Digital Personal Data Protection Act, 2023

What the DPDP Act does

The DPDP Act, 2023 is India’s cross-sectoral privacy and data protection law for digital personal data. It applies to data collected in digital form or digitised later, covers extraterritorial processing linked to offering goods/services to people in India, and excludes purely domestic/personal use and data made publicly available by law or by the individual. Commencement is by Government notification (different provisions can start on different dates). MeitY

Key concepts & roles

• Data Principal (the individual), Data Fiduciary (decides purpose/means), Data Processor, and Consent Manager (registered single-window to give/manage/withdraw consent). Notices/consent must be available in English or any Eighth Schedule language. MeitY
• Processing must be based on consent or “certain legitimate uses” enumerated in Section 7 (the Act’s limited non-consent grounds). MeitY

Rights of individuals (Data Principals)

1. Right to access a summary of personal data processed and entities with whom it’s shared.
2. Right to correction, completion, updating and erasure.
3. Right to grievance redressal via the fiduciary/consent manager.
4. Right to nominate another person to exercise rights upon death/incapacity. MeitY

Duties of individuals

Individuals must not impersonate, suppress material info for state IDs, file frivolous grievances, or provide non-authentic information when seeking correction/erasure. MeitY

Core obligations of Data Fiduciaries

• Give a clear notice before/with consent; enable easy withdrawal; cease processing after withdrawal unless another legal basis applies; provide contact for a DPO/authorised person; maintain an effective grievance mechanism; and notify personal data breaches to the Board and affected users. MeitY

Children’s data (strong safeguards)

• Parental/guardian verifiable consent required; processing that is likely detrimental to a child is barred; no tracking, behavioural monitoring, or targeted ads directed at children. MeitY

Significant Data Fiduciary (SDF)

Entities notified as SDFs (based on volume/sensitivity, risks to rights or national interests, etc.) must appoint an India-based Data Protection Officer, engage an independent data auditor, conduct periodic DPIAs and audits, and adopt other prescribed measures. MeitY

Cross-border data transfers

The Act follows a “restricted destinations” model: transfers are allowed except to countries/territories the Central Government may notify as restricted. MeitY

Oversight & enforcement

• Establishes the Data Protection Board of India (a body corporate) to monitor compliance, inquire into breaches, and impose penalties. MeitY
• The Act also empowers the Government, in specified circumstances, to direct intermediaries or agencies to block public access to information on computer resources (read with the IT Act, 2000). MeitY

Penalties (The Schedule)

Maximum monetary penalties the Board may impose include:

• Up to ₹250 crore for failure to take reasonable security safeguards to prevent a personal data breach.
• Up to ₹200 crore for failure to notify a breach to the Board/affected users.
• Up to ₹200 crore for breaches of children’s data obligations.
• Up to ₹150 crore for breaches of SDF obligations.
• ₹10,000 for breaches of Data Principal duties.
• Up to ₹50 crore for breaches of other provisions/rules; and tailored penalties for breach of a voluntary undertaking. MeitY

Interplay with other laws

The Act amends related statutes (e.g., RTI Act 2005, s.8(1)(j) now reads “information which relates to personal information”; IT Act 2000 s.43A omitted), and prevails in case of conflict with other laws.