
India’s new Digital Personal Data Protection Act

On August 11, 2023, the President of India gave his assent to the Digital Personal Data Protection Act, 2023 (DPDP Act). India, as a tech-savvy nation with a booming digital economy, recognized the need for a structured data protection framework. The Act shall come into force on such date as the Central Government may notify in the Official Gazette. The DPDP Act is India’s first comprehensive piece of legislation that aims to safeguard individuals’ personal data while enabling the responsible use of data for various purposes. In this article, we delve into the key aspects of India’s DPDP Act and its implications for individuals, businesses, and the digital ecosystem as a whole.

Application of the DPDP Act

The DPDP Act applies to entities processing digital personal data, as well as non-digital data that is digitized later, within the Indian territory. The law also applies outside the Indian territory when the processing of personal data is related to offering goods or services to data principals, also known as data subjects under the GDPR, within India.

It also applies to all entities that process personal data, regardless of their size or location, unless the Central Government makes an exemption. While the specifics of exemptions can vary and may change over time, here are some common areas where exemptions might apply:

  • Processing of digital personal data for any personal or domestic purpose; and
  • When personal data is made or caused to be made publicly available by the data principal to whom such personal data relates; or any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
  • The Central Government can also exempt itself and state bodies depending on their function, including in matters of law enforcement;
  • The Central Government may further, having regard to the volume and nature of personal data processed, notify certain data fiduciaries or class of data fiduciaries, including startups,
  • Publicly available personal data, processing for research and statistical purposes, and;
  • Processing the personal data of foreigners by companies in India under a contract with a foreign company.

With the DPDP Act, the Central Government has more power to apply or exempt from the Act, including the power to adopt a multitude of “rules” that detail the Act’s application.

Legal bases for processing digital personal data

The DPDP Act focuses mainly on two legal bases:

  1. Informed consent of the data principal remains the primary legal base for digital personal data in India, and;
  2. Certain permissible legitimate uses as under:
    • The data principal voluntarily provides personal data to the Data Fiduciary and it is reasonably expected that the data principal would provide such personal data;
    • Performance of any function under a law;
    • Provision of service or benefit by the State;
    • Medical emergency;
    • Employment purposes; and
    • Specified public interest purposes such as national security, fraud prevention, and information security.

Data Principal Rights and Duties

The DPDP Act provides a comprehensive framework for the protection of digital personal data and gives data principals several rights over their data, as follows:

Data Principal Rights

  • Right to obtain information about processing;
  • Seeking correction and erasure of personal data;
  • Right to nominate another person to exercise rights in the event of death or incapacity, and;
  • Grievance redressal.

Data Principal Duties

They must not:

  • Register a false or frivolous complaint;
  • Furnish any false particulars, suppress information, or impersonate another person in specified cases.

Violation of these duties will be punishable with a penalty of up to INR 10,000.

Substantial Changes in Data Fiduciary Duties

Apart from taking care of data principal rights, the data fiduciary, also known as data controller under the GDPR, has to undertake certain other obligations when processing personal data, including:

  • Ensure accuracy and completeness of data
  • Storage limitation. Please note that the storage limitation requirement will not apply in case of processing by government entities.

The processing which means if the processing is riskier to the rights and freedoms of the data principals. When a data fiduciary is recognized as a significant data fiduciary, it has to fulfill additional obligations as follows:

  • The appointment of a resident data protection officer (‘DPO’) responsible for grievance redressal;
  • The appointment of an independent data auditor;
  • Conducting Data Protection Impact Assessments (‘DPIAs’); and
  • Such other compliances as may be prescribed.

Cross-border transfers

The Central Government may restrict the transfer of personal data to certain countries through a notification. This means it may create a list of adequate countries where it is safe and allowed to transfer the data from India. These transfers will be subject to prescribed terms and conditions by the Government.

Establishing the Data Protection Board of India

The Central Government will establish the Data Protection Board of India to oversee the implementation of the DPDP Act.

 
