

India Passes the Digital Personal Data Protection Act


On August 11, 2023, the Indian Parliament passed the Digital Personal Data Protection Act (the Act). The Act will replace the relevant provisions of the Information Technology Act of 2000, the IT Act amendments of 2008, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011, and the Digital Personal Data Protection Bill of 2022.

Effective Date

The government of India announced that the Act will be effective within 10 months (June 2024), but the enforcement date is yet to be determined.

Rights of Data Subjects

The Act is very similar to GDPR and US privacy laws in how it treats data subjects. The rights under the Act include the right of access, data correction, deletion, and grievance redressal.

Application and Scope

The Act does not have a monetary or volume threshold. The Act governs the processing of digital personal data within India in two scenarios:

(i) when such data is collected from data principals in digital format; or

(ii) when initially collected in non-digital form and subsequently digitized. Thus, the Act shall not apply to the processing of personal data in non-digitized form.

The Act could potentially touch any company of any size if it collects digital data of consumers.

Key Features and Additional Scope

Consent – Data controllers require the consent of data subjects to process their digital personal data, subject to certain “legitimate use” exceptions (e.g., the voluntary provision of data, to avail of government benefits, in case of medical emergencies, or employment-related data). Consent should be “free, specific, informed, unconditional and unambiguous” and should be communicated through clear affirmative action signifying agreement to the processing of the data subject’s personal data for the specified purpose, and shall be limited to only such personal data as is necessary for such specified purpose. Such consent may also be withdrawn by the data subject.

Consent Manager – The Act envisages a “consent manager” who should be registered with the Data Protection Board of India, and who would act as a point of contact to enable a data subject to give, manage, review, and withdraw their consent.

Extra-Territorial Application – The Act applies to the processing of digital personal data in India, and outside India if such processing is in connection with offering goods or services to data subjects who reside in India.

Notice – In order to obtain consent, data controllers should provide data subjects with a notice specifying what personal data is to be collected, the purposes for which the data will be processed, how the data subjects can exercise their rights in respect of such data, and the contact details of the relevant data protection officer or other responsible person at the data controller who will be responsible for responding to data subjects’ requests to exercise their rights.

Recordkeeping – Data controllers will have to demonstrate that notice and consent requirements were met and will need to maintain relevant records.

Data of Children and Persons with Disabilities – Before processing personal data of a child or a person with disabilities who has a lawful guardian, data controllers are required to obtain verifiable consent of the parent or guardian. Certain forms of processing involving children’s data (such as online tracking, behavioral/targeted advertising) are strictly prohibited.

Exemptions of the State – The State, and agents of the State, are exempt from seeking consent (and from other obligations under the DPDP Act, including erasure of personal data in its records). Personal data provided by data fiduciaries to the State under a legal obligation is treated as a “legitimate use”. This broad exemption may create an issue for any EU agency or international corporation conducting an impact assessment for data transfers to India.

Penalties – This may come as a shock for which corporations cannot prepare. The DPDP Act does not prescribe a maximum penalty. Penalties can be levied on a person or an entity and are prescribed for each offence; these may then be aggregated when determining the maximum penalty that applies.

Clarip’s Data Privacy Governance Platform ensures compliance with all consumer privacy regulations, including the “Do Not Sell/Do Not Share My Personal Information” solution. Allow customers to submit, revoke and update granular consent with Clarip’s Universal Consent Management. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.
