India's New Data Privacy Law: Key Features and Implications

  • Writer: BRB Legal
  • Aug 16, 2023


India has recently joined the club of nations enacting comprehensive data privacy legislation. The Digital Personal Data Protection Act, 2023, passed by the Indian Parliament, aims to regulate the processing of the personal data of individuals (Data Principals). This is expected to impact both individuals and businesses handling user data.


Here are some of the key features of the Act:

  • Applies to the processing of personal data collected digitally within India and data collected in India and processed overseas if related to offering goods/services to Indian residents. Exemptions apply for domestic processing and research, etc.

  • Requires consent of the individual for processing personal data, which must be informed, specific, clear, and able to be withdrawn. Provisions for child consent are also included.

  • Imposes transparency, accuracy, storage limitation and security obligations on entities handling personal data (Data Fiduciaries). Breaches must be notified.

  • Gives individuals the right to access and correct their data and the right to grievance redressal. They can also nominate someone to exercise their rights after their death.

  • Significant Data Fiduciaries have additional obligations like appointing a Data Protection Officer. The government can notify significant fiduciaries.

  • Establishes a Data Protection Board to monitor compliance, inquire into violations, impose penalties, etc. Appeals against Board orders lie with the Telecom Tribunal.

  • Provides for penalties up to Rs 250 crore for major contraventions regarding security safeguards, data breaches, and child privacy. Lower penalties for other violations.

  • Makes the Board a digital body as far as possible, so that its processes are conducted online.


Let's examine some salient aspects of this important law:


Consent and Individual Rights:


At its core, the new law emphasizes consent - processing of personal data will require voluntary and informed consent from individuals. Consent can also be withdrawn. Several rights are accorded to data principals, like the right of access and correction, data erasure, nomination for data handling after death, grievance redressal, etc. Provisions for child consent are included.


Obligations on Data Fiduciaries:

Entities controlling or processing personal data, termed Data Fiduciaries, will now have transparency, security, storage limitation and data accuracy responsibilities. Data breaches must be notified. Significant data fiduciaries like large companies face additional obligations like appointing a Data Protection Officer, external audits, impact assessments, etc.


Regulatory Architecture:


A Data Protection Board is established to monitor compliance, inquire into violations, and impose substantial penalties reaching up to Rs. 250 crores for major violations. Appeals against board orders lie before the Telecom Disputes Settlement Appellate Tribunal. The Board will function digitally as far as feasible.


Government Powers:

While empowering individuals, the law also grants significant powers to the government for oversight, framing exemptions, seeking information, and blocking access to data in public interest. Some aspects of the Digital Personal Data Protection Act indicate a potential for government overreach:


  • The Central Government can notify any entity as a 'Significant Data Fiduciary' based on vague criteria like volume of data, risk to sovereignty, etc. This gives significant discretionary power to the government.

  • Exemptions can be granted to government agencies from certain provisions related to processing for security, public functions, etc. There is scope for misuse.

  • The government can direct data fiduciaries to provide any information requested by it. There are no checks on this power.

  • If the Data Protection Board recommends, the government can block public access to any information to 'protect general public interest'. This could be misused to censor online content.

  • Some provisions allow government agencies to access personal data for prevention, investigation, etc., on grounds framed in undefined terms like 'security of state', 'public order', etc.

So while the Act does enhance individual privacy in many ways, it also provides ample scope for the government to override that in the name of larger public interest objectives. Checks and balances against misuse of such powers appear limited, and the concerns about potential government overreach need deliberation. But overall, the Act seems a step in the right direction if implemented judiciously.


Analysis:


The law enhances privacy safeguards while providing for reasonable exemptions. But effective implementation poses challenges - drafting subordinate rules, ensuring the feasibility of compliance for startups and SMBs, capacity building, etc. There are also worries about government overreach and impact on innovation.



Overall, the Digital Personal Data Protection Act of 2023 is a milestone for India's digital policy landscape. While strengthening individual privacy, its success will depend on how it is enforced. As India's first comprehensive data privacy law, it sets the stage for enhanced regulation around the use of personal data in the digital economy.


 
 
 
