Updated Data Protection Laws Introduced by Chile and India

The first of these new laws is the ‘Personal Data Protection Law’ (PDPL), adopted by the Chilean government on 26 August 2024.  Although Chile already had data protection legislation dating back to 1999, the PDPL is a gamechanger because it, for the first time, explicitly aligns Chile’s data protection regulatory framework with the GDPR.  For example, the PDPL mandates the use of appropriate risk mitigation measures, such as anonymisation and pseudonymisation of data, also favoured by the Regulation.  

Like the GDPR, the PDPL also contains purpose limitation provisions and requirements for secure processing. The PDPL mirrors the GDPR’s robust suite of data subject rights, such as an individual’s right to access their personal information, keep it accurate and up to date, or have it deleted when it is no longer needed/justified. Importantly, from a data adequacy point of view, the new law also requires that where cross-border transfers of data are made from Chile, the importer country must provide an adequate level of data protection, or one of a range of derogations set out in the PDPL must apply (e.g., the data subjects have consented to the overseas sharing). The law also establishes Chile’s first national data protection authority, the Personal Data Protection Agency.  The new regulator will monitor compliance with the PDPL and apply sanctions for breaches, including fines at potentially high levels.

The other new law is the Indian Digital Personal Data Protection Act 2023 (DPDPA).  The DPDPA received presidential assent on 11 August 2023, and is due to come into force on notification by the Indian government (different parts of the Act may be notified on different dates by the government).  It is expected that the DPDPA will come into effect sometime later this year, as in the 2024 Budget the government allocated 20m rupees to set up the new Indian data protection authority, the Data Protection Board, to start applying the Act in the 2025 Financial Year (but only in adjudication of complaints and for breach reporting purposes – all powers under the DPDPA, e.g., to impose heavy fines, lie with the government).  Government-produced Rules on implementing the DPDPA are due to be issued for public consultation imminently.

Although there were data protection provisions contained in previous legislation from 2000 and 2011, the DPDPA is the first standalone, comprehensive data protection law in India.  The Act applies to the processing of digital personal data within the territory of India collected in digital form, or manually and later digitised. Personal data is defined as any data in digital form about an individual who is identifiable by or in relation to such data.  In an interesting and significant exclusion, the DPDPA does not cover personal data made publicly available either by the data principals themselves or by any other person due to a legal obligation. The Act also does not classify different forms of personal data based on their level of sensitivity (unlike the GDPR’s ‘special category’ data, for example).

The DPDPA introduces data subject rights such as rights to access, rectification and erasure, and obligations on data processors.  It has extra-territorial application (i.e., outside India) where processing is in connection with any activity that relates to the offering of goods or services to the data subject (called the ‘data principal’ in the Act) within India.  

Data controllers are known as ‘data fiduciaries’.  A data processor on behalf of a data fiduciary may process the data principal’s personal data for a lawful purpose, subject to the consent (gathered to GDPR standard) of the data principal, or if the processing is for a legitimate use.  

The Act provides for a special type of data fiduciaries – ‘significant data fiduciaries’ (SDFs).  SDFs are assessed based on a number of factors including: they process personal data of a sensitive nature or at a higher volume than ordinary data fiduciaries; their processing may potentially impact the sovereignty and integrity of India; or it may pose a risk to electoral democracy and the security of the state.  SDFs are required to appoint a data protection officer (DPO) and conduct periodic data protection impact assessments (DPIAs) and audits.  The government may designate any individual a data fiduciary, or a class, as SDFs.  

International transfers of data form India may be subject to sector-specific and/or country-specific restrictions under the Act.  The government will maintain a ‘negative list’ of importer countries to which data flows are blocked.  The conditions for barring a country from receiving Indian people’s data will be specified in the Rules when these are published.

As may be seen, there is some overlap between the DPDPA and the GDPR (although not as much as in the case of the Chilean PDPL).  However, the Indian law rather counterintuitively does not apply to the processing of foreign people’s personal data in India, so it is highly unlikely that the DPDPA will enable the Asian country to meet the requirements for achieving an adequacy decision.  Other key concerns which the European Parliament had about the Act include the interference of Indian intelligence services through digital surveillance and the national parliament’s apparent lack of control over the intelligence services’ actions.

The Chilean law does not come into force for two years, and the adequacy decision granting process can itself take a number of years, so it may be the end of the decade before Chile attains the all-important adequacy status which will allow transfers of EU personal data to it unhindered.  It will be interesting to see what action the Commission takes, if any, regarding re-evaluating India’s adequacy position in the light of the introduction of the DPDPA.

If you or your business would like specific advice or guidance on sending personal data outside of the UK or EU lawfully and safely, please contact URM and ask to speak to one of our specialist data protection consultants, who are all knowledgeable on international data transfers.