The Digital Personal Data Protection Act, 2023 (DPDP Act) regulates the processing of personal data in India, affecting all individuals and organizations that collect, store, or use personal data. The scope of this law extends to all sectors, including public and private entities, with a threshold of 100,000 data principals under Section 8 of the DPDP Act.
The DPDP Act is effective as of a date to be notified by the Central Government, with a $15 million penalty for non-compliance under Section 26.
Data Protection Framework
The DPDP Act establishes a data protection framework that includes the principles of transparency, accountability, and data minimization, as outlined in Section 4 of the Act. Data fiduciaries are required to process personal data in a manner that is fair, transparent, and accountable, and must report data breaches within 72 hours under Section 10. The law also provides for the establishment of a Data Protection Board of India, which will oversee the implementation of the Act and impose penalties of up to $30 million for non-compliance.
In practice, this means that data fiduciaries must implement robust data protection policies and procedures, including procedures for handling data subject access requests, which must be answered within 30 days under Section 14. The DPDP Act also provides for the right to erasure, with a time limit of 30 days for data fiduciaries to comply with such requests.
The law applies to all data fiduciaries, regardless of their size or sector, with a threshold of 100,000 data principals under Section 8 of the DPDP Act. This is where the law gets teeth, as data fiduciaries that fail to comply with the Act may face significant penalties, including fines of up to $15 million under Section 26.
Types of Personal Data
The DPDP Act categorizes personal data into three types: sensitive personal data, critical personal data, and general personal data, as defined in Section 3 of the Act. Sensitive personal data includes financial data, health data, and biometric data, which are subject to stricter processing requirements under Section 12.
Sensitive Personal Data
Sensitive personal data is subject to stricter processing requirements, including the requirement for explicit consent under Section 12 of the DPDP Act. Data fiduciaries must obtain explicit consent from data principals before processing sensitive personal data, with a time limit of 24 hours to respond to consent withdrawal requests under Section 13.
In plain terms, this means that data fiduciaries must be transparent about their data processing practices and provide data principals with clear and concise information about how their sensitive personal data will be used, with a $10 million penalty for non-compliance under Section 26.
Critical Personal Data
Critical personal data includes data that is essential for the provision of emergency services, including healthcare and financial services, as defined in Section 3 of the DPDP Act. Data fiduciaries that process critical personal data must comply with additional requirements, including the requirement for redundancy and backup systems under Section 16.
The law provides for a threshold of 10,000 data principals for critical personal data, with a time limit of 48 hours to report data breaches under Section 10. Data fiduciaries that fail to comply with these requirements may face penalties of up to $20 million under Section 26.
General Personal Data
General personal data includes all personal data that is not sensitive or critical, as defined in Section 3 of the DPDP Act. Data fiduciaries that process general personal data must comply with the general principles of data protection, including the principle of data minimization under Section 4.
In practice, this means that data fiduciaries must only collect and process personal data that is necessary for the purpose for which it was collected, with a $5 million penalty for non-compliance under Section 26. The law also provides for a time limit of 30 days for data fiduciaries to respond to data subject access requests under Section 14.
How it Works in Practice
The DPDP Act provides for a step-by-step process for data fiduciaries to comply with the Act, including the requirement for data protection impact assessments under Section 17. Data fiduciaries must conduct a data protection impact assessment before processing personal data, with a time limit of 60 days to complete the assessment under Section 17.
The law also provides for the appointment of a data protection officer, who will be responsible for overseeing the implementation of the Act and ensuring compliance with the law, with a $10 million penalty for non-compliance under Section 26. The data protection officer must be appointed within 30 days of the commencement of data processing activities under Section 18.
In plain terms, this means that data fiduciaries must have a clear understanding of their data processing practices and must take steps to ensure that they are complying with the Act, including the requirement to handle data subject access requests under Section 14. The law provides for a time limit of 30 days for data fiduciaries to respond to data subject access requests, with a $5 million penalty for non-compliance under Section 26.
Penalties, Fines, or Consequences
The DPDP Act provides for significant penalties for non-compliance, including fines of up to $30 million under Section 26. The law also provides for a tiered penalty structure, with penalties ranging from $5 million to $30 million depending on the severity of the non-compliance.
In practice, this means that data fiduciaries that fail to comply with the Act may face significant financial penalties, including fines of up to $20 million for sensitive personal data breaches under Section 26. The law also provides for a time limit of 30 days for data fiduciaries to pay penalties, with a $10 million penalty for non-payment under Section 26.
The DPDP Act also provides for a distinction between intentional and unintentional non-compliance, with penalties ranging from $5 million to $30 million depending on the severity of the non-compliance. That distinction matters, as data fiduciaries that intentionally fail to comply with the Act may face more severe penalties, including fines of up to $30 million under Section 26.
Special Situations or Edge Cases
Children’s Personal Data
The DPDP Act provides for special protections for children’s personal data, including the requirement for parental consent under Section 12. Data fiduciaries that process children’s personal data must comply with additional requirements, including the requirement for age verification under Section 13.
In plain terms, this means that data fiduciaries must take steps to ensure that they are not collecting or processing personal data from children without parental consent, with a $10 million penalty for non-compliance under Section 26. The law also provides for a time limit of 24 hours to respond to parental consent withdrawal requests under Section 13.
Cross-Border Data Transfers
The DPDP Act provides for rules governing cross-border data transfers, including the requirement for standard contractual clauses under Section 19. Data fiduciaries that transfer personal data across borders must comply with these requirements, with a $20 million penalty for non-compliance under Section 26.
In practice, this means that data fiduciaries must ensure that they are transferring personal data in a manner that is consistent with the Act, including the requirement for data protection agreements under Section 19. The law also provides for a time limit of 30 days for data fiduciaries to respond to data subject access requests related to cross-border data transfers under Section 14.
Enforcement and Violations
The DPDP Act provides for the establishment of a Data Protection Board of India, which will be responsible for enforcing the Act and imposing penalties for non-compliance, with a $30 million penalty for serious violations under Section 26. The Board will have the power to conduct investigations and audits, with a time limit of 60 days to complete investigations under Section 22.
In plain terms, this means that data fiduciaries that fail to comply with the Act may face significant penalties, including fines of up to $30 million under Section 26. The law also provides for a distinction between minor and serious violations, with penalties ranging from $5 million to $30 million depending on the severity of the non-compliance.
Recent Changes or Current Status
The DPDP Act is a relatively new law, with the Central Government notifying the effective date of the Act as December 2023, with a $15 million penalty for non-compliance under Section 26. The law is still in the process of being implemented, with the Data Protection Board of India expected to be established within 6 months of the commencement of the Act under Section 23.
In practice, this means that data fiduciaries must be prepared to comply with the Act, including the requirement for data protection impact assessments under Section 17. The law provides for a time limit of 60 days for data fiduciaries to complete data protection impact assessments, with a $10 million penalty for non-compliance under Section 26. As the law continues to evolve, data fiduciaries must stay up to date with the latest developments and ensure that they are complying with the Act, with a $20 million penalty for serious violations under Section 26.