Data Privacy and Data Protection Act 2023 (DPDP Act) Explained

The Data Privacy and Data Protection Act 2023 (DPDP Act) is the first comprehensive data protection law in India. It was passed by the Indian Parliament on August 11, 2023, and came into force on June 27, 2023.

The DPDP Act applies to all organizations that process personal data of individuals located in India, regardless of whether the organization is located in India or outside India. The Act defines personal data as any information that can be used to identify an individual, directly or indirectly.

The DPDP Act sets out a number of key principles for the processing of personal data, including:

  • Consent: Data fiduciaries (organizations that process personal data) must obtain the consent of individuals before processing their personal data.
  • Purpose limitation: Data fiduciaries must only process personal data for the purposes for which it was collected.
  • Data minimization: Data fiduciaries must only collect the personal data that is necessary for the purpose for which it is being processed.
  • Storage limitation: Data fiduciaries must only store personal data for as long as it is necessary for the purpose for which it is being processed.
  • Accuracy: Data fiduciaries must keep personal data accurate and up to date.
  • Integrity and confidentiality: Data fiduciaries must take appropriate security measures to protect the confidentiality of personal data.
  • Accountability: Data fiduciaries must be accountable for their compliance with the DPDP Act.

The DPDP Act also gives individuals a number of rights, including:

  • The right to access their personal data.
  • The right to correct their personal data.
  • The right to delete their personal data.
  • The right to object to the processing of their personal data.
  • The right to data portability.
  • The right to file a complaint with the Data Protection Authority of India (DPA).

The DPA is a statutory body that is responsible for enforcing the DPDP Act. The DPA has the power to investigate complaints, impose penalties, and issue directions to data fiduciaries.

The DPDP Act is a significant step forward in the protection of personal data in India. It is a comprehensive law that sets out clear rules for the processing of personal data and gives individuals strong rights. The DPDP Act is expected to have a major impact on the way that organizations collect, use, and store personal data in India.

Here are some of the key provisions of the DPDP Act:

  • Data fiduciaries: The DPDP Act defines a data fiduciary as an organization that "controls or processes" personal data. This includes organizations that collect, store, use, or share personal data.
  • Personal data: The DPDP Act defines personal data as any information that can be used to identify an individual, directly or indirectly. This includes information such as name, address, email address, phone number, and IP address.
  • Sensitive personal data: The DPDP Act defines sensitive personal data as personal data that is likely to cause harm to an individual if it is disclosed without their consent. This includes information such as religious beliefs, political opinions, health data, and biometric data.
  • Consent: The DPDP Act requires data fiduciaries to obtain the consent of individuals before processing their personal data. Consent must be freely given, specific, informed, and unambiguous.
  • Purpose limitation: Data fiduciaries must only process personal data for the purposes for which it was collected.
  • Data minimization: Data fiduciaries must only collect the personal data that is necessary for the purpose for which it is being processed.
  • Storage limitation: Data fiduciaries must only store personal data for as long as it is necessary for the purpose for which it is being processed.
  • Data portability: Individuals have the right to obtain a copy of their personal data in a structured, commonly used, and machine-readable format.
  • Right to be forgotten: Individuals have the right to request that data fiduciaries delete their personal data.
  • Data protection by design and default: Data fiduciaries must take appropriate measures to protect the confidentiality, integrity, and availability of personal data.
  • Accountability: Data fiduciaries must be accountable for their compliance with the DPDP Act.

The DPDP Act is a complex law, and there are still a number of questions about how it will be interpreted and enforced. However, it is clear that the DPDP Act is a significant step forward in the protection of personal data in India.