Deciphering India's new data protection law

India’s Parliament passed the Digital Personal Data Protection Act in August 2023. It is India’s first comprehensive and cross-sector data privacy law. The act will be effective upon notification in the Gazette of India.[1] Provisions may be brought into effect on different dates, implying a phased approach toward implementation.

The act is principles-based legislation incorporating concepts such as lawfulness, fairness, data minimization, purpose limitation, integrity, and confidentiality of personal data. It governs data fiduciaries (data controllers), data principals (data subjects), and data processors. While the act is comparable to the EU’s General Data Protection Regulation (GDPR), it differs in crucial areas, such as the limited powers granted to the supervisory authority and the expansive exemptions afforded to public entities. Key provisions of the act would be characterized and defined through subsequent rules to be issued by the central government, and the manner in which the act is operationalized and enforced would determine whether it adheres to GDPR or takes a different path.
