Nearly five years after a landmark Supreme Court ruling, which reiterated that information privacy is a fundamental right enshrined in the Constitution, India finally enacted its Digital Personal Data Protection Act, 2023 (the “DPDPA” or “Act”), on August 11, 2023.
While the Act adopts several principles from global data protection frameworks such as the EU and UK General Data Protection Regulation (the “GDPR”) and US data protection laws like the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”)—including (i) free, purpose-specific, informed consent, based on transparent notice and (ii) technical and organizational measures (“TOMS”) and appropriate security practices (to secure data)—it has several distinctive aspects, including a flat definition of “Personal Data”, a remarkably consent centric regime (leaving private entities with few other lawful bases for processing), a requirement to demonstrate necessity even where consent has been obtained, statutory data retention thresholds and a potential “black list” of jurisdictions to which transfers may be restricted.
In this blog post, jointly authored by Cleary Gottlieb and Cyril Amarchand Mangaldas, we analyze the Act against relevant US data protection laws and GDPR, particularly with respect to (i) coverage, (ii) notice, consent and purpose and (iii) minors’ data. We also recommend actionable items for organizations to determine next steps for compliance with the Act, and highlight opportunities to leverage existing compliance processes and procedures to minimize the costs of once again revisiting obligations with respect to personal data processing.