Navigating the Digital Frontier: India’s Personal Data Protection Act, 2023 – Part 1

Analyzing India’s Personal Data Protection Act, 2023
Introduction: The Dawn of Data Protection in India
In today’s interconnected world, personal data has become a valuable commodity. The rapid advancement of technology, the growth of e-commerce, social media, and digital services, and the increasing reliance on data analytics have led to an unprecedented collection and processing of personal data. This has brought forth global challenges in ensuring data protection, privacy, security, and ethical use of information.
The Digital Personal Data Protection Act, 2023, is a response to the global and national challenges in data protection. It aims to create a resilient and responsible data governance framework that respects individual privacy, ensures national security, fosters economic growth, and aligns with international standards. By doing so, it positions India at the forefront of the global data protection landscape, reflecting a commitment to safeguarding the digital rights and interests of its citizens.
The digital transformation sweeping across India has brought unprecedented opportunities alongside significant challenges regarding personal data protection. With over 1.4 billion people and a rapidly expanding digital economy, India’s need for a robust data protection framework became increasingly apparent. This necessity culminated in the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA), which received Presidential assent on August 11, 2023[1]. The legislation represents India’s first standalone law specifically designed to regulate the processing of digital personal data, marking a watershed moment in the country’s legal landscape.
The journey toward this legislation began in earnest following a landmark constitutional judgment. On August 24, 2017, a nine-judge bench of the Supreme Court of India delivered a unanimous verdict in Justice K.S. Puttaswamy (Retd.) v. Union of India, declaring that the right to privacy is a fundamental right protected under Article 21 of the Constitution of India[2]. This historic judgment overruled earlier decisions and established that privacy is intrinsic to the right to life and personal liberty. The Court observed that privacy encompasses various dimensions including informational privacy, decisional privacy, and physical privacy, all essential to human dignity and autonomy.
The Constitutional Foundation: Puttaswamy Judgment
The Puttaswamy judgment emerged from a challenge to the Aadhaar scheme, India’s biometric identification program. Justice K.S. Puttaswamy, a retired judge of the Karnataka High Court, contended that the mandatory collection of biometric data without adequate safeguards violated citizens’ privacy rights. The case required the Court to address whether the Constitution guarantees a right to privacy, as earlier eight-judge and six-judge benches had held otherwise.
Justice D.Y. Chandrachud, writing for himself and three other judges, articulated that privacy is not merely a common law right but a constitutionally protected fundamental right. The judgment emphasized that privacy enables individuals to exercise control over vital aspects of their lives and protects personal autonomy in matters of intimacy, family, and personal choices. The Court specifically noted that sexual orientation is an essential attribute of privacy and that discrimination based on sexual orientation is deeply offensive to dignity and self-worth.
This constitutional recognition of privacy created an imperative for Parliament to enact legislation safeguarding personal data. The judgment acknowledged that in an age where information technology governs virtually every aspect of life, the law must evolve to protect individual liberty against the overarching presence of both state and non-state entities.
Legislative Evolution and the Path to DPDPA
Following the Puttaswamy judgment, the Government of India constituted a Committee of Experts on Data Protection in 2017, chaired by Justice B.N. Srikrishna. This committee submitted its report in July 2018, which formed the basis for the Personal Data Protection Bill, 2019. That bill was introduced in Parliament in December 2019 and referred to a Joint Parliamentary Committee, which submitted its report in December 2021. However, the government withdrew this bill in August 2022, citing the need for a fresh comprehensive legal framework.
In November 2022, the Ministry of Electronics and Information Technology released a draft Digital Personal Data Protection Bill for public consultation. After incorporating stakeholder feedback, the revised Digital Personal Data Protection Bill, 2023 was introduced in Lok Sabha on August 3, 2023. The bill passed through both houses of Parliament with remarkable speed, passing Lok Sabha on August 7 and Rajya Sabha on August 9, 2023[3]. The President’s assent on August 11, 2023, transformed it into the Digital Personal Data Protection Act, 2023.
Phased Implementation
The DPDPA provides for phased implementation, with different provisions coming into force on dates notified by the Central Government. On November 13, 2025, the government notified the Digital Personal Data Protection Rules, 2025, and established the Data Protection Board of India[4]. The Rules provide for an eighteen-month compliance period, with full implementation expected by May 13, 2027. This phased approach allows organizations time to align their systems and practices with the new requirements.
Core Principles and Scope of the DPDPA
The DPDPA adopts what the government describes as the “SARAL” approach—Simple, Accessible, Rational, and Actionable. The legislation applies to the processing of digital personal data within India and also has extraterritorial application. Specifically, it applies to processing of personal data outside India if such processing relates to offering goods or services to individuals within India. This extraterritorial reach mirrors the approach taken by the European Union’s General Data Protection Regulation (GDPR).
Personal data under the DPDPA is defined as any data about an individual who is identifiable by or in relation to such data. Digital personal data means personal data in digital form. Importantly, the Act applies to data that is collected digitally or collected in non-digital form and subsequently digitized. However, it excludes personal data processed for purely personal or domestic purposes and personal data made publicly available by the data principal or under legal obligation.
Key Stakeholders
The DPDPA defines three primary stakeholders. The Data Principal is the individual to whom the personal data relates. For children under eighteen years of age, parents or legal guardians act as data principals. Similarly, for persons with disabilities, lawful guardians exercise rights on their behalf. The Data Fiduciary is any person who, alone or jointly with others, determines the purpose and means of processing personal data. This concept parallels the “data controller” under GDPR. Finally, the Data Processor is any person who processes personal data on behalf of a data fiduciary. Unlike GDPR, the DPDPA does not impose direct statutory obligations on data processors; responsibilities rest primarily with data fiduciaries.
Consent and Lawful Bases for Processing
The DPDPA establishes consent as the primary legal basis for processing personal data. The Act requires that consent must be free, specific, informed, unconditional, and unambiguous, signified by a clear affirmative action. Data fiduciaries must provide a notice describing the personal data to be collected, the purpose of processing, and the manner in which consent may be withdrawn. This notice must be provided in English or any of the twenty-two languages specified in the Eighth Schedule of the Constitution, ensuring accessibility across India’s linguistically diverse population.
Consent must be limited to personal data necessary for the specified purpose. Data principals have the right to withdraw consent at any time, and the withdrawal mechanism must be as simple as the process for giving consent. Upon withdrawal, data fiduciaries must cease processing and delete the personal data unless retention is required under any law.
Legitimate Uses Beyond Consent
The DPDPA also recognizes certain “legitimate uses” where consent may not be required. These include processing for voluntary sharing by the data principal for a specified purpose, processing necessary for compliance with any law or court order, processing for employment-related purposes, and processing necessary to respond to medical emergencies or public health crises. Additionally, processing for purposes specified by the State such as issuing licenses, permits, or welfare benefits falls within legitimate uses. These exceptions balance individual privacy rights with practical necessities of governance and public welfare.
Rights of Data Principals
The DPDPA grants data principals several important rights concerning their personal data. Data principals have the right to access information about personal data and processing activities. Specifically, they can obtain a summary of personal data being processed, the processing activities undertaken, and the identities of all data fiduciaries and processors with whom their data has been shared.
Data principals also possess the right to correction, completion, and updating of their personal data. This right becomes particularly important when personal data is inaccurate or incomplete. Additionally, data principals have the right to erasure of their personal data. Data fiduciaries must erase personal data once the purpose for which it was collected has been fulfilled or when consent is withdrawn, unless retention is mandated by law.
One innovative feature of the DPDPA is the right to nominate another individual to exercise these rights in the event of death or incapacity. This provision recognizes that digital assets and personal data may have significance beyond an individual’s lifetime and ensures continuity in data protection rights.
Grievance Redressal
The Act mandates that data fiduciaries establish mechanisms for effective grievance redressal. Data principals can submit complaints regarding violations of their rights, and data fiduciaries must respond within a reasonable timeframe. If unsatisfied with the resolution, data principals may escalate their grievances to the Data Protection Board of India.
Obligations of Data Fiduciaries
Data fiduciaries bear substantial responsibilities under the DPDPA. They must ensure that personal data is processed lawfully and transparently, limiting collection to what is necessary for the specified purpose. Data fiduciaries must implement reasonable security safeguards to prevent personal data breaches, which include unauthorized processing, acquisition, disclosure, or any action that compromises the confidentiality, integrity, or availability of personal data.
In the event of a personal data breach, data fiduciaries must immediately notify the Data Protection Board and inform each affected data principal. This requirement differs from GDPR, which requires notification to supervisory authorities within 72 hours and to affected individuals only when the breach poses high risk. The DPDPA’s approach mandates universal notification regardless of severity, reflecting a more stringent standard.
Data fiduciaries must ensure accuracy and completeness of personal data. They are required to erase personal data once the purpose is served or when the data principal withdraws consent. The Act also mandates that data fiduciaries not undertake any processing that is likely to cause harm to children or involve tracking, behavioral monitoring, or targeted advertising directed at children.
Significant Data Fiduciaries
The Central Government has the authority to notify certain data fiduciaries as “Significant Data Fiduciaries” based on factors such as the volume and sensitivity of personal data processed, risk to the rights of data principals, and potential impact on India’s sovereignty and integrity. Significant data fiduciaries face additional obligations including appointing a Data Protection Officer, appointing an independent data auditor, conducting periodic data protection impact assessments, and undertaking other measures as prescribed. This tiered approach recognizes that larger organizations processing substantial volumes of sensitive data require heightened oversight.
The Data Protection Board of India
The DPDPA establishes the Data Protection Board of India as the principal regulatory and adjudicatory authority for data protection. The Board consists of a Chairperson and members appointed by the Central Government. Members must possess special knowledge or practical experience in fields such as data governance, law, information technology, or consumer protection. The Board functions as a quasi-judicial body rather than a policy-making regulator, focusing specifically on enforcement and adjudication.
The Board’s functions include determining non-compliance with the Act, imposing monetary penalties, issuing directions for remedial action in case of data breaches, and hearing grievances escalated by data principals. The Board operates digitally, allowing individuals to file complaints online and track proceedings through a dedicated portal and mobile application. This digital-first approach aims to make the grievance redressal process accessible and efficient.
Appeals against the Board’s decisions lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which was established under the Telecom Regulatory Authority of India Act, 1997. This appellate mechanism ensures judicial oversight of the Board’s orders and decisions.
Penalties and Enforcement
The DPDPA empowers the Data Protection Board to impose significant penalties for non-compliance. Penalties range from INR 50 crores to INR 250 crores (approximately USD 6 million to USD 30 million) depending on the nature and severity of the violation. The Act specifies different penalty amounts for various breaches including failure to protect children’s data, breach of confidentiality, failure to implement reasonable security safeguards, and failure to erase data. These substantial penalties underscore the seriousness with which India approaches data protection compliance.
Cross-Border Data Transfers and Exemptions
Unlike some earlier draft versions, the DPDPA does not impose blanket restrictions on cross-border data transfers. Personal data may be transferred outside India to any country except those specifically notified as restricted by the Central Government. This approach differs significantly from GDPR, which requires adequacy decisions or appropriate safeguards such as standard contractual clauses for transfers to third countries. India’s framework is more flexible, adopting a blacklist approach rather than a whitelist mechanism[5].
The Act provides several exemptions recognizing the legitimate needs of government operations and research activities. Processing by government instrumentalities for purposes related to national security, public order, sovereignty and integrity of India, or prevention and investigation of offenses is exempt from certain provisions. Similarly, processing for research, archiving, or statistical purposes by government entities or entities notified by the government is exempt, provided such processing does not involve making decisions specifically affecting data principals.
Comparison with Global Data Protection Frameworks
The DPDPA shares several foundational principles with the European Union’s General Data Protection Regulation, which has become the global benchmark for data protection. Both frameworks emphasize consent-based processing, recognize individual rights of access and erasure, impose accountability on data controllers or fiduciaries, and provide for substantial penalties for non-compliance. Additionally, both have extraterritorial application extending jurisdiction beyond geographical boundaries[6].
However, important differences exist between the two frameworks. The GDPR provides six lawful bases for processing including consent, contract, legal obligation, vital interests, public task, and legitimate interests. The DPDPA relies primarily on consent with a narrower set of legitimate uses. The GDPR distinguishes between regular personal data and special categories of data (such as health, biometric, genetic, and data revealing racial or ethnic origin) that require enhanced protection. The DPDPA treats all personal data uniformly without categorizing sensitive personal data separately.
The GDPR grants data subjects extensive rights including not only access, correction, and erasure but also rights to data portability, restriction of processing, and objection to automated decision-making. The DPDPA provides a more limited set of rights, omitting data portability and specific protections against automated decision-making. Additionally, GDPR requires data protection impact assessments for high-risk processing, designates data protection officers for certain categories of controllers, and mandates breach notification to supervisory authorities within 72 hours. The DPDPA requires breach notification immediately but without a specific timeframe[7].
Comparison with US Privacy Laws
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act, represents another significant data protection regime. Like the DPDPA, the CCPA emphasizes transparency and consumer control over personal data. Both frameworks require clear notices and provide rights to access and delete personal information. However, the CCPA focuses heavily on the right to opt out of the sale of personal information, a concept absent from the DPDPA since the Act does not specifically address data sales. The CCPA also applies based on revenue thresholds and volume of data processed, whereas the DPDPA has universal application to all data fiduciaries processing data of individuals in India.
Special Protections for Children and Vulnerable Populations
The DPDPA demonstrates particular concern for protecting children’s data. The Act defines a child as any individual who has not completed eighteen years of age, adopting a higher age threshold than GDPR’s sixteen years (or thirteen in some member states). Processing children’s personal data requires verifiable consent from parents or legal guardians. Data fiduciaries are prohibited from undertaking any processing that could cause harm to children, including tracking, behavioral monitoring, or targeted advertising directed at children.
Similarly, the Act provides protections for persons with disabilities by requiring verifiable consent from lawful guardians for processing their personal data. These provisions recognize the vulnerability of certain populations and establish heightened safeguards to protect their interests.
Innovation: Consent Managers
One distinctive feature of the DPDPA is the concept of Consent Managers. These are entities registered with the Data Protection Board that enable data principals to give, manage, review, and withdraw their consent through a single platform. Consent Managers act as intermediaries, simplifying the consent process especially when individuals interact with multiple data fiduciaries. This innovation addresses a practical challenge in the digital ecosystem where individuals often struggle to track and manage consents given to numerous platforms and services[8].
Consent Managers must maintain technological and operational capabilities to effectively manage consent and must adhere to standards prescribed by the Data Protection Board. This framework creates a user-centric mechanism that potentially enhances individual control over personal data while reducing compliance burdens on data fiduciaries.
Challenges and Implementation Considerations
While the DPDPA represents significant progress in India’s data protection journey, its implementation presents several challenges. The Act’s reliance on rules and notifications for many operational details means that its full scope will only become clear as the government issues implementing regulations. Organizations must navigate this evolving regulatory landscape while ensuring ongoing compliance with existing laws until the DPDPA becomes fully operative.
The absence of a definition for sensitive personal data may create uncertainties, particularly for sectors handling health information, financial data, or biometric information. International organizations operating in India must reconcile DPDPA requirements with obligations under GDPR, CCPA, and other jurisdictions’ laws. The differing definitions of lawful processing bases, consent requirements, and individual rights create compliance complexities for multinational entities.
The two-year term for Data Protection Board members, while allowing for re-appointment, has raised questions about the independence and continuity of the regulatory authority. Shorter tenures compared to other regulatory bodies may impact institutional knowledge and consistent enforcement. Additionally, broad exemptions for government processing, particularly for national security and public order, have generated concerns about adequate oversight and potential for misuse.
Prior Legal Framework
Before the DPDPA, India’s data protection framework consisted primarily of Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Section 43A provided for compensation to affected persons for negligence in implementing reasonable security practices resulting in wrongful loss or gain. The 2011 Rules defined sensitive personal data and prescribed security practices for body corporates collecting, receiving, or processing such information[9].
This patchwork framework had significant limitations including narrow scope confined to body corporates, absence of an independent regulatory authority, limited enforcement mechanisms, and inadequate provisions for cross-border data transfers. The DPDPA addresses these deficiencies by establishing a dedicated regulatory body, providing detailed individual rights, imposing specific obligations on data fiduciaries, and creating a robust penalty framework.
Conclusion: India’s Data Protection Future
The Digital Personal Data Protection Act, 2023 marks a pivotal moment in India’s legal evolution, establishing a framework that balances individual privacy rights with the imperatives of digital economic growth. By enshrining data protection principles in legislation and creating institutional mechanisms for enforcement, India has joined the community of nations committed to safeguarding personal data in the digital age.
The Act reflects lessons learned from global experiences while addressing India’s unique context—its scale, diversity, developmental priorities, and digital transformation journey. The phased implementation provides organizations time to adapt, while the simplified language and digital-first approach of the Data Protection Board aim to make the law accessible and practical.
As India moves toward full implementation by 2027, the success of the DPDPA will depend on several factors. The quality and clarity of implementing rules will be crucial. The independence, expertise, and effectiveness of the Data Protection Board will determine enforcement outcomes. The willingness of organizations to embrace a culture of data protection beyond mere compliance will shape the practical impact. Most importantly, public awareness and engagement will empower individuals to exercise their rights meaningfully.
The DPDPA represents not merely a legal obligation but an opportunity—to build trust in the digital ecosystem, to establish India as a responsible data economy on the global stage, and to ensure that technological progress serves human dignity and individual autonomy. As the world’s largest democracy and one of its fastest-growing digital markets, India’s approach to data protection will have implications far beyond its borders, potentially influencing standards across South Asia and beyond.
References
[1] Ministry of Electronics and Information Technology, Government of India. (2023). The Digital Personal Data Protection Act, 2023 (No. 22 of 2023). The Gazette of India Extraordinary. https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
[2] Supreme Court of India. (2017). Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors. Writ Petition (Civil) No. 494 of 2012. https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf
[3] Wikipedia. (2025). Digital Personal Data Protection Act, 2023. https://en.wikipedia.org/wiki/Digital_Personal_Data_Protection_Act,_2023
[4] Press Information Bureau, Government of India. (2025). Digital Personal Data Protection (DPDP) Rules, 2025. Ministry of Electronics & Information Technology. https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655
[5] Linklaters. (2023). India – The Digital Personal Data Protection Act, 2023 finally arrives. DigiLinks Blog. https://www.linklaters.com/en/insights/blogs/digilinks/2023/august/india-the-digital-personal-data-protection-act
[6] Latham & Watkins LLP. (2023). India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison. https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf
[7] DLA Piper. (2025). Data protection laws in India. Data Protection Laws of the World. https://www.dlapiperdataprotection.com/?t=law&c=IN
[8] Morgan Lewis. (2023). India Enacts New Privacy Law: The Digital Personal Data Protection Act. https://www.morganlewis.com/pubs/2023/08/india-enacts-new-privacy-law-the-digital-personal-data-protection-act
[9] PRS Legislative Research. (2023). The Digital Personal Data Protection Bill, 2023. https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023