In a crucial development that influences the global data privacy landscape, the Indian parliament recently implemented the Digital Personal Data Protection Act of 2023 (DPDPA). This major step towards revising the country’s data privacy laws has been the subject of debate and discussion for nearly six years since a landmark 2017 Supreme Court decision declared privacy a fundamental right. Now, with presidential consent, the Act, modelled after the EU’s General Data Protection Regulation (GDPR), has become law. You can read more about the genesis and evolution of this law on JD Supra.
Despite initial suggestions that the DPDPA would impose more stringent requirements than the GDPR, the finalized form aligns closely with its EU counterpart. This synchronization not only simplifies compliance for multinational corporations operating in both jurisdictions, but also firmly places India among the global community of nations adhering to leading privacy standards.
How this new law impacts corporate and legal landscapes remains largely a matter of interpretation and practice. Unlike its predecessors, the DPDPA introduces a comprehensive framework for data handling, encompassing collection, storage, processing and transfer. It also establishes consent as a rule rather than an exception, provides multilayered security requirements, and devises comprehensive mechanisms for enforcement.
In summary, the advent of the DPDPA attests to India’s growing commitment to aligning with global data privacy standards, facilitating a smoother adaptability for multinational corporations. Equally important, it underscores the emphasis on upholding individual users’ rights in an increasingly digital world, a factor crucial to both corporate and government stakeholders. The full implications will become clearer as the Act is implemented and tested in the everyday operations of Indian businesses and corporations.