After over a decade of anticipation, India has finally enacted the Digital Personal Data Protection Act 2023 (DPDPA), which received presidential approval following its swift passage through both houses of Parliament. This is a significant development, as India had long operated under the provisions of the Information Technology (IT) Act 2000 and its associated regulations. The DPDPA aims to establish guidelines for the processing of digital personal data, balancing individuals’ rights to protect their data with the lawful requirements for data processing. The law is yet to be officially notified by the central government, and different provisions will come into effect on various dates.
The groundwork for this legislation began in 2017 when the Supreme Court of India recognized the right to privacy as a fundamental right. A Committee of Experts on Data Protection, chaired by Justice B N Srikrishna, was formed in 2017 to address data protection concerns. This culminated in the introduction of the Personal Data Protection Bill 2019 (PDPB) in 2019, followed by a comprehensive review process by a Joint Parliamentary Committee, leading to the withdrawal of the bill by the government in 2022 for further refinement. The Draft Digital Personal Data Protection Bill was released for public consultation in 2022 and was eventually reintroduced and passed in Parliament in August 2023.
In essence, India’s new data protection law seeks to regulate the processing of personal data in the digital realm while respecting individual privacy rights and legitimate data usage.