The intersection of competition law and data privacy aligns closely with user protection and empowerment. While the Competition Act, 2002 is designed to preserve market competitiveness, the Digital Personal Data Protection Act, 2023 (DPDP Act), empowers individuals by ensuring lawful collection and processing of their personal data.

With the enactment of the DPDP Act, it is timely to discuss how the two laws coalesce and complement one another rather than conflict with each other.

With the intent to grant greater control over personal data and maintain a balance between the protection of privacy and data-driven innovations, India enacted the Digital Personal Data Protection Act 2023 (DPDPA) in August 2023. The government is also likely to notify rules prescribing specific compliances under the DPDPA over the next few months. With this background, here are five key steps that over the top (OTT) and content streaming platforms should proactively consider to ensure compliance with the DPDPA. 

With the implementation of the Digital Personal Data Protection Act 2023 (Act) all set, India’s buzzing ed-tech space is predicted to undergo a reshaping of its contours and business models.

Reconciling workplace security and safety, with employee privacy, dignity, and autonomy is a balancing act. Globally, power asymmetry in employment renders ‘consent’ unfavorable. Under the General Data Protection Regulation (GDPR), ‘legitimate interests’ as a ground to process employee data has been criticised for being overly flexible.

The Digital Personal Data Protection Act 2023 (Act) places the primary obligation on ‘data fiduciaries’ to protect digital personal data of individuals and implement consent artifacts, including for any outsourcing arrangements for processing. Entities who merely process such data at the behest of another entity, called ‘data processors’ have been excluded from the statutory compliance obligations under the Act. The Act defines ‘data fiduciary’ as any entity determining the means and purpose of processing personal data. Entities handling data are required to undertake this classification exercise as the first step, i.e., whether they are merely data processors or can be classified as data fiduciaries.