India’s New Personal Data Protection Law

  • Writer: Paul Peter Nicolai
  • Jul 15

Updated: Aug 12

India’s Digital Personal Data Protection Act, 2023 (DPDPA) is set to impose strict data protection requirements on both domestic and international businesses dealing with Indian consumers. Key features include consent requirements for data processing, obligations for notifying data breaches, and regulations governing cross-border data transfers. The act introduces the concept of “Consent Managers” to help individuals manage their consent for data usage. Significant Data Fiduciaries face enhanced compliance obligations, and businesses must prepare for potential data localization rules. Overall, the DPDPA emphasizes transparency, accountability, and robust data security measures.


Compliance Requirements

  • Businesses must comply with consent and notice obligations.

  • Data Fiduciaries must provide clear data collection notices.

  • Personal data breaches must be reported promptly.


Extraterritorial Reach

  • DPDPA applies to entities outside India if they target Indian consumers.

  • Similar to the EU’s GDPR, it governs global data processing activities.


Key Concepts

  • Consent Managers: New entities to help manage user consent.

  • Significant Data Fiduciaries (SDFs): Subject to stricter regulations based on data volume and sensitivity.


Cross-Border Data Transfers

  • DPDPA allows data transfer outside India with potential restrictions.

  • Businesses must stay updated on government notifications regarding data transfers.


Data Localization

  • SDFs may face requirements to store data within India.

  • This could affect multinational operations and data processing.


Penalties

  • Non-compliance can result in substantial fines, ranging from USD 6 million to USD 30 million.
