Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 36
36
Hogan Lovells
India
substantive provisions of the DPDP Act have
Comprehensive data protection regulation has
been exempted where personal data of data
been a long time coming in India. Following
subjects outside India is processed in India
the passage in August 2023 of the Digital
Personal Data Protection Act (DPDP Act), which pursuant to a cross-border contract. This
effectively exempts the processing of foreign
has yet to come into force, in January 2025,
personal data by the offshore/outsourcing
the Ministry of Electronics and Information
industry
from the new law.
Technology (MEIT) released a draft of the
Digital Personal Data Protection Rules (Draft
“Data fiduciaries” and “Significant
Rules) that seeks to implement the DPDP Act.
data fiduciaries”:
The Draft Rules invited comments from the
The DPDP Act would regulate “data fiduciaries”,
public which ended March 2025. We expect
which are defined in similar terms as “data
these feedback to be taken into consideration
controllers” under GDPR. The DPDP Act
by the government. It is anticipated that the
would
require that data fiduciaries assessed
DPDP Act will be implemented by the end of
to be “significant” (based on various factors
this calendar year following finalization of
such as the volume and sensitivity of data
the Draft Rules.
processed) to appoint an India-based data
protection officer responsible for advising the
Key elements of the DPDP Act include:
organization on its compliance with the law
and for being a principal point of contact in
A dedicated authority:
relation to compliance matters, amongst other
The DPDP Act would establish the Data
accountability obligations.
Protection Board of India (“DPBI”), which
would be responsible for enforcement. The
Basis for processing:
move to a dedicated data protection authority
is an important one, as it has been an important The DPDP Act requires the free, specific
informed, unconditional, unambiguous, and
indicator of how strict enforcement will be
affirmatively indicated data subject consent
under a new data protection law. That said, the
to the processing of personal data, subject
DPBI has only adjudicatory powers, and the
to prescribed exceptions, including “certain
rule making powers under the law have been
legitimate
uses” such as where data subjects
entrusted with the government.
have voluntarily provided their personal data
to the data fiduciary in circumstances in which
Extra-territoriality:
they have not indicated to the data fiduciary
Drawing inspiration from GDPR, the DPDP
that they do not consent to the use of their
Act would regulate all digital personal data
personal data. As the exemptions are fairly
collected or processed within the territory of
limited and there is no “legitimate use” type
India, processed by any Indian organisation
of ground under the law, consent would be
and to the processing of digital personal data
the
main ground for processing personal data.
outside India, provided such processing is
Further, given the manner in which consent is
undertaken in connection with any activity
defined and requirements of privacy policies/
related to the offering of goods or services to
notices, the standard for consent would be
individuals in India. An earlier draft of the
more or less the same as under GDPR.
DPDP Act had made reference to
extra-territorial monitoring of the behaviour
Data subject rights:
of individuals in India, but this aspect of GDPR
was dropped in the final draft. It is also relevant In addition to rights to correct and have
personal data erased, the DPDP Act would
to note that the applicability of almost all
