After several iterations of the Data Protection Bill, the Indian government finally enacted the Digital Personal Data Protection Act, 2023 (“DPDPA”) into law in August last year. It established a comprehensive national framework for the processing of digital personal data within the territory of India. While the effective dates for the law are yet to be notified, we expect it to be enforced in the upcoming months with phased timelines for implementation.
The Digital Personal Data Protection Act will supersede and repeal the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act, 2000, which presently acts as the primary general data protection law in India.
This article provides an overview of the material and territorial applicability of the DPDPA and offers practical tips for businesses to determine whether the new data protection law in India applies to them.
The DPDPA regulates “data fiduciaries”, “data principals”, and in limited circumstances, “consent managers” and “intermediaries”. The DPDPA also recognises “data processors” but does not regulate them directly. A “data fiduciary” determines the purpose and means of processing personal data (either alone or in conjunction with others). A “data processor” is any person who processes personal data on behalf of a data fiduciary, and a “data principal” is the individual to whom the personal data relates.
An “intermediary”, as defined under the Information Technology Act, 2000, is any person (with respect to any electronic record) who on behalf of another person receives, stores, or transmits that record or provides any service concerning that record, such as telecom service providers and online marketplaces. The central government has reserved the power to issue directions for the blocking of any information processed by intermediaries under the DPDPA.
The DPDPA also introduces an additional category of “significant data fiduciaries”. The central government is empowered to designate entities as significant data fiduciaries, depending on the volume of personal data processed, the sensitivity of such data, the risk of harm posed to the rights of data principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order. Designated significant data fiduciaries will be required to satisfy enhanced obligations to remain compliant.
Separately, the DPDPA also introduces the concept of “consent managers”, who are intended to be independent entities registered with the Data Protection Board of India, and who act on behalf of data principals to manage their consent preferences.
The Digital Personal Data Protection Act excludes certain processing activities and types of data from its ambit. Particularly, it exempts (a) personal data made publicly available by the data principal or any other person who is under an obligation under any law to make such data publicly available; (b) non-digital personal data; (c) personal data used for personal or domestic purposes; (d) processing by state instrumentalities identified by the Indian government for public interest purposes; and (e) processing for research, archival, and statistical purposes. Additionally, it exempts the processing of personal data on the following:
The DPDPA applies to the processing of “digital personal data” within the territory of India, where the personal data is collected in (a) digital form or (b) non-digital form but is digitised subsequently. Much like data protection acts found in the European Union and the United States of America, the Digital Personal Data Protection Act is also applicable extraterritorially to the processing of personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to individuals within the territory of India.
With the enactment of the Digital Personal Data Protection Act, businesses are recommended to undertake a comprehensive data compliance exercise to determine the scope of their personal data processing activities and the extent to which the DPDPA applies to their operations. The DPDPA acts as the overarching regulation for data laws in India and is applicable extraterritorially. Consequently, multinational companies must, during their global data reviews, assess their Indian presence to determine whether the DPDPA will apply to their Indian operations. If businesses suspect that their operations may be regulated by the DPDPA, they may take additional steps to prepare for compliance, including:
This website is owned and operated by Spice Route Legal, and is exclusively meant to be a source of information on the firm, its practice areas, and its members.