This note provides an overview of the Digital Personal Data Protection Act, 2023 that was published in the official gazette pursuant to a notification dated August 11, 2023. The Act will become effective from the date(s) notified by the Central Government, and different dates may be notified for different provisions. Also, rules may be notified in future, not inconsistent with the provisions of the Act, to carry out the purposes of the Act. The Act seeks to overhaul the current legal framework governing personal data in India. Accordingly, the Act establishes a legal framework to protect digital personal data, including by prohibiting the unauthorized use, alteration or sharing of information in a way that compromises the confidentiality, integrity and/or accuracy of such data. In this regard, the Act distinguishes among a data principal, data fiduciary and data processor, and provides rights for data principals and imposes obligations on data fiduciaries. The Act applies to consent managers as well.
Month: August 2023
Decoding “Ordinary Course of Business” in M&A Transactions
Despite frequent usage of the phrase “ordinary course of business” in numerous legislations and acquisition agreements, its interpretation remains a matter of debate. This note analyzes the meaning of such phrase in the context of Indian and UK case law and highlights certain relevant factors.
Secondment: An Endless Battle with the Tax Authorities!
Secondment of employees, as an approach, has become a common practice followed by multinationals to utilize their skilled resources with an ambition of geographical expansion. The tax implications at the time of re-imbursement of salary costs to secondees under a secondment arrangement has been a controversial issue which has led to protracted litigation between the tax authorities and the assessees. The courts have delivered plethora of judgements over the past many years depending upon the facts and circumstances of each case. This note discusses the principles emerged from various judicial precedents.
’22/’23 Vision: Because India’s 2022 Draft Data Protection Law is so Last Year
A new version (the “23 Draft”) of India’s long-awaited Digital Personal Data Protection law (“DPDP”) is being moved for consideration and passing in the Lok Sabha today, i.e., Monday, August 7, 2023.
India has made several attempts over the last few years, including in terms of parliamentary tabling (and withdrawal), to introduce a comprehensive legal framework for data protection. However, the 23 Draft of DPDP was introduced in the Lok Sabha only late last week.
As such, it is a revised version of a previous DPDP draft that was released in November last year for public comments (the “22 Draft”). While the revised version contains several incremental changes compared to the 22 Draft, some such differences may prove significant in the long run.
A detailed analysis of the 23 Draft, along with an in-depth review relative to its prior iterations, will soon follow. Meanwhile, a few key takeaways from the current version in light of the changes made to the 22 Draft are highlighted here.
Accordingly, this note comprises two parts. Part I discusses the legislative status and possibilities with respect to DPDP’s 23 Draft. Part II provides a summary of key changes made to the 22 Draft, as currently reflected in the 23 Draft.
How Much and How Bad? Significant Others in India’s New Data Regime
According to a document dated August 1, 2023 made available today in respect of the list of business scheduled for the Lok Sabha’s coming calendar, the government will introduce an as-yet unreleased Union Cabinet-approved draft of the Digital Personal Data Protection Bill (“DPDP”) in India’s parliament tomorrow.
Despite stiff opposition, a parliamentary standing committee managed to adopt a favorable report on the revised 2023 version of DPDP, tabling it yesterday across both Houses and recommending an expeditious passage into law.
While DPDP is largely modeled on GDPR, India’s bespoke legislation may include a few key changes relative to the EU’s – such as in respect of significant data fiduciaries (“SDFs”), where the government is authorized to classify any entity as an SDF based on its own assessment of factors such as informational sensitivity, volume and the risk of harm.
Our last note on SDF parameters focused on sensitivity alone. Here, we address considerations related to ‘volume’ and ‘harm’, respectively. Since special obligations apply to SDFs (over and above those which all data fiduciaries must comply with), certain procedural aspects of impact assessments, automated processing and individual profiling may follow a GDPR-like template via bespoke regulation, as framed under DPDP later. Further, India’s existing SPDI Rules, as well as past and present legislative proposals, including the proposed Digital India Act and prior DPDP iterations, may provide indicative guidance.