Extract from Epiq’s article, “How Does India’s New Law Fit into the Global Data Privacy Landscape?”
Changes to India data privacy laws have been a long time coming. A 2017 Supreme Court decision sparked legislative overhaul when concluding that privacy is a fundamental right. A bill was introduced soon thereafter leading to years of review, multiple versions, and debate. In August, India’s Digital Personal Data Protection Act of 2023 (DPDPA) received presidential assent. The law was modeled after the EU’s General Data Protection Regulation (GDPR). It was originally poised to be stricter than the GDPR but that did not come into fruition, as the final version of the law was scaled back.
Positioned as one of the largest open internet markets and a major hub for offshore outsourcing projects, the India law will likely make a lot of waves and significantly influence global policy. Those coming under the DPDPA’s purview need to understand compliance obligations quickly, as it is anticipated to become effective next summer. A firm date is yet to be set.
Here are ten key provisions to help organizations get started on their compliance journey.
1. Collection and processing activities of Indian residents applies to both organizations located in-country and those in other countries that offer goods and services to India data subjects. Consumers have the typical rights seen in other laws including the right to know, access, correct, and erase.
2. There are no separate provisions applying to sensitive data processing. This is different from the GDPR and some state laws in the U.S., such as Utah.