Key Legislations On The Horizon – An Overview Of Incoming Legislations 

1. New Personal Data Protection Regime

India has recently enacted a new data protection law. The Digital Personal Data Protection Act, 2023 (“DPDPA”) rehauls existing data protection practices in the country. While comparable to the GDPR, the DPDPA diverges from many international data protection laws by focusing on a consent-centric framework. This will require businesses to restructure their global privacy framework for India-related data processing activities. Penalties for non-compliance may extend up to INR 250 crores (~ 30 million USD). While the law is not yet in effect, companies have already commenced their compliance operations. Read our detailed summary of the new law and its impact on businesses here. 

2. A Proposed Framework To Regulate Information Technology

The Indian government seeks to revamp its decades-old IT law under its ‘Digital India’ initiative. A proposed “Digital India Act” will regulate the open internet, online safety, accountability and quality of services, and emerging technologies, while establishing a new adjudicatory mechanism. Through the regulation of internet intermediaries, developers of emerging technologies, and internet users, the Digital India Act aims to establish non-discriminatory internet access through sanctions on digital harms such as impersonation, privacy violations, misinformation, doxing, and cyber-attacks. Fines for non-compliance are expected to extend up to INR 500 crores (~60 million USD) and will include criminal penalties as well. A draft version of this law has not yet been officially published. 

3. Increased Penalties For Non-Compliance With Cybersecurity Requirements

In 2022, India’s nodal cybersecurity regulator issued a set of directions that, among other cybersecurity obligations, requires businesses to report cybersecurity incidents to the regulator within six hours of knowledge of occurrence. Penalties for non-compliance include both, fines of up to INR 1 lakh (~1,200 USD) and imprisonment of up to one year. While there have been no public instances of penalties being imposed since these directions went into effect, the Indian government has recently enacted an amendment to increase the fine to a maximum of INR 1 crore (~120,000 USD), which significantly increases risks associated with non-compliance with the stringent directions. This amendment is not yet in effect.