India’s Move to Safeguard Data Privacy of Citizens
India's DPDP Act 2023 enforces data privacy with strict consent, cross-border data rules, data principal rights, and heavy penalties for non-compliance.
In August 2023, India took a significant step to strengthen the country’s cyber laws by passing the Digital Personal Data Protection Act, 2023. Although the Act is yet to be enforced, it puts India’s data privacy rules on par with international laws.
The DPDP Act addresses the growing concerns over data misuse and breaches. The Act's emphasis on consent, data fiduciaries, localization, and stringent penalties positions it as a robust framework for data protection. Although it shares similarities with the GDPR, particularly in safeguarding privacy and regulating data handling, key differences in scope, consent management, and cross-border data flow highlight the distinct approach India has taken in ensuring digital privacy for its citizens.
Here’s a bullet-point summary of the key points of this Act:
Data Fiduciaries:
- Entities that determine the purpose and means of processing personal data.
- Must obtain explicit consent, ensure transparency, and protect personal data.

Significant Data Fiduciaries (SDFs):
- Designated based on factors like the volume of data processed and potential risk to privacy.
- Must appoint a Data Protection Officer (DPO), conduct Data Protection Impact Assessments (DPIAs), and undergo regular audits.

Data Protection Board of India:
- Established to oversee compliance, adjudicate complaints, and enforce the DPDP Act.

Appointment of Data Protection Officer (DPO):
- Mandatory for Significant Data Fiduciaries.
- Ensures compliance and serves as a contact point for the Data Protection Board.

Privacy Rights of Individuals (Data Principals):
- Consent: Personal data can only be processed with explicit, informed consent.
- Right to Notice: Individuals must be informed about the purpose, duration, and type of data being collected.
- Right to Access: Data principals can request access to their data and know how it’s being processed.
- Right to Correction: Individuals can request corrections if their data is inaccurate.
- Right to Deletion: Data principals can request deletion of personal data if no longer necessary.
- Right to Grievance Redressal: Individuals can file complaints if their data rights are violated.

Explicit Consent vs. Deemed Consent:
- Explicit Consent: Data processing requires clear, informed permission.
- Deemed Consent: Allows data processing in specific situations like legal obligations or emergencies without explicit consent.

Cross-Border Flow of Data:
- Sensitive personal data can be transferred outside India only with government approval.
- Emphasizes data localization, requiring certain data to be stored in India.

Penalties:
- Violations can result in fines between ₹50 crore and ₹250 crore, depending on severity.

Data Minimization:
- Organizations must only collect the minimum amount of data necessary for the specified purpose.

As the use of digital platforms and services expands, this legislation seeks to create a structured framework to regulate how organizations handle personal data. The DPDP Act aims to provide clarity on data processing practices while balancing innovation and user privacy.