and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law is not yet operational; no effective date has been established and there is no official timeline for the overall implementation. Stakeholders expect the law to come into force in a phased manner in the next six to 12 months, after: (i) an independent agency responsible for enforcing the DPDPA — the Data Protection Board of India (the Data Protection Board) — is established; and (ii) the Indian government has framed the subordinate rules (which are expected to provide interpretative guidance on procedural steps and enforcement methodology). The DPDPA is “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime, with supplementary rules expected in due course. Though the new law is not yet operational, companies subject to the new law are advised to begin assessing potential practical implications at an early stage.
The DPDPA is triggered when digital personal data is processed within India. The law also has an extraterritorial effect in that it applies to digital personal data processing outside of India if such processing relates to the offering of goods or services to individuals (known as “data principals”, which are equivalent to “data subjects” under the EU and UK General Data Protection Regulations (the GDPR)) within India. The DPDPA follows broadly similar principles to those set out in the GDPR and specifies rules for data fiduciaries (equivalent to “controllers” under the GDPR) and data processors, and rights for data principals (equivalent to “data subjects” under the GDPR). Penalties for non-compliance under the DPDPA range from INR500 million (€5.7 million) to INR2.5 billion (€28 million). The Data Protection Board is also empowered to impose urgent remedial or mitigation measures in the event of a personal data breach.
Practical Impact on Existing Privacy Compliance Programmes
The DPDPA signals a major change in the way personal data is processed in India. Organisations operating in or targeting individuals in India should consider pre-emptive steps to bring their privacy compliance in line with the DPDPA, including as regards data collection and consent mapping practices. Key differences between the DPDPA and the GDPR include:
• Scope: The DPDPA regulates the processing of digital personal data, i.e., personal data collected in digital form, or collected in non-digital form and subsequently digitised. Whilst the DPDPA’s personal data definition is similar to that provided under the GDPR, it excludes from its scope personal data made publicly available by the data principal or by any other person under a legal obligation to make that data publicly available.
• Legal basis for processing of personal data: The DPDPA provides that data fiduciaries may lawfully process personal data only with the consent of the data principals or for certain specified “legitimate uses”. Such legitimate uses include: processing of personal data voluntarily shared by the data principal for a specified purpose (provided that the data principal does not object); processing to comply with the law or court orders; for employment purposes; or to respond to medical emergencies, epidemics, or disasters. The DPDPA’s consent standard is similar to that of the GDPR, requiring consent to be “free, specific, informed, unconditional and unambiguous with a clear affirmative action” and, unlike the GDPR, it does not permit processing under the lawful bases of contractual necessity or legitimate interests.
• Data principal rights: Whilst data principals will have certain rights similar to those under the GDPR for data subjects (i.e., rights of access, correction, or erasure), they will also benefit from a number of new rights which are unique to the DPDPA, i.e., the right to a readily available and effective means of