The Digital Personal Data Protection Act 2023 - Explained with Notes

In this article
- Introduction to the Digital Personal Data Protection Act, 2023
- Historical Background
- India's Pre-DPDP Framework
- GDPR vs. India's DPDP Act
- Key Provisions of the DPDP Act
- Scope, Applicability and Key Players
- The Core Principles
- Rights and Duties
- Children's Data and Significant Data Fiduciaries
- Exemptions
- Data Protection Board of India
- Penalties
- Implementation: The Phased Rollout Under the 2025 Rules
- Conclusion

Introduction to the Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first standalone law dedicated to protecting personal data. It gives individuals control over their digital personal data, places clear obligations on the organisations that handle it, and creates a regulator — the Data Protection Board of India — to enforce the rules. After a long gestation, the operative Digital Personal Data Protection Rules, 2025 were notified on 13 November 2025, beginning a phased rollout of the new regime.

| At a glance | Detail |
|---|---|
| Law | Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) |
| Presidential assent | 11 August 2023 |
| Operative rules | Digital Personal Data Protection Rules, 2025 — notified 13 November 2025 |
| Regulator | Data Protection Board of India |
| Maximum penalty | Up to ₹250 crore per breach |
| Scope | Digital personal data processed in India, and abroad where goods/services are offered to people in India |

Historical Background
The road to the DPDP Act was unusually long. The key milestones:
- 2000 / 2011: The Information Technology Act, 2000 and its SPDI Rules, 2011 (under §43A) gave India its first, limited data-protection regime, covering "sensitive personal data or information."
- 24 August 2017: In Justice K.S. Puttaswamy v. Union of India, a nine-judge bench of the Supreme Court held the right to privacy to be a fundamental right under Article 21 — the constitutional foundation for a data-protection law.
- 2017–2018: The Government set up the Justice B.N. Srikrishna Committee, which submitted a report and a draft Personal Data Protection Bill, 2018.
- 11 December 2019: The Personal Data Protection Bill, 2019 was tabled in the Lok Sabha and referred to a Joint Parliamentary Committee.
- 3 August 2022: The 2019 Bill was withdrawn after wide criticism.
- November 2022: A new, slimmer draft — the Digital Personal Data Protection Bill, 2022 — was released for public consultation.
- 7–9 August 2023: The DPDP Bill, 2023 was passed by the Lok Sabha and Rajya Sabha; it received Presidential assent on 11 August 2023.
- 3 January 2025 / 13 November 2025: Draft DPDP Rules were released for consultation, and the final DPDP Rules, 2025 were notified.

India's Pre-DPDP Framework
It is worth clearing up a common confusion: India never had a "Data Protection Act 1998" or "Data Protection Act 2018" — those are United Kingdom statutes. Before the DPDP Act, India's data-protection rules lived inside the Information Technology Act, 2000. Section 43A and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 required bodies handling "sensitive personal data" (passwords, financial and health data, biometrics, etc.) to maintain reasonable security practices, with a right to compensation for negligent handling.
That framework was thin and was overtaken by events — above all by Puttaswamy (2017), which made a comprehensive privacy law a constitutional necessity. Once the DPDP Act is fully in force and §43A of the IT Act is omitted, the SPDI Rules will effectively become redundant.

GDPR vs. India's DPDP Act
The DPDP Act draws on the EU's General Data Protection Regulation (GDPR, in force since May 2018) but is deliberately simpler and more permissive in places.

| Feature | GDPR (EU) | DPDP Act, 2023 (India) |
|---|---|---|
| Applies to | EU/EEA | India (and offshore processing aimed at people in India) |
| Lawful bases | Six bases (consent, contract, legitimate interests, etc.) | Consent, plus a defined list of "legitimate uses" |
| Sensitive-data category | Special categories with extra protection | No separate "sensitive data" category |
| Cross-border transfer | Adequacy / safeguards (whitelist) | Allowed except to countries the Government restricts (blacklist) |
| Breach notice | To regulator within 72 hours | To the Board and affected individuals (timelines set by Rules) |
| Maximum penalty | Up to 4% of global turnover | Up to ₹250 crore per breach |

Key Provisions of the DPDP Act

Scope, Applicability and Key Players
The Act governs digital personal data — personal data in digital form, or collected offline and later digitised. It does not cover purely offline data, or personal data an individual makes publicly available. It applies to processing in India, and to processing outside India that is connected with offering goods or services to people in India. The main actors are:
- Data Principal — the individual to whom the data relates (and, for a child, the parent/guardian).
- Data Fiduciary — whoever decides the purpose and means of processing (the GDPR "controller").
- Data Processor — who processes data on a fiduciary's behalf.
- Consent Manager — a Board-registered Indian company through which an individual can give, manage and withdraw consent.

The Core Principles
The Act rests on a familiar set of data-protection principles:
- Lawful, fair and transparent processing with consent.
- Purpose limitation — use data only for the notified purpose.
- Data minimisation — collect only what is necessary.
- Accuracy of the data.
- Storage limitation — keep data only as long as needed.
- Reasonable security safeguards.
- Accountability, backed by penalties for breach.

Rights and Duties
Data Principals have the right to access a summary of their processed data, to correction and erasure, to grievance redressal, and to nominate another person to exercise their rights in case of death or incapacity. They also have duties — notably not to file false or frivolous complaints. Data Fiduciaries must give clear notice, obtain valid consent, maintain security safeguards, report breaches, erase data once the purpose is served, and respond to grievances.
The Act is drafted in deliberately plain language (the Government's "SARAL" approach — simple, accessible, rational, actionable) and, notably, uses "she/her" throughout to refer to individuals of any gender.

Children's Data and Significant Data Fiduciaries
Processing a child's data (under 18) generally requires verifiable parental consent, and behavioural tracking or targeted advertising directed at children is prohibited. The Government may designate certain high-volume or high-risk fiduciaries as Significant Data Fiduciaries (SDFs), who carry extra obligations: appointing an India-resident Data Protection Officer, conducting periodic Data Protection Impact Assessments and independent audits, and other due diligence.

Exemptions
The Act exempts certain processing, including by State agencies notified in the interests of security, sovereignty and public order; processing for research, archiving or statistics; enforcement of legal rights; and certain start-ups or notified classes of fiduciary. These broad State exemptions have attracted criticism for weakening citizens' protections against the Government.

Data Protection Board of India
The Data Protection Board of India is the regulator. It inquires into data breaches and complaints, directs remedial or mitigation measures, imposes financial penalties, refers suitable matters to alternate dispute resolution, and can advise the Government to block a persistently non-compliant fiduciary. It functions as a digital-by-design body, and appeals against its orders lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Penalties
The Schedule to the Act sets financial penalties per breach (not a percentage of turnover):

| Breach | Penalty up to |
|---|---|
| Failure to take reasonable security safeguards (leading to a data breach) | ₹250 crore |
| Failure to notify the Board / affected individuals of a breach | ₹200 crore |
| Breach of children's-data obligations | ₹200 crore |
| Breach of a Significant Data Fiduciary's extra obligations | ₹150 crore |
| Breach of any other provision or rule | ₹50 crore |
| Breach of a Data Principal's duties (e.g. false/frivolous complaints) | ₹10,000 |

Implementation: The Phased Rollout Under the 2025 Rules
The DPDP Act does not switch on all at once. Under the DPDP Rules, 2025 (notified 13 November 2025), the regime is being implemented in stages:

| Phase | From | What comes into force |
|---|---|---|
| Phase I | 13 November 2025 | Establishment of the Data Protection Board of India |
| Phase II | ~13 November 2026 | The Consent Manager framework (Rule 4) |
| Phase III | ~13 May 2027 | All substantive compliance obligations — notice, consent, retention, breach reporting, children's data and SDF duties |

In practical terms, organisations have a transition window: the core compliance duties bite from 2027, giving businesses time to build consent flows, breach-response processes and (where applicable) SDF governance.

Conclusion
The Digital Personal Data Protection Act, 2023 is a watershed — India's first comprehensive personal-data law, built on the constitutional right to privacy recognised in Puttaswamy. It favours a light-touch, principles-based design over the dense detail of the GDPR, leaving much to the DPDP Rules, 2025 and to the Data Protection Board. With substantive obligations phasing in through 2026–2027, the coming years will show how India balances individual privacy, the data economy and the State's own broad exemptions.
