What to know about India’s new data protection act
04 December 2023
The Digital Personal Data Protection Act, 2023 (DPDP Act), India’s first dedicated data protection legislation, will enter into force in June 2024. With its presidential assent on August 11, 2023, the new act marked the end of the country’s five-year quest for a dedicated data protection law.
According to the DPDP Act, personal data is “any data about an individual who is identifiable by or in relation to such data.” Moreover, processing has been defined as “wholly or partially automated operation or set of operations performed on digital personal data, and include operations such as collection, recording, organization, structuring, storage, adaptation retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.”
Apart from laying down the consent requirements, the act also covers the grounds for processing digital personal data, the rights and duties of data principals and the obligations of data fiduciaries.
“To share data in compliance with the DPDP Act, businesses are required to enter into data sharing agreements (DSAs),” said Ankita Sabharwal, a senior associate at Chadha and Chadha in Bengaluru. “DSAs are legally binding contracts that govern how data is shared between two or more parties. According to the DPDP Act, data sharing agreements are required for all data sharing activities, regardless of whether the data is being shared within India or outside of India.”
Moreover, the act mandates stringent measures for obtaining consent before collecting, using, or sharing personal data, underscoring the importance of implementing robust security protocols to prevent unauthorized data sharing. Additionally, it introduces provisions for transferring personal data outside India, outlining specific compliance measures and granting authority to the central government to restrict transfers to certain countries.
With the new DPDP Act serving as a greater boon for the India’s IP ecosystem, businesses heavily reliance on IP monetization are bound to benefit from it.
“To establish transparency and data security, the legislature has mandated businesses to request a customer’s consent,” said Sabharwal. “While the DPDP Act places additional compliances on businesses while dealing with personal data of individuals, it aims at augmenting the transparency as well as accountability between users, brands or platforms.”
She added: “Specifically, with respect to IP assets, ensuring adequate compliances by companies also prevents potential threats or attacks from compromising sensitive information, which may cause immense loss to the business. Organizations that do not enforce privacy safeguards and eventually suffer infringements will lose trust, which in turn will result in lower revenues and fewer customers. Thus, while the compliances under the act may appear to impose additional burden on businesses, they, in fact, facilitate the emergence of a safer business ecosystem,” she said.
- Excel V. Dyquiangco