India, the fifth largest economy in the world, has just passed a comprehensive privacy law. On August 11, 2023, the Digital Personal Data Protection Act, 2023 (the "DPDP") received the assent of the President of India, adding India to the list of global powers with a comprehensive privacy law. The law is expected to come into force in June 2024. Guest author Stephen Mathias, from Kochhar & Co., provides a detailed breakdown of the DPDP.

Like other major privacy laws, the DPDP has extraterritorial reach: it applies to the processing of digital personal data outside India [1] if the processing is in connection with any activity related to offering goods or services to individuals within India. Thus a company with no physical operations in India may still be subject to the law. Fortunately, for global companies already subject to the European Union General Data Protection Regulation ("GDPR") and the many comprehensive state privacy laws in the United States, the DPDP can be harmonized with existing compliance programs. The new law shares many provisions with existing privacy laws, such as obligations to honor data privacy rights (access, correction, deletion, redress and opt-out), provide a privacy notice, protect personal data, give notice of a data breach, enter into contracts with processors and limit retention of personal data.

However, companies should note some of the differences between the DPDP and other privacy laws when conducting a gap analysis and developing policies and procedures to bridge those gaps. For example, unlike both the GDPR and US privacy laws, the DPDP places obligations on data subjects/consumers (called "data principals" under the DPDP). Further, unlike US privacy laws, the DPDP has requirements relating to data transfers, appointment of a data protection officer and a lawful basis for processing. Finally, unlike the GDPR, the DPDP is primarily a consent-based privacy law: processing in the absence of consent is possible only for certain limited "legitimate uses," such as fulfilling legal or judicial obligations or for the purposes of employment. That said, the DPDP's consent-based approach aligns with the growing trend in the European Union, following recent case law of the Court of Justice of the European Union, to obtain consent for certain processing activities such as advertising and marketing instead of relying on other grounds.

Failure to comply with provisions under the DPDP may lead to fines of up to INR 250 crores (approximately USD 30 million).

For an overview of the similarities and differences among these laws, we provide the chart below.

Party Names

Determines purposes and means of processing
  India: Data Fiduciary (and Significant Data Fiduciary, a category designated by government notification)
  EU: Controller
  US [2]: Controller/Business

Processes data for another
  India: Data Processor
  EU: Processor
  US: Processor/Service Provider/Contractor

Individual to whom the data relates
  India: Data Principal
  EU: Data Subject
  US: Consumer


Data Principal Rights                                       India   EU    US

Access                                                     Yes     Yes   Yes
Data portability                                           No      Yes   Yes
Delete                                                     Yes     Yes   Yes
Correct                                                    Yes     Yes   Yes
Opt-out/object                                             Yes     Yes   Yes
Not to be subject to profiling/automated decision making   No      Yes   Yes
Additional rights around sensitive data                    No      Yes   Yes
Appeal/redress                                             Yes     Yes   Yes


Data Principal Obligations                                 India   EU    US

Comply with applicable law                                 Yes     No    No
No impersonation of another person                         Yes     No    No
No suppression of material information                     Yes     No    No
No false or frivolous grievance or complaint               Yes     No    No
Furnish verifiably authentic information                   Yes     No    No


Data Fiduciary Obligations                                 India   EU    US

Lawful basis for processing                                Yes     Yes   No
Data transfer requirements                                 Yes     Yes   No
Contracts with processors                                  Yes     Yes   Yes
Privacy policy                                             Yes     Yes   Yes
Security and breach notification                           Yes     Yes   Yes
Data retention limitation                                  Yes     Yes   Yes
Appoint data protection officer                            Yes     Yes   No


Footnotes

[1] Note, however, that the large outsourcing industry in India, which processes much of the world's data, is exempt from most of the law.

[2] Because the United States has 11 comprehensive state privacy laws (12 if you count Florida), the US column applies the most stringent rights and obligations found across these state laws.



© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.