
Understanding India's Digital Personal Data Protection Act 2023 (DPDPA) including data principal rights, consent requirements, data fiduciary obligations, and penalties.

Adv. Sayyed Parvez | 27 March 2026 | 10 min read

# Digital Personal Data Protection Act 2023: Key Provisions Explained


After years of deliberation, multiple draft bills, and extensive public consultation, India finally enacted the **Digital Personal Data Protection Act, 2023 (DPDPA)** on August 11, 2023. The Act received Presidential assent on the same date and was published in the Gazette of India. It represents India's first comprehensive standalone legislation dedicated exclusively to the protection of digital personal data.


The DPDPA is the legislative culmination of the right to privacy recognised as a Fundamental Right by the Supreme Court in **Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1**, where a nine-judge Constitution bench unanimously held that the right to privacy is an intrinsic part of the right to life and personal liberty under **Article 21 of the Constitution of India**. The Puttaswamy judgment specifically noted that informational privacy -- the ability to control the dissemination of personal information -- requires a robust data protection framework.


This article provides a comprehensive educational overview of the DPDPA 2023, its key definitions, the rights it grants to individuals, the obligations it imposes on entities handling personal data, the enforcement mechanism, penalties, and how it compares with global data protection frameworks.


---


## Background and Legislative Journey


India's journey towards a data protection law has been long and eventful:


- **2017** -- The Supreme Court's Puttaswamy judgment affirmed the right to privacy as a Fundamental Right and called for a comprehensive data protection regime.

- **2017-2018** -- The **Justice B.N. Srikrishna Committee** was constituted by the Government to study data protection issues. The Committee submitted its report, "A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians," along with a draft Personal Data Protection Bill in July 2018.

- **2019** -- The **Personal Data Protection Bill, 2019** was introduced in Parliament. It was referred to a Joint Parliamentary Committee (JPC).

- **2021** -- The JPC submitted its report with the **Data Protection Bill, 2021**, incorporating significant changes.

- **2022** -- The Government **withdrew** the 2019 Bill in August 2022, citing the need for a comprehensive new framework.

- **2022** -- The **Digital Personal Data Protection Bill, 2022** was released for public consultation in November 2022.

- **2023** -- The **Digital Personal Data Protection Bill, 2023** was introduced in Parliament and passed by both Houses. It received Presidential assent on August 11, 2023.


The DPDPA 2023 adopts a significantly simplified and principles-based approach compared to its predecessors, making it more concise and accessible.


---


## Applicability and Scope


### Territorial Scope


The DPDPA 2023 applies to the processing of **digital personal data** within the territory of India where such data is:


1. Collected in **digital form**, or

2. Collected in **non-digital form** and subsequently **digitised**.


The Act also applies to the processing of digital personal data **outside India** if such processing is in connection with any activity related to the **offering of goods or services** to Data Principals within India (Section 3).


### What it Does Not Cover


The Act does **not** apply to:


- Personal data processed by an individual for any **personal or domestic purpose**.

- Personal data that is made or caused to be made **publicly available** by the Data Principal themselves or by any other person under a legal obligation.


---


## Key Definitions


Understanding the DPDPA requires familiarity with its core definitions under **Section 2**:


### Data Principal


The individual to whom the personal data relates. In the case of a child (below 18 years), the Data Principal includes the **parent or lawful guardian**. This is conceptually equivalent to the "data subject" under the European Union's General Data Protection Regulation (GDPR).


### Personal Data


Any data about an individual who is **identifiable by or in relation to** such data. This includes names, email addresses, phone numbers, identification numbers, location data, online identifiers, and any other information that can identify an individual.


### Data Fiduciary


Any person (including an individual, company, firm, association of persons, the State, or a State instrumentality) who, alone or in conjunction with others, **determines the purpose and means of processing** of personal data. This is equivalent to the "data controller" under the GDPR.


### Significant Data Fiduciary


A Data Fiduciary designated as such by the Central Government based on factors including:


- The **volume and sensitivity** of personal data processed.

- **Risk to the rights** of Data Principals.

- **Potential impact** on the sovereignty and integrity of India.

- Risk to **electoral democracy**.

- **Security of the State**.

- **Public order**.


Significant Data Fiduciaries have additional compliance obligations (discussed below).


### Data Processor


Any person who processes personal data **on behalf of a Data Fiduciary**. Unlike the GDPR, the DPDPA places primary responsibility on the Data Fiduciary rather than on the Data Processor directly.


### Consent Manager


A person registered with the Data Protection Board who enables Data Principals to give, manage, review, and withdraw consent through an **accessible, transparent, and interoperable platform**.


---


## Consent: The Foundation of Lawful Processing


**Section 6** of the DPDPA establishes that personal data may be processed only for a **lawful purpose** and only after obtaining the **consent** of the Data Principal (unless processing is for certain legitimate uses described below).


### Requirements for Valid Consent


Consent under the DPDPA must be:


- **Free** -- Given voluntarily without coercion, undue influence, or deception.

- **Specific** -- Relating to a specific, clearly defined purpose.

- **Informed** -- The Data Principal must be provided with clear information about what data is being collected, the purpose of processing, and the means to exercise their rights.

- **Unconditional** -- Consent cannot be bundled with conditions unrelated to the purpose for which consent is sought.

- **Unambiguous** -- Indicated by a clear affirmative action (not pre-ticked boxes or silence).


### Consent Notice


Before seeking consent, the Data Fiduciary must provide a **consent notice** (Section 5) to the Data Principal containing:


- A description of the personal data to be collected and the **purpose** of processing.

- The manner in which the Data Principal can exercise their **rights** (including the right to withdraw consent and file grievances).


The notice must be in **clear and plain language** and may be provided in any of the 22 languages specified in the Eighth Schedule to the Constitution, in addition to English.


### Withdrawal of Consent


The Data Principal has the right to **withdraw consent** at any time. Withdrawal must be as easy as giving consent. Upon withdrawal, the Data Fiduciary must cease processing the personal data within a **reasonable period** and also cause the Data Processor to do the same, unless retention is required under any law (Section 6(4)).


---


## Legitimate Uses Without Consent


**Section 7** of the DPDPA specifies certain situations where personal data can be processed **without the Data Principal's consent**:


1. **Specified purpose** -- Where the Data Principal has voluntarily provided their personal data and has not indicated that they do not consent (e.g., filling out a form to receive a service).

2. **State functions** -- Processing by or on behalf of the State for providing benefits, subsidies, services, certificates, licences, or permits.

3. **Legal obligations** -- Processing necessary for compliance with any **law or court order**.

4. **Medical emergency** -- Processing necessary to respond to a medical emergency involving a threat to the life or health of the Data Principal or any other individual.

5. **Employment purposes** -- Processing for purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality, and related activities.

6. **Public interest** -- Processing in the interest of prevention, detection, investigation, or prosecution of offences, and for purposes related to the sovereignty and integrity of India or security of the State.


---


## Rights of the Data Principal


**Sections 11 to 14** of the DPDPA grant the following rights to Data Principals:


### 1. Right to Access Information (Section 11)


The Data Principal has the right to obtain from the Data Fiduciary:


- A summary of the personal data being processed and the processing activities.

- The identities of all Data Fiduciaries and Data Processors with whom the personal data has been shared.

- Any other information as may be prescribed.


### 2. Right to Correction and Erasure (Section 12)


The Data Principal has the right to:


- **Correct** personal data that is inaccurate or misleading.

- **Complete** personal data that is incomplete.

- **Update** personal data that is out of date.

- **Erase** personal data that is no longer necessary for the purpose for which it was collected, unless retention is required for legal or specified purposes.


### 3. Right to Grievance Redressal (Section 13)


The Data Principal has the right to have a readily available means of **grievance redressal** provided by the Data Fiduciary. The Data Fiduciary must respond to the grievance within a prescribed time frame.


### 4. Right to Nominate (Section 14)


The Data Principal has the right to nominate another individual who shall, in the event of the Data Principal's **death or incapacity**, exercise the Data Principal's rights under the Act. This is a unique provision not commonly found in other data protection frameworks globally.


---


## Obligations of Data Fiduciaries


**Sections 8 and 9** impose several obligations on Data Fiduciaries:


### General Obligations (Section 8)


1. **Purpose limitation** -- Process personal data only for the purpose for which consent was obtained or for legitimate uses specified in the Act.

2. **Data accuracy** -- Make reasonable efforts to ensure that personal data is **complete, accurate, and consistent**.

3. **Data security** -- Implement appropriate **technical and organisational measures** to protect personal data against breaches, including measures to prevent unauthorised collection, use, or disclosure.

4. **Data breach notification** -- Notify the **Data Protection Board of India** and each **affected Data Principal** in the event of a personal data breach, in the prescribed manner and within the prescribed time frame.

5. **Data retention limitation** -- Erase personal data when the Data Principal withdraws consent or when the specified purpose is no longer served, whichever is earlier, unless retention is required by law.

6. **Grievance redressal mechanism** -- Publish contact details of a **Data Protection Officer** (or any designated person) to address grievances.


### Additional Obligations for Significant Data Fiduciaries (Section 10)


Significant Data Fiduciaries must additionally:


1. Appoint a **Data Protection Officer** (DPO) based in India.

2. Appoint an **independent data auditor** to evaluate compliance.

3. Conduct a **Data Protection Impact Assessment** (DPIA) periodically.

4. Undertake periodic **audits** of their data processing activities.

5. Take other measures as may be prescribed by the Central Government.


---


## Processing of Children's Data


**Section 9** provides special protections for children (persons below 18 years of age):


- The Data Fiduciary must obtain **verifiable consent of the parent or lawful guardian** before processing a child's personal data.

- The Data Fiduciary shall **not** undertake processing of personal data that is likely to cause any **detrimental effect** on the well-being of the child.

- **Tracking, behavioural monitoring, or targeted advertising** directed at children is **prohibited**.


The Central Government may, by notification, exempt certain Data Fiduciaries or classes of Data Fiduciaries from these requirements if satisfied that they process data in a verifiably safe manner.


---


## Cross-Border Data Transfer


**Section 16** of the DPDPA adopts a relatively permissive approach to cross-border data transfers:


- Personal data can be transferred to **any country or territory outside India**, except those specifically **restricted or blocked** by the Central Government through notification.

- The Central Government may, by notification, restrict transfer of personal data to specific countries or territories based on an assessment of relevant factors.


This is a significant departure from the earlier drafts (particularly the 2019 Bill), which proposed **data localisation** requirements mandating that certain categories of personal data be stored and processed only within India. The DPDPA 2023 adopts a "blacklisting" approach (restricting specific countries) rather than the "whitelisting" approach used by the GDPR (permitting transfers only to countries with an adequate level of protection).


---


## Data Protection Board of India


**Sections 18 to 28** establish the **Data Protection Board of India (DPBI)** as the adjudicatory body for the enforcement of the Act.


### Composition and Functioning


- The Board consists of a **Chairperson** and **Members** appointed by the Central Government.

- The Board is a **digital office** that exercises its functions in a manner as digital by design as possible, with proceedings conducted through digital means.

- The Board has the powers of a **civil court** for certain purposes (summoning witnesses, requiring production of documents, etc.).


### Functions


- Determine **non-compliance** with the provisions of the Act upon complaints or references.

- Impose **penalties** as prescribed.

- Direct remedial measures to be taken by Data Fiduciaries.

- Refer complaints to **alternate dispute resolution** where appropriate.


The Board is not a regulator in the traditional sense (like the GDPR's Data Protection Authorities); it functions more as an **adjudicatory tribunal** that addresses specific complaints and breaches.


---


## Penalties


**Section 33** and the **Schedule to the Act** prescribe penalties for various non-compliance scenarios:


| Breach | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent personal data breach | **Rs 250 crore** |
| Failure to notify the Board and affected Data Principals of a personal data breach | **Rs 200 crore** |
| Non-fulfilment of additional obligations by Significant Data Fiduciaries | **Rs 150 crore** |
| Breach of obligations relating to children's data | **Rs 200 crore** |
| Non-compliance with any other provision of the Act | **Rs 50 crore** |


Additionally, **Section 15** imposes duties on Data Principals. A Data Principal who provides **false or misleading information**, suppresses material information, or **impersonates another person** while exercising their rights can face a penalty of up to **Rs 10,000**.


These penalties are **per instance** and are determined by the Data Protection Board based on factors such as the nature and gravity of the non-compliance, the number of affected Data Principals, the gain or advantage (if any) to the entity, and the measures taken to mitigate the breach.


---


## Exemptions


**Section 17** provides exemptions from various provisions of the Act in the following cases:


1. **Instrumentalities of the State** -- Processing in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order, or prevention, detection, investigation, or prosecution of offences. The Central Government can exempt any instrumentality of the State from the application of the Act.

2. **Research, archiving, and statistical purposes** -- Processing for research, archiving, or statistical purposes, subject to prescribed safeguards.

3. **Startups and other notified classes** -- The Central Government may notify certain Data Fiduciaries or classes of Data Fiduciaries that are exempt from certain provisions, taking into account the volume and nature of personal data processed. This is intended to reduce the compliance burden on startups and smaller entities.

4. **Processing by courts and tribunals** -- Processing necessary for enforcing any legal right or claim.


The broad exemption granted to State instrumentalities under Section 17(2)(a) has been a subject of significant debate and criticism, with concerns that it may undermine the privacy protections the Act is designed to provide.


---


## Comparison with the GDPR


| Aspect | DPDPA 2023 | GDPR |
|---|---|---|
| **Scope** | Digital personal data only | All personal data (digital and non-digital) |
| **Consent approach** | Free, specific, informed, unconditional | Freely given, specific, informed, unambiguous |
| **Legal bases for processing** | Consent + legitimate uses (Section 7) | Six legal bases including legitimate interest |
| **Right to data portability** | Not explicitly provided | Provided under Article 20 |
| **Right to object** | Not explicitly provided | Provided under Article 21 |
| **Data localisation** | No mandatory localisation; blacklist approach for cross-border transfers | Adequacy-based whitelisting for transfers outside EEA |
| **Enforcement body** | Data Protection Board (adjudicatory) | Independent supervisory authorities (regulatory + adjudicatory) |
| **Maximum penalty** | Rs 250 crore (approx. EUR 28 million) | EUR 20 million or 4% of global annual turnover |
| **Children's age threshold** | 18 years | 16 years (member states can lower to 13) |
| **Right to be forgotten** | Right to erasure (Section 12) | Right to erasure (Article 17) |
| **Data Protection Officer** | Required for Significant Data Fiduciaries only | Required for certain controllers and processors |


The DPDPA is notably more concise than the GDPR (about 30 sections versus the GDPR's 99 articles and 173 recitals), reflecting a deliberate design choice to keep the legislation simple and principle-based, with details to be filled in through rules and notifications.


---


## Current Implementation Status


As of early 2026, the DPDPA 2023 is in a **phased implementation** stage:


- The Act has received Presidential assent and has been published in the Gazette.

- The Central Government is in the process of framing the **rules** under the Act, which will provide detailed procedural requirements, timelines, and standards.

- The **Data Protection Board of India** is being constituted, with the appointment process for the Chairperson and Members underway.

- The Government has indicated that the Act will be brought into force in a **phased manner**, with different provisions being notified on different dates.

- Several industry bodies and organisations are proactively aligning their data practices with the DPDPA, even before the rules are formally notified.


Entities that process personal data are advised to begin their compliance preparations early, including conducting data mapping exercises, reviewing consent mechanisms, updating privacy policies, and establishing grievance redressal processes.


---


## Frequently Asked Questions


### Does the DPDPA apply to offline data?


The DPDPA applies to the processing of **digital personal data**. However, if data is collected in a non-digital form (e.g., a paper form) and subsequently **digitised**, the Act applies to the processing of that digitised data (Section 3).


### What is the difference between a Data Fiduciary and a Data Processor?


A **Data Fiduciary** determines the purpose and means of processing personal data (equivalent to a "data controller" under the GDPR). A **Data Processor** processes personal data on behalf of the Data Fiduciary (equivalent to a "processor" under the GDPR). The DPDPA places primary compliance responsibility on the Data Fiduciary.


### Can personal data be transferred outside India?


Yes, personal data can be transferred to any country or territory **except** those specifically restricted by the Central Government through notification (Section 16). The Government has not yet published a list of restricted countries as of early 2026.


### What should a business do to comply with the DPDPA?


While the detailed rules are awaited, businesses should begin by:

- **Mapping their data flows** -- Identifying what personal data they collect, from whom, for what purpose, and where it is stored.

- **Reviewing consent mechanisms** -- Ensuring consent is collected in a manner that is free, specific, informed, and unconditional.

- **Updating privacy policies** -- Ensuring transparency about data processing activities.

- **Implementing security measures** -- Establishing technical and organisational safeguards appropriate to the nature and volume of data processed.

- **Setting up grievance redressal** -- Designating a person or mechanism for handling Data Principal grievances.

- **Reviewing vendor contracts** -- Ensuring Data Processor agreements include adequate data protection obligations.


### What rights do I have over my personal data under the DPDPA?


As a Data Principal, you have the right to:

- **Access** information about your personal data being processed.

- **Correct, complete, update, or erase** your personal data.

- **Grievance redressal** from the Data Fiduciary.

- **Nominate** another person to exercise your rights in the event of death or incapacity.

- **Withdraw consent** at any time.


### What happens if a company suffers a data breach?


The Data Fiduciary must notify the **Data Protection Board of India** and each **affected Data Principal** about the breach in the prescribed manner and time frame. Failure to implement reasonable security safeguards can attract a penalty of up to **Rs 250 crore**, and failure to notify can attract a penalty of up to **Rs 200 crore**.


### Does the DPDPA have a "right to be forgotten"?


The DPDPA provides for the **right to erasure** (Section 12), which allows the Data Principal to request the erasure of personal data that is no longer necessary for the purpose for which it was collected. While this is conceptually similar to the "right to be forgotten" under the GDPR, the DPDPA does not use that specific terminology. The scope and application of this right will be further clarified through rules.


### Are there any duties imposed on Data Principals?


Yes. **Section 15** imposes duties on Data Principals, including:

- Not filing **false or frivolous** complaints with the Data Fiduciary or the Board.

- Not providing **false information** or suppressing material information.

- Not **impersonating** another person while providing personal data.

- Complying with applicable laws when exercising their rights.


Violation of these duties can attract a penalty of up to **Rs 10,000**.


---


## Conclusion


The Digital Personal Data Protection Act, 2023 marks a watershed moment in India's legal landscape. By establishing a comprehensive framework for the protection of digital personal data, it gives legislative expression to the constitutional right to privacy and creates a structured mechanism for individuals to exercise control over their personal information.


While the Act is a significant step forward, its effectiveness will depend largely on the rules that are framed, the functioning of the Data Protection Board, and the manner in which exemptions -- particularly those relating to State instrumentalities -- are operationalised. The phased implementation approach offers both opportunities and challenges, as entities across sectors prepare to align their data practices with the new legal requirements.


As India's digital economy continues to expand rapidly, the DPDPA 2023 provides the foundational legal architecture for ensuring that personal data is processed in a manner that respects individual rights while enabling innovation and economic growth.


---


*Disclaimer: This article is intended for educational and informational purposes only. It does not constitute legal advice. The DPDPA 2023 is subject to rules and notifications by the Central Government that may affect the interpretation and application of its provisions. Readers are encouraged to consult a qualified legal professional for guidance specific to their circumstances.*

