Intellectual Property
Data Privacy
Khaitan & Co., Mumbai
Luthra & Luthra Law Offices, Mumbai
National Law University, Jodhpur (B.Sc. LL.B., 2010)
Delhi, India (2010)
Navigating Data Minimization Requirements under India’s DPDP Act
While the provisions of India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and its rules are yet to be notified, organizations need to prepare for a new set of compliance obligations and plan ahead. In large part, the DPDP Act follows global regulatory templates like the EU’s GDPR and embodies similar overarching principles such as data minimization and purpose limitation. The procedural implications of such principles reflected in the DPDP Act will translate into specific obligations and practices related to data collection, processing, sharing, and storage, especially in the context of Big Data analytics – including through the use of artificial intelligence and machine learning techniques.
This note analyzes the principle of data minimization under the DPDP Act, its interface with other laws (including with respect to consumer protection), and discusses potential learnings from other jurisdictions, including for the purpose of implementing such principle at an operational level.
Draft Digital Personal Data Protection Rules, 2025
A long-anticipated draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”) was released by the Central Government (“Government”) on January 3, 2025 for public consultation and comments, along with an explanatory note on the contents of the Draft Rules. Once brought into effect, these rules will enable implementation of the Digital Personal Data Protection Act, 2023 (the “DPDP Act” or the “Act”), which was published in the Official Gazette on August 11, 2023 but is not yet in force. The consultation process on the Draft Rules will continue until February 18, 2025. The rules under the DPDP Act are proposed to be implemented in a staggered manner.
To recap, the DPDP Act lays down the law for processing of digital personal data (any data in digital form about an individual who is identifiable by or in relation to such data) in a manner that recognizes both the rights of individuals to protect their personal data and the need to process such data for lawful purposes and for connected or incidental matters. For an overview of the provisions of the DPDP Act, please see our notes here and here.
This note analyzes certain key aspects introduced or further clarified under the Draft Rules.
The Implications of India’s New Data Protection Law on Internal Investigations
Internal investigations may need to be carried out in India by employers in relation to a wide range of issues and/or situations. In case of Indian subsidiaries of MNCs, investigations may be carried out for the purpose of satisfying compliance requirements under law(s) applicable to the parent entity, like the Foreign Corrupt Practices Act of 1977 of the US or the UK’s Bribery Act 2010.
In the course of such internal investigations, large amounts of personal data related to accused persons and other relevant individuals may need to be processed by the employer – either by itself or through its advisors and agents. Accordingly, an informed assessment of the rights of such individuals, as well as the obligations of the employer and its advisors/agents, becomes crucial from the perspective of applicable data protection law.
This note specifically discusses the processing of personal data in the context of internal investigations, including with respect to allegations or suspicions of economic and criminal offences. While necessary rules under the Digital Personal Data Protection Act, 2023 are yet to be notified, provisions of this new law, as published in August 2023, indicate key considerations for employers (each of which is likely to be treated as a “data fiduciary”), including with respect to consent, legitimate use and potential exemptions.
India’s New Data Protection Regime: Tracking Updates and Preparing for Compliance
The Digital Personal Data Protection Act, 2023 (the “DPDP Act”), published in India’s official gazette last year, is a new law regulating the collection, storage, use and processing of personal data. The DPDP Act will take effect from the date(s) notified by the Indian Government, and different dates may be notified for different provisions of the DPDP Act. Further, several provisions of the DPDP Act require specific rules which are yet to be notified.
According to a recent statement made by the new union minister of the Ministry of Electronics and Information Technology, the new rules are in advanced stages of drafting and are expected to be released for industry-wide consultation in the near future. Given that both rules and provisions of the DPDP Act are likely to be notified over the next few months, all entities need to check whether and to what extent the DPDP Act applies to them and their operations.
For the purpose of preparing for, and complying with, obligations under the DPDP Act, it would be advisable for all organizations to undertake data mapping exercises and data audits inter alia in order to facilitate the identification and determination of ‘personal’ information from mixed or legacy databases and/or organizational datasets.