India’s DPDPB — What You Need to Know

India’s new Digital Personal Data Protection Bill (DPDPB) was passed by the country’s two houses — the Lok Sabha and Rajya Sabha — this week. The bill replaces the previous Personal Data Protection Bill, which was withdrawn by the government in August 2022. 

The new law adopts wording of the draft DPDPB published last November, despite criticisms from some MPs and members of the Parliamentary Standing Committee for IT, as well as privacy rights groups. 

The Seven Principles of the DPDPB

A press release issued by India’s Ministry of Electronics & IT outlines the seven principles of the DPDPB. 

1. Consented, lawful and transparent use of personal data
2. Purpose limitation (using data only for the specified purpose)
3. Data minimization (collecting only that information required for the purpose)
4. Data accuracy (ensuring data is correct and updated) 
5. Storage limitation (storing data for a restricted period, determined by its purpose)
6. Reasonable security safeguards
7. Accountability (through breach notification requirements and associated penalties)

These principles align closely with similar legislation of other jurisdictions, including Europe’s GDPR.

Privacy Rights and the DPDPB

There are concerns among privacy rights groups that the exemptions provided in the bill dilute individuals’ privacy rights and contradict their constitutional right to privacy. 

The bill grants exemptions for government and its agencies, as well as law enforcement, for a range of purposes including when “in the interest of security, sovereignty, public order, etc.; to enforce legal rights and claims; and to prevent, detect, investigate or prosecute offences.”

Further the law effectively amends the Right to Information Act, 2005 by granting the government powers to refuse requests made by individuals under the act. 

The Internet Freedom Foundation claims that the legislation “puts in place a regime to facilitate the data processing activities of state and private actors.”

Complying with the DPDPB

When the DPDPB received formal assent from President Draupadi Murmu, organizations operating in India and those elsewhere providing goods and services to Indian residents will need to comply with the new law. 

Identifying the personal information of Indian citizens and residents held across all business systems is the first step in that process. 

Find out how data discovery forms the foundation for privacy compliance in our free white paper. Download your copy today.