This week both Chambers of the Indian Parliament voted to pass the Digital Personal Data Protection Bill ('DPDPB'), which has some similarities with the GDPR, as well as noticeable differences. Some initial observations on the DPDPB include:
1. Data subjects (called 'data principals' under the DPDPB) have the right to access, correct and erase data, but only where that personal data is based on consent or voluntary disclosure. However, 'false or frivolous' complaints can result in a fine.
2. Data controllers are called 'data fiduciaries' under the DPDPB. Some larger data fiduciaries in India will have additional requirements, such as appointing a DPO (data protection officer), as well as conducting DPIAs (data protection impact assessments) and other audits.
3. The DPDPB provides two lawful grounds for processing data: Consent and so-called 'certain legitimate uses.' The latter, surprisingly, does not include 'legitimate interest,' but does include where the personal data has been voluntarily disclosed, e.g. in a transaction.
4. Publicly available data is excluded from the purview of the DPDPB. This is likely to be welcomed by businesses seeking to train large language model AIs. Processing for research and statistics is also generally excluded from the scope of the bill.
5. The DPDPB has broad extraterritorial effect, similar to that of the GDPR. It covers any person or entity outside of India that processes data 'in connection with any activity related to offering of goods or services [to people in India].' However, the DPDPB does not cover outsourcing companies in India that are processing the data of individuals outside India.
6. Unlike under the GDPR, international data transfers are permitted unless they are forbidden (rather than vice versa).
7. The DPDPB creates a new 'Data Protection Board of India' ('DPBI'), described as being 'independent.' However, it appears that under the DPDPB, the Central Government has the power to obtain personal data from Indian companies or from the DPBI, and to block public access to 'any computer resource.'
India is now the world's largest country by population; as its data protection regime develops, it is likely to serve as an example for other countries in the region as they formulate their own local data protection laws.
Originally published 21 August 2023