Data is everywhere. Neither it nor its implications can be avoided by anyone any longer, and that includes national governments. India is the latest country to announce action on the matter through a new data protection law, creatively titled the Digital Personal Data Protection Act (DPDP). Read on as we delve into the story behind the legislation and outline what it means for organizations that do business in India.
India’s Privacy Law – Announcement Of Rapid Implementation In Under A Year.
A Background On the Digital Personal Data Protection Act (DPDP)
Drafted in 2022 by the Ministry of Electronics and Information Technology (MeitY), the Digital Personal Data Protection Bill (DPDP) represents India’s first meaningful step forward with respect to data privacy regulation. The framework was introduced in an effort to bring what is now the world’s most populous country up to speed with emerging digital trends and risks. Other regions, most notably the European Union, have had regulations governing the use of their citizens’ personal information in place for years.
This new initiative out of India borrows many fundamental concepts from the EU’s General Data Privacy Regulation (GDPR), including specific responsibilities for entities that process individuals’ data. It has been revised a number of times over the years to reflect lawmakers’ changing views on what should and shouldn’t be enforced on a national scale. Read more about the GDPR in our article: What is the GDPR legislation?
In fact, the DPDP was almost deferred for committee review again this summer by opposition parties, only to be pushed through in a concerted effort from the Indian government. The lower house (Lok Sabha) passed the Bill on August 7th to pave the way for its passage into the upper house (Rajya Sabha) on the 9th. It now awaits a signature from President Droupadi Murmu, which, according to officials, could come any day now.
While notable for being a first-of-its-kind law in India, the DPDP has also garnered attention for its unusually short timeline. Lawmakers have set out a schedule of only 10 months for everything to come into place – that works out to a projected implementation in early summer 2024. While that may seem like a lot, it pales in comparison to the approaches taken by other countries and regions, which plan out adoptions and changes to their data privacy laws years in advance and often through a phased schedule. The government of the Canadian province of Quebec, for example, is only set to implement Phase 2 of its new Law 25 in September of 2023 – two years after it was first adopted in 2021. Read more about it in our article: Quebec law 25 and cookie consent.
Why India has opted to take such a rushed approach to implementing its law remains unclear. There’s no denying the growing pressure its government, along with those of countless other countries, faces in an increasingly interconnected and privacy-conscious world. Lawmakers have even gone as far as to say that 10 months is a ‘guesstimate’ – implementation may be a reality within six. Still, they’ve promised a thorough process to ensure that companies and organizations are prepared for the transition.
What Companies Need to Know About the Digital Personal Data Protection Bill (DPDP) Going Forward
The Indian government has done both itself and data managers a favor by keeping its framework in close alignment with the EU GDPR. That world-renowned law effectively sets the standard for privacy around the world, so not too many changes should be needed to comply with the DPDP.
While the official document has yet to be released, we know some basic things about what its regulations will look like and who they will apply to.
Most importantly, businesses should know that any private entities that collect citizens’ personal data will be subject to the law, regardless of how much revenue they make. Their responsibilities are broad, including not only the obligation to obtain a user’s consent (for example cookie consent) before processing information, but also to respect their rights when it comes to transparency, disclosure, and the right to opt out of data processing.
There will be some exceptions for government entities and smaller organizations, although again, the details remain unclear. India’s DPDP will be enforced by a soon-to-be-established Data Protection Board (DPB) with the power to impose penalties of up to 2.5 billion rupees ($30 million) upon non-compliant organizations.
The law is still in its infancy, but businesses need to start preparing now; they can do so by conducting data protection audits, developing internal policies and processes in line with the DPDP’s requirements, and investing in training for their personnel. It’s a lot of work, but work that’s ultimately necessary in the data-rich landscape we live in today.