Digital Personal Data Protection Act – India (DPDP Act) - August 2023
Lok Sabha passed the Digital Personal Data Protection Act – India (DPDP Act) - August 2023, India’s 2nd attempt at framing privacy legislation.
The Journey of the Bill
Aug 2017: Privacy as a fundamental right reaffirmed in Justice KS Puttaswamy vs Union of India by SC. Justice Srikrishna Committee constituted to examine data protection issue
July 2018: Committee released a draft of the DPDP Bill and report
Dec 2017: The Joint Parliament Committee (JPC) released its report and new version of the law as the Data Protection Bill
Dec 2019: Revised draft bill sent to JPC
Aug 2022: Draft DPB Withdrawn
Nov 2022: MeitY released a draft DPDP Bill for Public Consultation
July 2023: Union Cabinet approves the draft
Aug 2023: The Digital Personal Data Protection Act – India (DPDP Act) was passed and a law was initiated
Introduction to DPDP Act – August 2023
🔒 Introducing the Digital Personal Data Protection Act (DPDP) – Safeguarding Privacy in India 🇮🇳
In a significant stride towards bolstering digital privacy, India has unveiled the groundbreaking Digital Personal Data Protection Act (DPDP) in August 2023. This landmark legislation aims to empower individuals with greater control over their personal data while establishing stringent regulations for its collection, storage, and utilization by businesses and organizations.
Under the DPDP Act, entities collecting personal data are mandated to obtain explicit consent from users, outlining the purpose and duration of data usage. The Act also encompasses provisions for data localization, ensuring that critical personal data remains within Indian borders.
Furthermore, the DPDP Act introduces a Data Protection Authority (DPA) responsible for monitoring and enforcing compliance with the law. Non-compliance could result in substantial fines, emphasizing the government's commitment to fostering a responsible data ecosystem.
As the DPDP Act comes into effect, it heralds a new era of digital privacy, giving citizens greater control and confidence in their online interactions.
What are the key features of the bill?
Applicability- The Bill applies to the processing of digital personal data within India where such data is
Collected online, or
Collected offline and is digitised.
It will also apply to the processing of personal data outside India if it is for offering goods or services in India.
Consent- Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.
For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
Consent may be withdrawn at any point in time.
Rights of data principal- Data principal is an individual whose data is being processed. He/She will have the right
To obtain information about processing
To seek correction and erasure of personal data
To nominate another person to exercise rights in the event of death or incapacity and
Duties of Data Principals- Data Principals must not
Register a false or frivolous complaint.
Furnish any false particulars or impersonate another person in specified cases
Violation of duties will be punishable with a penalty of up to Rs 10,000.
Obligations of data fiduciaries- Data fiduciary is the entity determining the purpose and means of processing.
Data fiduciary must
Make reasonable efforts to ensure the accuracy and completeness of data
Build reasonable security safeguards to prevent a data breach
Inform the Data Protection Board of India and affected persons in the event of a breach
Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes
In case of government entities, storage limitation and the right of the data principal to erasure will not apply.
Personal data outside India- It allows the transfer of personal data outside India, except to countries restricted by the central government through notification.
Exemptions- Rights of the data principal and obligations of data fiduciaries will not apply in specified cases such as
Prevention and investigation of offences
Enforcement of legal rights or claims
The Central government may exempt certain activities
In the interest of the security of the state and public order
Research, archiving, or statistical purposes
Data Protection Board of India- It is established by the Central Government. Key functions of the Board include
Monitoring compliance and imposing penalties
Directing data fiduciaries to take necessary measures in the event of a data breach
Appeal- The decisions of the board can be appealed to Telecom Dispute Settlement and Appellate Tribunal.
Rs 200 crore: Non-fulfilment of obligations for children
Rs 250 crore: Failure to take security measures to prevent data breaches