
Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act, 2023) marks a significant step towards regulating the processing and handling of personal data in India. By focusing on the management of digital personal data without distinguishing between tiers of data sensitivity, the Act aims to provide a comprehensive framework that safeguards individuals’ data privacy while accommodating the needs of businesses and organizations.

 Scope and Key Definitions

The DPDP Act, 2023, applies to both the processing of digital personal data within India and the extraterritorial processing of such data when it is related to offering goods or services to Indian residents. It does not cover personal data that has been made publicly available under legal obligations.

Key definitions include:

– Data: Information in a format suitable for processing.

– Data Fiduciary: The entity determining the purpose and means of data processing.

– Data Principal: The individual to whom the personal data pertains.

– Data Processor: The entity processing data on behalf of the Data Fiduciary.

– Data Protection Officer (DPO): An individual appointed to ensure compliance with the DPDP Act.

 International Data Transfers

The Act allows the Central Government to restrict the transfer of personal data outside India, a departure from previous bills, which allowed transfers only to countries designated by the government. This “blacklist” approach, combined with existing laws, offers a stringent framework for cross-border data transfer.

 Consent and Notification Obligations

Consent under the DPDP Act, 2023, must be free, specific, informed, unconditional, and unambiguous. Data Fiduciaries are required to accompany every consent request with detailed notices, including information on withdrawing consent and lodging complaints with the Data Protection Board.

 Legitimate Uses

The Act outlines circumstances under which data fiduciaries can process personal data without explicit consent, including employment purposes, legal obligations, medical emergencies, safety during disasters, and compliance with legal orders.

 Responsibilities of Data Fiduciaries and Processors

Data Fiduciaries are tasked with ensuring compliance with the law, including erasure requirements and personal data breach reporting. Although the Act does not explicitly impose obligations on Data Processors, it is expected that fiduciaries will ensure processors adhere to legal standards through contractual agreements.

 Processing Children’s Personal Data

Special attention is given to the processing of children’s personal data, requiring verifiable parental or guardian consent and prohibiting behavior tracking and targeted advertising towards children.

 Obligations of Significant Data Fiduciaries (SDFs)

SDFs have additional responsibilities, including conducting audits, impact assessments, and appointing a Data Protection Officer domiciled in India.

 Further Exemptions and Rights of Data Principals

The Act provides exemptions for processing data for BPO operations and by state instrumentalities under certain conditions. It also enumerates the rights of data principals, such as accessing, correcting, or erasing their data.

 Consent Managers and Data Protection Board

Consent Managers are introduced as intermediaries to help manage consent, while the Data Protection Board is established to oversee compliance, investigate violations, and impose penalties.

 Authority of the Central Government

The Central Government plays a pivotal role in the enforcement of the DPDP Act, with the authority to issue notifications, regulations, and, in some cases, blocking orders to prevent data fiduciaries from offering services in India.

 Voluntary Commitments and Penalties

The Act encourages voluntary compliance efforts and establishes a civil liability regime with penalties ranging up to INR 250 crore for noncompliance.


The Digital Personal Data Protection Act, 2023, represents a significant evolution in India’s approach to data privacy and protection. By setting stringent requirements for consent, international data transfer, and the processing of children’s data, among others, it aims to balance the rights of individuals with the operational needs of businesses. Organizations must carefully assess their data handling practices and align them with the DPDP Act’s provisions to ensure compliance and protect the interests of data principals.
