India adopts a privacy law after years of delay

India has finally adopted a data privacy framework. The Digital Personal Data Protection Act 2023 received the assent of the President on 11 August and was published in the official gazette the following day.

The law includes a right to correction and erasure of personal data.

Amongst the exemptions is a controversial provision which excludes personal data from the Act’s scope if it is made or caused to be made publicly available by the data principal (the data controller is called the “data fiduciary” and the data subject is called the “data principal” in India’s law). The legislator gives an example of this situation - an individual, while blogging her/his views, has publicly made available their personal data on social media.

The law also applies to processing of digital personal data outside of India, ‘if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India’.

India’s Supreme Court held privacy as a fundamental right in 2017 in Justice KS Puttaswamy v Union of India, and the new Act may have to be measured against that standard. The first draft Bill was submitted soon after, and there have been three drafts since. The current law is a simplified version of parts of the previous Bills.

It does not include a date (or dates) when the law will enter into force.

The law creates the Data Protection Board of India which will be established by the Government with some claims to independence, but its members will be appointed by the Government with only two-year terms.

Graham Greenleaf, PL&B’s Asia-Pacific Editor, will provide a full analysis of the Act in the next issue of PL&B International Report.