Privacy Laws In India: What's The Status?

does india have privacy laws

India's first comprehensive data protection law, the Digital Personal Data Protection Act 2023 (DPDPA), came into effect on September 1, 2023. The DPDPA establishes guardrails for how organisations handle personal data and offers Indian citizens more control over their personal information. The DPDPA is enforced by the Data Protection Authority of India (DPA), an independent body that investigates complaints, issues fines, and mandates compliance with the Act. This new law is a significant development in India's privacy landscape, as it replaces the previous lack of standalone legislation governing data protection.

Characteristics Values
Year of passing the privacy law 2023
Date of effect 1 September 2023
Name of the law Digital Personal Data Protection Act (DPDPA)
Previous data protection laws Section 43A and 87(2)(ob) of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Applicability Indian entities which engage in the processing of personal data, foreign entities that offer goods and services to Data Principals located within India
Non-applicability Personal data used by an individual for personal or domestic purposes, personal data made publicly accessible by the data principal or by any other individual or entity mandated by law
Compliance requirements Consent of the user, notice to the user about the personal data to be processed, purpose of processing, opt-out rights, complaint process
Additional compliance requirements Appointment of a Data Protection Officer, appointment of an Independent Data Auditor, periodic Data Protection Impact assessments
User duties Not to suppress any material information, not to register frivolous complaints or grievances
Establishment of the Board Data Protection Board of India, a government body with members possessing knowledge or experience in data governance, consumer protection laws, ICT, and the digital economy
Board responsibilities Overseeing mitigation measures in the event of a personal data breach, handling consumer complaints/grievances, conducting investigations, imposing monetary penalties
Section 37 Allows the government to block the public's access to any information that enables a data fiduciary to provide goods or services in India, based on two criteria: the board has imposed penalties on such data fiduciaries on two or more prior occasions, and the board has recommended a blockage
Data principal rights Rights of access, correction, or erasure, right to a readily available and effective means of grievance redressal, right to nominate an individual to exercise the rights of the data principal in the event of death or incapability

lawshun

India's 2023 Digital Personal Data Protection Act

Prior to the DPDP Act, India did not have a standalone law specifically dedicated to data protection. The foundation of the country's data protection framework revolved around the Information Technology Act, 2000 (IT Act), which included the Privacy Rules of 2011. However, in 2017, a significant development took place when the Supreme Court of India upheld that privacy is a fundamental right, entrenched in the Constitution of India. This pivotal moment set in motion a process to formulate a dedicated and comprehensive data protection law.

The DPDP Act introduces several key provisions and obligations for entities handling digital personal data. Firstly, it applies not only to Indian entities but also to foreign entities offering goods and services to individuals located in India, processing personal data in connection with such activities. Secondly, the Act mandates that personal data must be processed lawfully, fairly, and transparently, with user consent being a key requirement for processing. Users must be provided with notices detailing the personal data being processed, its purpose, and their opt-out rights.

The DPDP Act also imposes obligations on data fiduciaries, who are responsible for determining the purpose and means of processing. These obligations include ensuring data accuracy, implementing security safeguards to prevent data breaches, notifying the Data Protection Board of India and affected individuals in the event of a breach, and adhering to storage limitations by retaining data only as long as necessary. Additionally, significant data fiduciaries must appoint a Data Protection Officer based in India and independent data auditors to evaluate compliance.

Another notable aspect of the DPDP Act is its approach to cross-border data transfers. While it allows for the transfer of personal data outside India, the Indian Government retains the authority to restrict such transfers to specific countries. This provision offers more flexibility compared to previous iterations of the bill, which allowed data transfers only to a restricted set of countries.

In conclusion, India's 2023 Digital Personal Data Protection Act represents a significant step forward in the country's data protection and privacy landscape. By establishing clear guidelines for data handling and providing individuals with enhanced control over their personal data, the Act aims to safeguard the fundamental right to privacy while fostering innovation and commerce. The effectiveness of the DPDP Act will ultimately be determined by its implementation and the regulatory developments that follow in the coming years.

lawshun

The role of the Data Protection Board of India

India passed a data protection law in August 2023, which governs how entities process users' personal data. This law, the Digital Personal Data Protection Act (DPDP Act), establishes guidelines for how organisations should handle personal data and offers citizens control over the personal data collected about them.

The Data Protection Board of India (DPBI) is a government body that is being set up under section 18 of the DPDP Act. The board consists of a Chairperson and members who will be appointed as per the extant rules. The DPBI is responsible for protecting and regulating the use of personal data of the data principal and adherence to the provisions of the DPDP Act. The board will also handle consumer complaints and grievances related to the processing of personal data, conduct investigations, and impose monetary penalties when appropriate.

The DPBI will also have the power to direct any urgent remedial or mitigation measures in the event of a personal data breach and to inquire into such breaches. The DPDP Act introduces several compliances with respect to the collection, processing, storage, and transfer of digital personal data. For example, the Act mandates that companies may only process users' personal data with the user's consent or for certain legitimate uses. The Act also allows the Indian government to restrict the transfer of personal data outside of India.

The DPBI is intended to be an independent body, free from government control. However, its independence has been questioned due to excessive executive control in appointing the Chairperson and members of the board. The effectiveness of the board hinges on its independence, and it remains to be seen whether the DPBI will have the necessary teeth to enforce the provisions of the DPDP Act effectively.

lawshun

Privacy as a fundamental right

India passed a data protection law in August 2023, which governs how entities handle users' personal data. This law, known as the Digital Personal Data Protection Act (DPDP Act), establishes guidelines for organisations handling personal data and gives citizens control over their personal data.

The development of this law was prompted by a 2017 ruling of the Supreme Court of India, which affirmed the right to privacy as a fundamental right under Article 21 (Right to Life and Liberty) of the Indian Constitution. This ruling, known as the Justice K.S. Puttaswamy v. Union of India case, recognised that privacy is a fundamental right, intrinsic to life and personal liberty.

The DPDP Act introduces several compliances regarding the collection, processing, storage, and transfer of digital personal data. It applies to Indian entities processing personal data as well as foreign entities offering goods and services to individuals located in India. The Act mandates that companies may only process user data with the user's consent or for specific legitimate purposes. It also requires companies to notify users of the personal data being processed and the purpose of such processing.

While the DPDP Act is a significant step towards protecting privacy rights in India, further actions by the government are needed to ensure its effective implementation. Additionally, it is important to ensure that the exercise of sovereign control is legitimate and does not infringe on privacy, commerce, and innovation. The regulatory developments and institutional arrangements in the coming years will determine the effectiveness of personal data privacy protection in India.

lawshun

Compliance for foreign companies

India's Digital Personal Data Protection Act, 2023 (DPDPA or DPDP Act) is the country's first comprehensive data privacy law. It sets out clear rules for collecting, storing, and using personal data, with new obligations around user consent, cross-border transfers, security safeguards, and grievance redressal.

The DPDPA applies to any foreign entity that offers goods and services to individuals located in India and processes personal data in connection with such activities. This means that US-based companies must comply with the law when processing data from Indian users.

Foreign companies should be aware that the DPDPA has been influenced by global frameworks like the EU General Data Protection Regulation (GDPR), but there are several key differences. For example, while the DPDPA is similar to the GDPR in its definition of a 'Data Fiduciary' or 'Data Controller', it takes an opposite approach to cross-border data transfers, being more permissive.

The first step to compliance is understanding what data you collect, how you collect it, and where it goes. Foreign companies should conduct a thorough data inventory to identify the categories of personal data collected from Indian users and map how this data flows through their systems.

To avoid legal risks and ensure smooth operations, international companies should put in place a structured data privacy compliance program tailored to Indian legal requirements. This includes implementing appropriate technical and organisational measures, adopting reasonable security safeguards to prevent personal data breaches, and facilitating the exercise of data principal rights.

Penalties for non-compliance can be severe, with significant monetary fines of up to INR 250 crore (approximately USD 30 million) for failing to protect personal data and up to INR 200 crore (approximately USD 24 million) for breaches involving children's data.

lawshun

Sensitive personal information

India's new data protection law, the Digital Personal Data Protection Act, 2023 (DPDP Act), has brought about a significant shift in the country's data privacy landscape. This law establishes a framework for the collection, use, and management of personal data.

The DPDP Act is applicable to Indian entities that process personal data, as well as foreign entities offering goods and services to individuals located in India. Notably, it does not apply to personal data used for personal or domestic purposes or data that is deliberately made publicly accessible.

The Act introduces several compliances regarding the collection, processing, storage, and transfer of digital personal data. It mandates that companies may only process user data with the user's consent or for specific legitimate purposes. Users must be notified about the personal data being processed, the purpose of such processing, and their opt-out rights.

The DPDP Act also addresses sensitive personal data, which is defined by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). According to the SPDI Rules, sensitive personal information includes passwords, financial information, physical and mental health conditions, sexual orientation, medical records, and biometric information.

To protect sensitive personal data, the DPDP Act requires explicit written consent before collecting such data. Additionally, the retention of sensitive data is limited to the period necessary for its intended purpose. If consent is withdrawn or the data is no longer needed, the data should be erased.

The DPDP Act also establishes the Data Protection Board of India, a government body responsible for overseeing mitigation measures in the event of a personal data breach and handling consumer complaints related to data processing. This board has the authority to impose monetary penalties when appropriate.

Frequently asked questions

Yes, India passed its first comprehensive data protection law, the Digital Personal Data Protection Act (DPDPA) in August 2023. The DPDPA came into effect on September 1, 2023, and applies to all organisations that process personal data of individuals in India.

The DPDPA establishes guardrails for how organisations handle personal data and offers Indian citizens more control over their personal data. It introduces several compliances with respect to the collection, processing, storage, and transfer of digital personal data.

Personal data is defined under the DPDPA as "any data that relates to a natural person who can be identified, directly or indirectly, in particular by reference to a name, identification number, location data, or online identifier". This includes sensitive personal information such as passwords, financial information, health records, and biometric information.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment