Data Protection Laws in India – a change in recent times

Introduction

The Indian government has for the first time enacted a dedicated law on the protection of personal data. The Digital Personal Data Protection Act, 2023 (the “DPDP Act”) was enacted in August 2023 and has come into force from 1st September, 2023.

Until the enactment and implementation of the DPDP Act, other legislation, namely the Information Technology Act, 2000 (IT Act) together with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), formed the foundation for data protection in India.

The DPDP Act is framed against the backdrop of privacy laws around the world, such as the European Union’s GDPR, and accordingly sets out privacy and protection obligations concerning personal data.

KEY PRINCIPLES OF THE DPDP ACT

The Act applies to organizations that process digital personal data, that is, personal data collected or held in digital form.

The Act applies to organizations processing personal data either within the territory of India or outside India in connection with offering goods or services to individuals in India. The Act therefore covers the processing of personal data of Indian citizens even where that processing takes place outside India.

However, the Act does not apply to personal data processed for law enforcement or national security purposes, or for journalism or artistic expression.

The Act also defines personal data as “any data that relates to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.”

The DPDP Act is based on six key principles. First, personal data must be processed lawfully, fairly and transparently, and only with the consent of the data principal or for certain specified legitimate uses. Second, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. Third, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Fourth, personal data must be accurate and kept up to date, and must be kept in a form which permits identification of the data. Lastly, personal data must be processed in a manner that ensures its appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

While the DPDP Act lays down guidelines on how personal data must be processed, it also grants individuals certain rights with respect to their personal data. Most of these rights are similar to those granted to data subjects under the GDPR (i.e., the rights of access, correction and rectification, data portability and erasure). Data principals also benefit from a number of new rights that are unique to the Act, i.e., the right to a readily available and effective means of grievance redressal (e.g., via a grievance redressal officer), and the right to nominate an individual who will be able to exercise the rights of the data principal in the event of the data principal’s death or incapacity.

The Act further requires organisations to conduct “Data Protection Assessments” for any activities that may pose a high risk to the privacy of individuals. These assessments are aimed at analysing the necessity and proportionality of the processing and the company’s compliance with data privacy law. Through these assessments, companies that collect data can take active measures to identify data privacy risks and address them before they result in major breaches.

Further, before processing personal data, organizations must obtain explicit consent from the user, and that consent must be free, unconditional, unambiguous, specific and informed. The user has the right to revoke consent at any time.

Where an individual voluntarily provides personal data to a data fiduciary, this does not by itself imply that the individual objects to that data being processed. Examples include providing data in order to receive a product, to obtain customer support, or in similar situations.

The Act also allows personal data to be transferred freely outside India, unless the government has ruled that data shall not be transferred to a specific country or organization.

Lastly, penalties for non-compliance under the Act range from INR 500 million (Euro 5.7 million) to INR 2.5 billion (Euro 28 million). The Data Protection Board is also empowered to order urgent remedial or mitigation measures in the event of a personal data breach.

Conclusion:

The DPDP Act is a significant piece of legislation that will have a profound impact on the way that organizations collect, use, and share personal data in India. The Act provides individuals with greater control over their personal data and imposes stricter obligations on organizations that process personal data. Organizations should take steps to ensure that they are in compliance with the Act.

Bosky Tanmay Gokani

Legal Advisor
Bosky Gokani, a qualified Indian lawyer, is currently based in Shanghai.
Veronica Gianola

Senior Associate
Veronica Gianola, an accomplished Italian lawyer, is a member of the Milan Bar Association.
