DPDP Act vs IT Act – Shifting India’s Data‑protection Paradigm

  • By Taxmann
  • Last Updated on 4 May, 2025

The Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 (IT Act) represent two distinct phases of India’s data governance framework. Before the DPDP Act, personal data protection in India was governed by Section 43A of the IT Act and the accompanying Sensitive Personal Data or Information (SPDI) Rules, 2011. This framework offered limited protection, focusing only on "sensitive personal data" handled by body corporates.

Table of Contents

  1. Historic Context
  2. Key Differences at a Glance
  3. Practical Impact for Existing ITA‑Compliant Firms
  4. Transitional Provisions & Timing
  5. Overlap & Persistence of ITA Controls
  6. Board & C‑Suite Agenda
  7. Regulatory Harmonisation Outlook
  8. Conclusion

1. Historic Context

Since 2011, personal data in India has been largely governed by Section 43A and the SPDI Rules under the Information Technology Act 2000 (ITA). These rules covered “sensitive personal data” and imposed contractual consent and reasonable security requirements. Upon its commencement, the DPDP Act omits Section 43A of the IT Act, establishing a modern, standalone privacy code.

2. Key Differences at a Glance

| Feature | ITA 2000/SPDI Rules | DPDP Act 2023 |
|---|---|---|
| Scope | Body corporates in India; applies to SPDI only | Covers all digital personal data; extraterritorial |
| Consent | Implied by privacy policy + “opt‑out” possible | Explicit, affirmative consent or specific Section 7 grounds |
| Rights | Limited to withdrawal, review & correction (via Rule 5) | Comprehensive access, correction, erasure, grievance, nomination |
| Regulator | No dedicated authority; adjudicating officers & CyAT | Dedicated Data Protection Board of India |
| Penalties | Compensation (actual damage) + Sec 45 fine (₹25 K) | Civil penalties up to ₹250 crore |
| Criminal offences | Yes (Sec 66) for dishonesty/hacking | None in DPDP (but ITA cyber‑offences still apply) |
| Overrides | ITA Sec 81 “Notwithstanding…” | Proviso amended: DPDP now stands independent |

3. Practical Impact for Existing ITA‑Compliant Firms

| DPDP Demand | Old ITA Practice | Adjustment Needed |
|---|---|---|
| Language localisation of the notice | English privacy policy | Translate, layer, add DPB details. |
| Uniform PD definition | Only SPDI covered | Extend controls to all personal data. |
| Breach notification | Optional “as soon as possible” to CERT‑In | Mandatory to DPB + users, likely within 72 hrs. |
| Individual rights portal | Not required | Build portal + backend workflow. |
| Heavy monetary fines | Max ₹25 K statutory + damages | Budget for potential ₹Cr penalties; consider cyber‑insurance. |

4. Transitional Provisions & Timing

| Milestone | Expected Window | Action |
|---|---|---|
| Commencement Notification | Q4 2025 | DPDP provisions enter force in phases. |
| Repeal of Sec 43A + SPDI | Same date | SPDI Rules sunset; DPDP prevails. |
| CERT‑In Directions (2022) | Continue | Coexist; breach must be reported to both CERT‑In & DPB. |

Tip – Maintain dual‑reporting until MEITY harmonises CERT‑In breach‑report timelines with DPDP.

5. Overlap & Persistence of ITA Controls

  • Section 66 offences (computer‑related dishonesty) continue; DPDP doesn’t decriminalise hacking.
  • Section 69 (lawful interception) is unaffected; it remains key for state access.
  • CERT‑In 6‑hour incident‑report directive remains for cybersecurity incidents (expanded list).

Thus, privacy breaches may now trigger three regimes: CERT‑In (cybersecurity), DPDP (privacy), RBI/DOT (sectoral). Build an integrated reporting workflow.

6. Board & C‑Suite Agenda

  1. Rewrite policy stack: supersede SPDI references.
  2. Re‑calibrate risk appetite: penalties are now material to P&L.
  3. Rename roles: “Grievance Officer” may remain, but ensure functions align with DPDP rights SLA.
  4. Re‑tool breach IRP: add DPB notification templates.
  5. Educate management: privacy becomes a board-level KPI, akin to financial compliance.

7. Regulatory Harmonisation Outlook

The forthcoming Digital India Act (DIA) will replace large parts of the ITA. Early consultation papers indicate that the DIA will incorporate cybersecurity, intermediary duties and algorithmic accountability, while DPDP remains the sole privacy law. Expect cross‑references and a unified penalty matrix by 2026.

8. Conclusion

The DPDP Act replaces a two-decade-old, patchwork privacy regime and introduces a modern, rights-centric framework with real enforcement teeth. Organisations that merely tick SPDI boxes must now undertake enterprise-wide transformation to meet DPDP’s stringent standards.
