India approves Digital Data Protection law imposing new compliance requirements for gaming Cos

Published on:

The Indian Parliament has finally approved the Digital Personal Data Protection Bill, 2023 (“Bill”) ushering a new era in the story of Digital India.

The Bill will now become an act after receiving presidential assent. The legislation lays down a comprehensive framework for data protection in India. In line with Puttuswamy decision by Supreme Court, this new law recognizes the right to privacy of individuals to whom personal data relates to.

Similar to GDPR, personal data may be processed by entities which determine means and purposes of processing which are referred to as Data Fiduciaries and entities such as contractors, service providers, which may process personal data on behalf of such Data Fiduciaries as “Data Processors”.

For gaming sector, the players will be the data principals while gaming companies that collect data will be the data fiduciaries.

The law lays down broad ground rules, several of which, like consent, purpose limitation and data minimization, have been developed through the consultation process.

The provisions will apply to any data about an individual who is identifiable by, or in relation to such data in digital form or personal data which may be digitized later. All online gaming companies use digital form to collect personal data making the legislation applicable on default.

The Bill allows a Data Fiduciary to process the personal data of children only with parental consent. ESports organisers where players may be below 18 years will need to obtain parental consent which anyway is a requirement under the Contract law.

The principle of data minimisation will be applied to all digital data collection and entities can collect only as much personal data as is necessary to serve the specified purpose.

Minister of Electronics and Information Technology Ashwini Vaishnaw said that the law would be put into motion over the coming six to ten months.