Author’s Note
Now you can face penalties up to Rupees 250 crores. Our faculty said this while I was attending classes for the Diploma in Information System Audit. He said that if you are found guilty of leaking a customer’s data, then you are gone! Now, what is it? Let’s discuss it in this article.
Introduction
This Act focuses on privacy and data governance for people, recognising an individual’s right to privacy while ensuring that organisations can process data for legitimate and lawful purposes.
That means this Act’s main intent is to create new rights, impose significant obligations, and introduce penalties that can go up to Rs. 250 crores.
In this article, I have discussed the analysis of this Act, covering applicability, legal intent, compliance requirements, rights, exemptions, audits, enforcement, and long-term implications.
Applicability of the DPDP Act, 2023 (“the Act”)
Under Section 3, the Act applies to the processing of digital personal data, whether it is collected digitally through portals, apps, websites, customer relationship management tools, ERPs, email, or digital onboarding. It is also applicable if the data is collected offline but later digitised; for example, paper forms later uploaded to systems, with or without migration. If the data is processed outside India and goods/services are offered to individuals within India, then this Act will also be applicable.
Non-applicability
The Act does not apply if data is solely used for personal/domestic purposes like personal contacts, home recordings, etc. Also, suppose I posted my phone number on social media; then I made my personal data publicly available. In that case, I am not protected under this Act.
Does STS Ventures, being a small firm, come within the purview of this Act?
Being a small consulting firm, it will come under the Act as, for KYC purposes, it collects names, phone numbers, Aadhaar, PAN, email IDs, and financial or professional data of its clients. Hence, STS Ventures shall be a data fiduciary, and I, being the customer, am the data principal.
Objective and Legal Intent of the Act
This Act aims to establish a balance between individual rights by protecting privacy as a fundamental right and ensuring transparency, control over personal data, correction and erasure, grievance mechanisms, and protection against misuse.
It allows businesses and government bodies to process data responsibly, ensuring economic activity continues without compromising rights, as it mandates adequate technical, organisational, and legal safeguards. Also, the high penalties are introduced to ensure compliance seriousness.
Remember how our data got leaked at RailYatri or even AIIMS? But the fact is nobody was held accountable for the same. Hence, this Act is the most important decision of the hour, aiming to bring discipline, transparency, and accountability into India’s digital ecosystem.
Grounds for Processing
The first ground is the consent framework, which means consent must be free, specific, informed, unconditional, unambiguous, and given through clear affirmative action. Also, the withdrawal of consent must be as easy as giving consent.
The second ground is legitimate use (Section 7), which means no consent is required when processing is for government benefits/subsidies, court orders, legal obligations, emergencies (medical), public health crises, employment purposes, or disaster management.

Obligations of STS Ventures as per the Example Above
Section 8 sets out the obligations every organisation must follow. Accountability remains even if it outsources its data processing. It must inform, before collecting data, what data is being collected, why it is being collected, how rights can be exercised, and how to file a complaint.
Also, STS Ventures must implement reasonable cybersecurity measures, and every data breach must be reported to the Data Protection Board as well as affected individuals.
Data Retention & Erasure
Data must be erased when the purpose is fulfilled, consent is withdrawn, or storage is no longer legally required. A proper grievance mechanism is mandatory, and a DPO/Authorised Officer’s contact details must be displayed.
Special Protection for Children (Section 9)
Processing of children’s data (below 18 years) requires verifiable parental consent, with no behavioural monitoring, no targeted advertising, and no harmful or detrimental activities. This impacts schools, ed-tech platforms, gaming apps, and content platforms dealing with minors.
Significant Data Fiduciary (SDF) Obligations
SDFs like banks, UIDAI, Zomato, PhonePe, LIC, etc., have more responsibilities. They must appoint a Data Protection Officer located in India, appoint an independent data auditor, conduct data protection impact assessments, and carry out periodic audits.
Rights of STS Ventures as per the Example Above
The Act grants comprehensive rights like the right to access a summary of data processed, processing activities, and sharing details. They also have the right to correction, completion, and updation of data.
They have the right to erasure, subject to legal retention requirements; for example, audit files must be retained for a minimum of 7 years, so that retention is a legal requirement.
My Duties as Data Principal in the Above Case
I must not impersonate anyone, must not file frivolous complaints, and must furnish authentic information.
Exemptions (Sections 16 & 17)
Transfers to certain countries may be restricted. The Government may notify banned jurisdictions. The exemptions for state functions include law enforcement, courts, and sovereignty and security matters. There are also exemptions for research and statistics, provided the data is anonymised or unlinked from individuals. Certain compliance relaxations may also be granted to startups.
Data Protection Board of India
The Board is established to conduct inquiries, issue directions, impose penalties, accept voluntary undertakings, and operate as a digital office (online filings, hearings, and orders). This Board functions with civil court powers for summoning, inspecting documents, collecting evidence, etc.
Penalties
I personally feel these are very harsh penalties. Let’s discuss them as per this schedule:
| Violation | Maximum Penalty (in Rupees) |
|---|---|
| Failure to prevent data breach | 250 crores |
| Failure to notify breach | 200 crores |
| Violation of children’s data obligations | 200 crores |
| Violations by Significant Data Fiduciaries | 150 crores |
| Breach of duties by individuals | 10,000 |
| Any other contravention | 50 crores |
These penalties are per instance, making compliance mandatory even for small entities.
Power to Block Non-compliant Platforms (Section 37)
If an organisation repeatedly violates the Act, the Government may direct intermediaries to block public access to the platform within India. I feel this is one of the strongest powers in Indian cyber law.
Relation with Other Laws
The DPDP Act operates in addition to other laws like the Income-tax Act, Companies Act, and RBI Act, and it prevails in case of conflict.
Amendment to the Income-tax Act
Earlier, the Income-tax Act, 1961 had Section 43A, which penalised companies for failure to protect data (mostly IT/outsourcing companies processing foreign data). Now, DPDP has introduced a new and stronger penalty system for mishandling personal data across all sectors. So, to avoid two different penalty laws running simultaneously, DPDP removed Section 43A. That means personal data breach liability will now be governed by DPDP penalties, not by the old tax law.
Amendment to the RTI Act
The Right to Information Act, 2005 allows citizens to request information from government bodies. However, sometimes these RTI replies may contain someone’s personal data (like mobile number, address, medical info, bank details, etc.). The DPDP amendment ensures that privacy is protected even more strongly, and government departments must be careful not to disclose personal data unless allowed by law.
Amendment to the TRAI Act
TDSAT gets jurisdiction. The TRAI Act, 1997 governs telecom disputes. The Telecom Disputes Settlement and Appellate Tribunal resolves disputes against telecom orders. The amendment clarifies that cases involving TRAI orders, data issues, or regulatory overlap in telecom can be appealed before TDSAT.
Conclusion
The Digital Personal Data Protection Act, 2023 is not just another compliance requirement; it is a structural shift in how organisations collect, process, store, and share personal data. It elevates privacy to the level of a protected legal right while ensuring that businesses can continue operations responsibly.
****
The author can be contacted at aman.rajput@mail.ca.in