Today, data flows freely and is often described as the “new oil.” India is one of the top data-processing countries, handling the data of over 1.4 billion people. Protecting that much personal data has become a critical concern for government, businesses, and individuals alike. Recognizing this, the Indian government passed the Digital Personal Data Protection Act (DPDPA) on 11 August 2023, aiming to provide comprehensive protection to the personal data of citizens. This landmark legislation is poised to transform the data protection landscape in India. In this blog, we’ll delve into the key provisions and implications of India’s Digital Personal Data Protection Act 2023.
The proliferation of digital technologies and the exponential growth of data-driven industries have given rise to concerns about how personal data is collected, processed, and shared. With the evolution of data breaches and privacy violations, individuals have become increasingly apprehensive about the safety of their personal information. In this context, the DPDPA seeks to address these concerns by establishing a robust framework for data protection.
Data Processing Principles: The DPDPA defines a series of principles that govern the processing of personal data. These principles include transparency, purpose limitation, data minimization, accuracy, storage limitation, and accountability. Organizations that collect and process personal data are required to adhere to these principles to ensure fair and lawful processing.
Data Principal Rights: The Act grants individuals a range of rights over their personal data, including the right to access, rectify, erase, and port their data. Data subjects can also withdraw consent for data processing at any time. This empowers individuals to have greater control over their personal information.
Data Protection Authority: The Act establishes the Data Protection Board, an independent regulatory body responsible for overseeing and enforcing data protection regulations. The Data Protection Board will have the authority to issue guidelines, conduct audits, and impose penalties for non-compliance.
Cross-Border Data Transfer: The DPDPA allows data fiduciaries to transfer personal data for processing to any country or territory outside India, but it grants the central government the authority to impose restrictions through notifications. However, it does not prevent any other law from prescribing a higher threshold of data protection, such as the data localization requirements in relation to payment data imposed by the Reserve Bank of India (RBI). (The RBI has in the past imposed business restrictions on American Express and MasterCard.)
Data Breach Notification: Organizations are required to report data breaches to the Data Protection Board and affected individuals within a stipulated time frame. This transparency ensures that individuals are promptly informed if their personal data is compromised.
Penalties for Non-Compliance: The Act prescribes severe penalties for non-compliance, including fines and imprisonment for data breaches and violations of data protection principles. This acts as a strong deterrent to organizations that may be lax in safeguarding personal data. The highest penalty declared so far is two hundred and fifty crore rupees.