The Digital Personal Data Protection Act, 2023 (DPDP Act) received presidential assent on 11 August 2023, establishing India's first standalone framework for the processing of digital personal data. Its constitutional lineage traces directly to the Supreme Court's nine-judge ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), which held the right to privacy to be intrinsic to the right to life and personal liberty under Article 21 of the Constitution. That judgment noted the expert committee the government had already constituted under Justice B.N. Srikrishna and made clear that a robust data-protection regime was expected to follow. The Srikrishna Committee reported in 2018, and a succession of bills was introduced and withdrawn (most recently the Personal Data Protection Bill, 2019, withdrawn in August 2022) before the present Act, deliberately pared down to a principles-based instrument of 44 sections, was passed by both houses of Parliament in August 2023.
The Act regulates the relationship between three principal actors: the Data Principal (the individual to whom the data relates), the Data Fiduciary (the entity that determines the purpose and means of processing), and the Data Processor (a third party processing on a fiduciary's behalf). Processing is lawful only on one of two grounds: the consent of the Data Principal, or one of the "certain legitimate uses" enumerated in Section 7, such as data the individual has voluntarily provided for a specified purpose, the State's provision of subsidies, benefits or services, medical emergencies, epidemics and disasters, and employment-related purposes. Where consent is the basis, Section 6 requires it to be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action; it must be preceded by a notice in clear and plain language (Section 5), and the consent request must be available in English or any of the 22 languages in the Eighth Schedule. The Data Principal may withdraw consent at any time with the same ease with which it was given, and may give, manage, review or withdraw consent through a registered Consent Manager.
The Act creates additional structural mechanics around accountability and enforcement. Section 8 obliges every Data Fiduciary to ensure the completeness and accuracy of data that will be used to make decisions about the Data Principal or disclosed to another fiduciary, to implement reasonable security safeguards, to notify the Board and each affected Data Principal of a personal data breach, and to erase data once the purpose has been served or consent withdrawn. Section 10 designates a category of Significant Data Fiduciary, notified by the Central Government on the basis of the volume and sensitivity of data processed, the risk to the rights of Data Principals, the potential impact on sovereignty and integrity, electoral democracy, security of the State and public order; such entities must appoint a Data Protection Officer based in India and an independent data auditor, and must conduct periodic Data Protection Impact Assessments. Cross-border transfer follows a "blacklist" model under Section 16: transfers are permitted to every jurisdiction except those the Central Government restricts by notification, a notable departure from the European adequacy approach. Enforcement rests with the Data Protection Board of India, constituted under Sections 18 to 26 and required by Section 28 to function as a digital office; under Section 33 and the Schedule it can impose penalties of up to ₹250 crore per instance for failure to take reasonable security safeguards to prevent a personal data breach.
Implementation has proceeded in stages. The Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules in January 2025 for public consultation, addressing notice formats, the registration and obligations of Consent Managers, breach-reporting timelines, and the functioning of the Board. The draft Rules propose phased commencement, with transition periods for fiduciaries to achieve compliance. The Act's reach is extraterritorial under Section 3(b): it applies to processing outside India that is connected to offering goods or services to Data Principals within Indian territory, drawing global technology firms such as Google, Meta and Amazon, as well as domestic platforms, within its ambit.
The DPDP Act must be distinguished from adjacent instruments. It is narrower than the European Union's General Data Protection Regulation (GDPR), which it superficially resembles: the DPDP Act covers only personal data in digital form, or collected offline and subsequently digitised; it omits a separate category of "sensitive personal data"; and it replaces the GDPR's six lawful bases with consent plus the enumerated legitimate uses. Through Section 44(2) it omits Section 43A of the Information Technology Act, 2000, and thereby displaces the limited compensation regime and the 2011 SPDI Rules made under it, though the IT Act continues to govern cybercrime and intermediary liability. It is also distinct from the Aadhaar Act, 2016, which governs a specific identity database rather than data processing at large.
Controversy has attended several provisions. Section 17(2)(a) permits the Central Government to exempt notified instrumentalities of the State from the Act's obligations in the interests of sovereignty and integrity, security of the State, friendly relations with foreign States and public order, drawing criticism that it creates broad governmental immunity. Section 44(3) amended the Right to Information Act, 2005, by replacing the exemption in Section 8(1)(j) with a bare exemption for "information which relates to personal information", removing the earlier public-interest override; transparency advocates and several opposition members argued this would erode the RTI regime by shielding officials from accountability. The absence of a right to data portability and a right to be forgotten, both present in earlier drafts, has also been noted, as has the Act's reliance on delegated rule-making for substantive detail, which concentrates discretion in the executive.
For the working practitioner, the DPDP Act reshapes compliance, governance and diplomatic engagement. Desk officers tracking digital trade and data-flow negotiations must read it alongside India's positions at the WTO and in bilateral frameworks, given its blacklist approach to cross-border transfer. Corporate counsel and policy researchers must map fiduciary obligations against actual operational data flows ahead of full enforcement. For UPSC General Studies Paper II candidates, the Act sits at the intersection of fundamental rights, governance, and the regulation of the digital economy, exemplifying how a constitutional mandate from Puttaswamy translates into administrative architecture. Its evolution, particularly the final Rules and the Board's first adjudications, will define the contours of informational privacy for the world's most populous democracy.
Example
In January 2025, India's Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection Rules for public consultation, operationalising consent-manager registration and breach-notification timelines under the 2023 Act.
Frequently asked questions
How does the DPDP Act differ from the GDPR? The DPDP Act covers only digital (or subsequently digitised) personal data and lacks a separate 'sensitive data' category, whereas the GDPR governs all personal data and carves out special categories. It relies on consent plus enumerated legitimate uses rather than the GDPR's six lawful bases, and uses a 'blacklist' model for cross-border transfers instead of adequacy decisions.