Lok Sabha passed the Digital Personal Data Protection Act – India (DPDP Act) - August 2023, India’s 2nd attempt in framing privacy legislation.

The Journey of the Bill 

Aug 2017: Privacy as a fundamental right reaffirmed in Justice KS Puttaswamy vs Union of India by SC Justice Srikrishna Committee constituted to examine data protection issue 

July 2018: Committee released a draft of the DPDP Bill and report 

Dec 2017: The Joint Parliament Committee (JPC) released its report and new version of the law as the Data Protection Bill 

Dec 2019: Revised draft bill sent to JPC

Aug 2022: Draft DPB Withdrawn 

Nov 2022 Meity released a draft DPDP Bill for Public Consultation 

July 2023: Union Cabinet approves the draft 

Aug 2023: The Digital Personal Data Protection Act – India (DPDP Act) was passed and a law was initiated 

Introduction to DPDP Act – August 2023 

🔒 Introducing the Digital Personal Data Protection Act (DPDP) – Safeguarding Privacy in India 🇮🇳

In a significant stride towards bolstering digital privacy, India has unveiled the groundbreaking Digital Personal Data Protection Act (DPDP) in August 2023. This landmark legislation aims to empower individuals with greater control over their personal data while establishing stringent regulations for its collection, storage, and utilization by businesses and organizations.

Under the DPDP Act, entities collecting personal data are mandated to obtain explicit consent from users, outlining the purpose and duration of data usage. The Act also encompasses provisions for data localization, ensuring that critical personal data remains within Indian borders.

Furthermore, the DPDP Act introduces a Data Protection Authority (DPA) responsible for monitoring and enforcing compliance with the law. Non-compliance could result in substantial fines, emphasizing the government's commitment to fostering a responsible data ecosystem.

As the DPDP Act comes into effect, it heralds a new era of digital privacy, giving citizens greater control and confidence in their online interactions. 

What are the key features of the bill?

• Applicability- The Bill applies to the processing of digital personal data within India where such data is
  • Collected online, or
  • Collected offline and is digitised. 
• It will also apply to the processing of personal data outside India if it is for offering goods or services in India.   
• Consent- Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.
• For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
• Consent may be withdrawn at any point in time.
• Rights of data principal- Data principal is an individual whose data is being processed. He/She will have the right
  • To obtain information about processing
  • To seek correction and erasure of personal data
  • To nominate another person to exercise rights in the event of death or incapacity and
  • Grievance redressal
• Duties of Data Principals- Data Principals must not
  • Register a false or frivolous complaint.
  • Furnish any false particulars or impersonate another person in specified cases
  • Violation of duties will be punishable with a penalty of up to Rs 10,000.
• Obligations of data fiduciaries- Data fiduciary is the entity determining the purpose and means of processing.
• Data fiduciary must
  • Make reasonable efforts to ensure the accuracy and completeness of data
  • Build reasonable security safeguards to prevent a data breach
  • Inform the Data Protection Board of India and affected persons in the event of a breach
  • Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes
• In case of government entities, storage limitation and the right of the data principal to erasure will not apply.
• Personal data outside India- It allows the transfer of personal data outside India, except to countries restricted by the central government through notification. 
• Exemptions- Rights of the data principal and obligations of data fiduciaries will not apply in specified cases such as
  • Prevention and investigation of offences
  • Enforcement of legal rights or claims
• The Central government may exempt certain activities
  • In the interest of the security of the state and public order
  • Research, archiving, or statistical purposes
• Data Protection Board of India- It is established by the Central Government. Key functions of the Board include
  • Monitoring compliance and imposing penalties
  • Directing data fiduciaries to take necessary measures in the event of a data breach
  • Grievance redressal
• Appeal- The decisions of the board can be appealed to Telecom Dispute Settlement and Appellate Tribunal.