
Digital Personal Data Protection Act 2023

Last Updated : 08 Apr, 2024

The Digital Personal Data Protection Act 2023 was enacted to define the rights and duties involved in managing the large volume of digital personal data generated in the economy. It aims to balance the privacy rights of individuals against the need to use data for various lawful purposes. The recently passed Digital Personal Data Protection Act (DPDPA), 2023 will replace the existing Information Technology Act, 2000, the Draft Indian Telecommunication Bill, 2022, and a policy addressing the governance of non-personal data.

Figure: Digital Personal Data Protection Act 2023

Digital Personal Data Protection Act 2023 Overview

The Digital Personal Data Protection Act 2023 represents a significant milestone in India’s journey towards safeguarding personal data in the digital age. Enacted to address the growing concerns around data privacy, this comprehensive legislation sets the framework for the collection, processing, storage, and transfer of personal data. It aims to strike a balance between protecting individual privacy rights and facilitating the digital economy’s growth. The Act outlines clear guidelines for data fiduciaries and processors, ensuring transparency and accountability in personal data handling.

What is DPDP Act 2023?

The DPDP Act 2023, short for the Digital Personal Data Protection Act 2023, is India’s answer to the global call for stronger personal data protection mechanisms. It establishes legal provisions for protecting personal information from unauthorized access and misuse, emphasizing individuals’ rights to their data. The Act mandates obtaining explicit consent from individuals before collecting or processing their data, introduces penalties for data breaches, and sets up a regulatory authority to oversee compliance. Designed to adapt to the digital era’s challenges, the DPDP Act 2023 is a cornerstone in ensuring data privacy and security in India.

Digital Personal Data Protection Act 2023 – A Brief History

The digital population in India has grown at a significant pace in the last decade: the number of active Internet users has reached 700 million, with 467 million social media users. As a result, India has emerged as the second-largest internet market. By 2025, IDC projects that the total size of data generated worldwide could reach 175 trillion Zettabytes. In the digital era, the creation of digital data, its ownership, its sharing and protection, and the maintenance of trust among those transmitting it become increasingly important, so a comprehensive data protection law is needed. Here is a brief overview of the history of data protection law in India.

1) During the 2000s: India had no comprehensive data protection law. Privacy aspects were addressed under the Information Technology Act, 2000. The Consumer Protection Act 2015 and the Copyright Act 1957 also protect personal information to some extent. A comprehensive law was lacking.

2) 2017: In the landmark judgment of Justice K.S. Puttaswamy (Retd.) vs Union of India, the Supreme Court of India upheld the ‘Right to Privacy’ as part of the fundamental ‘Right to Life’ enshrined under Article 21 of the Indian Constitution.

3) 2017-2018: The Justice B.N. Srikrishna Committee was formed to draft a comprehensive data protection framework for India. It submitted a draft bill in 2018, which formed the basis for the subsequent Personal Data Protection Bill.

4) 2019: In the Parliament, the Personal Data Protection Bill, 2019, was introduced. The bill aimed to regulate the processing of personal data, impose obligations on data fiduciaries and establish individuals’ rights.

5) 2023: The Digital Personal Data Protection Act (DPDPA), 2023 came into effect on August 11, 2023.

DPDP Act 2023 Objectives

The objectives of the Digital Personal Data Protection Act 2023 are multifaceted, aiming primarily to protect individuals’ privacy in the digital ecosystem. It seeks to establish a comprehensive and coherent framework for the digital economy that respects privacy rights. The Act aims to ensure the personal data of citizens is processed securely and transparently, promoting trust in digital services. Additionally, it intends to foster responsible data processing practices among entities, enhancing data security across sectors.

Purpose of Digital Personal Data Protection Act

The purpose of the Digital Personal Data Protection Act is to safeguard personal data from unauthorized access, use, and dissemination. It provides a legal structure for data processing activities, ensuring that personal data is handled in a manner that respects individual privacy. The Act also aims to empower individuals with rights over their data, including the right to access, correct, and erase their personal information. By doing so, it establishes clear accountability and responsibilities for data fiduciaries and processors.

Why DPDP Act was Introduced?

The DPDP Act was introduced in response to the urgent need for robust data protection laws in the face of rapidly evolving digital technologies and increasing cyber threats. With the digitalization of services and the exponential growth of data, there was a clear necessity to protect personal information from misuse and breaches. The Act was designed to provide a legal framework that aligns with global data protection standards, ensuring that India remains a secure and trustworthy digital market. It reflects a commitment to protecting citizens’ privacy while enabling digital innovation and economic growth.

Visual Guide – Digital Personal Data Protection Act 2023

Figure: Digital Personal Data Protection Act 2023

Need of Data Protection

There is a need for data protection as:

  • In the digital age, a very large volume of data is generated. A data protection law ensures the protection of individuals’ personal information and preserves their right to privacy.
  • It prevents unauthorized access to and misuse of sensitive information.
  • Without effective data protection there could be increased surveillance, profiling of individuals, and similar harms.
  • It reduces the risk of identity fraud, theft, and other cybercrimes.
  • It builds trust between businesses, organizations, and individuals, and increases confidence in digital interactions.
  • The bill defines the rights and responsibilities of digital citizens (Digital Nagrik) and the legal duties of Data Fiduciaries in using collected data.
  • The volume of data on the internet is increasing significantly, and new technologies such as artificial intelligence and the Internet of Things pose a growing threat of data misuse.

Digital Personal Data Protection Act 2023

Objective: To provide a comprehensive framework for the Protection and Processing of Personal Data. It recognizes both the rights of the individuals to protect their Personal Data and the need to process such Personal Data for lawful purposes and other related matters.

Definition of Data: Any representation of information, fact(s), concept(s), opinion(s), and instruction(s) which is capable of being communicated, interpreted, and processed by human beings or by automated means. Further, any data about an individual (Data Principal) who is identifiable by or in relation to such data has been referred to as Personal Data in the Act.

DPDP Act 2023 Key Features

The Digital Personal Data Protection Act 2023 introduces several key features designed to enhance data privacy and security. These include:

Applicability

  • The Bill applies to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised.
  • It will also apply to the processing of personal data outside India if it is for offering goods or services in India.

Consent

  • Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.
  • For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
  • A notice must be given before seeking consent. The notice should contain details about the personal data to be collected and the purpose of processing.
  • Consent may be withdrawn at any point of time.

Rights of data principal

A data principal is an individual whose data is being processed. An individual will have the right

  • to obtain information about processing,
  • to seek correction and erasure of personal data,
  • to nominate another person to exercise these rights in the event of death or incapacity, and
  • to grievance redressal.

Duties of Data Principals

Data Principals must not

  • register a false or frivolous complaint, or
  • furnish any false particulars or impersonate another person in specified cases.

Violation of these duties will be punishable with a penalty of up to Rs 10,000.

Duties of Data Fiduciaries

Data fiduciaries are the entities that determine the purpose and means of processing. They must

  • Make reasonable efforts to ensure the accuracy and completeness of data.
  • Build reasonable security safeguards to prevent a data breach.
  • Inform the Data Protection Board of India and affected persons in the event of a breach.
  • Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes.

Transfer of Personal Data outside India

  • The central government will notify countries where a data fiduciary may transfer personal data.
  • Transfers will be subject to prescribed terms and conditions.

Exemptions

Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases. These include

  • prevention and investigation of offences, and
  • enforcement of legal rights or claims.

The central government may, by notification, exempt certain activities from the application of the Bill. These include

  • processing by government entities in the interest of the security of the state and public order, and
  • research, archiving, or statistical purposes.

Data Protection Board of India

The central government will establish the Data Protection Board of India. The main functions of the Board will be:

  • monitoring compliance and imposing penalties,
  • directing data fiduciaries to take necessary measures in the event of a data breach, and
  • grievance redressal.

Penalties and Appeal

The act specifies penalties for various offences such as:

  • a penalty of Rs 200 crore for non-fulfilment of obligations for children, and
  • a penalty of Rs 250 crore for failure to take security measures to prevent data breaches.

The decisions of the Board can be appealed to the Telecom Disputes Settlement and Appellate Tribunal.

Main Provisions of DPDP Act

The main provisions of the DPDP Act focus on establishing a robust legal framework for data protection:

  • Data Processing Guidelines: Specifies conditions under which data can be processed, including provisions for sensitive personal data.
  • Accountability and Transparency: Requires data fiduciaries to implement policies, maintain records, and conduct data protection impact assessments.
  • Penalties for Non-Compliance: Introduces significant penalties for violations, including financial fines and corrective actions.
  • Grievance Redressal Mechanism: Outlines procedures for individuals to address complaints regarding data processing violations.

Digital Personal Data Protection Highlights

The highlights of the Digital Personal Data Protection Act 2023 encapsulate its commitment to safeguarding personal data in the digital age:

  • Comprehensive Coverage: Applies to all entities processing personal data within the territory of India, as well as those outside India dealing with Indian residents’ data.
  • Cross-Border Data Transfer: Sets criteria for the transfer of personal data outside India, ensuring adequate levels of protection.
  • Child Data Protection: Introduces specific protections for personal data of children, requiring verifiable parental consent for data processing.
  • Data Breach Notification: Mandates timely notification to the authority and affected individuals in the event of a data breach.

Rights under DPDP Act 2023

The Digital Personal Data Protection Act 2023 empowers individuals with several rights to ensure their personal data is handled respectfully and responsibly. These rights include:

  • Right to Access: Individuals can request access to their personal data held by data fiduciaries to understand how and why it is processed.
  • Right to Correction: Enables individuals to correct inaccurate or incomplete personal data to ensure its accuracy.
  • Right to Erasure: Also known as the ‘right to be forgotten,’ this allows individuals to have their personal data deleted under certain conditions.
  • Right to Data Portability: Individuals can obtain and reuse their personal data across different services.

Individual Rights DPDP Act

Under the DPDP Act, individual rights are designed to give individuals control over their personal data. These rights include:

  • Right to Withdraw Consent: Individuals can withdraw consent for data processing at any time, subject to legal or contractual restrictions.
  • Right to Object: Individuals have the right to object to the processing of their personal data, including for direct marketing purposes.
  • Right to Restriction of Processing: Allows individuals to request a restriction on the processing of their personal data under specific circumstances.
  • Right to Information: Individuals have the right to be informed about the collection and use of their personal data in a clear, transparent manner.

Data Protection Rights India

The DPDP Act 2023 establishes comprehensive data protection rights in India, aligning with global standards for data privacy and security. These rights aim to:

  • Protect Privacy: Ensure personal data is processed in a manner that respects individual privacy and autonomy.
  • Enhance Control: Empower individuals with the ability to control how their personal data is collected, used, and shared.
  • Promote Transparency: Mandate data fiduciaries to be transparent about data processing activities and policies.
  • Ensure Accountability: Hold data fiduciaries accountable for adhering to the Act and protecting individuals’ rights.

DPDP Act 2023 Compliance

Compliance with the Digital Personal Data Protection Act 2023 is essential for businesses handling personal data within India. To comply, organizations must:

  • Understand the Act: Familiarize themselves with the Act’s provisions, focusing on consent, data rights, and processing requirements.
  • Implement Data Protection Measures: Adopt robust data security practices to protect personal data against breaches and unauthorized access.
  • Appoint a Data Protection Officer (DPO): Designate a DPO responsible for overseeing data protection strategies and compliance with the DPDP Act.

How to Comply with DPDP Act

Complying with the DPDP Act involves several key steps for businesses:

  • Conduct a Data Audit: Assess the types of personal data collected, processed, and stored to understand compliance requirements.
  • Update Privacy Policies: Ensure privacy policies are transparent, detailing the purpose of data collection and rights available to individuals.
  • Obtain Valid Consent: Collect explicit consent from individuals before processing their personal data, providing them with clear options to opt-in or opt-out.
  • Train Employees: Educate staff on data protection principles and the importance of compliance to prevent data breaches.

Business Obligations under DPDP Act

Businesses have specific obligations under the DPDP Act to ensure the protection of personal data:

  • Data Minimization: Collect only the data necessary for the purposes stated at the time of collection.
  • Accuracy and Retention: Keep personal data accurate and up-to-date, retaining it only for as long as necessary to fulfill the stated purpose.
  • Notify Data Breaches: Report any data breaches to the relevant authority and affected individuals promptly, as specified by the Act.
  • Ensure Data Subject Rights: Facilitate individuals’ rights regarding their personal data, including access, correction, and deletion requests.

DPDP Act 2023 Penalties

The Digital Personal Data Protection Act 2023 outlines strict penalties for non-compliance to ensure organizations take data protection seriously. Penalties include:

  • Financial Fines: Significant fines based on the severity of the data breach or non-compliance, potentially amounting to a percentage of the company’s annual revenue.
  • Legal Actions: Legal proceedings against entities or individuals responsible for violations of the Act.
  • Compensation to Individuals: Obligation to compensate affected individuals for any harm resulting from data breaches or misuse.

Enforcement of Digital Personal Data Protection Act

Enforcement of the Digital Personal Data Protection Act is carried out by a dedicated regulatory authority established under the Act. This authority is responsible for:

  • Monitoring Compliance: Regular audits and assessments to ensure organizations comply with the Act.
  • Investigating Breaches: Investigating reported data breaches and taking appropriate action against violators.
  • Raising Awareness: Conducting awareness programs to educate about data protection rights and responsibilities.

Fines under DPDP Act

Fines under the DPDP Act are designed to be a deterrent against the mishandling of personal data. The structure of fines includes:

  • Tiered Fines: Fines vary based on the nature and severity of the violation, with more significant penalties for more severe breaches.
  • Percentage of Turnover: In some cases, fines may be calculated as a percentage of the violator’s global annual turnover, making penalties substantial for larger companies.
  • Daily Fines: For ongoing violations, daily fines may be imposed until compliance is achieved, ensuring prompt action is taken to rectify issues.

DPDP Act vs GDPR

Comparing the Digital Personal Data Protection Act 2023 (DPDP Act) with the General Data Protection Regulation (GDPR) reveals both similarities and distinctions:

  • Scope and Application: While the GDPR is a regulation across the European Union, the DPDP Act is specific to India, each with its territorial applicability and global reach for companies dealing with respective citizens’ data.
  • Consent: Both laws emphasize the importance of obtaining clear and informed consent for data processing, but the GDPR has stricter requirements for consent validity.
  • Data Protection Officer (DPO): The appointment of a DPO is mandatory under GDPR for certain organizations, whereas the DPDP Act also suggests appointing a data protection officer depending on the volume and sensitivity of data processed.

Digital Personal Data Protection Act Compared to International Laws

When comparing the Digital Personal Data Protection Act to international data protection laws, several key aspects stand out:

  • Data Subject Rights: Like many international laws, the DPDP Act grants individuals several rights over their personal data, including access, correction, and deletion, similar to rights under GDPR and the California Consumer Privacy Act (CCPA).
  • Data Breach Notifications: The DPDP Act aligns with global standards by requiring timely notification of data breaches, akin to GDPR and other international frameworks.
  • Regulatory Authority: The establishment of a regulatory authority for overseeing compliance and enforcement is a common feature in many data protection laws, including the DPDP Act.

DPDP and Global Data Protection

The DPDP Act represents India’s commitment to aligning with global data protection standards:

  • Harmonization with International Practices: The Act incorporates principles recognized internationally, such as data minimization, purpose limitation, and transparency, facilitating cross-border data flows with countries having stringent data protection measures.
  • Global Business Compliance: For multinational companies, understanding the nuances between the DPDP Act and other data protection laws like GDPR is crucial for global compliance strategies, ensuring data protection measures meet all applicable legal requirements.
  • Enhancing Data Protection Framework: By introducing the DPDP Act, India strengthens its legal framework for data protection, encouraging a culture of privacy and security that is in line with global practices.

Impact of DPDP Act on Businesses

The Digital Personal Data Protection Act 2023 has significant implications for businesses operating in India:

  • Compliance Requirements: Businesses must adhere to stringent data processing guidelines, necessitating updates to privacy policies and data handling practices.
  • Increased Accountability: The Act mandates accountability measures, including data protection impact assessments and the appointment of a Data Protection Officer (DPO) for certain organizations.
  • Financial Implications: Non-compliance with the Act can result in substantial financial penalties, making it crucial for businesses to invest in robust data protection measures.

How DPDP Act Affects Consumers

For consumers, the DPDP Act 2023 marks a pivotal shift towards greater control and security of their personal data:

  • Enhanced Privacy Rights: Consumers gain significant rights over their data, including the right to access, correct, and delete their personal information.
  • Consent Management: The Act emphasizes consent, requiring businesses to obtain clear, informed consent from consumers before collecting or processing their data.
  • Transparency and Trust: With businesses required to be more transparent about their data practices, consumers can expect increased trust in digital transactions and services.

DPDP Act 2023 Implications

The implications of the DPDP Act 2023 extend beyond businesses and consumers, affecting the broader digital ecosystem:

  • Data Protection Standards: The Act sets a new benchmark for data protection in India, aligning with global standards and enhancing India’s position in the international digital economy.
  • Innovation and Compliance: While the Act encourages innovation by providing a clear legal framework for data processing, it also requires businesses to incorporate privacy-by-design principles, balancing innovation with privacy.
  • Cross-Border Data Flows: The Act’s provisions on cross-border data transfer will influence how international data flows are managed, requiring adequacy decisions or contractual safeguards for data transferred outside India.

Significance of Digital Personal Data Protection Act 2023

The significance of the Digital Personal Data Protection Act, 2023 is summarised below:

  • The new act will replace the existing Information Technology Act, 2000, the Draft Indian Telecommunication Bill, 2022, and a policy that addresses the governance of non-personal data.
  • Users’ personal data will be safer, and they will have more freedom in deciding how their personal data is transferred.
  • Companies and consumers will be held accountable. Penalties are provided if they do not follow the norms listed in the act.
  • Data sovereignty will increase as companies will be able to store data locally. It will empower the Indian government to impose taxes on major Internet corporations.
  • Different entities, including mobile apps, internet companies, and businesses, are held responsible for the collection, storage, and processing of citizens’ data under the “Right to Privacy.”

Sources for further reading:

  • The Gazette of India: Official publication of all acts passed by the Parliament of India.
  • Ministry of Electronics & Information Technology (MeitY): Nodal agency for IT and electronics in India, providing official details on the DPDP Act.
  • Data Security Council of India (DSCI): Premier industry body on data protection in India, offering analyses and summaries on legislation.
  • Indian Kanoon: Platform providing comprehensive legal information, documents, and interpretations.
  • Legal Information Institute of India: Provides access to a wide range of legal documents and acts.
  • Nishith Desai Associates: Law firm known for detailed legal analyses and articles.
  • Bar and Bench: Platform for legal news, analyses, and insights.
  • LiveLaw: Provides the latest legal news and updates.
  • International Association of Privacy Professionals (IAPP): Offers international comparisons and analyses of data protection laws.

Preparing for DPDP Act 2023

Businesses and organizations must take proactive steps to prepare for the Digital Personal Data Protection Act 2023:

  • Understand the Legislation: Begin with a thorough review of the DPDP Act to understand its scope, requirements, and how it applies to your operations.
  • Assess Current Data Practices: Conduct a data audit to identify what personal data you collect, how it’s processed, and if it complies with the new regulations.
  • Implement Necessary Changes: Update data collection, processing, and storage practices to ensure they align with the Act’s requirements, focusing on data minimization and security.

DPDP Act Checklist for Businesses

To ensure compliance with the DPDP Act, businesses should follow this checklist:

  • Privacy Policy Update: Revise your privacy policy to include detailed information on data processing activities as required by the Act.
  • Consent Mechanisms: Implement or update mechanisms to obtain explicit consent from individuals before collecting their data.
  • Data Protection Measures: Strengthen data security measures to protect against breaches and unauthorized access.
  • Training and Awareness: Educate employees about the DPDP Act’s requirements and their roles in ensuring compliance.

Data Protection Act Readiness

Achieving readiness for the Digital Personal Data Protection Act involves several key steps:

  • Gap Analysis: Compare current data protection practices against the Act’s requirements to identify gaps.
  • Action Plan Development: Develop a comprehensive action plan to address identified gaps, assigning responsibilities and deadlines.
  • Regular Monitoring and Review: Establish ongoing monitoring and review processes to ensure continuous compliance and adapt to any updates in the legislation.
  • Engage with Stakeholders: Communicate with all stakeholders, including employees, customers, and partners, about how you’re preparing for the DPDP Act and what changes they can expect.

Data Privacy Law in Other Countries

An overview of data privacy law in other countries includes:

  • European Union: The General Data Protection Regulation (GDPR) came into effect in 2018. It is a comprehensive law that imposes strict rules on the collection and processing of personal data, especially by businesses and organizations.
  • Japan: Personal data is governed by the Act on the Protection of Personal Information (APPI), which requires the consent of the user and provides for various security measures.
  • China: The right to prevent the misuse of personal data is provided under the Personal Information Protection Law (PIPL).
  • Australia: Private individual data is governed under the Privacy Act.
  • South Africa: Individual information is protected under the Protection of Personal Information Act (POPIA).

Various concerns related to the Digital Personal Data Protection Act 2023 are:

  • It dilutes the Right to Privacy, as exceptions are granted to the government and its agencies.
  • It amends the Right to Information Act, 2005 to prohibit the sharing of details related to the personal information of government officials.
  • It lacks provisions for the Right to Portability and the Right to be Forgotten.
  • It dilutes the independence of the Data Protection Board.
  • The act overrides Section 43A of the Information Technology Act, 2000, which made it compulsory for companies to compensate users in case of unauthorized use of their data.


Digital Personal Data Protection Act 2023 – FAQs

What is the Digital Personal Data Protection Act, 2023?

The Digital Personal Data Protection Act, 2023, is a comprehensive law enacted by India to regulate the processing of personal data by public and private entities, ensuring the protection of individuals’ privacy in the digital age.

How will the DPDP Act affect my organization?

The DPDP Act requires organizations to obtain explicit consent for data processing, implement robust data protection measures, and ensure transparency in data handling practices. Non-compliance could result in significant penalties.

To whom does the DPDP Act apply?

The DPDP Act applies to any entity that processes the digital personal data of individuals within India, regardless of whether the entity is located in India or not. It covers both online and offline data processing activities.

How should consent be obtained under the DPDP Act?

Consent must be informed, specific, and freely given. Organizations must clearly communicate the purpose of data collection and processing to individuals before obtaining their consent.

What are the key provisions of the DPDP Act?

Key provisions include the requirement for explicit consent, rights of data subjects (such as access, correction, and deletion of personal data), obligations of data fiduciaries, penalties for non-compliance, and the establishment of a Data Protection Authority.

Who is the person who enforces the Data Protection Act?

The data protection act is enforced by the Information Commissioner’s Office. The office can levy penalties against organisations failing to comply with data protection.

What is the main purpose of the Data Privacy Act?

The main purpose of the Data Privacy Act is to protect all types of information, whether private, personal, or sensitive. It protects the privacy of individuals while ensuring the free flow of information to promote innovation and growth.

Does GDPR apply to Indians?

Yes, GDPR applies to Indian companies that target EU residents or monitor their behaviour. GDPR, which came into force in 2018, is a comprehensive law for EU member states that protects individual rights.

What is the penalty for non-compliance with Indian data privacy law?

The act specifies penalties for various offences, including a penalty of Rs 200 crore for non-fulfilment of obligations for children, and a penalty of Rs 250 crore for failure to take security measures to prevent data breaches.
