Indian Privacy Act Compliance Could be Onerous, Attorney Says
India's detailed Digital Personal Data Protection Act (DPDPA) will potentially be a substantial compliance burden for companies, Kochlar & Company technology attorney Stephen Mathias said in a Hogan Lovells podcast Thursday.
International organizations have already been reviewing their policies based on the DPDPA, but for Indian companies, there's a "huge task ahead," Mathias said. He urged businesses not already reviewing their practices ahead of the act's implementation to start mapping their data and drafting new privacy policies for India.
The law was approved in 2023 but rules implementing it took effect in November (see 2511170002).
There are three implementation stages, Mathias said. First is the creation of the Data Protection Board of India. Second, provisions on consent management are effective Nov. 13, 2026, with the bulk of the DPDPA applicable May 13, 2027. The government recently announced it might bring the 2027 date forward a year, he noted.
Anyone who processes Indians' personal data, whether the business is inside or outside the country, will be subject to the law, said Mathias. However, if the personal data of people outside India is processed within the country, most of the law won't apply.
Consent is the main legal basis for processing and there's no provision for use of legitimate interests, Mathias said. Most data collection will require consent, and the EU's high standard on gathering consent is essentially what will be required in India. "We are pretty much going the GDPR way."
The DPDPA permits the use of a third-party consent manager, he noted. In June, the government published nonbinding business requirements for consent management systems (see 2506100008). Consent implementation will likely follow the GDPR's example, Mathias added.
The DPDPA doesn't require data localization, but the government can restrict data flows to certain countries, such as those with insufficient data protection standards, and those with hostile relationships with India, such as China and Pakistan, Mathias said.
Indian law will be stricter on data breaches than in most other countries, Mathias said. There are four levels of data breach notifications, including to the affected data subjects, the DPA and the Data Protection Board, and the reporting times are narrow.
The DPDPA appears to be AI-friendly, said Mathias. It doesn't require data minimization, but mandates that data be processed for reasons expressly mentioned in a company's privacy policy. If a data subject rejects a specific purpose, that data can't be used for AI training, he said.
Penalties for violations of the act aren't pegged to business revenue or profit, Mathias said. Instead, the law lists violations and maximum fines up to $30 million. Data subjects have no right to compensation under the law, he added.