Cracking the Code: Understanding India's Digital Personal Data Protection Act, 2023​

Introduction to the Presentation

In August, 2023 India formally passed the Digital Personal Data Protection Act, 2023 (DPDPA), which is the country’s first dedicated legislation dealing with data protection and privacy of personal data. This comes nearly 6 years after the Supreme Court of India had passed a landmark judgement in August 2017, recognizing that the “right to privacy” is a fundamental constitutional right of Indian citizens and had urged the lawmakers to accordingly legislate on this matter.

We have summarized key principles and aspects of the DPDPA in this Presentation (See the pdf). A few highlights of the new legislation are as follows:

(1) The effective date of implementation of the DPDPA is not notified, and neither is there clarity on any transition period for entities to prepare and be compliant with the new legislation.

(2) The Government of India has been vested with extensive powers, ranging from grant of exemption from the applicability of the DPDPA (in whole or in part) to rule making powers. In the absence of these rules, the extent of changes and conditions for compliance remain unclear.

(3) The Data Principal is at the front and centre of the law and the key principles for collecting and processing their data is “consent” or for “legitimate uses” (without consent). (See Slides 6 and 7).

(4) A new regulator, the Data Protection Board has been constituted with Government appointees, which is intended to oversee compliance with the DPDPA by data fiduciaries, consent managers and digital intermediaries (Slides 13 to 16).

(5) However, businesses can take a few steps towards preparing for compliance with the DPDPA, as identified on Slide 22.

For any questions on specific provisions, or the impact of the DPDPA on your operations or on the operations of portfolio companies, please feel free to let us know if you’d like to schedule further discussions.