Overview of Digital Personal Data Protection Act (DPDP Act) 2023

Blog | Company Law | 6 Min Read | By Taxmann | Last Updated on 4 May, 2025

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection law, enacted on August 11, 2023. It establishes a legal framework for the processing of digital personal data, recognising individuals' right to protect their personal data while allowing lawful data processing.

Table of Contents

  1. Introduction
  2. Legislative Genesis
  3. Seven Foundational Principles
  4. Territorial & Material Scope
  5. Key Definitions
  6. Rights of Data Principals
  7. Obligations of Data Fiduciaries
  8. Consent & “Legitimate Uses”
  9. Cross‑Border Transfer
  10. Regulatory Architecture
  11. Penalty Framework
  12. Interplay with Other Laws
  13. Timeline to Compliance
  14. Conclusion

1. Introduction

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) is the Republic’s first dedicated statute on personal‑data privacy. Enacted on 11 August 2023 and awaiting phased commencement, the Act fulfils two constitutional imperatives –

  1. Protect the fundamental right to privacy (Justice K.S. Puttaswamy v. Union of India, 2017).
  2. Permit legitimate data processing for economic development, good governance and national security.

Replacing the patchwork rules that previously sat under the Information Technology Act, 2000, the DPDP Act introduces clear rights for individuals (Data Principals) and corresponding duties for organisations that determine the purpose and means of processing (Data Fiduciaries).

This overview distils the Act’s legislative background, guiding principles, territorial reach, individual rights, fiduciary obligations, enforcement architecture, penalty matrix and interplay with other laws.

2. Legislative Genesis

  • 2017 – Supreme Court declares privacy a fundamental right; Government appoints the Justice B.N. Srikrishna Committee.
  • 2018 – Committee submits its report “A Free and Fair Digital Economy” and the Draft Personal Data Protection Bill.
  • 2019 to 2021 – Successive Bills introduced; the Joint Parliamentary Committee proposes a 2021 version, which is later withdrawn.
  • 03 Aug 2023 – Digital Personal Data Protection Bill, 2023, tabled in the Lok Sabha.
  • 09 Aug 2023 – The Bill passes both Houses of Parliament.
  • 11 Aug 2023 – Presidential assent; DPDP Act (No. 22 of 2023). Commencement to follow by notification of provisions.


3. Seven Foundational Principles

The statute expressly adopts seven privacy principles that guide every substantive obligation –

  1. Consent, Lawfulness & Transparency – Personal data shall be processed only on the free, informed and specific consent of the individual, or on another lawful ground.
  2. Purpose Limitation – Personal data shall be processed strictly for the stated purpose.
  3. Data Minimisation – Only such data shall be collected as is necessary and proportionate to the specified purpose of processing.
  4. Accuracy – Reasonable efforts must be made to ensure that personal data is accurate and kept up to date.
  5. Storage Limitation – Data must be erased once the purpose ends or the statutory retention period expires.
  6. Reasonable Security Safeguards – Appropriate technical and organisational measures shall be implemented to ensure the confidentiality, integrity and availability of personal data.
  7. Accountability – Entities processing personal data are responsible for compliance and face adjudicatory penalties in case of breach.

Every right or duty in later chapters flows from these axioms.

4. Territorial & Material Scope

4.1 Processing inside India

Any personal data that is collected in digital form, or collected offline and digitised later, and is processed in India falls squarely under the DPDP Act.

4.2 Extra‑territorial reach

Processing outside India is also covered if it relates to offering goods or services to, or profiling of, individuals within India. Global businesses hosting servers abroad cannot escape compliance if they target Indian users.

4.3 Exclusions

The Act does not apply to –

  • Purely personal or domestic processing by an individual.
  • Personal data made public by the individual herself or under statutory mandate.
  • Non‑digital data that is never digitised.
  • Processing by Government agencies exempted under Section 17 for reasons of sovereignty, security or public order.


5. Key Definitions

Key terms (Section 2) –

  • Data Principal – The individual to whom the personal data relates; for a child (under 18 years), the parent or guardian acts on the child's behalf.
  • Data Fiduciary – A person (natural or juristic) who, alone or in conjunction with others, determines the purpose and means of processing personal data.
  • Data Processor – A person who processes personal data on behalf of a Data Fiduciary.
  • Significant Data Fiduciary (SDF) – Any Data Fiduciary so designated by the Central Government on factors such as the volume and sensitivity of data, risk to individual rights, etc.
  • Personal Data Breach – Unauthorised processing, or accidental disclosure, alteration or loss, of personal data that compromises its confidentiality, integrity or availability.

6. Rights of Data Principals

The Act grants individuals four core rights (plus the right to nominate a representative) –

  1. Right to Information (Access) – confirmation that personal data is being processed, a summary of that data, and the identities of those with whom it has been shared.
  2. Right to Correction, Updating and Erasure – rectify inaccurate or misleading data, complete incomplete data and update personal data; also have data erased once the purpose ends or consent is withdrawn (subject to legal-retention carve-outs).
  3. Right to Grievance Redressal – complain first to the Fiduciary and, if unsatisfied, escalate to the Data Protection Board of India.
  4. Right to Nominate – nominate a person to exercise the Data Principal's rights in the event of his or her death or incapacity.

These rights are actionable, time‑bound and enforceable via penalties.

7. Obligations of Data Fiduciaries

Every Data Fiduciary must—

  • Obtain valid and informed consent from the Data Principal, preceded by a notice in clear and plain language, and enable easy withdrawal of that consent.
  • Adhere to the principles of purpose limitation (processing only for the specified purpose) and data minimisation (collecting only necessary data).
  • Ensure the accuracy of personal data and implement appropriate technical and organisational security controls.
  • Respect Data‑Principal rights within prescribed timelines.
  • Notify the Data Protection Board of India and affected individuals “as soon as practicable” after a personal‑data breach.

Additional duties for Children’s data – Parental consent, no behavioural tracking or targeted advertising, and no processing detrimental to a child’s well‑being.

Additional duties for SDFs – Appoint an India-based Data Protection Officer, conduct annual independent audits, carry out a compulsory Data Protection Impact Assessment (DPIA) for high-risk processing, maintain records, and comply with further safeguards as notified by the Government.

8. Consent & “Legitimate Uses”

Consent must be free, informed, specific, unambiguous, unconditional and given by clear affirmative action. The Act prohibits the use of dark‑pattern consent and allows for withdrawal at any time.

Processing without consent (Section 7) is permitted only in the following tightly defined situations –

  • The Data Principal voluntarily provides the data and raises no objection to its use.
  • State functions such as providing subsidies, benefits, licences, etc.
  • Compliance with laws, court orders or judgments.
  • Medical and epidemic emergencies.
  • Disaster management or situations involving a breakdown of public order.
  • Employment-related processing that is proportionate to the purpose.

9. Cross‑Border Transfer

Unlike earlier drafts, the DPDP Act adopts a “black‑list” approach – it allows personal data to flow to any foreign country except those specifically notified as restricted by the Central Government. Contractual and security safeguards remain advisable, and certain sensitive‑sector restrictions (e.g., payments) continue under the purview of sectoral regulators.

10. Regulatory Architecture

Data Protection Board of India (DPBI) –

  • The DPBI is an adjudicatory authority: it investigates breaches, decides complaints, issues binding directions and levies monetary penalties.
  • It is headed by a Chairperson and comprises other Members.
  • Decisions of the DPBI can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and from there to the Supreme Court.

Voluntary Undertaking –

A Fiduciary under inquiry may offer a remedial undertaking; the DPBI may accept, monitor and enforce it in lieu of full adjudication.

11. Penalty Framework

Contravention – Maximum Penalty (₹)

  • Lack of reasonable security safeguards resulting in a breach – ₹250 crore
  • Failure to inform the DPBI or Data Principals of a breach – ₹200 crore
  • Violation of children-specific provisions – ₹200 crore
  • Non-compliance by an SDF with its additional duties – ₹150 crore
  • Breach of any other provision of the Act or Rules – ₹50 crore
  • Frivolous grievance or complaint by a Data Principal – ₹10,000

The DPBI must consider the gravity and duration of the contravention, any gain or loss caused, the nature of the data and mitigating actions taken before quantifying a fine.

12. Interplay with Other Laws

  • IT Act 2000 – Section 43A of the Information Technology Act, 2000 shall be omitted. The SPDI Rules have been superseded by the DPDP Act.
  • Sectoral Regulations – Retention or localisation mandates of the RBI, IRDAI and SEBI coexist with the Act; where simultaneous compliance is impossible, the DPDP Act prevails to the extent of the conflict.
  • Upcoming Digital India Act – Expected to dovetail with DPDP to modernise intermediary and cybersecurity rules.

13. Timeline to Compliance

The Government will notify staggered commencement dates and allied Rules (breach‑report format, notice language standard, grievance window, etc.). Businesses should—

  1. Map personal data flows and classify processing purposes.
  2. Gap‑assess current privacy notices, consent screens and security controls.
  3. Draft a retention schedule and deletion workflows.
  4. Set up a rights & grievance portal; train staff.
  5. If likely to be an SDF, appoint a Data‑Protection Officer and prepare for annual audit.

14. Conclusion

The DPDP Act ushers India into the front rank of jurisdictions with omnibus data‑protection legislation. For individuals, it converts privacy from an abstract right into actionable powers. For organisations, it imposes rigorous, enforceable duties—with penalties of up to ₹250 crore—for failure to process personal data responsibly.
