DPDP Act Compliance • 7 minutes
DPDP Act 2023: Navigating Compliance in India's Electronics Revolution and Semiconductor Growth
India's rapid expansion in electronics manufacturing and its ambition to become a global chip hub, as underscored by the 'Make in India' initiative, brings forth significant opportunities and responsibilities. This growth, marked by rising electronic production and exports, means an increased necessity for stringent digital personal data processing. The Digital Personal Data Protection Act, 2023 (DPDP Act), establishes a comprehensive framework for safeguarding personal data, imposing crucial obligations on entities within this flourishing electronics value chain. Understanding and adhering to the DPDP Act is paramount for all Data Fiduciaries involved in India's evolving digital landscape.
Last updated:
India is witnessing an unprecedented surge in its electronics sector, aiming to build an entire electronics value chain and emerge as a global chip hub. Prime Minister Narendra Modi recently highlighted this momentum with the inauguration of the CG Semi Outsourced Semiconductor Assembly and Test (OSAT) facility in Sanand, Gujarat. This pivotal development marks the next phase of the 'Make in India' initiative, propelled by a nearly seven-fold increase in electronic production and an approximately eleven-fold rise in electronics exports since 2014. The commencement of commercial production of chip packaging signifies a new era of the electronics revolution in India, embracing the mantra of 'Design in India, Make in India'. This expansion, while a monumental step towards a developed India, simultaneously amplifies the scope of digital personal data processing, bringing entities within this value chain directly under the purview of the Digital Personal Data Protection Act, 2023 (DPDP Act).
The DPDP Act, 2023, establishes a robust legal framework governing the processing of digital personal data within India. Its applicability extends not only to processing within the country but also to processing outside India if it relates to offering goods or services to Data Principals located in India. As India's electronics value chain rapidly expands, from design and manufacturing to assembly, testing, and export, numerous entities will inevitably engage in the processing of digital personal data. These entities, determining the purpose and means of such processing, are defined as 'Data Fiduciaries' under the Act, holding significant responsibilities towards 'Data Principals' – the individuals to whom the personal data relates.
For companies operating within India's burgeoning semiconductor and electronics manufacturing ecosystem, understanding their role as Data Fiduciaries is foundational. Whether processing employee data, customer information, supply chain data, or data related to the sale and export of electronic goods, these entities must comply with the Act. The spirit of 'Make in India' and 'Design in India' must now be complemented by 'Protect Data in India', ensuring that the technological advancements are underpinned by robust data protection practices. The Act provides the necessary guidelines for this, emphasizing that the processing of digital personal data must be lawful, fair, and transparent to the Data Principal.
A cornerstone of the DPDP Act is the requirement for valid consent from the Data Principal for the processing of their personal data. This consent must be free, specific, informed, unconditional, and unambiguous, clearly signifying the Data Principal's agreement to the processing of their personal data for a specified purpose. Before seeking consent, Data Fiduciaries, including those involved in electronics manufacturing and exports, must provide a clear and itemized notice to the Data Principal. This notice must accurately describe the personal data to be collected, the purpose of its processing, and how the Data Principal can exercise their rights under the Act. For instance, any company exporting electronics that collects data on Indian customers, even if processed abroad, would need to adhere to these notice and consent requirements.
Beyond consent, the DPDP Act mandates several core principles for data processing. These include purpose limitation, ensuring that personal data is used only for the purpose for which consent was obtained or deemed obtained. Data minimization is another crucial principle, requiring Data Fiduciaries to collect only such personal data as is necessary for the stated purpose. Furthermore, Data Fiduciaries are responsible for maintaining the accuracy, completeness, and consistency of the personal data they process, ensuring data quality throughout the processing lifecycle. Data retention policies must also align with the Act, stipulating that personal data should be retained only for as long as necessary for the purpose for which it was collected.
In a sector as technologically advanced as electronics and semiconductors, implementing robust security safeguards is paramount. The DPDP Act places an obligation on Data Fiduciaries to adopt reasonable security safeguards to prevent personal data breaches. Should a personal data breach occur, the Act mandates prompt notification to both the Data Protection Board of India and each affected Data Principal. This proactive approach to security and breach management is critical for maintaining trust and protecting the sensitive information handled within the sophisticated electronics value chain, including data processed by facilities like the new CG Semi OSAT plant.
The Act also empowers Data Principals with several rights designed to give them greater control over their personal data. These rights include the right to access information about their personal data, the right to correction and erasure of their personal data, the right to grievance redressal, and the right to nominate another individual to exercise these rights in the event of their death or incapacity. Data Fiduciaries operating in India's booming electronics export market must establish clear mechanisms to facilitate the exercise of these rights by Data Principals, whether they are employees, customers, or other stakeholders.
Given India's significant growth in electronics exports, with an eleven-fold increase since 2014, the provisions concerning cross-border transfers are particularly relevant. The DPDP Act permits the transfer of personal data outside India to such countries or territories as may be specified by the Central Government. This means that entities involved in exporting electronic products or services that involve processing the digital personal data of Indian Data Principals must ensure that any international transfers comply with these specified regulations. This applies even to operations like the global chip hub vision, where data may need to be moved across jurisdictions.
Non-compliance with the provisions of the DPDP Act carries significant consequences. The Act prescribes financial penalties for various breaches, underscoring the serious nature of data protection obligations. The Data Protection Board of India has been established as the authority responsible for enforcing the provisions of the Act, ensuring that Data Fiduciaries adhere to their responsibilities. While the Central Government retains the power to exempt certain Data Fiduciaries or classes of Data Fiduciaries in specific circumstances, the general expectation is strict adherence to the law as India cements its position as a leader in electronics manufacturing and exports.
As India continues its trajectory to become the world's second-largest mobile manufacturer and exporter, and moves towards building an entire electronics value chain, the Digital Personal Data Protection Act, 2023, serves as an essential guide. The 'next phase of Make in India' in electronics brings not only economic growth but also a heightened need for robust data governance. Compliance with the DPDP Act is not merely a legal obligation but a strategic imperative, fostering trust and sustainability in India's digital future. Entities within this vibrant sector must proactively engage with the Act's requirements to ensure their operations are both innovative and compliant.
ComplyDP