Digital Personal Data Protection Act, 2023 (India)
India's DPDP Act, 2023 is the country's first comprehensive data protection law, centered on consent and legitimate uses, with the Data Protection Board as enforcer. It introduces data fiduciary duties, children's data protections, and steep penalties.
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive law dedicated to personal data protection. It received presidential assent and was published on August 11, 2023, after years of debate and earlier draft bills. The Act will come into force in stages as the government notifies provisions and issues implementing rules. It replaces the limited data protection provisions that previously existed under the Information Technology Act and its rules.
The DPDP Act is built around consent and a small set of legitimate uses. It introduces the roles of Data Fiduciary and Data Principal and creates the Data Protection Board of India to adjudicate complaints and impose penalties.
Who It Applies To
The Act applies to the processing of digital personal data within India where the data is collected in digital form or in non-digital form and later digitized. It also applies to processing outside India if it is in connection with offering goods or services to data principals in India. It does not apply to personal data processed for purely personal or domestic purposes or to data made publicly available by the data principal or under a legal obligation. Certain government processing can be exempted by notification.
Key Requirements
Data fiduciaries must process personal data only for a lawful purpose with the consent of the data principal or for certain legitimate uses. Consent requests must be accompanied by a clear notice describing the data, the purpose, and how to exercise rights, and must be available in English and Indian languages. Data principals have rights to access, correction, completion, erasure, and grievance redressal, and the right to nominate. The Act introduces consent managers as registered intermediaries. Processing of children's data requires verifiable parental consent and prohibits tracking and targeted advertising directed at children. Significant Data Fiduciaries face extra duties such as appointing a Data Protection Officer in India, an independent data auditor, and conducting periodic data protection impact assessments. Fiduciaries must implement reasonable security safeguards and report personal data breaches to the Board and affected principals.
Penalties for Non-Compliance
The Data Protection Board can impose monetary penalties for breaches of the Act. The maximum penalty is up to INR 250 crore for failing to take reasonable security safeguards, with other graded penalties for different violations. There is no statutory provision for compensation to individuals; enforcement is through penalties imposed by the Board.
How to Comply
Map your digital personal data and identify a lawful basis, relying on consent or a legitimate use. Provide clear, multilingual notices and build consent and withdrawal mechanisms. Establish processes for access, correction, erasure, and grievance redressal. Apply verifiable parental consent for children's data. Implement reasonable security safeguards and a breach reporting process. If you are a Significant Data Fiduciary, appoint a DPO in India, engage a data auditor, and run impact assessments. Track the staged notification of rules.