The 21st century is the age of digitalization and technology, where everything from a needle to a vehicle or a house is meant to be online. We have become so accustomed to this trend that we forget the risk lurking behind it, a risk grave enough to make life miserable. The way the technology works is simple: to provide a service, the provider takes the information we share in order to deliver the product or service. But do we ever think deeply about what happens to the data we share with the service provider, how he handles it, and what he can do with it? The service provider can sell your data, including your name, your image, your real-time location or address, and much more, to someone who can pose a threat to you or your family.
A great threat is thereby posed to the privacy of a person (the user), whether intimate or public, which is both immoral and unlawful (as widely recognised after the K.S. Puttaswamy case). To tackle this, the government compelled every service provider to present its terms and conditions before the website or app opens and to ask for the user’s consent that such and such data shall be used. The problem that later arose was that websites, in order to harvest data, made the terms and conditions so lengthy that people simply started skipping them and giving consent, which is exactly what the service provider wanted. In such a situation, under the rule of tort law recognised in Padmavati v. Dugganaika and Smith v. Baker, which holds that a person who consents to a risk must bear the resulting harm, the user would have no option left but to be the victim of a wrong that the law itself treated as lawful.
But to tackle every such situation, the Parliament of India has enacted a law titled the ‘Digital Personal Data Protection Act, 2023’, which aims to give users of technology extra protection from any unforeseeable and unintentional harm.
What is this law-
This Act was passed by the Lok Sabha on 7 August 2023 and by the Rajya Sabha on 9 August 2023, and received the President’s assent on 11 August 2023. It came as the result of a pressing need for a law to curb the loss of privacy suffered by people using technology, and to cure the mindset of service providers who take users’ private data and use it unlawfully. The Preamble of the Act postulates that it is
‘An Act to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.’
Digital Personal Data Protection Act, 2023: Key Characteristics
I. Jurisdictional Scope and Applicability
The Digital Personal Data Protection Act, 2023 establishes a clear boundary for its authority, focusing exclusively on data processed digitally.
Digital Focus and Exclusion: The law applies to digital personal data processed within India, including data that was converted from non-digital sources. It explicitly excludes non-digital records (e.g., paper-only files) and data processed solely for personal or domestic purposes, ensuring it targets commercial and state activities.
Extraterritorial Reach: Reflecting global standards like the GDPR, the Act applies to Data Fiduciaries outside India if their processing activities relate to offering goods or services to Data Principals within India.
Governmental Exemptions: Provisions exist for the Central Government to exempt its own agencies from compliance requirements on specific grounds, notably national security, public order, or the prevention of cognizable offenses. This broad discretionary power remains a critical point of academic and legal scrutiny regarding its potential impact on surveillance and accountability.
II. Core Definitions and Stakeholder Roles
The Act formalizes the relationship between individuals and data-handling entities.
Data Principal and Personal Data: The Data Principal is the individual to whom the data relates (analogous to the ‘data subject’). Personal Data is defined broadly as any data capable of identifying an individual, directly or indirectly.
Data Fiduciary and Processor: The Data Fiduciary is the entity determining the purpose and means of data processing (the ‘Controller’). The Data Processor handles data on the Fiduciary’s behalf.
Significant Data Fiduciaries (SDFs): Entities designated as SDFs (based on volume, sensitivity, or risk impact) are subject to enhanced compliance obligations, including mandatory data protection impact assessments, data audits, and the appointment of a Data Protection Officer.
III. Principles of Data Processing and Consent Mechanisms
The DPDP Act is built upon foundational data protection principles, with explicit mechanisms for lawful processing.
Principles of Lawful Processing: Processing must adhere to principles of Lawfulness, Fairness, and Transparency, along with Purpose Limitation (data used only for specified, explicit purposes) and Data Minimization (collection limited to what is necessary).
Informed Consent: Processing requires free, specific, informed, and unambiguous consent from the Data Principal, obtainable via clear notice and withdrawable at any time.
Legitimate Uses and Deemed Consent: The Act permits processing without explicit consent under specified Legitimate Uses, such as employment purposes, public health emergencies, or contractual necessity. The concept of Deemed Consent—where consent is inferred under certain circumstances—is a notable feature, balancing ease of business with privacy, though it requires careful regulatory oversight to prevent misuse.
IV. Rights of the Data Principal
The Act grants individuals specific rights to manage and control their personal data.
Right to Access and Grievance: Data Principals have the right to obtain a summary of their processed data and the identities of those with whom it has been shared. They also have the Right to Grievance Redressal with the Data Fiduciary and escalation to the Data Protection Board.
Right to Correction and Erasure: Individuals may request the correction of inaccurate data or the deletion (erasure) of data that no longer serves the stated purpose.
Right to Nominate: Data Principals can designate a nominee to exercise their rights in the event of death or incapacity.
Limited Scope: It is significant that the Act does not explicitly confer a ‘Right to be Forgotten’ or data portability, distinguishing it from the broader rights guaranteed under the GDPR.
V. Data Fiduciary Obligations and Special Provisions
Fiduciaries are bound by strict requirements to ensure data security and integrity.
Security and Breach Notification: Fiduciaries must implement reasonable technical and organizational Security Safeguards and are required to notify both the Data Protection Board and the affected Data Principals promptly in the event of a personal data breach.
Protection of Children: Processing data of children (defined as those under 18) requires verifiable parental consent. Furthermore, the Act prohibits behavioral monitoring and targeted advertising directed at children, establishing a high bar for data protection for minors.
Cross-Border Data Transfers: The Act adopts a flexible approach, allowing the transfer of personal data outside India unless the Central Government explicitly restricts a specific country by placing it on a negative list.
VI. Enforcement Mechanism and Penalties
The Act establishes a new body for enforcement and outlines a regime of financial penalties.
Data Protection Board of India (DPBI): The DPBI is established as the primary independent body responsible for enforcement, inquiry, and imposing penalties.
Financial Penalties: The Act prescribes substantial penalties, reaching up to INR 250 crore (approximately $30 million) per instance of violation. Critically, the Act does not provide Data Principals with a direct right to seek compensation (damages) from the Fiduciary; remedies are determined and imposed by the DPBI.
Implementation Status: As of October 2025, the Act is in the phase of rulemaking, with detailed regulations regarding compliance mechanisms, the DPBI’s structure, and consent protocols still under consultation and expected to be notified for full implementation soon.
Source of this Act-
The DPDP Act, 2023, is the product of a multi-year effort rooted in the Supreme Court’s landmark 2017 verdict, which established the Right to Privacy as a fundamental right under the Indian Constitution. This judicial mandate compelled the government to create a formal data protection framework. The process began with the Justice B.N. Srikrishna Committee Report and its draft bill in 2018, which laid down core principles of consent and accountability, heavily influenced by global standards such as the European Union’s GDPR. After several iterations, including the withdrawn 2019 Bill and the simplified 2022 draft, the final Act was passed in August 2023. It replaces the limited data protection framework previously provided under the Information Technology Act, 2000, establishing a comprehensive and independent regulatory regime for digital personal data in India.
Comparison to the GDPR and CCPA
| Aspect | DPDP Act, 2023 (India) | GDPR (European Union) |
|---|---|---|
| Scope | Applies only to Digital Personal Data (or data digitized from physical form). Excludes non-digital/physical records. | Applies to all Personal Data, regardless of format (digital or physical/paper filing systems). |
| Sensitive data | No distinction between ‘Personal Data’ and ‘Sensitive Personal Data’ (such as health, religion, or biometrics); the rules apply uniformly. | Distinguishes between Personal Data and Special Categories of Personal Data (biometrics, health, etc.), requiring higher protection and explicit consent for the latter. |
| Lawful basis for processing | Consent + “Legitimate Uses” (limited to specific items such as employment, state functions, medical emergency). | Six Lawful Bases, including Consent, Contractual Necessity, Legal Obligation, Vital Interest, Public Interest, and Legitimate Interests (a broad, flexible basis). |
| Rights of the individual | Right to Access, Correction, Erasure, Grievance Redressal, and Right to Nominate. | Right to Access, Rectification, Erasure, Grievance Redressal, Right to Data Portability, Right to Object to Automated Decision-Making, and Right to be Forgotten. |
| Duties on the individual | Yes. Data Principals have duties (e.g., not to file frivolous complaints or furnish false particulars), with a penalty of up to ₹10,000 for violation. | No explicit duties imposed on the Data Subject. |
| Cross-border transfers | Uses a “Negative List” approach: data transfer is permitted to any country unless specifically restricted (blacklisted) by the Central Government. | Uses an “Adequacy” approach: transfer is permitted only to countries deemed ‘adequate’ by the EU Commission or subject to appropriate safeguards such as Standard Contractual Clauses (SCCs). |
| Age of a child | 18 years (verifiable parental consent is mandatory). | 16 years, which Member States can lower to 13 years. |
| Penalties | Capped at ₹250 Crore (approx. $30 million) per violation, irrespective of global turnover. | Up to €20 million or 4% of the entity’s total global annual turnover from the preceding financial year, whichever is higher (significantly higher cap). |
| Compensation | No direct right for Data Principals to seek compensation (damages) from the Fiduciary; redressal is Board-driven. | Direct right for Data Subjects to claim compensation for material or non-material damage caused by a violation. |

| Aspect | DPDP Act, 2023 (India) | CCPA/CPRA (California, USA) |
|---|---|---|
| Consent model | Consent-based (Opt-in Model): processing requires explicit, informed consent unless it falls under “Legitimate Uses.” | Control-based (Opt-out Model): data collection is generally allowed, but consumers have the right to Opt-Out of the Sale or Sharing of their personal data. |
| Applicability | Generally applies to all entities processing digital personal data within India, with no revenue/volume thresholds. | Applies only to businesses meeting specific thresholds (e.g., annual gross revenue over $25 million, or processing data of 100,000+ consumers). |
| Sensitive data | Focuses strictly on Digital Personal Data. Makes no distinction between personal data and sensitive personal data. | Applies to Personal Information and specifically identifies Sensitive Personal Information (race, health data, account login details, etc.) requiring more stringent safeguards. |
| Rights of the individual | Right to Access, Correction, Erasure, and Grievance Redressal. Includes a unique Right to Nominate. | Right to Know, Right to Delete, Right to Opt-Out of Sale/Sharing, Right to Limit the Use of Sensitive Personal Information. |
| Children | Requires verifiable parental consent for all processing of data belonging to children (under 18 years). | Requires an explicit Opt-In for consumers under 16 years before their data can be sold or shared; parental consent for children under 13 years. |
| Regulator | Data Protection Board of India (DPBI): a single, centralized adjudicatory body. | California Privacy Protection Agency (CPPA): an independent state-level regulator responsible for rulemaking and enforcement. |
| Penalties | Up to ₹250 Crore (approx. $30 million) per violation. Focused on administrative penalties imposed by the DPBI. | Up to $7,500 per intentional violation; $2,500 per unintentional violation. Includes a private right of action for consumers in case of a data breach. |
Conclusion-
Ultimately, the enactment of the Digital Personal Data Protection (DPDP) Act, 2023, marks a necessary and historic turning point in the digital life of every Indian citizen. For too long, we were unknowingly vulnerable victims in the wild west of the digital economy, forced to surrender our most intimate data under threat of losing access to basic services. The lengthy, unreadable terms and conditions—a deliberate mechanism for deemed consent—made us legally defenseless.
This new Act is the definitive answer to that vulnerability, born directly from the Supreme Court’s recognition of the Right to Privacy as a fundamental human right. It transforms us, the users, from mere consumers to empowered Data Principals, granting us the right to know what’s being processed, to correct inaccuracies, and to demand erasure.
While the DPDP Act takes clear inspiration from the global standard, the GDPR, in principles like consent and extraterritorial reach, it is uniquely Indian in its pragmatic, and sometimes controversial, approach. The introduction of ‘Legitimate Uses’ and the creation of a centralized, formidable Data Protection Board of India (DPBI) with the power to levy massive ₹250 Crore fines signals a serious intent to enforce compliance.
The true success of the DPDP Act now hinges on the implementation of its final rules and the vigilance of the DPBI. This law is not merely a formality; it is a foundational shield for our digital autonomy, forcing the powerful Fiduciaries to finally prioritize the dignity and privacy of the individuals who trust them with their data. The era of the unchecked digital landlord is over; accountability has finally arrived.