Explanation of the Digital Personal Data Protection Act, 2023

India’s Digital Personal Data Protection Act, 2023 (DPDPA) has been a long time coming, culminating a seven-year journey that began with a landmark ruling by the Indian Supreme Court in 2017 recognizing the right to privacy as protected under the Constitution of India. This comprehensive privacy and data protection law aims to safeguard the personal data of individuals, known as data principals, during its processing for lawful purposes.

The DPDPA covers a wide range of provisions, including guidelines on consent, legitimate uses, breaches, responsibilities of data fiduciaries and processors, and rights of individuals over their data. The law applies to all types of data related to individuals, such as names, addresses, ID numbers, and behavioral information like location, web history, and preferences. However, it does not extend to data that is publicly available or data collected for personal, artistic, or journalistic use.

One of the key features of the DPDPA is the emphasis on the responsibilities of data fiduciaries and processors. Data fiduciaries are entities that collect and manage data from individuals and must specify the purpose of data collection, retention period, and permissible uses. Significant data fiduciaries are subject to additional requirements, such as appointing a data protection officer, conducting audits, and performing data protection impact assessments. Data processors, on the other hand, are entities such as cloud providers or fraud-detection services that handle data on behalf of fiduciaries.

The law also introduces a consent process whereby data fiduciaries must explain the data they intend to collect, individuals’ rights, and the process for lodging complaints. Special protections are in place for disabled individuals and children under 18, including restrictions on tracking and monitoring their online behavior. Data principals have the right to withdraw consent, inquire about data-sharing practices, and request the deletion or modification of their information.

Before the enforcement of the DPDPA, organizations are required to notify data principals about their data collection practices and customer rights. Various technical and organizational processes need to be implemented to facilitate consent, limit data usage, protect data, and address data breaches. Failure to comply with the law can result in fines ranging from 10,000 to 2.5 billion Indian rupees.

Both the DPDPA and the GDPR provide a comprehensive framework for data protection, but they differ notably in the types of data covered, data sovereignty, the definition of entities, and requirements related to children’s data. The DPDPA, unlike the GDPR, is more expansive in its coverage of personal data and introduces the concept of significant data fiduciaries with specific obligations.

Overall, the implementation of the DPDPA is expected to have a significant impact on businesses operating in India, requiring them to make adjustments to ensure compliance with the law. Businesses must navigate the balance between legitimate data usage and regulatory compliance, with some needing to make significant changes to their data management practices. It is essential for organizations to prepare for the transition by understanding the implications of the law and taking proactive measures to adhere to its provisions.
