed to protect the privacy and data rights of Indian citizens, regardless of whether the data processing takes place within or outside the country. Anyone who offers goods or services to data subjects within the territory of India, will be bound by the DPDPA.

What are the key features of the DPDPA?

Like most data protection laws around the world, the DPDPA is similar in many aspects, but it does vary in interesting ways. For example, unlike other countries, the DPDPA has different references for controllers and data subjects.

  • Data Fiduciaries are controllers, and they include businesses, government agencies, and any other entity that collects and processes personal data.
  • Data Principals are data subjects and is defined as the individuals whose personal data is being processed.

Here are some of the other nuances of the DPDPA:

  • Data localisation: The DPDPA requires controllers to store and process certain categories of sensitive personal data only within the borders of India.
  • Consent requirements: Data fiduciaries must obtain explicit and informed consent from data principals before collecting and processing their personal data. Consent must be clear, specific, and revocable at any time.
  • Data Minimisation: The law requires organisations to limit the collection and retention of personal data to what is necessary.
  • Data portability: Data principals can request the transfer of their personal data from one data fiduciary to another. This provision promotes data accessibility and competition in the market.
  • Data Protection Impact Assessment (DPIA): Certain data processing activities, especially those involving high risks to data privacy, require a DPIA to assess and mitigate potential risks.
  • Data Protection Authority: The DPDPA establishes an independent regulatory authority responsible for overseeing and enforcing compliance with the law. The Authority can impose fines and penalties for violations.
  • Cross-Border Transfers: The DPDPA allows controllers to transfer data outside India if they meet certain requirements. The law lays down conditions for the transfer of personal data outside of India, including the requirement of a transfer impact assessment.
  • Data Principals’ rights: Data principals have various rights, including the right to access their data, the right to correction, and the right to be forgotten.
  • Data breach notification: Once the DPDPA is fully operational, data fiduciaries must promptly report data breaches to both the Data Protection Authority and affected data principals.

Legal bases for processing

Make sure that you reference the current version of the DPDPA. Because a key difference between the current version and earlier drafts concerns legal bases for processing. Controllers can process personal data under two circumstances: consent or “certain legitimate uses”. So, they have done away with the term “deemed consent”. “Certain legitimate uses” include things like employment purposes or response to a medical emergency.

Actions you can take

  • Join our programme to learn about data protection laws of the world and how it impacts your operations.
  • Ask us for a quote for a detailed report on the DPDPA.
  • Follow this page to keep updated on all DPDPA developments.
  • Dive into the details by reading the web-based version of the DPDPA that we’ll soon launch.