India\u2019s Digital Personal Data Protection Bill was tabled in 2022, and was finalized as India\u2019s Digital Personal Data Protection Act (DPDP Act)<\/a> when it received approval from both houses of Parliament and the assent of the President in August 2023. The law came into effect August 11, 2023 and covers personal data collected in digital format, or collected by other means and later digitized. The law is intended to protect personal information for citizens in the world\u2019s most populous country, and increase accountability for organizations that handle a lot of such data, including those with online operations and that run mobile apps.<\/p>\n The law is in line with the standards of many global data privacy regulations<\/a>, taking influence from China\u2019s Personal Information Protection Law (PIPL)<\/a> and the European Union\u2019s General Data Protection Regulation (GDPR)<\/a>. We look at important requirements of the DPDP Act, key definitions, enforcement, and more. (Note: the state-level Delaware Personal Data Privacy Act in the United States also uses the initialism \u201cDPDPA\u201d, so we will mostly use \u201cthe DPDP Act\u201d.)<\/p>\n\n\n The DPDP Act is a federal law in India that regulates the processing of the digital personal data of its citizens. The law aims to strike a balance between the recognized need to process personal data for various purposes, and individuals\u2019 right to control and protect it.<\/p>\n Like many data privacy laws around the world, the DPDP Act is extraterritorial, and so applies to organizations operating both inside and outside of India, if they are offering goods or services to Indian citizens, and in doing so processing personal data. The Act does allow for legal bases for data processing in addition to consent of the data principal, but consent is required for many processing purposes.<\/p>\n\n\n The definitions of key terms outlined in the DPDP Act are consistent with many data privacy laws, though some of the terms are different, e.g. \u201cdata fiduciary\u201d instead of \u201cdata controller\u201d. The definition of a person is also quite broad, as it can include the Indian State, a family, or a firm, for example.<\/p>\n A person covers a variety of entities, not just individual people, and refers to:<\/p>\n Personal data refers to any data about an individual who is identifiable by or in relation to such data. The personal data can be collected and processed in digital format, or collected in another format and later digitized. The Act does not provide a list of examples of personal data (e.g. name, phone number, financial information, etc.) like some data privacy laws do.<\/p>\n Processing in the context of personal data means \u201ca wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction\u201d.<\/em><\/p>\n A data principal\u2019s consent must be: \u201cfree, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose\u201d.<\/em><\/p>\n A child is defined as a person who is 18 years old or younger.<\/p>\n This term refers to any individual to whom personal data being processed relates, and includes an individual who is a child (also, then, including the child\u2019s parents or lawful guardians) or an individual who has a disability (also, then, including the person\u2019s lawful guardian, acting on their behalf). Also known as a data subject under some other laws.<\/p>\n \u201cData fiduciary\u201d means any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. Also known as a data controller under some other laws.<\/p>\n A \u201cSignificant Data Fiduciary\u201d refers to any data fiduciary or class of data fiduciaries as may be notified by the Central Government.<\/p>\n A data processor is any person who processes personal data on behalf of a data fiduciary.<\/p>\n For the purposes of the Act, \u201cConsent Manager\u201d does not refer to software such as a consent management platform, but instead refers to a person or organization registered with the Data Protection Board. This entity acts as the point of contact to enable an individual, here the \u201cdata principal\u201d, to provide, manage, review, and\/or withdraw her consent via a platform that is \u201caccessible, transparent and interoperable\u201d. A consent manager serves as a middleman for businesses to help facilitate compliance with the DPDP Act.<\/p>\n\n\n The law applies to entities that collect and process digital personal data in India in the course of offering goods and services. It also applies to the processing of personal data outside of India if the processing is connected with an activity relating to offering goods or services to Indian citizens.<\/p>\n\nWhat is the India Digital Personal Data Protection Act (DPDP Act)?<\/h2>\n\n\n
Key definitions in the Indian Personal Data Privacy Law<\/h2>\n\n\n
What is a person under the DPDP Act?<\/h4>\n
\n
What is personal data under the DPDP Act?<\/h4>\n
What is processing under the DPDP Act?<\/h4>\n
What is the definition of consent under the DPDP Act?<\/h4>\n
Who is defined as a child under the DPDP Act?<\/h4>\n
Who is a data principal under the DPDP Act?<\/h4>\n
Who is a data fiduciary under the DPDP Act?<\/h4>\n
Who is a data processor under the DPDP Act?<\/h4>\n
What is a consent manager under the DPDP Act?<\/h4>\n
Who has to comply with the Indian data privacy law?<\/h2>\n\n\n