Following a five-year legislative process, India’s Digital Personal Data Protection Act (DPDP) received presidential assent on 11 August 2023. Practically speaking, the DPDP is not yet enforceable as the government still needs to establish the Data Protection Board of India (Board), which will serve as the enforcement authority for the law. The Board, in turn, must implement certain legally binding rules before the DPDP becomes fully operational. This process is expected to unfold over the next 8-12 months, although it could take longer and the national elections in 2024 may further delay the DPDP’s implementation.
For now, US companies doing business in India should continue to comply with current privacy laws in India, which consist largely of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules). In parallel, companies should monitor implementation developments and, when more concrete details emerge, consider how they will leverage existing GPDR and CCPA compliance mechanisms to help gear up for when the DPDP formally replaces and supersedes the SPDI Rules.
Click here to read the full alert.
* * * * *
Copyright 2023 Bloomberg Industry Group, Inc. (800-372-1033) Reproduced with permission. India’s Digital Personal Data Protection Act: What Should US Companies Do Now?