Final Rules for India’s Privacy Law Expected Soon

The final rules for India’s data privacy law, the Digital Personal Data Protection Act (DPDP 2023), have been finalized by the country’s government and are expected to be released for public consultation in the second or third week of August. 

The DPDP was passed in August of 2023 after receiving presidential assent, and it stood out as rather strict in nature, as compared to previous versions. Then, on September 20, 2023, India’s Minister of State for Electronics and IT, Rajeev Chandrasekhar, announced that the government was working to finalize the appointments for the Data Protection Board and the rules for the Digital Personal Data Protection Act (DPDP) in the following 30 days, however, the law still has not been enacted and there is no effective date in sight for the foreseeable future. 

Below we include a summary of the key points of the law: 

• Applicability: the law applies to “the processing of digital personal data within the territory of India where the personal data is collected in digital form; or in non-digital form and digitized subsequently” and also “to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.”
• Data subject rights: the right to access, the right to correct and delete personal information, the right to nominate another data subject to exercise data subject rights on their behalf in the event of death or incapacity, and the right of grievance redressal.
• Controller obligations: lawfulness of processing, providing a notice to data subjects before seeking consent for processing, making reasonable efforts to maintain the data they handle as accurate and complete as possible, making reasonable efforts to keep the data secure, informing the regulating authorities and affected data subjects in the event of a data breach, and observing purpose limitation.
• Enforcement: the regulating authority will be the Data Protection Board of India which will monitor compliance, enforce penalties, and investigate violations. The Board has not been established yet and to date, there is no deadline on when this will happen, but the plan is for this to be as soon as possible.
• Penalties can go up to $30 million for serious violations, but there is no criminal liability, the same as with previous versions of the law.
• Effective date: although the law is enacted, its effective date remains unclear. 

It is expected that once the current parliamentary session closes, the Rules will be announced. One topic that has been more in focus has been the issue of a child’s age and parental consent, since India’s law defines a child as any individual under the age of 18. Discussions about age-gating and age verification technologies have not resulted in any definitive course of action so it remains to be seen whether the Rules will be finalized and what the approach will be.