Legal news


India enacts a new comprehensive data protection law.

India is the latest large country on the international chessboard to have an organic data protection law.

Today, after approval by the Upper House of the Parliament, the proposed "Digital Personal Data Protection Act" has concluded its approval process and now awaits presidential assent to enter into force.

After years of attempts, aborted at the last mile, the DPDPA now sees the light of day. The DPDPA covers both "personal data" (a definition that coincides with that of the GDPR) and "data" (a definition that coincides - in part - with that of the EU Digital Decade laws: "any representation of information, facts, concepts, opinions or instructions suitable for communication, processing or interpretation by human beings or by automated means"). Moreover, the Indian data protection law regulates the digital sphere, as if the GDPR also included the (long overdue) data protection rules now governed by Directive 2002/58.

The DPDPA is a modern law (also respecting "gender": the pronoun "her" is specified to be used regardless of the gender of the data subject). The concepts of Data Controller ("Data Fiduciary") and Data Processor coincide with those of the GDPR.

A DPO is also provided for, although it is mandatory only for a "Significant Data Fiduciary" notified by the Central Government (e.g., those handling large volumes of data or "sensitive" categories of data, etc.).

An interesting figure - unknown to the GDPR - is the "Consent Manager", who can be appointed by the data subject (called the Data Principal) to manage the provision of consent (a similar figure is found in the DGA, Reg. 2022/868, for so-called "data altruism").

Echoes of the GDPR are heard in the rules on data subjects' rights, data breach management, and international transfer of data outside India. The law establishes the Indian Data Protection Board and provides for penalties (in a specific annex) of up to about €30 million.
