Case law:
India’s rapidly evolving technology landscape may have reached a significant milestone with
the introduction and subsequent enactment of the Digital Personal Data Protection (DPDP)
Bill, 2022. The Union Cabinet approved this pivotal legislation on July 5, and it was
presented during the ongoing Monsoon Session of Parliament, which commenced on July 20,
2023. It swiftly passed through the legislative process, receiving approval in the lower house
(Lok Sabha) on August 7 and in the upper house (Rajya Sabha) on August 9. The DPDP Bill,
2022, officially became the Digital Personal Data Protection Act after receiving the
President’s assent on August 11, 2023 (official Gazette notification by the Government of
India—DPDP Act).
It is based on six principles of the data economy of which the first one talks about the
collection and usage of the personal data of citizens of India. The collection and usage of
personal data should be lawful, must be protected from breach and transparency should be
maintained. The second principle talks about data collection exercises that must be for a legal
purpose and the data should be safely stored till the purpose is served.
The next principle talks about data minimization, which says that only relevant data about
individuals should be collected and that serving the pre-defined purpose should be the only aim.
The fourth principle is regarding Data Protection and Accountability while the fifth talks
about the accuracy of data. The last principle lays down the rules regarding reporting a data
breach. In case of a data breach, it should be reported in a fair, transparent, and equitable
manner to the Data Protection Boards.
Also, the proposed legislation stipulates consent before collecting personal data and provides
for stiff penalties of as much as ₹500 crore on persons and companies that fail to prevent data
breaches including accidental disclosures, sharing, altering, or destroying personal data.
It applies to data fiduciaries i.e. all persons (individuals, companies, start-ups and government
entities) who alone or in conjunction with others, determine the purpose and means of
processing the personal data (including collection, recording, organisation, structuring,
storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure,
restriction, and erasure / destruction).
Considering the type and volume of personal data that is collected, processed, stored,
retained, and disposed of in India, the Act will have an effect on the majority of
organisational sectors, including legal, information security, IT, sales and marketing, human
resources, and finance.
The Act applies to the processing of digital and digitised personal data within India and also
applies to the processing outside India where such processing is in relation to offering goods
or services in India.
The Act does not apply where the processing is done for personal or domestic purposes by
individuals or where the personal data is made publicly available.
KEY FEATURES OF THE ACT
i. NOTICE: The Act requires notice to be sent to data principals before obtaining their
consent. This notice should provide information on what data is collected and for
what purpose, how the data principals can exercise their rights and how they can
make complaints to the Data Protection Board.
ii. CONSENT: The Act allows for processing of personal data only after obtaining
consent of the data principal. There are also certain legitimate uses under the Act
where the consent is not required such as voluntary disclosure by data principal,
medical emergency, employment, threat to public health, etc.
iii. CHILDREN’S DATA: The Act allows for the processing of children’s data (below
18 years of age) and persons with disability only after obtaining verifiable consent
from the parent or legal guardian. The Act also prohibits behavioural monitoring and
targeted advertisements towards children.
iv. OBLIGATIONS OF DATA FIDUCIARIES: Data fiduciaries are obligated to
vi. RIGHTS & DUTIES OF DATA PRINCIPALS: The Act provides data principals
with 4 rights i.e.,
vii. CROSS-BORDER TRANSFER: Transfer of personal data has been allowed to all
countries except to those which will be notified by the government from time to time.
viii. EXEMPTIONS: The Act allows certain exemptions to which certain provisions of
the Act will not be applicable. These include:
ix. DATA PROTECTION BOARD: This Board will be established to monitor compliance
with the Act and impose penalties. It will direct data fiduciaries to undertake measures
on occurrence of a data breach and hear grievances of the data principals. Appeals
from the decisions made by the board will lie to TDSAT.
x. PENALTIES: The Act imposes penalties
However, the DPDP Act is not immune from criticism. Some argue it could hinder
innovation due to perceived strictness, while others contend that it might not go far enough to
ensure individual privacy, primarily considering the discretionary power granted to the
Central Government in personal data processing. The forthcoming rules through delegated
legislation will play a vital role in shaping these aspects. A standardized process for rule
release, coupled with industry consultations as seen in amendments to Information
Technology Rules for online gaming, would establish a robust data protection framework
benefiting the entire technology sector in India.
In conclusion, given that India is positioned as one of the largest data markets in the world, a
comprehensive data protection and governance regulation will certainly influence and greatly
contribute to the evolution of the global data governance landscape.
With the Digital Personal Data Protection Act, 2023 coming into picture, India’s digital
landscape has transformed into a robust personal data protection regime. The Act's adoption is
set to strengthen user interactions and foster responsible innovation. With the Act being
implemented in a phased manner, timely creation of a robust implementation program for
data privacy and protection becomes of utmost importance for organisations under the
purview of this Act. In order to do so, they must review their current state of compliance with
the Act (including privacy policies, terms of service, consent forms, notices and other
documentation) and carry out a review of their legal measures to collect, process and
protect data to ensure that they comply not only with the Act but also with the Rules which the
Central Government may publish from time to time.