India—the fifth largest economy in the world—just passed a comprehensive privacy law. On August 11, 2023, the Digital Personal Data Protection Act, 2023 (the “DPDP”) was approved by the president of India, adding India to the list of global powers with a comprehensive privacy law. The law is expected to come into force in June 2024. Guest author Stephen Mathias, from Kochhar & Co., provides a detailed breakdown of the DPDP.
Like other major privacy laws, the DPDP has an extraterritorial reach: it applies to the processing of digital personal data outside India if the processing is in connection with any activity related to the offering of goods or services to individuals within India. Thus, even if a company’s operations are not physically in India, it may still be subject to this law. Fortunately, for global companies that are already subject to the European Union General Data Protection Regulation (“GDPR”) and the many comprehensive privacy laws in the United States, the DPDP can be harmonized with existing compliance programs. The new law shares many provisions with existing privacy laws, such as obligations to honor data privacy rights (access, correct, delete, redress, and opt-out), provide a privacy notice, protect personal data, provide notice of a data breach, enter into contracts with processors, and limit retention of personal data.
However, companies should note some of the differences between the DPDP and other privacy laws when conducting a gap analysis and developing policies and procedures to bridge those gaps. For example, unlike both the GDPR and US privacy laws, the DPDP places obligations on data subjects/consumers (called “data principals” under the DPDP). Further, unlike US privacy laws, the DPDP also has requirements relating to data transfers, data protection officer appointment, and a lawful basis for processing. Finally, unlike the GDPR, the DPDP is primarily a consent-based privacy law; processing in the absence of consent is possible only for certain limited “legitimate uses,” such as to fulfil legal or judicial obligations, or for the purposes of employment. That said, the DPDP’s consent-based lawful basis for processing aligns with the growing trend in the European Union to obtain consent for certain processing activities, such as advertising and marketing, instead of relying on other grounds, following recent case law of the Court of Justice of the European Union in this respect.
Failure to comply with provisions under the DPDP may lead to fines of up to INR 250 crores (approximately USD 30 million).
For an overview of the similarities and differences among these laws, we provide the chart below.
[Chart: columns “Data Principal Rights”, “Data Principal Obligations”, and “Data Fiduciary Obligations”; the chart contents are not included in this page.]