India Enacts Digital Personal Data Protection Act After 7 Years

Aug 11, 2023 | Veritect Legal Intelligence

Tags: Technology Law, DPDP Act 2023, data protection, privacy, MeitY

The Digital Personal Data Protection Act, 2023 received Presidential assent on 11 August 2023, marking the culmination of a seven-year legislative journey to establish India's first comprehensive data protection framework. The Act, passed by the Lok Sabha on 7 August and the Rajya Sabha on 9 August 2023 during the Monsoon Session, introduces a consent-based regime for processing digital personal data with penalties of up to Rs 250 crore for violations.

Background

India's journey towards a dedicated data protection law began with the Supreme Court's recognition of the right to privacy as a fundamental right in K.S. Puttaswamy v. Union of India (2017). Justice B.N. Srikrishna's Committee submitted its report and a draft Personal Data Protection Bill in 2018. The Personal Data Protection Bill, 2019 was introduced in Parliament and referred to a Joint Parliamentary Committee, which submitted its report in late 2021 recommending significant changes.

The Government withdrew the 2019 Bill in August 2022, citing the need for a comprehensive re-drafting. The Digital Personal Data Protection Bill, 2022 was released for public consultation in November 2022. The final version, introduced as the DPDP Bill, 2023, adopted a more principles-based approach compared to the prescriptive framework of the earlier iterations, drawing comparisons to a simplified version of the European GDPR adapted for Indian conditions.

The existing framework under Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 was widely recognised as inadequate for the digital economy's scale and complexity.

Key Provisions

The DPDP Act establishes the following regulatory framework:

  1. Consent-based processing: Personal data may be processed only with the consent of the data principal (the individual whose data is being processed) or for certain legitimate uses specified in the Act. Consent must be free, specific, informed, unconditional, and unambiguous.

  2. Purpose limitation and data minimisation: Data fiduciaries (entities processing personal data) may collect and process data only for the specified purpose communicated at the time of obtaining consent. Data collection must be limited to what is necessary for the stated purpose.

  3. Data Principal rights: Individuals have the right to access information about their data processing, the right to correction and erasure of personal data, the right to grievance redressal, and the right to nominate another person to exercise their rights.

  4. Data Protection Board of India: The Act establishes the Data Protection Board as the adjudicatory body for data protection complaints and compliance matters. The Board will have the power to impose penalties and issue directions.

  5. Significant Data Fiduciaries: The Central Government may designate certain data fiduciaries as Significant Data Fiduciaries based on volume and sensitivity of data processed. These entities face enhanced obligations including appointing a Data Protection Officer, conducting periodic data audits, and undertaking data protection impact assessments.

  6. Cross-border data transfers: The Act permits data transfers to countries and territories notified by the Central Government, departing from the earlier localisation-heavy approach. Transfers to non-notified jurisdictions will be restricted.

  7. Penalties: The Act prescribes financial penalties of up to Rs 250 crore for specified breaches, with a schedule of penalties for different categories of non-compliance. Notably, the Act does not provide for criminal liability.

  8. Government exemptions: The Act provides broad exemptions for processing by State instrumentalities in the interest of sovereignty, security of the State, public order, and certain other specified grounds.

Implications for Practitioners

The DPDP Act creates a fundamentally new compliance landscape for every organisation that processes digital personal data in India. Technology law practitioners should begin advising clients on consent mechanism design, privacy policy revisions, and data processing inventory exercises. The consent requirements will necessitate significant re-engineering of data collection interfaces across digital platforms.

Corporate lawyers should note that the liability extends to all data fiduciaries, not merely technology companies. Banks, hospitals, educational institutions, and any entity processing customer or employee data will fall within the Act's scope. Practitioners should conduct gap analyses between current data practices and the Act's requirements.

The absence of criminal liability represents a deliberate policy choice, relying instead on substantial financial penalties to drive compliance. However, practitioners should note that the Data Protection Board's composition, appointment process, and operational independence will significantly influence the enforcement regime's effectiveness — areas where the rules are yet to be notified.

The broad government exemption provisions may face constitutional challenge on grounds of proportionality, given the Puttaswamy framework's requirement that privacy restrictions satisfy the proportionality test.