The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), India's first comprehensive data protection legislation, received presidential assent on 11 August 2023 and was published in the Gazette of India. The Act establishes a consent-based framework for the processing of digital personal data, creates the Data Protection Board of India as the adjudicatory body, and introduces significant financial penalties for non-compliance. Under section 3, the Act applies to the processing of digital personal data within India (including personal data collected in non-digital form and subsequently digitised) and to processing outside India where it is connected with offering goods or services to data principals within India. Unlike the 2022 draft bill, the enacted text does not separately extend to "profiling" of individuals in India.
Background
India's journey towards a dedicated data protection law began with the Supreme Court's recognition of informational privacy as a fundamental right in K.S. Puttaswamy v. Union of India (2017). The subsequent Justice B.N. Srikrishna Committee (2018) produced the first draft of a data protection bill, followed by the Personal Data Protection Bill, 2019 introduced in Parliament. After a Joint Parliamentary Committee review, the 2019 Bill was withdrawn in August 2022 and replaced with the Digital Personal Data Protection Bill, 2023, which was passed by the Lok Sabha on 7 August 2023 and by the Rajya Sabha on 9 August 2023.
The DPDP Act represents a significant departure from the 2019 Bill, adopting a simplified, principles-based approach rather than the detailed, prescriptive model of the European GDPR that had influenced earlier drafts. The Act deals exclusively with digital personal data, leaving non-digital data to be regulated through separate frameworks.
Key Provisions
The Act introduces the following framework:
Consent-based processing: Personal data may be processed only for a lawful purpose, and only with the data principal's consent or for one of the "legitimate uses" listed in section 7 (such as voluntary provision of data for a specified purpose, employment-related purposes, medical emergencies, and performance of State functions). Consent must be free, specific, informed, unconditional, and unambiguous, and given through a clear affirmative action; it may be withdrawn at any time, with the ease of withdrawal required to be comparable to the ease of giving it.
Data principal rights: Individuals (data principals) have the right to access information about their data, seek correction and erasure, nominate a representative, and file grievances. The Act introduces a right to grievance redressal before approaching the Data Protection Board.
Data fiduciary obligations: Entities that determine the purpose and means of processing (data fiduciaries) must ensure the completeness, accuracy and consistency of personal data used to make decisions affecting the data principal or disclosed to another fiduciary, implement reasonable security safeguards to prevent breaches, notify breaches to the Board and to each affected data principal, and erase data when the specified purpose is no longer being served or consent is withdrawn. Fiduciaries remain responsible for compliance even where processing is carried out by a data processor on their behalf.
Significant data fiduciaries: The Central Government may designate certain data fiduciaries as "significant" based on the volume and sensitivity of data processed and the risk their processing poses to data principals, electoral democracy, security and public order, among other factors. These entities face enhanced obligations, including appointing a Data Protection Officer based in India, appointing an independent data auditor, conducting periodic data protection impact assessments, and undergoing periodic audits.
Data Protection Board of India: Established as an independent adjudicatory body to inquire into non-compliance and impose penalties, and to direct remedial measures after a breach. The Board is designed to function as a digital office, receiving complaints, hearing parties and issuing decisions through online means. Appeals from its orders lie to the Telecom Disputes Settlement and Appellate Tribunal.
Penalties: Financial penalties are set out in the Schedule to the Act and range up to Rs 250 crore per instance for failure to take reasonable security safeguards to prevent a personal data breach, with lower ceilings for other breaches such as failure to notify a breach or to meet obligations towards children's data. This places India's penalty framework among the more substantial in the Asia-Pacific region.
Government exemptions: The Act provides broad exemptions for government processing in the interest of sovereignty, security, public order, and prevention of offences, which has drawn criticism from privacy advocates.
Implications for Practitioners
The DPDP Act creates an entirely new compliance vertical for corporate India. Any organisation that acts as a data fiduciary for the digital personal data of individuals in India must put in place consent notices and consent management systems, data breach notification protocols, retention and erasure practices, and grievance redressal mechanisms.
For technology law practitioners, the immediate advisory focus should be on helping clients understand the compliance timeline. Although the Act has received assent, section 1(2) provides that its provisions come into force on such dates as the Central Government notifies, and different dates may be appointed for different provisions. The detailed procedural requirements, including the form of consent notices, the timelines for breach notification and the Board's procedures, are to be prescribed in rules made under the Act. Organisations should use this interim period to conduct data mapping exercises and gap analyses against the Act's requirements.
Privacy lawyers should note the broad government exemption provisions, which may face constitutional challenge given the Puttaswamy framework requiring any privacy restriction to satisfy the tests of legality, necessity, and proportionality. These provisions may generate significant litigation once the Act becomes fully operative.