India enacted its new Digital Personal Data Protection Act (DPDP Act) in 2023.

Here are some key takeaways regarding the law, courtesy of Sajai Singh, a partner at J. Sagar Associates in India. Singh spoke recently at Alpine Privacy Days in Switzerland.

  • Does not apply to:
    • Offline data
    • Publicly available information (Hello scraping public information!)
    • Domestic or personal use, and employee data processed for employment purposes
  • Adopts key FIPs (Fair Information Practice principles) such as data minimization, purpose limitation, accuracy, information security and retention limitation.
  • Applies to non-Indian businesses that offer goods or services to individuals in India, and to the data of such an individual when it is in the hands of their nominee (even if the individual has died or the nominee lives outside India).
  • The only legal basis is consent, and consent has to be active (affirmative). The law introduces the concept of a "consent manager", probably some organization, that can give consent on your behalf. Consent is revocable, but withdrawal only operates going forward.
  • Consent should be taken in advance, e.g. consent for a credit card to be charged whenever it is used for payment, rather than fresh consent for each processing operation.
  • Informed consent also includes telling the individual how to raise a grievance with respect to the data processing (and this applies to employees too).
  • Exceptions to consent: legal obligation, contractual obligation, vital interest (and if the contract states that you will do targeted advertising, that would probably count as contractual necessity).
  • Children = under 18.
  • Employees = deemed consent. This does not extend to selling employee data, but it does cover biometrics and facial recognition.