India is the second-largest internet market in the world, with more than 760 million active internet users. The Supreme Court of India recognized the right to privacy in a 2017 verdict and in August 2023, the Indian Parliament passed a comprehensive data protection bill, the Digital Personal Data Protection (DPDP) Act.
This article provides an overview of the Digital Personal Data Protection (DPDP) Act, the evolution of data privacy laws in India, and the rights, responsibilities, and obligations set forth in the proposed bill.
What Is India's Digital Personal Data Protection (DPDP) Act?
The Digital Personal Data Protection (DPDP) Act, passed in August 2023, is legislation in India that balances the rights of individuals to protect their personal data with the necessity of processing such data for lawful purposes. The Act imposes obligations on Data Fiduciaries, those processing data, and outlines the rights and duties of Data Principals, individuals to whom the data pertains. It also introduces financial penalties for breaches.
The DPDP follows India’s Personal Data Protection Bill (PDPB) 2022, India's most recent attempt to create a comprehensive data privacy law. The Bill was part of a group of legislation including the National IT Governance Framework Policy and a new Digital India Act.
According to draft legislation, the aim of PDPB 2022 was “to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.”
A Brief History of India’s Privacy and Personal Data Protection Laws
Prior to 2022, India did not have a comprehensive privacy law. In 2017, the Supreme Court of India recognized the right to privacy as a constitutionally protected right in the Puttaswamy judgement, also known as the Right to Privacy verdict. The court also noted India’s lack of a comprehensive privacy law and the limitations of the existing Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules or SPDI Rules, implemented in 2011.
Following the Right to Privacy verdict, the government of India developed draft legislation designed to protect the privacy of Indians. Earlier versions of the Personal Data Protection Bill received significant scrutiny and were ultimately unsuccessful, including the Data Protection Bill 2021, which bore some similarities to the European Union’s General Data Protection Regulation (GDPR). It was withdrawn in August 2022.
On November 18, 2022, the Ministry of Electronics and Information Technology proposed the Digital Personal Data Protection Bill 2022, which was slated to replace some parts of existing law (Section 43A of the IT Act) and the SPDI Rules.
Scope of India’s Digital Personal Data Protection (DPDP) Act
India’s DPDP Act applies to digital personal data processed in the territory of India. It excludes personal data that is not digitized, as well as offline personal data.
The DPDP, like the GDPR and similar data privacy laws, also applies to any entity that processes personal data outside the territory of India that relates to any data principal within the territory of India.
The Data Protection Board of India
The DPDP created the Data Protection Board of India (DPB), the first regulatory body in India focused on protecting personal data privacy. Like similar regulatory bodies, the goal of the DPB is to oversee compliance and impose penalties on non-compliant organizations.
Rights of Data Principals
India’s Digital Personal Data Protection Act establishes numerous rights of citizens, known as Data Principals in the Act. These include the right to:
- Know what personal data is being collected about them: Individuals have the right to be informed about the personal data that is being collected about them, the purpose for which it is being collected, and third parties with whom it is being shared.
- Access their personal data: Individuals have the right to access their personal data that is being processed by an organization.
- Correct or delete their personal data: Individuals have the right to correct any inaccuracies in their personal data or to delete their personal data in certain circumstances.
- Object to the processing of their personal data: Individuals have the right to object to the processing of their personal data in certain circumstances.
- Port their personal data to another organization: Individuals have the right to port their personal data to another organization in certain circumstances.
- File a complaint with the Data Protection Board (DPB): Individuals have the right to file a complaint with the DPB if they believe that their personal data has been processed in a manner that is not in compliance with the DPDP Act.
Responsibilities of Data Principals and Organizations
The DPDP Act assigns restrictions and obligations to organizations that process personal data, including:
- Obtain consent from individuals before processing their personal data: Organizations must obtain consent from individuals before processing their personal data, unless an exemption applies.
- Use personal data only for the purposes for which it was collected: Organizations must use personal data only for the purposes for which it was collected, unless they have obtained consent from the individual for further processing.
- Protect personal data from unauthorized access, use, disclosure, alteration, or destruction: Organizations must take appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction.
- Respond to individuals’ requests for access, correction, deletion, and objection: Organizations must respond to individuals’ requests for access, correction, deletion, and objection within a reasonable time.
- Report data breaches to the DPB: Organizations must report data breaches to the DPB within 72 hours of becoming aware of the breach.
Additional Responsibilities for Organizations
In addition to the above obligations, organizations that process data can take the following steps to help them better prepare for compliance:
- Assess their data processing activities: Organizations should assess their data processing activities to identify any areas where they may need to change their practices to comply with the DPDP Act.
- Develop a data protection policy: Organizations should develop a data protection policy that sets out their commitment to protecting personal data and outlines their data processing practices.
- Appoint a data protection officer or DPO: Organizations that process personal data on a large scale are required to appoint a DPO. The DPO will be responsible for overseeing the organization’s compliance with the DPDP Act.
- Appoint an independent auditor to conduct periodic audits to ensure ongoing compliance.
Penalties for Noncompliance
Violations of the requirements - in particular for the failure to implement information security measures necessary to mitigate the risk of a personal data breach - could result in fines of up to 250 crore INR/$30 million.
The penalty is less severe than under 2022's legislation, which proposed a fine of up to approximately INR 500 crore (approximately $61 million).
Status of India’s Digital Personal Data Protection Act
On August 9, India passed the Digital Personal Data Protection (DPDP) Act, 2023, which governs how entities process digital personal data. The DPDP Act built upon its predecessor, the Digital Personal Data Protection Bill, 2022, released in November 2022.
Frequently Asked Questions
Has the Personal Data Protection Act been passed in India?
Yes, the Digital Personal Data Protection Act was finally passed on August 9, 2023.
What is a data subject in the Digital Personal Data Protection Act?
India’s Digital Personal Data Protection Act uses the term “data principals” rather than “data subjects,” referring to individuals “to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child.”
Is data privacy a human right in India?
While the Constitution does not explicitly state the right to privacy, the Supreme Court of India recognized the right to privacy in the Justice K. S. Puttaswamy (Retd.) & Anr. vs. Union Of India & Ors. (2017) verdict, which is also known as the Right to Privacy verdict.
The verdict was a landmark decision by a bench of nine judges who unanimously agreed that the right to privacy is a fundamental right under Articles 14, 19, and 21 of the Constitution of India.
The order issued by the Supreme Court of India states, “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.”