DPDP Act 2023 Awaits Rules as Implementation Framework Takes Shape

Dec 5, 2023
Veritect Legal Intelligence

The Digital Personal Data Protection Act, 2023, which received Presidential assent on 11 August 2023, remained pending full operationalisation as of December 2023, with the Ministry of Electronics and Information Technology developing the subordinate rules framework necessary for the Act's implementation. The DPDP Act represents India's first comprehensive standalone legislation on personal data protection, establishing a consent-based framework for the processing of digital personal data and creating the institutional machinery for enforcement through a Data Protection Board.

Background

India's journey toward comprehensive data protection legislation spanned over six years, beginning with the Justice B.N. Srikrishna Committee's 2018 recommendations and passing through multiple iterations of draft Bills — the Personal Data Protection Bill, 2019, the Data Protection Bill, 2021 (withdrawn), and finally the Digital Personal Data Protection Bill, 2023. The Act was passed by Parliament on 9 August 2023 and received Presidential assent on 11 August 2023.

However, the Act's operative provisions are structured to come into force on dates to be notified by the Central Government, and the detailed implementation framework is delegated to subordinate rules. As of December 2023, neither the commencement notification nor the draft rules had been issued, leaving the business community in a preparatory phase without definitive compliance requirements.

Key Provisions

The DPDP Act establishes the following framework:

  1. Consent-based processing: Personal data may be processed only for lawful purposes with the consent of the Data Principal (the individual whose data is processed) or for certain legitimate uses specified in the Act.

  2. Data Fiduciary obligations: Entities that determine the purpose and means of processing personal data (Data Fiduciaries) are subject to obligations regarding data accuracy, storage limitation, and the implementation of appropriate technical and organisational safeguards.

  3. Rights of Data Principals: Individuals are granted the right to access their data, the right to correction and erasure, the right to nominate another person to exercise their data rights, and the right to grievance redressal.

  4. Data Protection Board of India: The Act establishes the Data Protection Board as the adjudicatory and enforcement body, empowered to impose penalties for non-compliance. The Board is to function as a digital-first institution, accepting complaints and conducting proceedings electronically.

  5. Significant Data Fiduciary category: Certain entities designated as Significant Data Fiduciaries — based on volume and sensitivity of data processed — face enhanced obligations, including the appointment of a Data Protection Officer and conducting periodic data protection impact assessments.

  6. Cross-border data transfers: The Act permits transfer of personal data outside India, except to countries specifically notified by the Central Government as restricted destinations.

Implications for Practitioners

Technology law practitioners should advise clients to commence readiness assessments even in the absence of finalised rules. The Act's broad framework — particularly the consent management requirements, Data Fiduciary obligations, and the establishment of grievance redressal mechanisms — necessitates operational and technical preparation that will require lead time regardless of when the rules are notified.

Corporate counsel should conduct a mapping exercise to identify all personal data processing activities within their organisations, classify them against the Act's lawful processing grounds, and assess the consent mechanisms currently in place. The designation of Significant Data Fiduciaries will create a differentiated compliance burden, and organisations processing large volumes of personal data should prepare for the enhanced obligations.

The absence of rules as of December 2023 creates a window for proactive preparation that could prove advantageous once compliance timelines are prescribed.