THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023: INDIA’S NEW PRIVACY PARADIGM

AUTHOR: UDIT NAYAK BA.LLB(H)

SCHOOL OF LAW MANGALAYATAN UNIVERSITY JABALPUR

TO THE POINT

The Digital Personal Data Protection Act, 2023 (DPDPA), notified on August 11, 2023, and gradually being enforced through 2024-25, represents India’s first comprehensive privacy legislation. The Act establishes rights-based protections for data principals while imposing significant compliance obligations on data fiduciaries. With potential penalties reaching ₹250 crore for certain violations, the Act signifies India’s commitment to aligning with global data protection standards while maintaining sovereignty over cross-border data transfers.

LEGAL LEXICON

  • Data Principal: Natural person to whom the personal data relates
  • Data Fiduciary: Person who determines the purpose and means of processing personal data
  • Data Processor: Person who processes personal data on behalf of a data fiduciary
  • Significant Data Fiduciary: Data fiduciary notified by the government based on volume/sensitivity of data processed
  • Consent Manager: Entity that enables data principals to give, manage, review and withdraw consent
  • Notice: Communication to data principal about personal data collection and processing
  • Consent Fatigue: Phenomenon where frequent consent requests lead to automatic approval without understanding
  • Data Protection Board: Adjudicatory body established under the Act
  • Privacy by Design: Proactive embedding of privacy into design specifications of technologies

THE PROOF

The DPDPA replaces the outdated Information Technology Act provisions on data protection with a modern framework balancing individual rights with legitimate data use. Unlike its predecessor, the Personal Data Protection Bill, 2019, the DPDPA is significantly leaner (only 43 sections) and aims to minimize compliance burdens while ensuring robust protections.

The Act’s jurisdiction extends to:

  1. Processing of digital personal data within India
  2. Processing of digital personal data outside India, if connected to offering goods or services in India
  3. Non-applicability to non-automated processing, personal data processed by individuals for personal or domestic purposes, and publicly available information

Key Provisions and Compliance Requirements

The Act establishes seven data protection obligations for fiduciaries:

  1. Purpose Limitation: Personal data may only be processed for the specified purpose for which it was collected
  2. Collection Limitation: Only necessary personal data can be collected
  3. Storage Limitation: Personal data may not be retained once the purpose is fulfilled
  4. Quality Assurance: Reasonable efforts must be made to ensure data completeness and accuracy
  5. Security Safeguards: Reasonable security safeguards must be implemented
  6. Accountability: Data fiduciaries remain accountable for compliance, even when processing is undertaken by data processors
  7. Notice and Consent Requirements: Clear, precise notices must be provided in the languages specified in the Eighth Schedule of the Constitution

Rights of Data Principals

The Act confers specific rights to data principals:

  1. Right to Information: About personal data being processed
  2. Right to Correction and Erasure: Correction, completion, updating or erasure of personal data
  3. Right to Grievance Redressal: Timely resolution of grievances
  4. Right to Nominate: Nomination of another individual in case of death or incapacity
  5. Right to Portability: Transfer of personal data to another fiduciary (applicable for significant data fiduciaries only)

Compliance Framework for Businesses

The compliance framework introduces substantial obligations:

  1. Consent Management:
    • Valid consent must be free, specific, informed, and unambiguous
    • Must be preceded by clear notice in scheduled languages
    • Withdrawal of consent must be as easy as giving it
    • Consent managers may be registered to facilitate consent management
  2. Data Principal Rights Management:
    • Establish clear procedures for handling rights requests
    • Respond within prescribed timelines (to be specified)
    • Provide reasons for denial of rights requests
  3. Children’s Data Protection:
    • Parental consent required for processing children’s data (under 18 years)
    • Prohibition on tracking, behavioral monitoring or targeted advertising directed at children
    • Age verification mechanisms mandatory
  4. Data Breach Notification:
    • Mandatory notification to Data Protection Board and affected data principals
    • Notification timeline and format to be prescribed
  5. Cross-Border Data Transfers:
    • Permitted to “notified countries or territories”
    • Subject to terms and conditions specified by the Central Government
  6. Additional Obligations for Significant Data Fiduciaries:
    • Appointment of Data Protection Officer
    • Independent data audits
    • Data protection impact assessments

Enforcement Mechanism

The Act establishes a Data Protection Board of India with authority to:

  • Determine non-compliance
  • Impose penalties (up to ₹250 crore)
  • Issue directions to data fiduciaries
  • Award compensation to data principals

The penalty structure is tiered based on violation severity:

  • Up to ₹10,000 for minor personal data breaches by individuals
  • Up to ₹50 crore for failure to protect children’s data
  • Up to ₹250 crore for significant data breaches

ABSTRACT

The Digital Personal Data Protection Act, 2023, marks a watershed moment in India’s data protection landscape, culminating a five-year legislative journey since the Puttaswamy judgment recognized privacy as a fundamental right. The Act balances individual privacy protection with enabling lawful data processing for economic and innovation purposes.

Unlike its global counterparts such as GDPR, the DPDPA focuses exclusively on digital personal data, leaving non-digital data outside its purview. The legislation adopts consent-based and purpose-limitation approaches, complemented by significant fiduciary obligations and meaningful rights for data principals.

Notable features include the establishment of a Data Protection Board, stringent protections for children’s data, and a risk-based approach to compliance obligations. The Act’s unique approach to cross-border data transfers—permitting transfers only to “notified countries”—reflects India’s focus on data sovereignty while enabling global data flows.

The DPDPA harmonizes with existing legislation like the IT Act, while providing exemptions for state functions, regulatory activities, and legally-mandated processing. This balancing approach aims to protect individual rights while enabling legitimate data use for economic growth and innovation.

CASE LAWS AND JUDICIAL PRECEDENTS

While the DPDPA is new and specific case law has yet to develop, several foundational judgments shaped its development:

  1. Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1: The Supreme Court’s landmark nine-judge bench decision recognized the right to privacy as a fundamental right under Article 21 of the Constitution. The Court held that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.” This judgment necessitated a comprehensive data protection framework, directly leading to the DPDPA.
  2. Karmanya Singh Sareen v. Union of India (2018): In this WhatsApp privacy policy challenge, the Delhi High Court observed that consent for data sharing must be free, specific, informed, and unambiguous—principles now incorporated in the DPDPA’s consent requirements.
  3. S.P. Sharma v. The Registrar, Delhi High Court (2021): The Delhi High Court emphasized the “right to be forgotten” as an aspect of data privacy, holding that “the Right to Privacy includes the right to be forgotten and the right to be left alone.” The DPDPA now formally recognizes the right to erasure.
  4. Internet Freedom Foundation v. Union of India (2022): Challenging facial recognition technology deployment, this case highlighted the need for purpose limitation and data minimization—principles that have been incorporated into the DPDPA’s core obligations.
  5. Facebook Inc. v. Delhi Legislative Assembly (2021) 7 SCC 1: The Supreme Court’s observations on social media platforms’ responsibilities foreshadowed the DPDPA’s approach to significant data fiduciaries.

These judicial precedents established the constitutional foundation and regulatory principles that the DPDPA has now codified into statutory law.

CONCLUSION

The Digital Personal Data Protection Act, 2023, represents a pivotal development in India’s digital governance framework, balancing individual privacy rights with legitimate data use needs. As implementation progresses through 2024-25, several key implications emerge:

  1. Compliance Transformation: Organizations across sectors must undertake comprehensive compliance transformations, particularly “significant data fiduciaries” who face enhanced obligations.
  2. Economic Impact: The Act is likely to foster trust in India’s digital ecosystem, potentially accelerating digital adoption while imposing compliance costs estimated at ₹4,000-8,000 crore across industries.
  3. Global Data Flows: The “notified countries” approach to cross-border transfers represents India’s unique solution to balancing data sovereignty with global integration.
  4. Enforcement Evolution: The effectiveness of the Data Protection Board as an adjudicatory mechanism, independent of existing regulatory structures, will determine the Act’s practical impact.
  5. Rights Realization: The real test lies in whether data principals can meaningfully exercise their newly granted rights, particularly given literacy and digital divide challenges.
  6. Remaining Gaps: Non-personal data, AI governance, and data localization requirements remain partly addressed through separate regulatory initiatives.

The DPDPA signifies India’s entry into the global data protection community, albeit with a distinctly Indian approach that prioritizes digital economy growth alongside privacy protection. As implementation proceeds, the regulatory landscape will further evolve through rules, clarifications, and judicial interpretations, potentially addressing the current gaps and ambiguities in the legislation.

For businesses, proactive compliance represents not merely legal necessity but strategic advantage in building customer trust. For citizens, awareness and exercise of data rights remain crucial to realizing the Act’s protective intent. With increasing data breaches and privacy concerns worldwide, the DPDPA represents a timely and necessary step in India’s digital governance journey, even as its full impact remains to be seen.

FREQUENTLY ASKED QUESTIONS

Q1: When does the Digital Personal Data Protection Act come into force? A: The Act was notified on August 11, 2023, but is being implemented in phases. The Central Government appointed May 10, 2024 as the date for Sections 1, 2, 3, 28-49 to come into force, while remaining provisions will be notified subsequently.

Q2: Which organizations are classified as “Significant Data Fiduciaries”? A: The criteria for designating Significant Data Fiduciaries include the volume and sensitivity of personal data processed, risk of harm to data principals, impact on sovereignty and integrity of India, risk to electoral democracy, security of the state, and public order. The specific thresholds will be notified by the government.

Q3: What are the exemptions under the DPDPA? A: Key exemptions include processing for:

  • State security, prevention/detection/investigation of crime
  • Personal/domestic purposes
  • Journalistic purposes (subject to codes of practice)
  • Research, archiving, or statistical purposes (subject to safeguards)
  • Data of non-residents processed pursuant to contracts with persons outside India

Q4: How does the DPDPA handle cross-border data transfers? A: Personal data may be transferred to countries or territories notified by the Central Government, subject to terms and conditions. This represents a shift from the data localization requirements proposed in earlier drafts.

Q5: What are the penalties for non-compliance? A: Penalties range from ₹10,000 for minor breaches by individuals to ₹250 crore for severe violations by organizations. Specific violations have defined penalty ranges, such as up to ₹200 crore for failure to notify data breaches.

Q6: How does the Act protect children’s data? A: The Act requires verifiable parental consent for processing children’s data (under 18 years) and prohibits tracking, profiling, or behavioral monitoring of children. It also prohibits targeted advertising directed at children.

Q7: What is the Data Protection Board and how does it function? A: The Data Protection Board is an independent adjudicatory body appointed by the Central Government with powers to determine non-compliance, impose penalties, and award compensation. The Board will operate digitally and handle complaints through an online portal.

Q8: Does the DPDPA apply to non-digital data? A: No, the Act applies only to digital personal data. Non-digital (physical/paper) personal data remains outside its scope.

Q9: How does the DPDPA interact with existing sectoral regulations? A: The DPDPA operates alongside existing sectoral regulations (banking, healthcare, telecom). In case of inconsistency, provisions of the DPDPA will generally prevail unless specifically excluded.

Q10: What immediate compliance steps should organizations take? A: Organizations should:

  • Map personal data processing activities
  • Review and update privacy notices and consent mechanisms
  • Implement data retention and deletion policies
  • Establish data principal rights management procedures
  • Develop data breach notification protocols
  • Review cross-border data transfer mechanisms
  • Conduct training and awareness programs
