1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
After many versions of a proposed data privacy law were circulated over the last several years, India recently enacted the Digital Personal Data Protection Act 2023 (the DPDPA). Although notified in the Official Gazette as ‘law’, the DPDPA, as of September 2023, has not been officially implemented. The relevant government department will notify the date of implementation of the DPDPA (different dates may be appointed for different provisions) in due course – likely after the setting up of the Data Protection Board, as many provisions of the DPDPA rely extensively on the setting up of the Board.
Once implemented, the DPDPA will regulate, among other things, the processing of ‘digital’ personal data in India. (‘Processing’ itself is defined in a similar fashion to its definition in the General Data Protection Regulation (GDPR) and subsumes ‘collection’ of personal data as well.)
The DPDPA defines data fiduciaries (that is, entities determining the purpose and means of processing of personal data – akin to ‘data controllers’ under the GDPR); data processors (that is, entities processing personal data, including those on behalf of data fiduciaries) and data principals (that is, individuals to whom the personal data relates), and outlines their obligations, rights and duties. Further, the DPDPA also provides the Indian government the power to regulate transfers of personal data outside India, which is relevant for cross-border investigations.
A quick note on the pre-DPDPA laws: the DPDPA, upon implementation, seeks to replace the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules), which were framed under the Information Technology Act 2000 (IT Act) and served as the primary data privacy law in India up until now, albeit with very limited scope. Until the implementation of the DPDPA, the SPDI Rules are likely to be applicable at least in some capacity and thus remain relevant.