An Overview of The Digital Data Protection Act, 2023

5th May, 2025 - 10:22 am Categories: Data Protection 0 Comments

The Digital Personal Data Protection Bill, 2023, introduced on 3 August, 2023, the bill received the President’s assent on 11 August 2023 and became law of the land[1].The Digital Personal Protection Act, 2023 (“hereinafter referred to as DPDP Act”) lays down the procedure for processing personal data lawfully while simultaneously empowering and protecting the rights of data principle as defined under section 2(j) of the Act. The act is set to replace the existing framework provided under the IT Act,2000, and the SPDI Rules,2011.

The bill marks the fourth version presented in the parliament, succeeding the government earlier version of the bill that was introduced in parliament in 2019 as the “Personal Data Protection Bill, 2019”. The government, however, withdrew this bill, a fresh draft was made, which was different from the previous versions, that is, the Draft Digital Personal Data Production Bill, 2022[2].  The bill’s introduction came 6 years after the landmark judgement of K.S. Puttaswamy v. Union of India[3] wherein the SC recognized the fundamental right of privacy. The act inculcates the term “data principal” to refer to the personal data of an individual and “data fiduciary” is the term used that determines the means of handling of data principal’s personal data.

OVERVIEW OF THE ACT

1. The act only applies to personal data, whether collected in digital or non-digital data. (section 3 (a) of the act)
2. The act extends to digital personal data processed outside India when the processing is related to provision of goods and services to the data principal situated in India (Section 3(b) of the act.)
3. Under the act, the data principal must be provided with a notice, either before or at the time of requesting consent, detailing the personal data being collected, the purpose, and how they can withdraw consent, seek grievance redressal or file a complaint with the Data Protection Board. The act also introduces ‘legitimate user’ allowing processing without consent in specific cases such as voluntary data sharing, employment, medical emergencies, and delivery of the government service or benefit. (Section 5 of the act)
4. The act permits the processing of the personal data only for a lawful purpose for which the data principal has provided consent in accordance with the act. The consent must be free, specific, informed, and with a clear affirmative action. The data principal has the option to view the notice and consent form in English or any other language specified under Schedule Eight of the Constitution of India. (Section 6 of the act)
5. The data fiduciaries must ensure compliance with the DPDP Act, including for data processed by processor on their behalf. They must ensure accuracy and completeness of personal data if it affects the data principal or is shared with another fiduciary. The personal data must be deleted if the consent is withdrawn and the purpose is no longer served unless retention is required by law. (Section 8 of the act)
6. The act permits data fiduciaries to transfer personal data to any country or territory unless the central government specifically notifies certain countries where transfers are restricted. However, if any law or sectoral regulation imposes stricter requirements or additional restrictions on cross-border transfer, whether for specific types of data or certain categories of data fiduciaries, the stricter provisions prevail. (Section 16 of the act).
7. The act mandates obtaining verifiable consent from a parent or guardian for processing the personal data of children and persons with disabilities. It prohibits tracking, behavioural monitoring, targeted advertising and processing likely to harm children. The central government may exempt certain data fiduciaries or processing activities from these requirements and may also relax obligations for processing data of children above a specified age but under 18. (Section 9 of the act)
8. The act grants data principals’ rights such as accessing information about their data, including a summary of the data, processing activity, identities of data fiduciaries and principals with whom their data is shared. They also have the right to correct, erase data and nominate an individual on their behalf in the event of death or incapacitation. Data fiduciary must provide accessible grievance mechanisms and data principal must exhaust them before approaching the Data Protection Board. (Section 11 of the act)
9. The act establishes the “Data Protection Board” as the enforcement body with power to investigate data breaches, issue remedial direction, impose penalties, inspect documents, and summon individuals. Appeals against DPB order can be filed before the TDSAT Act,1997, with further appeals to the SC. (Section 18 and 29 of the act).
10. The act can impose monetary penalties up to 250 crores after enquiry considering the factors like nature, gravity, duration of the breach etc. The DPDP Act does not provide for compensation to data principal for data breaches, unlike the Information Technology Act,2000. However, it imposes duties on data principals, such as providing authentic data, avoiding impersonation and not filing false complaints. Violation of such duties can attract penalties up to INR 10,000. (Section 33 of the act).
11. The act also exempts consent, notice and other obligation in cases such as enforcing legal rights, processing by courts or tribunal, investigation or prosecution of offences and processing data of non-Indian residents in India.

Recently, the DPDP Rules, 2025[4] were released by the MeitY , to bring the DPDP Act,2023 into effect by offering practical guidance on key issues like data processing, consent management, breach notification, special provision for children’s data and cross-border data transfers. These draft rules mark an important step in strengthening India’s data protection framework. The Minister for MeitY has clarified that this approach was intentional as to avoid rigid regulation given the fast-changing digital landscape[5]. However, there are some key issues with the draft rules.

One of the key aspects covered is the requirement for data fiduciaries to provide clear, plain language notice to data principals, detailing the personal data collected, purpose and grievance mechanism. Despite these standards, the lack of specificity of how the notice should be delivered creates room for manipulative practices, that could hinder the truly informed consent. Security standards are also addressed with Rule 6 mandating the data fiduciary to adopt encryption, access control while ensuring contractual provisions extend these obligations to the data processor. However, the actual implementation and clarity around this remain limited.

Exceptions for the government agencies are also provided, allowing them to process personal data without fresh consent, however, the broad scope of these exemptions, coupled with the undefined terms, raises concerns about the potential state surveillance and circumvention of the constitutional safeguard as established in the Puttaswamy judgement. The exemption for research and statistics under rule 15 lacks clear definitions and fails to require data principal consent, leaving the door open for misuse.

Rule 9 talks about the Data Protection officer, however, there is an ambiguity regarding their qualification, which should be addressed. Special provisions apply to children and persons with disability, who require verifiable consent from the parent and guardian prior to processing their data under Rule 10; however, there is no clear distinction made for children and persons with disability equating them as the same, thereby questioning the autonomy of persons with disability.  These are some of the issues in the draft Rules, while these rules provide some much-needed structure, their overall effectiveness hinges on the clarity of implementation and checks placed on both states and private actors.

DPDP act is not the end of the road, it lays the groundwork for the evolving landscape of data privacy laws in India. The act represents an important but cautious step towards personal data protection in India. Its ultimate success hinges upon the government’s intent and commitment to safeguarding privacy. With robust institutional safeguards and a strong commitment to privacy protection, the act has potential to establish a balanced and effective data protection framework in the Country.

Author: Harshita Logre , in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at Khurana & Khurana, Advocates and IP Attorney.

[1]“The Digital Personal Data Protection Act, 2023 (No. 22 of 2023), Gazette of India, August 11, 2023

[2]“The Digital Personal Data Protection Bill, 2022, Ministry of Electronics & Information Technology, Government of India, accessed August 9, 2023

[3]K.S. Puttaswamy v. Union of India (2019) 1 SCC 1

[4] Government of India. (2025). Digital Personal Data Protection Rules, 2025. Ministry of Electronics and Information Technology.

[5] Karthika Rajmohan, Internet Freedom Foundation, see at: https://internetfreedom.in/first-read-on-the-dpdp-rules-2025/.