Opinion

India – Digital Personal Data Protection Act receives Presidential assent

Published Date
Aug 18, 2023
The President of India gave assent for the Digital Personal Data Protection Bill 2023 on 11 August 2023, a matter of days after it had been passed by both the Lower and Upper House. The Digital Personal Data Protection Act (the Act) has now been published in the Official Gazette and will come into force by way of notification once issued by the Central Government.

The Act is India's first comprehensive law on the protection of personal data. Below is a brief overview of the key aspects of the Act. 

Scope

The Act applies to the processing of “digital” personal data (i.e. personal data in digital form): 

  • in India, when the data is (i) collected in a digital form or (ii) collected in a non-digital form and subsequently digitised; and
  • outside India, if the processing is connected with any activity related to offering of goods or services to data subjects in India. 

“Data” are broadly defined as a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means, and “personal data” means any data about an individual who is identifiable by or in relation to such data.

The Act does not apply to data processing by an individual for domestic or personal purposes or to personal data that has been made publicly available by the data subject or by another person based on an obligation under Indian law. 

Data Protection Board

The Act stipulates the establishment of the Data Protection Board, which will be tasked with hearing complaints of data subjects, monitoring compliance with the Act and giving directions to data controllers to take remedial or mitigating measures in case of data breaches. The Board may impose penalties of maximum INR 250 crore (approx. EUR 27 million).

Obligations of data controllers

The Act allows data controllers (referred to as “data fiduciaries”) to process personal data where they have received consent from the data subject or where the processing is based on legitimate purposes. 

The consent requirements are similar to those under the GDPR. Legitimate purposes include, among others: 

  • complying with the legal obligations;
  • employment purposes or for safeguarding the employer from loss or liability (such as prevention of corporate espionage, protecting trade secrets or intellectual property);
  • processing by the Indian government to provide services to data subjects or to perform its duties in the interest of sovereignty and security;
  • compliance with judgments or court orders under Indian law or execution of contractual and civil claims under laws outside India;
  • responding to medical emergency involving a threat to the life or immediate threat to health of the data subject or other individuals, or taking measures to provide health services to any individual during epidemics or other threat to public health; and
  • responding to any disasters or breakdowns of public order. 

Data controllers will be required to comply with various obligations, including transparency about data processing, implementation of reasonable security safeguards to prevent data breaches and notification of data breaches to the Data Protection Board and individuals.

Certain data controllers may be designated by the Indian government as "significant data fiduciaries", e.g. based on the volume and sensitivity of personal data processed, the risk to the rights of data subjects or due to considerations of public order, security and the sovereignty of India. Significant data fiduciaries will have additional obligations under the Act, such as appointing a data protection officer and an independent data auditor, as well as requirements to carry out data audits and periodic data protection impact assessments. 

Data subject rights

The Act grants data subjects the right to: 

  • correction, completion, updating and erasure of personal data processed on the basis of consent;
  • access personal data processed on the basis of consent;
  • have complaints redressed by the controller and by the Data Protection Board; and
  • nominate another individual to exercise the rights of the data subject in the event of death or incapacity. 

However, the Act does not include the right to data portability or the right to be forgotten.

Cross-border transfers

The Act allows transfers of personal data outside India, but the Indian Government may restrict the transfer of personal data to designated countries or territories from time to time. 

The press release of the Ministry of Electronics & IT, summarising the key features of the Act, is available here

The Act is available here.

 
Content Disclaimer
This content was originally published by Allen & Overy before the A&O Shearman merger