India’s new Digital Personal Data Protection Act is now in effect. The country’s first comprehensive digital privacy law includes rules that grant companies up to 18 months to meet compliance requirements and give consent managers 12 months to secure registration with regulatory agencies, Business Standard reports.

Key provisions of the act that you need to know about:

  • Explicit, informed consent must be secured by companies before collecting or processing personal data, and individuals may withdraw consent at any time;
  • Data principal rights: Users can access, correct, and erase their data and request clarity on how it is being processed;
  • Data fiduciary obligations: Firms must disclose the purpose of data collection, ensure secure processing, and report breaches promptly;
  • Non-compliance invites heavy fines, with failure to maintain data safeguards carrying penalties of up to INR 25 bn;
  • Scope: The law covers all digital personal data in India and applies extraterritorially when overseas processing involves goods or services for users in India.

How does this work? Users can withdraw consent anytime or report violations to the new, digitally-operated Data Protection Board in New Delhi.

New obligations for intermediaries: Intermediary firms handling personal data must delete user information promptly unless retention is otherwise required by law. Consent managers must maintain continuous compliance with the regulatory framework to avoid suspension. Intermediaries are categorized by the service they provide, and that category defines when and how data must be erased and how consent must be managed.

Strict breach-reporting regime: In the event of a data breach, companies must notify both the user and the regulators within 72 hours, detailing the nature of the breach, scale of exposure, consequences, mitigation steps, and user safeguards.