Data Protection and Data Privacy Act: Complete Guide to India’s DPDP Act 2023

Quick Legal Summary (60-Second Overview)

The Digital Personal Data Protection Act 2023 is India’s primary data protection and data privacy act, enacted to regulate the processing of digital personal data and replace the outdated Section 43A framework under the Information Technology Act 2000. The data protection and data privacy act applies to any entity processing personal data of individuals located in India, regardless of where that entity is based, and imposes penalties up to Rs 250 crore for non-compliance. Individuals (called Data Principals) gain enforceable rights including access, correction, erasure, and grievance redressal, enforced by the newly created Data Protection Board of India.

Statutory Background of the Data Protection and Data Privacy Act in India

The data protection and data privacy act 2023, formally titled the Digital Personal Data Protection Act 2023, received Presidential assent on August 11, 2023. This legislation followed nearly seven years of deliberation that began after the Supreme Court of India, in Justice K.S. Puttaswamy versus Union of India (2017), declared the right to privacy a fundamental right under Article 21 of the Constitution of India. Before this Act, India relied on the Information Technology Act 2000 and the IT Rules 2011, both of which lacked a comprehensive enforcement mechanism for personal data breaches.

The Digital Personal Data Protection Act 2023 repeals Section 43A of the Information Technology Act 2000 once fully notified. The Ministry of Electronics and Information Technology released the Draft Digital Personal Data Protection Rules 2025 for public consultation, and the rules are expected to be implemented in phases. Organizations seeking to understand contractual obligations arising from this Act should also review how data processing clauses intersect with broader commercial agreements, a topic covered in detail in Drafting Enforceable Commercial Contracts Under Indian Contract Law.


Scope and Applicability of the Digital Personal Data Protection Act 2023

The Digital Personal Data Protection Act 2023 applies to the processing of digital personal data within the territory of India, including data collected online or digitized after offline collection. The Act also applies extraterritorially to entities outside India if they process personal data of individuals located in India for offering goods or services.

Key entities defined under the data protection and data privacy act include:

  • Data Principal: The individual to whom the personal data relates.
  • Data Fiduciary: Any person or entity that determines the purpose and means of processing personal data, equivalent to a data controller under global frameworks.
  • Data Processor: Any entity that processes personal data on behalf of a Data Fiduciary.
  • Significant Data Fiduciary: An entity notified by the Central Government based on factors like volume of data processed, risk to electoral democracy, or sensitivity of data, subject to enhanced obligations including mandatory Data Protection Officer appointment.

The Act explicitly excludes personal data processed for personal or domestic purposes, and data made publicly available by the Data Principal or under a legal obligation.

Core Rights of Data Principals Under Indian Data Privacy Law

The data protection and privacy act grants Indian citizens specific enforceable rights against Data Fiduciaries. These rights are codified under Sections 11 to 14 of the Digital Personal Data Protection Act 2023.

| Right | Section Reference | Description |
| --- | --- | --- |
| Right to Access Information | Section 11 | Data Principal can obtain a summary of personal data processed and processing activities |
| Right to Correction and Erasure | Section 12 | Data Principal can request correction of inaccurate data or erasure once purpose is fulfilled |
| Right to Grievance Redressal | Section 13 | Data Fiduciary must provide a readily available means of grievance redressal |
| Right to Nominate | Section 14 | Data Principal can nominate another individual to exercise rights in case of death or incapacity |

These rights mirror, in part, the structure of consumer protection mechanisms. Individuals exercising grievance redressal rights under this Act may find it useful to compare procedural timelines with consumer complaint mechanisms discussed in Filing Consumer Complaints Under the Consumer Protection Act 2019.

Obligations of Data Fiduciaries Under the Data Protection and Data Privacy Act 2019 Framework

Although the earlier draft often referred to as the data protection and privacy act 2019 (the original Personal Data Protection Bill 2019) was withdrawn and replaced, the core fiduciary obligations it proposed were carried forward into the 2023 Act and remain substantially similar.

Mandatory obligations for every Data Fiduciary under the Digital Personal Data Protection Act 2023 include:

  1. Obtaining free, specific, informed, and unambiguous consent before processing personal data, as required under Section 6.
  2. Providing a clear notice in plain language detailing what personal data is collected and for what purpose, per Section 5.
  3. Implementing reasonable security safeguards to prevent personal data breaches under Section 8(5).
  4. Notifying the Data Protection Board of India and affected Data Principals in the event of a personal data breach, as mandated under Section 8(6).
  5. Ceasing to retain personal data once the specified purpose is no longer being served, unless retention is required by law.
  6. Establishing grievance redressal mechanisms with a published timeline for resolution.

Consent Framework and Legitimate Uses Without Consent

The Digital Personal Data Protection Act 2023 distinguishes between consent-based processing and certain legitimate uses where consent is not mandatory. Section 7 of the Act lists legitimate uses, which include processing for the performance of a function under law, compliance with judgments or court orders, medical emergencies, and employment-related purposes.

Comparison of consent requirements versus legitimate use exemptions:

| Basis of Processing | Consent Required | Example |
| --- | --- | --- |
| Standard Commercial Processing | Yes | E-commerce platform processing user address for delivery |
| Legitimate Use – Government Function | No | Disbursement of subsidies or benefits by government |
| Legitimate Use – Medical Emergency | No | Hospital accessing medical history during emergency treatment |
| Legitimate Use – Employment | No | Processing employee data for HR administration |

For consent to be valid under the data protection and data privacy act, it must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action. Pre-ticked checkboxes or bundled consent for unrelated services are not considered valid under this Act.

Special Provisions for Processing Personal Data of Children

Section 9 of the Digital Personal Data Protection Act 2023 mandates that Data Fiduciaries obtain verifiable parental consent before processing personal data of any individual below 18 years of age. The data protection and data privacy act specifically prohibits Data Fiduciaries from undertaking behavioral monitoring, targeted advertising, or tracking directed at children, except in cases exempted by the Central Government for specific purposes such as healthcare or education platforms with appropriate safeguards.

Cross Border Data Transfer Provisions

Section 16 of the Digital Personal Data Protection Act 2023 permits the transfer of personal data outside India, except to countries specifically restricted by the Central Government through notification. This represents a departure from the localization-heavy approach proposed in earlier drafts of the data protection and privacy act 2019, which had mandated mirroring of certain sensitive personal data within India.

This shift toward a blacklist approach rather than a whitelist approach aligns India’s framework closer to global data protection and privacy laws, including the European Union’s General Data Protection Regulation, which permits transfers based on adequacy decisions.

Comparative Analysis: India’s Data Protection and Data Privacy Act Versus Global Frameworks

| Parameter | India (DPDP Act 2023) | EU GDPR | American Data Protection and Privacy Act (ADPPA Draft) |
| --- | --- | --- | --- |
| Enforcement Body | Data Protection Board of India | Data Protection Authorities of Member States | Federal Trade Commission (proposed) |
| Maximum Penalty | Up to Rs 250 crore | Up to 4% of global annual turnover | Tiered penalties based on revenue |
| Consent Standard | Free, specific, informed, unambiguous | Explicit and freely given | Opt-out, with opt-in for sensitive data |
| Cross Border Transfer | Blacklist approach (restricted countries notified) | Adequacy decision based | Restrictions on data brokers |
| Children’s Data | Verifiable parental consent under 18 | Parental consent under 16 (member state variable) | Enhanced protections under 17 |

Entities engaged in international operations should also examine how this Act interacts with intellectual property considerations when handling proprietary databases, a subject explored in Protecting Trade Secrets and Confidential Business Information Under Indian Law.

Penalties and Enforcement Mechanism Under the Digital Personal Data Protection Act 2023

The Schedule to the Digital Personal Data Protection Act 2023 prescribes monetary penalties for specific violations, adjudicated by the Data Protection Board of India.

  • Failure to take reasonable security safeguards resulting in a data breach: penalty up to Rs 250 crore.
  • Failure to notify the Board and affected Data Principals of a breach: penalty up to Rs 200 crore.
  • Non-fulfilment of additional obligations related to children’s data: penalty up to Rs 200 crore.
  • Non-fulfilment of obligations by Significant Data Fiduciaries: penalty up to Rs 150 crore.
  • Breach of any other provision or rule: penalty up to Rs 50 crore.

The Data Protection Board of India functions as an adjudicatory body with powers similar to a civil court, and its orders can be appealed before the Appellate Tribunal designated under the Telecom Regulatory Authority of India Act 1997, specifically the Telecom Disputes Settlement and Appellate Tribunal.

Comparison With Other National Data Protection and Privacy Acts

Several jurisdictions outside India have enacted comparable legislation under similar nomenclature, which is relevant for multinational entities operating in India.

  • Data Protection and Privacy Act 2019 Uganda: Enacted by the Parliament of Uganda, this statute regulates the collection and processing of personal data by data controllers and processors within Uganda, establishing the Personal Data Protection Office as the regulatory authority.
  • Data Protection Act Cap 97: This reference typically corresponds to data protection legislation codified within certain Commonwealth jurisdictions’ law revision editions, governing similar principles of lawful processing and data subject rights.
  • American Data Protection and Privacy Act: A federal legislative proposal in the United States intended to create a unified national standard for data privacy, addressing the current patchwork of state-level laws such as the California Consumer Privacy Act.

Practical Compliance Steps for Businesses Under the Data Protection and Data Privacy Act

Organizations operating in India must undertake the following compliance measures to align with the Digital Personal Data Protection Act 2023:

  1. Conduct a Data Protection Impact Assessment to map all categories of personal data collected, processed, and stored.
  2. Update privacy notices to comply with the data protection act privacy notice requirements under Section 5, ensuring notices are available in all languages specified in the Eighth Schedule to the Constitution of India where required.
  3. Implement consent management platforms capable of recording, withdrawing, and managing granular consent.
  4. Appoint a Data Protection Officer if classified as a Significant Data Fiduciary, with the officer based in India and reporting to the Board of Directors.
  5. Establish a breach response protocol with defined timelines for notifying the Data Protection Board of India.
  6. Review vendor and third-party contracts to ensure Data Processors are contractually bound to the same security standards.

Businesses structuring these compliance frameworks within broader corporate governance documents may benefit from reviewing director liability provisions discussed in Director Duties and Liabilities Under the Companies Act 2013.

Frequently Asked Questions on the Data Protection and Data Privacy Act

1. What is data protection and data privacy under Indian law?

Data protection and data privacy under Indian law refers to the legal framework established by the Digital Personal Data Protection Act 2023, which governs how personal data of individuals is collected, processed, stored, and shared by Data Fiduciaries, while granting Data Principals enforceable rights over their own data.

2. Is the data protection and data privacy act 2019 still applicable in India?

No, the Personal Data Protection Bill 2019 was withdrawn from Parliament in August 2022 and was subsequently replaced by the Digital Personal Data Protection Act 2023, which is the current operative data protection and data privacy act in India.

3. What is a data protection act privacy notice and is it mandatory?

A data protection act privacy notice is a mandatory disclosure that a Data Fiduciary must provide to a Data Principal at or before the time of collecting personal data, detailing the purpose of processing, categories of data collected, and the process for exercising rights under Sections 11 to 14 of the Digital Personal Data Protection Act 2023.

4. How does India’s data protection and data privacy act compare to global data protection and privacy laws?

India’s Digital Personal Data Protection Act 2023 shares structural similarities with global data protection and privacy laws such as the EU GDPR, particularly regarding consent requirements and breach notification, but differs in its blacklist approach to cross border data transfers and its tiered penalty structure capped at Rs 250 crore.

5. Does the data protection and data privacy act 2019 Uganda apply to Indian companies?

The data protection and data privacy act 2019 Uganda applies only to data controllers and processors operating within Uganda or processing data of Ugandan residents; Indian companies with operations or data subjects in Uganda would need to separately comply with that jurisdiction’s Personal Data Protection Office regulations in addition to India’s Digital Personal Data Protection Act 2023.

6. What penalties apply for non-compliance with the data protection and data privacy act in India?

Penalties under the Digital Personal Data Protection Act 2023 range from Rs 50 crore for general violations to Rs 250 crore for failure to implement reasonable security safeguards leading to a personal data breach, as determined by the Data Protection Board of India.


About the Author: Written and verified by Pankaj Tiwari (B.Sc., LL.B.), founder of Legal Vichar, specializing in Indian Civil, Property, and Corporate Laws. For professional inquiries, connect on LinkedIn.