

India has passed the Digital Personal Data Protection Act, 2023, which is a comprehensive data protection law aimed at safeguarding the rights and privacy of Indian residents. The Act applies to the processing of digital personal data within India where such data is collected online, or is collected offline and then digitized.
The Act grants several rights to data principals, including the right to know what personal data is processed, the right to data deletion, the right to data portability, and the right to restrict or object to processing. The Act also establishes a Data Protection Authority of India, which will be responsible for enforcing the Act and ensuring compliance. The Act replaces a much more limited data protection framework.
The Digital Personal Data Protection Act is a game-changer for India's data protection landscape. The Act introduces several compliance requirements for the collection and processing of personal data.
Some key provisions of the Act include:
The Act applies to the processing of digital personal data, which is broadly defined as data in digital form (whether collected in digital or non-digital form).
The Act requires entities to obtain consent from data principals before processing their personal data.
The Act grants data principals several rights, including the right to know what personal data is processed, the right to data deletion, the right to data portability, and the right to restrict or object to processing.
The Act requires entities to implement appropriate technical and organizational measures to protect personal data.
The Act establishes a Data Protection Authority of India, which will be responsible for enforcing the Act and ensuring compliance.
The Act grants the Government the power to block public access to any information processed within India that is deemed to be in the “interests” of the country.
Foreign companies operating in India will also be subject to the Digital Personal Data Protection Act (DPDA) if they process personal data of Indian residents. The DPDA applies to the processing of personal data outside India only if that processing relates to offering goods or services to “Data Principals” in India, or if the processing is related to profiling of Indian residents.
Therefore, foreign companies operating in India will need to comply with the DPDA by obtaining consent from data principals before processing their personal data, implementing appropriate technical and organizational measures to protect personal data, and complying with other requirements of the Act. Failure to comply with the DPDA can result in significant penalties, including fines and imprisonment.
In conclusion, the Digital Personal Data Protection Act is a significant step towards protecting the privacy and rights of Indian residents. The Act introduces several compliance requirements for entities processing personal data and establishes a Data Protection Authority of India to enforce the Act. Foreign companies operating in India will also need to comply with the Act if they process personal data of Indian residents.
It is important for businesses operating in India to prepare for the Act by conducting a data audit, appointing a data protection officer, and implementing appropriate technical and organizational measures to protect personal data.