The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection law, enacted on August 11, 2023. It establishes a legal framework for the processing of digital personal data, recognising individuals' rights to protect their personal data while allowing for lawful data processing.
Table of Contents
- Introduction
- Legislative Genesis
- Seven Foundational Principles
- Territorial & Material Scope
- Key Definitions
- Rights of Data Principals
- Obligations of Data Fiduciaries
- Consent & “Legitimate Uses”
- Cross‑Border Transfer
- Regulatory Architecture
- Penalty Framework
- Interplay with Other Laws
- Timeline to Compliance
- Conclusion
1. Introduction
India’s Digital Personal Data Protection Act, 2023 (DPDP Act) is the Republic’s first dedicated statute on personal‑data privacy. Enacted on 11 August 2023 and awaiting phased commencement, the Act fulfils two constitutional imperatives –
- Protect the fundamental right to privacy (Justice K.S. Puttaswamy v. Union of India, 2017).
- Permit legitimate data processing for economic development, good governance and national security.
Replacing the patchwork rules that previously sat under the Information Technology Act, 2000, the DPDP Act introduces clear rights for individuals (Data Principals) and corresponding duties for organisations that determine the purpose and means of processing (Data Fiduciaries).
This overview distils the Act’s legislative background, guiding principles, territorial reach, individual rights, fiduciary obligations, enforcement architecture, penalty matrix and interplay with other laws.
2. Legislative Genesis
| Milestone | Description |
| --- | --- |
| 2017 | Supreme Court declares privacy a fundamental right. Government appoints the Justice B.N. Srikrishna Committee. |
| 2018 | Committee submits its report, “A Free and Fair Digital Economy”, and the Draft Personal Data Protection Bill. |
| 2019 – 2021 | Successive Bills introduced; the Joint Parliamentary Committee proposes a 2021 version, which is later withdrawn. |
| 03 Aug 2023 | Digital Personal Data Protection Bill, 2023, tabled in the Lok Sabha. |
| 09 Aug 2023 | The Bill passes both Houses. |
| 11 Aug 2023 | Presidential assent; DPDP Act (No. 22 of 2023). Commencement to follow by notification of provisions. |
3. Seven Foundational Principles
The statute expressly adopts seven privacy principles that guide every substantive obligation –
- Consent, Lawfulness & Transparency – Personal data shall be processed only with the free, informed and specific consent of the individual, or on another lawful ground.
- Purpose Limitation – Personal data shall be processed strictly for the stated purpose.
- Data Minimisation – Only such data shall be collected as is necessary and proportionate to the specified purpose of processing.
- Accuracy – Reasonable efforts must be made to ensure that personal data is accurate and kept up to date.
- Storage Limitation – Data must be erased once the purpose is served or the legally mandated retention period expires.
- Reasonable Security Safeguards – Appropriate technical and organisational measures shall be implemented to ensure the confidentiality, integrity and availability of personal data.
- Accountability – Entities processing personal data are responsible for compliance and face adjudicatory penalties in case of breach.
Every right or duty in later chapters flows from these axioms.
4. Territorial & Material Scope
4.1 Processing inside India
Any personal data that is collected in digital form, or collected offline and later digitised, and processed within India falls squarely under the DPDP Act.
4.2 Extra‑territorial reach
Processing outside India is also covered if it relates to offering goods or services to, or profiling of, individuals within India. Global businesses hosting servers abroad cannot escape compliance if they target Indian users.
4.3 Exclusions
The Act does not apply to –
- Purely personal or domestic processing by an individual.
- Personal data made public by the individual herself or under statutory mandate.
- Non‑digital data that is never digitised.
- Processing by Government agencies exempted by notification for reasons of sovereignty, security or public order (Section 17).
5. Key Definitions
| Term | Meaning (Section 2) |
| --- | --- |
| Data Principal | Individual to whom personal data relates; for a child (< 18 years), the parent/guardian acts instead. |
| Data Fiduciary | A person (natural/juristic) who, alone or in conjunction with others, determines the purpose and means of processing personal data. |
| Data Processor | Person who processes personal data on behalf of a Data Fiduciary. |
| Significant Data Fiduciary (SDF) | Any Data Fiduciary designated by the Central Government based on factors such as volume/sensitivity of data, risk to individual rights, etc. |
| Personal Data Breach | Unauthorised processing or accidental disclosure/alteration/loss of personal data that compromises the confidentiality, integrity or availability of that data. |
6. Rights of Data Principals
The Act grants individuals four core rights (plus the right to nominate a representative) –
- Right to Information (Access) – obtain confirmation and a summary of the personal data being processed and the identities of those with whom it is shared.
- Right to Correction/Update/Erasure – rectify inaccurate or misleading data, complete incomplete data and update personal data; also have data erased once the purpose is served or consent is withdrawn (subject to legal-retention carve-outs).
- Right to Grievance Redressal – complain first to the Fiduciary and, if unsatisfied, escalate to the Data Protection Board of India.
- Right to Nominate – nominate another individual to exercise these rights in the event of the Data Principal's death or incapacity.
These rights are actionable, time‑bound and enforceable via penalties.
7. Obligations of Data Fiduciaries
Every Data Fiduciary must—
- Obtain valid and informed consent from the Data Principal, preceded by a notice in clear and plain language, and enable easy withdrawal of that consent.
- Adhere to the principles of purpose limitation (processing only for the specified purpose) and data minimisation (collecting only necessary data).
- Ensure the accuracy of personal data and implement appropriate technical and organisational security controls.
- Honour Data Principal rights within the prescribed timelines.
- Notify the Data Protection Board of India and affected individuals “as soon as practicable” after a personal‑data breach.
Additional duties for Children’s data – Parental consent, no behavioural tracking or targeted advertising, and no processing detrimental to a child’s well‑being.
Additional duties for SDFs – Appoint an India‑based Data Protection Officer, conduct annual independent audits, perform a compulsory Data Protection Impact Assessment (DPIA) for high‑risk processing, maintain records, and comply with further safeguards as notified by the Government.
8. Consent & “Legitimate Uses”
Consent must be free, informed, specific, unambiguous, unconditional and given by clear affirmative action. The Act prohibits the use of dark‑pattern consent and allows for withdrawal at any time.
Processing without consent (Section 7) is permitted only in the following tightly‑defined situations—
- When Data Principal voluntarily provides data and raises no objection.
- For State functions related to providing subsidies, benefits, licences, etc.
- Compliance with laws, court orders or judgments.
- In Medical and epidemic emergencies.
- In Disaster management or situations involving the breakdown of public order.
- For employment-related processing that is proportionate to the purpose.
9. Cross‑Border Transfer
Unlike earlier drafts, the DPDP Act adopts a “black‑list” approach – it allows personal data to flow to any foreign country except those specifically notified as restricted by the Central Government. Contractual and security safeguards remain advisable, and certain sensitive‑sector restrictions (e.g., payments) continue under the purview of sectoral regulators.
10. Regulatory Architecture
10.1 Data Protection Board of India (DPBI)
- The DPBI is an adjudicatory authority responsible for addressing complaints and investigating breaches.
- It is headed by a Chairperson and consists of Members.
- The Board investigates breaches, decides complaints, issues binding directions and levies monetary penalties.
- Decisions of the DPBI can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and thereafter to the Supreme Court.
10.2 Voluntary Undertaking
A Fiduciary under inquiry may offer a remedial undertaking; the DPBI may accept, monitor and enforce it in lieu of full adjudication.
11. Penalty Framework
| Contravention | Maximum Penalty (₹) |
| --- | --- |
| Lack of reasonable security safeguards leading to a breach | 250 crore |
| Failure to inform the DPBI/Data Principals of a breach | 200 crore |
| Violation of children‑specific provisions | 200 crore |
| Non‑compliance by an SDF with its additional duties | 150 crore |
| Breach of any other provision of the Act or Rules | 50 crore |
| Frivolous grievance or complaint by a Data Principal | 10,000 |
The DPBI must consider the gravity and duration of the contravention, any gain or loss involved, the nature of the data, and mitigating actions taken before quantifying any fine.
12. Interplay with Other Laws
- IT Act 2000 – Section 43A of the Information Technology Act, 2000 is omitted, and the Sensitive Personal Data or Information (SPDI) Rules, 2011 framed under it are superseded by the DPDP Act.
- Sectoral Regulations – RBI, IRDAI, SEBI retention or localisation mandates coexist; if simultaneous compliance is impossible, DPDP prevails to the extent of conflict.
- Upcoming Digital India Act – Expected to dovetail with DPDP to modernise intermediary and cybersecurity rules.
13. Timeline to Compliance
The Government will notify staggered commencement dates and allied Rules (breach‑report format, notice language standard, grievance window, etc.). Businesses should—
- Map personal data flows and classify processing purposes.
- Gap‑assess current privacy notices, consent screens and security controls.
- Draft a retention schedule and deletion workflows.
- Set up a rights & grievance portal; train staff.
- If likely to be an SDF, appoint a Data‑Protection Officer and prepare for annual audit.
14. Conclusion
The DPDP Act ushers India into the front rank of jurisdictions with omnibus data‑protection legislation. For individuals, it converts privacy from an abstract right into actionable powers. For organisations, it imposes rigorous, enforceable duties—with penalties of up to ₹250 crore—for failure to process personal data responsibly.