On August 9, 2023, India’s upper house (i.e., Rajya Sabha) passed the Digital Personal Data Protection Bill (“DPDPB”), two days after India’s lower house (i.e., Lok Sabha) passed the legislation. The DPDPB now heads to India President Droupadi Murmu for signature.
The final text of the DPDPB as passed has not yet been released, but India’s Ministry of Electronics & Information Technology released a description of the DPDPB’s “salient features” which include:
- Obligations of “data fiduciaries” (i.e., persons, companies and government entities who process data), including as to security safeguards, data breach notification, data minimization, data erasure, responding to “data principal” (i.e., the person to whom the data relates) grievances, audits, data protection impact assessments, and children’s data;
- Rights of data principals, including rights of access, correction, erasure, grievance redressal including by the data fiduciary and then by “Data Protection Board”, and to nominate a person to exercise rights in case of death or incapacity; and
- Financial penalties for breach of rights, duties and obligations.