India
Summary
Law: The Digital Personal Data Protection Act, 2023 (the Act)
Regulator: Data Protection Board of India established under the Act (website currently unavailable).
Summary: The Digital Personal Data Protection Act, 2023 (the Act) received Presidential assent and was published in the Official Gazette on August 11, 2023. Importantly, the entry into force of the Act is to be announced by the Indian Government via notification in the Official Gazette. Once the Act is in force, it will replace Section 43A of the Information Technology Act, 2000 (the IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules).
The Act applies only to digital personal data and has an extraterritorial scope with respect to digital personal data outside India if the processing is in connection with the offering of goods or services to individuals within India. Further, the Act imposes obligations on entities that qualify as 'data fiduciaries,' establishes data subject rights for 'data principals,' and generally allows outward transfers of data from India. However, the Act enables the Government to restrict the transfer of personal data to certain countries or territories outside India by way of a notification. The Act introduces a novel concept of 'consent managers' who are entrusted to manage the data subjects' consent and are intended to be independent entities distinct from data fiduciaries and data processors. The Act provides for a maximum penalty of INR 2.5 billion (approx. $31 million) for the breach of its provisions.
Notably, the Government is working on rules prescribed under the Act and the establishment of the Data Protection Board of India, which will be the main Regulator under the Act.