DPDPA Compliance

The Digital Personal Data Protection Act (DPDPA) 2023 is India's first comprehensive data protection law. It governs the processing of digital personal data within India and the processing of personal data outside India where it relates to offering goods or services to individuals in India.

The DPDPA applies to any entity (Data Fiduciary) processing digital personal data in India, as well as entities outside India that process personal data in connection with offering goods or services to individuals in India. This gives the DPDPA extraterritorial reach similar to the GDPR.

While both are comprehensive data protection laws, key differences include: the DPDPA uses a consent-and-legitimate-use model rather than GDPR's six legal bases; the DPDPA applies only to digital personal data; cross-border transfers use a government blacklist approach rather than adequacy decisions; and the DPDPA does not include a right to data portability or a right to object to processing.

The DPDPA prescribes penalties of up to ₹250 crore (approximately $30 million) for the most serious violations, including failure to take reasonable security measures leading to a data breach. The Data Protection Board of India will adjudicate complaints and impose penalties.

The Central Government may designate certain Data Fiduciaries as Significant Data Fiduciaries based on the volume and sensitivity of data processed, risk to data principals, and potential impact on sovereignty and security. Significant Data Fiduciaries face additional obligations including appointing a Data Protection Officer, conducting Data Protection Impact Assessments, and periodic audits.

The DPDPA takes a blacklist approach — personal data may be transferred to any country except those specifically restricted by the Central Government. This is simpler than the GDPR's adequacy and safeguard mechanisms, but the restricted country list has not yet been published, creating uncertainty for international businesses.