In Data Privacy

Key Takeaways From India’s Digital Personal Data Protection Bill, 2023

On August 9, India’s Digital Personal Data Protection Bill, 2023 (“DPDP Bill”) passed both houses of the Indian Parliament and now awaits Presidential assent. In 2017, India’s Supreme Court mandated that privacy is a fundamental human right. Since that time, India has been working to pass data protection legislation. The DPDP Bill is India’s fifth draft of the bill.

The DPDP Bill only applies to the processing of digital personal data in India, where the personal data is either (i) collected in digital form; or (ii) collected in a non-digitized format and subsequently digitized. Personal data is defined as any data about an individual who is identifiable by or in relation to such data.

Some of the key elements of the DPDP Bill include:

Legal basis: Digital personal data may only be processed with the consent of the data subject (called the data principal). Companies will likely need to obtain new consent, even if they previously obtained consent from the data principal. Companies will be required to cease processing of the digital personal data within a reasonable time frame if consent is withdrawn. In certain circumstances, a data controller (called the data fiduciary) may rely on “legitimate use” instead of consent as an appropriate legal basis for processing, including when data: (i) has been provided by an individual voluntarily; or (ii) relates to a government benefit or service; a medical emergency; or employment.

Data transfers: The DPDP Bill allows transfer of personal data outside India, except to countries restricted by the Indian government. The government has not yet provided a list of restricted countries.

Data Breaches: The DPDP Bill requires mandatory reporting of personal data breaches to impacted data principals and the Data Protection Board of India. The DPDP Bill defines ‘personal data breach’ to mean any unauthorized processing, disclosure, use, alteration, or loss of personal data that compromises the confidentiality, integrity, or availability of the data. The obligation to report under the DPDP Bill does not alter any existing obligations to report under India’s existing Cert-In Rules.

Data Principal Rights: Individuals are granted certain rights under the DPDP Bill, including the: (i) right to access; (ii) right to request correction or deletion; (iii) right to register grievances with the data fiduciary; and (iv) right to nominate another individual to exercise rights on their behalf.

Significant Data Fiduciaries: The DPDP Bill may designate an organization as a ‘significant data fiduciary’ based on factors including the volume of personal data processed, the nature and sensitivity of such data, and the risk to the rights of the data principal. If an organization receives this designation, it will need to comply with additional requirements including having a Data Protection Officer in India, appointing an independent data auditor, and conducting periodic data protection impact assessments.

Children’s Data: The DPDP Bill requires verifiable parental consent for any processing of data of children under 18 years old. Certain processing of children’s data is generally prohibited, even with consent, including processing that is likely to harm a child, tracking, behavior monitoring, and targeted advertising.

The penalties for noncompliance include significant fines ranging from Rs 200-250 crore (which is roughly $24 million to $30 million). However, per the DPDP Bill, such fines are reserved for multiple and repeat violations related to the processing of children’s data or significant control failures.

The DPDP Bill also authorizes the creation of an independent body whose key functions will include: (i) monitoring compliance with the DPDP Bill; (ii) imposing penalties; (iii) providing directions for remediating or mitigating data breaches; (iv) inquiring into data breaches; and (v) hearing grievances.

Key Takeaways

The DPDP Bill does not include specific timelines for compliance, but does clarify that it will only apply prospectively. Businesses offering goods and services to individuals in India should take actions to prepare for the potential new law, including assessing their data flows out of India, identifying the legal basis for the collection and processing of personal data, reviewing key policies, procedures, and vendor and data processing agreements. If you have any questions, or if you need help evaluating the applicability of the DPDP Bill to your organization, reach out to any of the Baker McKenzie attorneys listed below or your regular Baker McKenzie contact.

Co-authored by Manisha Reddy and Rachel Ehlers.

Author Flavia Amaral

Flavia is a partner at Trench Rossi Watanabe* and is based in São Paulo. She has more than 15 years of experience in the areas of intellectual property, franchise, technology transfer, social media and unfair competition. *Trench Rossi Watanabe and Baker McKenzie have executed a strategic cooperation agreement for consulting on foreign law.

Author Vinod Bange

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team bringing his vast experience in this specialist area for over 22 years, advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author Kritiyanee Buranatrevedhya

Kritiyanee joined Baker McKenzie in 2013 and is a partner in the Intellectual Property and Technology practice. She has experience in data protection, cyber security, and complex technology matters.

Author Ken Chia

Ken Chia is a member of the Firm’s IP Tech, International Commercial & Trade and Competition Practice Groups. He is an IAPP Certified International Privacy Professional (FIP, CIPP(A), CIPT, CIPM) and a fellow of the Chartered Institute of Arbitrators and the Singapore Institute of Arbitrators. His practice focuses on IT, telecommunications, intellectual property, trade and commerce, and competition law matters.

Author Cynthia Cole

Cynthia is an Intellectual Property Partner in Baker McKenzie's Palo Alto office. She advises clients across a wide range of industries including Technology, Media & Telecoms, Energy, Mining & Infrastructure, Healthcare & Life Sciences, and Industrials, Manufacturing & Transportation. Cynthia has deep experience in complex cross-border, IP, data-driven and digital transactions, creating bespoke agreements in novel technology fields.

Author Magalie Dansac Le Clerc

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author Elisabeth Dehareng

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author Dominic Edmondson

Dominic is Special Counsel in Baker McKenzie's Intellectual Property and Technology Practice Group in Hong Kong.

Author Rachel Ehlers

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.

Author Dr Lukas Feiler

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author Francesca Gaudino

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author Brian Hengesbaugh

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author Marcia Lee

Marcia Lee is a special counsel in Baker McKenzie's Intellectual Property and Technology group based in Hong Kong. She focuses on privacy/data protection, technology, media & telecommunications, internet regulatory issues, consumer law protection, e-commerce, and healthcare.

Author Dr Michaela Nebel

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP) and since May 2015 a Certified Information Privacy Professional/Europe (CIPP/E) and since May 2017 a Certified Information Privacy Professional/United States (CIPP/US). She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English language commentary on the EU General Data Protection Regulation.

Author Pattaraphan Paiboon

Pattaraphan Paiboon is a Partner at Baker McKenzie's office in Bangkok. Pattaraphan focuses on telecommunications, broadcasting, IT/Communications, cybersecurity, data privacy and protection, and e-commerce law.

Author Anne Petterd

Anne is a partner based in Sydney. Her practice focuses on IT and telecommunications supply arrangements; understanding regulatory issues for online, telecommunications and IT businesses (in particular for data management); and trade regulatory and commercial contracting advice.

Author Manisha Reddy

Manisha is an associate in the Data Privacy and Security practice group based in Chicago, advising global organizations on privacy and data security compliance requirements, as well as data security incident response.

Author Kensaku Takase

Kensaku Takase is a partner in Baker McKenzie’s Tokyo office and is the Group Leader of the office's IP/IT/EC Practice Group. Mr. Takase is bilingual (Japanese and English) and focuses on intellectual property law, media law, and information technology law since 1999. He has assisted many companies in various industries with cross-border transactions in the trademark, copyright and design fields.

Author Florian Tannen

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.

Author Alex Toh

Alex Toh is a senior associate in Baker McKenzie's Singapore office.

Author Carlos Vela-Trevino

Carlos is one of Mexico's most active privacy, data protection and information security lawyers. He has implemented privacy management compliance programs for over 100 companies, including several Fortune 500 companies. He advises on corporate and commercial matters where privacy is an issue, including e-discovery, FCPA investigations, e-commerce, direct marketing, privacy in the workplace, litigation and M2M communications.

Author Jo-Fan Yu

Jo-Fan Yu is a partner and member of Baker McKenzie Information, Technology, Communications (IT/C) and Telecoms, Media, and Technology (TMT) groups in Taipei. Jo-Fan focuses her practice on ITC, media, telecom and dispute resolution.

Key Takeaways

Related Posts

U.S. Prohibits Data Brokers from Making U.S. Sensitive Data Available to Foreign Adversaries

Kentucky is Off to the Races: Bluegrass state is 15th to Pass Comprehensive Privacy Law

M&A, Professional Perspective – AI: Real Money, Light Representations & Light Deal Certainties