The Digital Personal Data Protection Act, 2023 – India’s Data Protection Revamp
Partners: Rahul Matthan, Nikhil Narendran, Jyotsna Jayaram, Counsels: Thomas J Vallianeth, Karishma Sundara, Senior Associates: Akshaya Parthasarathy, Krati Hashwani, Consultant: Shreya Ramann, Associates: Akanksha Singh, Karthik Rai, Pranay Jalan, Kuruvilla M Jacob, Sidharth Ray and Sarashika Eakambaram
On 9 August 2023, the Rajya Sabha passed the Digital Personal Data Protection Bill, 2023. Having already been passed by the Lok Sabha on 7 August 2023, it now just needs to receive the President’s assent before it becomes the Digital Personal Data Protection Act, 2023 (DPDP Act). Once in force, it will replace the data protection regulations contained in the Information Technology Act, 2000 to offer a comprehensive data protection regime for the country.
Briefly, the DPDP Act:
- applies uniformly to all digital personal data irrespective of sensitivity;
- prescribes consensual and non-consensual grounds for processing personal data;
- specifies obligations for data fiduciaries (called data controllers in the European Union (EU));
- designates certain data fiduciaries as significant data fiduciaries (SDF) with additional obligations;
- sets out the rights of data principals (called data subjects in EU) and their duties;
- permits cross-border data flows but allows the government to restrict data transfers to certain geographies;
- levies penalties of up to INR 250 crore (USD 30 million) for various significant contraventions;
- establishes a Data Protection Board (Board) to regulate and enforce the DPDP Act’s provisions with appeals lying before the Telecom Disputes Settlement and Appellate Tribunal (Appellate Tribunal).
Download PDF to read more