Tag: Regulatory

Unlike the EU’s GDPR (which allows non-consensual data processing under various circumstances), India’s new Digital Personal Data Protection Act, 2023 (the “DPDP Act”) relies heavily on consent as a ground for processing personal data. Other than a few ‘legitimate uses’ specified in the DPDP Act, consent will be the only legal basis for processing digital personal data in India once the law enters into force. This note discusses the role of consent managers and the potential of notice-and-consent management platforms (both inhouse and outsourced) to help entities comply with their obligations under the DPDP Act.

Although India’s newly published Digital Personal Data Protection Act, 2023 (the “DPDP Act”) is not yet in force, it is likely to take effect soon. Accordingly, while entities wait for the government to notify discrete provisions of the DPDP Act along with specific rules under it, they could use this transitional phase to align themselves to the requirements of the new regime and prepare for future obligations. Before anything else, organizations could draw up a compliance roadmap, the starting point of which should include a comprehensive data mapping exercise.
Organizational databases are likely to contain vast volumes of digitized information, not all of which may be considered ‘personal’ data. This note discusses the main features of the data mapping process, including the determination of, and the processual prerogatives with respect to, personal information contained in mixed datasets – where organizational data inventories are likely to comprise both personal and non-personal data.

The Digital Personal Data Protection Act, 2023 (the “DPDP”) is poised to (re)define India’s legal framework with respect to the processing of digital personal data.
This new regime is designed to be an overarching one, irrespective of data category (in terms of sensitivity) or entity type. While provisions of the DPDP are likely to be notified soon, all organizations need to check whether and to what extent the DPDP applies to them and their operations.

This note provides an overview of the Digital Personal Data Protection Act, 2023 that was published in the official gazette pursuant to a notification dated August 11, 2023. The Act will become effective from the date(s) notified by the Central Government, and different dates may be notified for different provisions. Also, rules may be notified in future, not inconsistent with the provisions of the Act, to carry out the purposes of the Act. The Act seeks to overhaul the current legal framework governing personal data in India. Accordingly, the Act establishes a legal framework to protect digital personal data, including by prohibiting the unauthorized use, alteration or sharing of information in a way that compromises the confidentiality, integrity and/or accuracy of such data. In this regard, the Act distinguishes among a data principal, data fiduciary and data processor, and provides rights for data principals and imposes obligations on data fiduciaries. The Act applies to consent managers as well.

A new version (the “23 Draft”) of India’s long-awaited Digital Personal Data Protection law (“DPDP”) is being moved for consideration and passing in the Lok Sabha today, i.e., Monday, August 7, 2023.
India has made several attempts over the last few years, including in terms of parliamentary tabling (and withdrawal), to introduce a comprehensive legal framework for data protection. However, the 23 Draft of DPDP was introduced in the Lok Sabha only late last week.
As such, it is a revised version of a previous DPDP draft that was released in November last year for public comments (the “22 Draft”). While the revised version contains several incremental changes compared to the 22 Draft, some such differences may prove significant in the long run.
A detailed analysis of the 23 Draft, along with an in-depth review relative to its prior iterations, will soon follow. Meanwhile, a few key takeaways from the current version in light of the changes made to the 22 Draft are highlighted here.
Accordingly, this note comprises two parts. Part I discusses the legislative status and possibilities with respect to DPDP’s 23 Draft. Part II provides a summary of key changes made to the 22 Draft, as currently reflected in the 23 Draft.

According to a document dated August 1, 2023 made available today in respect of the list of business scheduled for the Lok Sabha’s coming calendar, the government will introduce an as-yet unreleased Union Cabinet-approved draft of the Digital Personal Data Protection Bill (“DPDP”) in India’s parliament tomorrow.
Despite stiff opposition, a parliamentary standing committee managed to adopt a favorable report on the revised 2023 version of DPDP, tabling it yesterday across both Houses and recommending an expeditious passage into law.
While DPDP is largely modeled on GDPR, India’s bespoke legislation may include a few key changes relative to the EU’s – such as in respect of significant data fiduciaries (“SDFs”), where the government is authorized to classify any entity as an SDF based on its own assessment of factors such as informational sensitivity, volume and the risk of harm.
Our last note on SDF parameters focused on sensitivity alone. Here, we address considerations related to ‘volume’ and ‘harm’, respectively. Since special obligations apply to SDFs (over and above those which all data fiduciaries must comply with), certain procedural aspects of impact assessments, automated processing and individual profiling may follow a GDPR-like template via bespoke regulation, as framed under DPDP later. Further, India’s existing SPDI Rules, as well as past and present legislative proposals, including the proposed Digital India Act and prior DPDP iterations, may provide indicative guidance.

It appears that India’s Digital Personal Data Protection Bill (“DPDP”) is poised for consideration during the Lok Sabha’s ongoing monsoon session. Present reports about such proceedings suggest that despite strong dissent from the minority, a standing committee managed to adopt a draft report on DPDP just yesterday through a majority vote. Other pressing matters notwithstanding, since the monsoon session is scheduled to last until August 11, the government may get the draft law passed, after all.
Pursuant to Section 11 of DPDP, the central government (“CG”) can classify any company or other entity as a ‘significant data fiduciary’ (“SDF”) based on its own assessment of certain listed factors, which include the volume and sensitivity of personal data processed, as well as the risk of harm to individuals related to such data (“Factors”).
Importantly, special obligations apply to SDFs, in addition to the ones which all data fiduciaries must abide by. Thus, understanding the implications of each prescribed Factor becomes important. However, DPDP itself does not provide much clarity. With regard to ‘sensitivity’, for example, neither does DPDP define the term nor separately explain ‘sensitive personal data/information’ (“SPDI”).
Nevertheless, concerned entities could interpret the term in light of provisions related to SPDI under other laws and proposals – including the SPDI rules and DPDP’s past avatars. Further, given that GDPR had heavily influenced such prior drafts, the EU’s provisions may provide additional interpretive guidance.