Changes to India data privacy laws have been a long time coming. A 2017 US Supreme Court decision sparked legislative overhaul when concluding that privacy is a fundamental right. A bill was introduced soon thereafter leading to years of review, multiple versions, and debate. In August, India’s Digital Personal Data Protection Act of 2023 (DPDPA) received presidential assent. The law was modelled after the EU’s General Data Protection Regulation (GDPR). It was originally poised to be stricter than the GDPR but that did not come into fruition, as the final version of the law was scaled back.

Positioned as one of the largest open internet markets and a major hub for offshore outsourcing projects, the India law will likely make a lot of waves and significantly influence global policy. Those coming under the DPDPA’s purview need to understand compliance obligations quickly, as it is anticipated to become effective next summer. A firm date is yet to be set.

Overview

Here are ten key provisions to help organisations get started on their compliance journey.

1.    Collection and processing activities of Indian residents applies to both organisations located in-country and those in other countries that offer goods and services to India data subjects. Consumers have the typical rights seen in other laws including the right to know, access, correct, and erase.

2.    There are no separate provisions applying to sensitive data processing. This is different from the GDPR and some state laws in the U.S., such as Utah.

3.    There are no extra requirements for international data transfers with the exception of a few restricted countries. The central government will release a list of these countries. Other laws like GDPR make it harder by requiring adequacy decisions, transfer impact assessments, or contractual clauses for cross-border activity. 

4.    There are limited exceptions including publicly available data, merger-related transfers, and restructuring transfers.

5.    Organisations need explicit consent before processing data, which is a unique feature as other laws like GDPR offer several options. Users can withdraw consent whenever they desire. There are narrow exceptions, including processing for medical emergencies and employment purposes.

6.    Organisations must implement reasonable security safeguards to prevent personal data breaches.

7.    Data fiduciaries must designate and publish contact information for a data protection officer that can address any questions or concerns about processing activities.

8.    An organisation may receive a significant data fiduciary designation that carries more obligations. Factors for making this determination include volume of data processed, sensitive nature, security, public order, risk to electoral democracy, and more. Significant data fiduciaries must appoint an India-based data protection officer and independent data auditor. They also must conduct assessments at regular intervals.

9.    The new enforcement authority will be the Data Protection Board of India. Duties include mitigation oversight, consumer complaint handling, and investigations. Monetary penalties for noncompliance can reach up to the equivalent of $30 million USD per violation.

10.    After a data fiduciary gets fined two or more times, the Data Protection Board can advise blocking access to information in their systems.

This is just a snapshot of responsibilities and as always, organisations must review the law in full to understand all compliance obligations. The central government also plans to release supplemental rules that will provide further guidance and provide a better grasp on the DPDPA’s reach.

Compliance Tips

The growing global privacy landscape creates new and sometimes conflicting responsibilities. When more obligations arise, it is crucial to know where overlap and divergences exist in order to maintain a compliance program that meets the requirements of all applicable laws. For those organisations subject to India’s new legislation that already have GDPR-centred programmes, there will be a fair amount of overlap making the transition smoother. However, as demonstrated above, there are significant differences with India consumer data handling to consider. A provider with data privacy expertise that can implement information management tools, detect security shortcomings, and orchestrate thorough compliance plans is a beneficial resource to help internal teams.

For now, to be best prepared it is imperative to review data collection and processing practices to identify anything that is not up to par with the new law. After identifying deficiencies, organisations can explore ways to bolster security, policies, and notice efforts. A big focus should be on addressing ways to receive adequate consent from data subjects, as this is a major feature of the law differing from other global directives. If and until the central government issues rules clarifying this provision, most processing activities will require explicit consent. Other areas to monitor for further guidance include how an organisation’s India outsourcing activities creates new obligations and rights, how significant data fiduciary designations unfold, and enforcement trends.

Challenges

Also keep in mind that each law not only brings its own set of compliance obligations, but also challenges. The India law provides a lower bar for international transfers which could affect where companies based in the US or other countries with a less defined privacy landscape decide to conduct business activities. In China, there is a large focus on national security which makes it difficult for international organisations dealing with confidential client data to conduct routine business operations. For example, a law firm may be required to disclose client data to the government or be blocked from transferring data to employees situated in other office locations.

These are just a few examples of the nuanced challenges organisations need to account for when setting compliance objectives and making strategic business decisions. The overall takeaways? Knowing the laws, partnering with experts to guide compliance, and understanding unique obstacles each law presents will help navigate the ever-changing global privacy landscape.