Last Updated: October 2023
On 12 Aug., Indian President Droupadi Murmu signed the Digital Personal Data Protection Act into law, covering all India-based organizations and extending to certain international entities. Considering India is now the most populated country in the world at 1.4 billion, and in view of the role the country plays in highly globalized industries such as financial services, health care, and the like, the law will undoubtedly have wide impact on organizations and individuals around the world.
Given the global importance and scope of this new data privacy law, the IAPP has launched a six-part series on the "Top operational impacts of the DPDPA." Jointly written by leading Indian privacy law experts, the series will serve as a walkthrough of the most important components of the DPDPA. Its goal is to provide a view of this landmark legislation in actionable terms and in ways that foster a baseline understanding of its salient features.
Articles in the series are focused on the DPDPA’s scope, key definitions, and lawful processing of data; individual rights; obligations of data processing entities; cross-border data transfers; enforcement and the Data Protection Board; and a comparative analysis with the EU General Data Protection Regulation and other major data privacy laws.
Access articles in series
- Part 1: Scope, key definitions and lawful data processing
- Part 2: Individual rights
- Part 3: Obligations of data processing entities
- Part 4: Enforcement and the Data Protection Board
- Part 5: Cross-border data transfers
- Part 6: Comparative analysis with the EU General Data Protection Regulation and other major data privacy laws
The DPDPA has been met with both praise and criticism. While lauded by its makers for being globally competitive and contemporary, others, such as Justice B.N. Srikrishna (previous chair of the Expert Committee on Data Protection that proposed the original 2018 version of the bill), have commented that the provisions granting exemptions to the government and government bodies in the law "cause great concern."
The DPDPA was introduced in the Lok Sabha, the lower house of Parliament, on 3 Aug. after the Parliamentary panel on Communications and Information Technology endorsed its passage “without any undue delay.” The Rajya Sabha, the upper house of Parliament, passed the legislation on 9 Aug. 2023.
The law has been many years in the making, reaching back to a 2017 decision of the Supreme Court of India that found a constitutional right to privacy. The first draft of an Indian data protection bill followed in 2018, with lawmakers wrestling with a host of different versions before agreeing upon what is now the DPDPA.
Today’s DPDPA is not the end of the road, however. The DPDPA is still subject to further rulemaking, which will be important, if not determinative, as to how key provisions in the DPDPA come to life from an operational compliance perspective. As a start, the Indian government has begun to take steps towards formulating regulations and setting up the Data Protection Board, which will be tasked with investigating complaints and issuing fines. Another big thing to watch out for is the rollout of the parental consent system aimed at securing children’s privacy.
While the ink is not yet dry on the DPDPA, getting a firm grip on what the law says, what it means, what it might mean, and what trends and developments might shape how organizations approach compliance will all be imperative for privacy pros. The upcoming articles in this series will serve as a first dip into these unchartered waters.
The IAPP Resource Center additionally hosts an "India" topic page, which updates regularly with the IAPP's latest news and resources.