Data Protection (DPDP Act) refers to India's comprehensive legal framework for the protection of digital personal data, established by the Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023). Under Indian law, the DPDP Act creates a rights-based regime governing the collection, processing, storage, and transfer of personal data, imposing obligations on data fiduciaries and conferring enforceable rights on data principals (individuals whose data is processed).
Legal definition
The Digital Personal Data Protection Act, 2023 was enacted on 11 August 2023 following Presidential assent. Its core operative provision establishes the scope of data protection:
Section 4 — Application of the Act: "The provisions of this Act shall apply to the processing of digital personal data within the territory of India where the personal data is collected — (a) in digital form; or (b) in non-digital form and digitised subsequently."
The Act also has extra-territorial application:
Section 4(2): The Act applies to processing of digital personal data outside India "if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India."
The constitutional foundation for the DPDP Act rests on the Supreme Court's recognition of the right to privacy as a fundamental right under Article 21 of the Constitution. The DPDP Act replaces the erstwhile Section 43A of the IT Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which previously constituted India's limited data protection regime.
Key structural elements of the Act include:
- Grounds for processing (Section 4-7): Personal data may only be processed for a lawful purpose with consent of the data principal, or for "certain legitimate uses" specified in Section 7 (state functions, medical emergencies, employment purposes, etc.)
- Data Protection Board (Section 18-27): An adjudicatory body established to determine non-compliance, impose penalties, and hear grievances
- Significant Data Fiduciary (Section 10): The Central Government may designate certain data fiduciaries as "significant" based on volume of data processed, risk to data principals, and impact on sovereignty — triggering enhanced obligations including appointing a Data Protection Officer and conducting data protection impact assessments
- Cross-border transfer (Section 16): Personal data may be transferred to countries not restricted by the Central Government through notification
- Penalties (Schedule): Up to Rs 250 crore for failure to take reasonable security safeguards; up to Rs 200 crore for failure to notify the Board and data principals of a data breach; up to Rs 150 crore for non-compliance with obligations regarding children's data
How courts have interpreted this term
Justice K.S. Puttaswamy (Retd.) v. Union of India [(2017) 10 SCC 1]
A nine-judge bench of the Supreme Court unanimously held that the right to privacy is a fundamental right protected under Articles 14, 19, and 21 of the Constitution. Justice D.Y. Chandrachud, writing the lead opinion, stated that "informational privacy" — the right to control the dissemination of personal information — is a facet of the right to privacy. This ruling established the constitutional foundation upon which the DPDP Act was subsequently built, mandating that any state restriction on informational privacy must satisfy the three-fold test of legality, necessity, and proportionality.
Justice K.S. Puttaswamy (Retd.) v. Union of India (Aadhaar judgment) [(2019) 1 SCC 1]
A five-judge Constitution Bench upheld the constitutional validity of the Aadhaar scheme under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, while striking down Section 57 that permitted private entities to use Aadhaar for authentication. Justice A.K. Sikri, writing for the majority, applied the proportionality test from the Puttaswamy (privacy) ruling and held that while the state could mandate Aadhaar for welfare delivery and tax filing, its use by private companies lacked a "compelling state interest." This judgment directly shaped the DPDP Act's approach to consent-based processing and the distinction between state and private-sector data use.
Binoy Viswam v. Union of India [(2017) 7 SCC 59]
The Supreme Court upheld the mandatory linking of PAN with Aadhaar under Section 139AA of the Income Tax Act, observing that the right to informational privacy is not absolute and must be balanced against the state's legitimate interest in preventing tax evasion. This balancing framework influenced the "certain legitimate uses" exemptions in Section 7 of the DPDP Act.
Why this matters
The DPDP Act represents India's first comprehensive data protection legislation, applicable to every entity processing digital personal data of individuals in India. With India having over 800 million internet users and a rapidly growing digital economy, the Act affects virtually every business — from startups and e-commerce platforms to banks, hospitals, and educational institutions.
For businesses operating as data fiduciaries, compliance requires implementing notice-and-consent mechanisms (Section 5-6), ensuring data accuracy and purpose limitation (Section 8), establishing grievance redressal mechanisms (Section 13), and building systems for data erasure upon withdrawal of consent or fulfilment of purpose (Section 12). Significant data fiduciaries face additional obligations including periodic data audits, impact assessments, and appointment of an independent data auditor.
For individuals (data principals), the Act confers six key rights: the right to information about processing (Section 11), the right to correction and erasure (Section 12), the right to grievance redressal (Section 13), the right to nominate (Section 14), and the right to withdraw consent at any time with the same ease with which it was given (Section 6(5)). Importantly, the Act also imposes duties on data principals — Section 15 requires data principals not to file false or frivolous complaints and not to furnish false personal data.
For practitioners, the DPDP Act creates a new adjudicatory body — the Data Protection Board of India — with the power to impose financial penalties up to Rs 250 crore per instance of non-compliance. Appeals from the Board lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). The Act's phased implementation timeline means that different provisions are being notified at different stages, requiring continuous monitoring of compliance deadlines.
Frequently asked questions
When did the DPDP Act come into effect in India?
The Digital Personal Data Protection Act, 2023 received Presidential assent on 11 August 2023 and was published in the Official Gazette on the same date. However, the Act is being implemented in phases, with different provisions notified at different times. The Central Government notifies effective dates through official notifications published in the Gazette of India, and businesses must monitor these notifications to ensure timely compliance.
Does the DPDP Act apply to data collected before the Act was enacted?
Yes. Section 4 of the DPDP Act applies to the processing of digital personal data, regardless of when it was collected. If a data fiduciary continues to process personal data collected before the Act's commencement, it must ensure that such processing complies with the Act's provisions, including obtaining consent or establishing a legitimate use ground.
What are the penalties for non-compliance with the DPDP Act?
The Schedule to the DPDP Act prescribes financial penalties: up to Rs 250 crore for failure to implement reasonable security safeguards to prevent a data breach; up to Rs 200 crore for failure to notify the Data Protection Board and affected data principals of a breach; up to Rs 150 crore for non-compliance with obligations regarding children's data; and up to Rs 50 crore for other breaches of obligations by data fiduciaries. The Data Protection Board determines penalties based on the nature, gravity, and duration of the breach.
How is the DPDP Act different from GDPR?
While both frameworks are consent-based, the DPDP Act differs from the EU's General Data Protection Regulation in several respects. The DPDP Act applies only to digital personal data (not paper records), does not create a distinct category of "sensitive personal data," grants broader exemptions for state processing, and does not include a right to data portability. However, the DPDP Act imposes duties on data principals (which GDPR does not) and creates a dedicated adjudicatory body — the Data Protection Board — rather than relying on a supervisory authority model.
This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.
Last updated: 2026-03-27. Veritect provides this content for informational purposes only; it does not constitute legal advice.