Update: On August 11, 2023 President Droupadi Murmu signed the Digital Personal Data Protection Bill after it was passed by both the house of the parliament. Several nations praised India’s Digital Personal Data Protection Act once it was passed, according to The Economic Times of India. A representative from Norway’s Datatilsynet, which oversees data protection, suggested that it may “mirror” parts of the DPDPA’s rules in order to protect minors from behavioral advertising. Success of the measure, according to a representative of South Africa’s Information Regulator, “will be tied to how the Data Protection Board functions.”

Despite a potential hiccup with opposition attempting to refer India’s Digital Personal Data Protection Bill (DPDPB) to a committee for further review, the upper house (Rajya Sabha) has passed the legislation on August 9th with a verbal vote following passage by the lower house (Lok Sabha) on August 7th. After being previously tabled for years, the bill just needs to be signed by President Droupadi Murmu, which we anticipate will happen shortly, to become law and is projected to be implemented in just 10 short months. Summer of 2024 is not a long time to prepare for such a momentous privacy law in a geography that is hugely important to most US companies!

Truyo’s Director of Product Engineering, based out of Pune, Maharashtra, India said, “This represents a significant achievement in preserving the privacy rights of Indian citizens by creating a framework for managing sensitive data. Additionally, it strengthens India’s reputation as a reliable data hub and preferred offshore destination.”

About the Digital Personal Data Protection Bill (DPDPB)

While the final text is yet to be released, we know that the foundation is GDPR adequacy and has yet to set a definitive effective date. Here are key elements as the Bill stands today:

• The DPDPB will apply to private firms, with no revenue threshold, that collect data online, with exceptions for government and law enforcement agencies, but will not be applicable to publicly available personal data.
• The Bill defines data processors as data fiduciaries which can be anybody, including public and private entities, that collect and process personal data.
• Data Fiduciaries must obtain consent to process data, within the parameters of the law, and requires notices that outline what data is collected, why, and how it will be used
• DPDPB scope includes third parties with which data fiduciaries share consumer information.
• The law sets up the Data Protection Board (DPB), appointed by the central government, to inquire into data issues and enforce via proposed penalties of up to 2.5 billion rupees ($30 million) for violations and non-compliance.
• Consumers are given the right to withdraw consent, right to know with whom data has been shared, and requests for deletion/modification/updates to data held.
• Exemptions for a certain class of data fiduciaries, including startups, are outlined with room for additional extensive exemptions which has been the opposition’s concern.
• A user’s data cannot be transferred to countries that will be listed as restricted by the government, which is yet to be seen.

Speaking about the landmark bill, Union Minister of Electronics and Information Technology Ashwini Vaishnaw said, “We have started work on implementation. This kind of legislation will require a 6-10 month kind of frame. We will take every step with proper checks and balances. It is a guesstimate. We might do it faster than that.”

Data Fiduciary Responsibilities for Digital Personal Data Protection Bill (DPDPB)

The relatively novel obligations of the Data Fiduciary responsibilities (that is, persons, companies, and government entities who process data) for data processing (that is, collection, storage, or any other operation on personal data) revolve around the seven principles:

• The principle of consented, lawful and transparent use of personal data;
• The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
• The principle of data minimization (collection of only as much personal data as is necessary to serve the specified purpose);
• The principle of data accuracy (ensuring data is correct and updated);
• The principle of storage limitation (storing data only till it is needed for the specified purpose);
• The principle of reasonable security safeguards; and
• The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Bill and imposition of penalties for the breaches).

What’s Next?

We await the signature of India’s president, which at this point is a formality, and extremely likely to happen sooner than later. We could see modifications as full operating rules have yet to be released, much like California and Colorado. Opposers of the Bill have expressed concern over this new legislation weakening the 2005 Right to Information Law and potential government overreach with agency access to PII of individuals who won’t have given their consent.

We will continue to update you as the course of this wide-reaching law unfolds. If you want to determine if your organization is in scope or have questions about compliance with this upcoming law, reach out to hello@truyo.com.