The Digital Personal Data Protection Act of India (DPDP) – All You Need To Know
The Digital Personal Data Protection Act of India, or DPDP Act, acknowledges individuals’ right to protect their personal data while at the same time acknowledging its use for lawful purposes. It includes exemptions intended to safeguard India and its sovereignty and integrity, the security of the State, friendly relations with foreign States, and the maintenance of public order. As technology evolves, it is highly recommended that the people of the nation know and understand the data protection law in India.
India’s latest attempt at data privacy legislation – the Digital Personal Data Protection Bill of 2023 – contains encouraging requirements for companies to obtain individual consent and safeguard data rights, alongside provisions that would expand government access to personal data. On 11 August 2023, this personal data protection bill in India, which aims to strike a balance between protecting citizens and permitting legitimate business activity, received the assent of the President of India and became law.
Significance of The New Data Protection Law in India
The provisions of the DPDP law grant individuals the right to information, correction, and erasure of personal data, as well as grievance redressal. Furthermore, it outlines data fiduciaries’ responsibilities and the penalties for violations and breaches. It created the Data Protection Board of India to adjudicate instances of noncompliance with the applicable data protection standards. A well-defined cyber security & data privacy course in India can help you understand the benefits and the downsides of the DPDP Act.
The Data Protection Board of India will monitor and enforce compliance. This body can impose penalties or direct data fiduciaries to take remedial steps as appropriate; additionally, the new Board may direct a data fiduciary to appoint an independent Data Protection Officer. Furthermore, under the Act, a National Data Protection Tribunal will also be set up to adjudicate disputes that cannot be settled before the Data Protection Board of India.
Key Elements of The New Data Protection Law
The key elements of the new Data Protection Law are discussed below. However, if you are unsure about the DPDP law and want a cyber law compliance audit, which includes a privacy law compliance audit, contact Cyberra Legal Services now!
Data Minimization
By collecting only the data it needs for its operations, a business builds consumer trust while protecting itself from having to adapt to future regulations that may arise. The new data protection law mandates that companies obtain individual consent, disclose a privacy policy, and protect individual data rights. Furthermore, it imposes requirements such as data breach notifications and transparency through prior notice, with privacy policies that outline processing practices and allow consumers to give, withdraw, or manage consent easily and interoperably.
Purpose Limitation
The law requires data fiduciaries to inform the individuals whose personal information they collect about its intended use (the principle of purpose limitation). Furthermore, the Act restricts companies from processing this data for purposes inconsistent with those identified when it was collected. Under the new law, the government also cannot opt out of most provisions on grounds such as sovereignty and integrity concerns, friendly relations with foreign states, or maintaining public order without providing specific reasons.
User Consent
User consent plays a vital role in the new Data Protection Law. The consent request should be clearly stated and presented to users before their data is collected, and the consent itself should be clear and unambiguous. The new Data Protection Law also provides for a Consent Manager, a distinctive approach to managing user consent, and requires proper log management for consent records.
Data Subject Rights
The bill provides rights to individuals whose personal information is being processed, including receiving information about processing activities, seeking correction or erasure of data, and grievance redressal. Furthermore, the law stipulates that data fiduciaries notify both the data principals and the Data Protection Board of India (DPBI) in case of breaches in data processing practices. The law does not mandate data localization but allows sector-specific regulations to require it under certain conditions. The new legislation establishes the Data Protection Board of India with many details still unspecified and its jurisdiction unclear; future notifications and rules are expected to clarify these points.
Security and Accountability
The new framework establishes roles for data fiduciaries (similar to data controllers) and data principals, and includes an expansive definition of personal data breaches backed by significant monetary penalties and a breach notification regime. The law requires companies designated as SDFs (Significant Data Fiduciaries) to appoint a DPO (Data Protection Officer), implement a privacy management program, and provide grievance redressal mechanisms.
Penalties for Non-Compliances
The new law introduces sanctions for noncompliance, such as regulatory fines and service interruption. Penalties as high as INR 250 crore are specified for different violations under the new Data Protection Law of India. Therefore, understanding and practicing this new law is not just an obligation for an individual or a company; it becomes an essential step in safeguarding a company’s interests.
Impact of the New Data Protection Law
DPDP Act – Right to Privacy
Among the data privacy laws in India, the Digital Personal Data Protection Act (“DPDP Act”) governs the processing of digital personal data within India, or in connection with offering goods or services within India. It sets out rights and obligations for data principals and fiduciaries alike, including the requirement that consent be obtained in an informed and unambiguous manner, restrictions on the use of children’s data, and a verifiable mechanism for withdrawing consent when necessary.
The central Government can exempt itself and its agencies from the law’s provisions on limited grounds, such as safeguarding India’s sovereignty and integrity, maintaining the security of the State, maintaining friendly relations with foreign states, or maintaining public order. It may also exempt notified private entities (such as start-ups) by issuing a notification.
DPDP Act – Right to Security
After years of deliberation and numerous revisions, the Digital Personal Data Protection Bill of 2023 finally received the President’s assent, laying a strong foundation for the future of India. Key provisions include protecting sensitive information through an effective privacy policy while setting high financial penalties for noncompliance. It also creates a “Data Protection Authority” with the authority to investigate grievances and violations, while increasing the responsibilities of “Data Fiduciaries,” particularly those who handle children’s data.
Other crucial features include the security of personal data, the right to access and correct or erase it if necessary, and designated representatives who will exercise those rights on one’s behalf in case of death or incapacity. The central Government also has the authority to restrict data transfers outside India, while the DPDP Act stipulates that companies must notify individuals in case of breaches.
DPDP Act – Right to Access
While many provisions of the personal data protection bill in India are similar to global regulations, there are notable distinctions. For instance, while previous drafts of the law included data localization requirements, this Act simply stipulates that the government may, by notification, restrict the transfer of personal data to specific foreign countries or territories, without specifying the criteria under which such action will be taken. The law is framed to safeguard the right of access of India’s citizens (netizens) and their interests.
DPDP Act – Right to Erasure & Deletion
The Right to Erasure, commonly referred to as ‘the Right to be Forgotten,’ requires organizations that process an individual’s digital personal data to delete it promptly when that individual requests deletion and no exemption applies. Companies should comply within one month of receiving the request and confirm this to the individual concerned. However, a reasonable fee for administrative costs may apply when processing these requests.
DPDP Act – Right to Exemptions
The Bill provides various exemptions for processing data on grounds of public interest, providing legitimate access for the Government. However, it also places obligations upon data fiduciaries who rely on these grounds: they must obtain consent openly and transparently and provide explicit details about any data being collected. Furthermore, the Bill prohibits the tracking and behavioral monitoring of children to protect their privacy.
Data principals may designate someone they trust to exercise their rights upon death or incapacity, further strengthening accountability and transparency. The Bill empowers data principals to file complaints against data fiduciaries for noncompliance with the Act, while simultaneously creating a dispute resolution mechanism under the data protection law.
DPDP Act – Right to Portability
Data portability enables individuals to move their digital personal data freely between service providers without having to recreate it, an especially crucial benefit for children, who represent a key customer group for many tech firms. The Act defines “personal data” as any data that can be used to directly or indirectly identify an individual, including data that individuals actively and knowingly provide and data observed while they use products and services.
The legislation also mandates that companies known as data fiduciaries implement safeguards to protect digital personal information and provide users with an easy interface for managing it. Companies that fail to meet this obligation face fines, with higher penalties for repeat offenders. Consultative meetings should also take place so that users thoroughly understand how their data will be used.
DPDP Act – Right to Enforcement
India’s new data protection law places strict rules and penalties for noncompliance on entities handling personal data. Furthermore, it creates far-reaching obligations: narrowly defined lawful bases for processing personal data in digital form (removing the flexibility that existed before this law to justify activities outside consent on the basis of legitimate purposes), and purpose limitation obligations with their accompanying requirement to delete data once its original purpose has been fulfilled.
The law retains certain provisions that could affect privacy professionals, including notice requirements for fiduciaries, recognition of additional obligations regarding children’s data, and classification requirements for significant data fiduciaries. Furthermore, it expands the construction of harm beyond bodily injury or emotional distress to cover further forms of harm.
Key Takeaways
After years of debates, postponements, and negotiations, India’s comprehensive data privacy law has finally passed. On 11 August, the President granted her assent for publication of the Digital Personal Data Protection Act 2023 in the official gazette. Organizations should begin assessing their exposure immediately in order to develop compliance strategies efficiently.
India’s Data Protection Law regulates the processing of digital personal data within India and its transfer outside India, unless restricted by law. If your company is concerned about its privacy and security practices, or you are curious to know more about data privacy law compliance in India, get in touch with Cyberra Legal Services to learn all you need to know about the data privacy laws in India.