Introduction
India's Digital Personal Data Protection Act, 2023 (hereinafter referred to as the "DPDP Act") represents a landmark reform in data privacy, establishing a comprehensive, technology-aligned framework that balances the individual's fundamental right to data protection with the need for legitimate processing of personal data. Enacted on August 11, 2023 but yet to be brought into force, it defines "digital personal data" broadly to cover any information about an identifiable individual in digital form. It applies to the processing of such data within India and, extraterritorially, to processing outside India that is connected with offering goods or services to individuals in India. By asserting this extraterritorial reach, the Act ensures that the digital personal data of individuals in India remains protected regardless of where it is processed, while excluding processing for purely personal or domestic purposes as a practical exemption.
Need for the DPDP Act
The DPDP Act, 2023 fills critical gaps in the Information Technology Act, 2000 (hereinafter referred to as the "IT Act")[1] and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as the "SPDI Rules")[2] by providing a comprehensive, sector-agnostic framework for all digital personal data, including the extraterritorial processing of data relating to individuals in India. Replacing implied consent with explicit, informed, and revocable consent, it grants data principals the rights of access, correction, erasure, grievance redressal, and nomination.
A new Data Protection Board of India will oversee enforcement and impose substantial penalties, while data fiduciaries must adhere to obligations on data minimization, accuracy, security, breach notification, and restricted cross-border transfers. Upon its commencement, Section 43A of the IT Act will stand repealed and the SPDI Rules will become redundant, unifying India's data protection regime, aligning it with global standards, and fostering responsible innovation and trust in the digital economy.
The DPDP Act and Its Rules: Prominent Features
The Global Data Privacy Landscape[3]
India's DPDP Act, 2023 is part of a growing worldwide movement toward strengthening individual data privacy rights, mandating organisational accountability, and imposing stringent regulatory oversight. Central to the DPDP Act is the requirement that the processing of digital personal data be lawful, transparent, and limited to specified purposes, with explicit, freely given, informed, specific, and revocable consent as the primary lawful basis. The request for consent must be presented in clear language and accompanied by contact details for grievance redressal.
Consent obtained before the Act's commencement remains valid but triggers a prompt notice obligation. Exceptions to consent, such as compliance with law, medical emergencies, and the performance of government functions, are narrowly defined and subject to transparency mandates. Data fiduciaries must collect only the data necessary for the stated purpose, ensure its accuracy, implement reasonable security safeguards (for example, encryption, access controls, and audit logs), notify the Board and affected individuals of personal data breaches, and erase or anonymise data once the purpose is served or consent is withdrawn.
Processing children's data requires verifiable parental consent and prohibits targeted advertising directed at, or behavioural tracking of, minors. The Government may designate Significant Data Fiduciaries on the basis of the volume and sensitivity of data processed, the risk to data principals, and other factors of public importance, imposing additional obligations such as appointing a Data Protection Officer, conducting periodic audits and data protection impact assessments, and maintaining swift grievance processes.
The Data Protection Board of India, an independent regulator composed of legal, technical, and governance experts, wields investigatory and adjudicatory powers, issuing corrective directions and substantial penalties of up to ₹250 crore for failure to implement reasonable security safeguards and up to ₹200 crore for failure to notify a breach or for violations of the obligations relating to children's data. There is no formal cure period, but the Board's orders are subject to appellate review.
The accompanying Digital Personal Data Protection Rules, 2025 (hereinafter referred to as the "DPDP Rules") operationalise the Act by setting out provisions on consent management, breach notification, grievance redressal, data protection impact assessments, independent audits for Significant Data Fiduciaries, data retention limits, cross-border transfer protocols, and registration and reporting obligations, together forging a modern, enforceable data-protection framework aligned with global norms while reflecting India's socio-legal context.
However, the DPDP Act poses several challenges, primarily owing to the absence of clear procedural standards for implementation. It lacks clarity on how data fiduciaries should operationalise key obligations such as breach reporting and grievance redressal. Further, the absence of explicit timelines and procedural safeguards for the Data Protection Board may lead to inconsistent regulatory practice. Ambiguities around cross-border data transfers and the wide scope for government exemptions also raise concerns regarding accountability and transparency.
The DPDP Act aligns with global trends in data privacy. It mirrors core principles of the EU's General Data Protection Regulation (hereinafter referred to as the "GDPR"), such as explicit consent, data minimisation, purpose limitation, and the rights to access, correction, and erasure, as well as the California Consumer Privacy Act's (hereinafter referred to as the "CCPA") emphasis on consumer control and transparency, while tailoring obligations and enforcement mechanisms to India's socio-legal context and incorporating features such as extraterritorial jurisdiction and tiered regulation for Significant Data Fiduciaries.
The European Union's GDPR: A Robust Paradigm[4]
The GDPR, in force since May 2018, remains the most influential global benchmark, emphasising protection through detailed data subject rights, transparency, accountability, and cross-border data transfer controls. Over 2021-2025, GDPR enforcement has intensified, accumulating over €5.88 billion in fines across sectors and signalling mounting regulatory vigilance. A significant case study is Meta's €1.2 billion fine (May 2023) imposed by the Hon'ble Irish Data Protection Commission (IE DPA)[5], a record-breaking penalty on Meta (formerly Facebook) for transferring European users' personal data to the United States (US) without adequate safeguards, in violation of the GDPR's cross-border data transfer rules.
This case strongly affirms the GDPR's extraterritorial reach and the criticality of safeguarding data beyond national borders. Meta is appealing, but the decision is expected to influence global data governance frameworks, including India's. Amazon's €746 million fine (July 2021)[6] is another instructive example: Luxembourg's National Commission for Data Protection (CNPD) fined Amazon for processing consumer data in its advertising targeting system without valid consent. Triggered by a complaint brought on behalf of over 10,000 individuals, this case highlights the GDPR's focus on the validity of consent and consumer control over targeted advertising.
Ireland's DPC also fined Meta Ireland for inadequate protections in Instagram's handling of children's personal data, including the public display of minors' contact information and the failure to conduct the required Data Protection Impact Assessments (DPIAs). This case underscores the GDPR's strict stance on vulnerable user groups and the importance of privacy by design. In addition, the Schrems II ruling of the Court of Justice of the European Union (CJEU) in 2020[7] continues to reverberate through enforcement, having invalidated the earlier EU-US data transfer framework for want of sufficient safeguards. The EU-US Data Privacy Framework of 2023 reflects the continuing regulatory effort to reconcile privacy with international data flows.
United States' California Consumer Privacy Act, 2020 and California Privacy Rights Act, 2023: Consumer-Focused Data Privacy[8]
While the US lacks a unified federal data protection law, states such as California have enacted the CCPA and the stricter California Privacy Rights Act, 2023 (hereinafter referred to as the "CPRA"), emphasising consumer rights such as the right to know, the right to delete, and the right to opt out of the sale of personal information. Enforcement shows increasing regulatory action across sectors. In 2022, Sephora was penalised for failing to disclose that it sold consumers' personal information and for not honouring opt-out requests[9]. The matter was settled for USD 1.2 million with the State of California's Hon'ble Department of Justice, Office of the Attorney General, demonstrating the Attorney General's strict approach to transparency and consumer autonomy in the use of personal information. Another major settlement with the same office is the USD 49 million Kaiser Permanente settlement (2023)[10]. This record settlement arose from the improper disposal of medical records involving over 7,700 patients, emphasising that data privacy and the physical security of records intersect under California's health privacy and consumer protection laws. Kaiser agreed to extensive remedial measures including audits and training. The CCPA also subjects privacy policies and notices to close scrutiny, requiring clear, timely disclosures and user-friendly interfaces for exercising privacy rights.
Other Global Regulatory Developments
The Brazilian General Data Protection Law (LGPD)[11] mirrors GDPR principles with a focus on consent, transparency, and a dedicated regulatory authority, highlighting the growing emphasis on data privacy beyond the US and EU paradigms. Jurisdictions such as Singapore, South Korea, and Japan have adopted hybrid frameworks inspired by the GDPR that accommodate digital innovation alongside data protection (for example, Singapore's Personal Data Protection Act, 2012)[12]. The spread of such laws underlines the global progression toward harmonising individual rights with responsible data use, pushing corporations worldwide to adopt privacy-by-design principles and proactive compliance cultures. These regulatory principles provide valuable guidance for enforcing India's DPDP Act, which similarly stresses explicit consent, data minimisation, breach notification, and the rights to erasure and grievance redressal.
Landmark Cases and Judicial Precedents:
The Hon'ble Delhi High Court's Directions on DPDP Implementation (2025)[13]
The Hon'ble Delhi High Court questioned the Government on the delay in notifying the DPDP Rules and operationalising the Act, underscoring judicial insistence on timely and effective enforcement mechanisms and grievance redressal to prevent the misuse of personal data in practice. This judicial reminder emphasises the pragmatic point that the DPDP Act's intent cannot be realised until the Rules are in place and the regulator is ready.
Star Health Insurance Data Breach (2024)[14]
This incident, involving the exposure of the personal data of over 31 million customers, reaffirmed data fiduciaries' obligations of breach notification, cooperation with investigations, and safeguarding sensitive health information. The case illustrates the potential for severe penalties under the DPDP framework and the importance of internal security governance, as emphasised by the Hon'ble Insurance Regulatory and Development Authority of India (IRDAI).
WhatsApp Privacy Policy Case (2021-2023)[15][16]
Regulatory and judicial scrutiny of WhatsApp's 2021 privacy policy focused on transparency, user consent, and data sharing with its parent company Meta. The Hon'ble Supreme Court directed WhatsApp to widely publicise its stand that users in India need not accept the 2021 privacy policy in order to continue using the application, pending the enactment of data protection legislation, highlighting evolving privacy expectations and reinforcing the DPDP Act's consent and transparency principles.
Medusind Healthcare Data Breach (2023[17])[18]
This significant breach exposed the sensitive health and financial data of over 360,000 individuals, highlighting the fiduciary obligation of organisations to protect personal data. It underlines the DPDP Act's strict breach notification rules and the need for robust technical safeguards and breach response capabilities. The resulting class action was settled for USD 5 million, with the settlement approved by the United States Hon'ble District Court for the Southern District of Florida, Miami Division.
LinkedIn Data Scraping Litigation and Outcome (2021 onwards[19])[20]
The extended litigation between hiQ Labs and LinkedIn in the United States Hon'ble Court of Appeals for the Ninth Circuit revolved around the scraping of public LinkedIn profiles. The Hon'ble court held that scraping publicly accessible data likely does not constitute unauthorised access under the Computer Fraud and Abuse Act, a computer crime statute rather than a data protection law, a position that leaves open liability where technical access barriers are circumvented or contractual terms are breached. While India's DPDP Act requires explicit consent, this case prompts questions about the boundary between the use of publicly available data and personal data protection, influencing policy frameworks on data scraping and consent regimes.
Hon'ble Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017)[21]
In this benchmark ruling, a nine-judge bench of the Hon'ble Supreme Court unequivocally declared the right to privacy a fundamental right under the Indian Constitution (Articles 14, 19, and 21). Arising from challenges to the Aadhaar biometric system, the judgment emphasised that privacy is integral to personal liberty and may be curtailed only on compelling state interest and with due process. It laid the constitutional foundation demanding a comprehensive data protection law, the prime motivation behind the present DPDP Act.
Conclusion
India's Digital Personal Data Protection Act, 2023 marks a transformative shift in India's data governance, replacing the limited IT Act, 2000 and SPDI Rules, 2011 with a comprehensive, consent-driven framework that applies to all digital personal data, including processing by government and by entities abroad targeting individuals in India. It introduces robust individual rights (access, correction, erasure, grievance redressal, and nomination), strict obligations on Data Fiduciaries and Data Processors, special safeguards for children, and heightened compliance requirements for Significant Data Fiduciaries. The Act establishes the Data Protection Board of India with investigatory and adjudicatory powers, backed by stringent penalties of up to ₹250 crore and cross-border transfer restrictions. The complementary DPDP Rules, 2025 operationalise these principles through consent management, breach notification, audits, and retention norms.
Globally, the DPDP Act aligns with the GDPR's consent and rights model but is more consent-centric than the US frameworks (CCPA/CPRA), stricter on children's data than EU law, and lighter on cross-border restrictions than the GDPR. Notable global enforcement cases (Meta and Amazon under the GDPR; Sephora and Kaiser in California) and the Indian and US breaches discussed above (Star Health and Medusind) highlight the urgent need for compliance. Anchored by K.S. Puttaswamy v. Union of India (2017), which recognised privacy as a fundamental right, the DPDP Act situates India within the evolving global privacy landscape while addressing local challenges.
Despite its progressive legal architecture, enforcement challenges loom: the centralisation of regulatory authority in a single Board may lead to resource bottlenecks, particularly limiting scrutiny of smaller fiduciaries. The law's effectiveness hinges on government capacity building, public awareness, shifts in corporate culture, and clarification of sector-specific intersections.
Emerging technologies like AI, evolving cross-border data flows, and integration with other privacy instruments will shape DPDP's trajectory. Stakeholder consultations on DPDP Rules, 2025, are essential for refining operational nuances including consent managers, data retention timelines, and audit frameworks.
Footnotes
1. https://www.meity.gov.in/content/information-technology-act-2000
2. https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf
3. https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/
4. https://www.csis.org/blogs/strategic-technologies-blog/3-years-later-analysis-gdpr-enforcement
5. https://www.edpb.europa.eu/system/files/2023-05/edpb_bindingdecision_202301_ie_sa_facebooktransfers_en.pdf
6. https://www.bbc.com/news/business-58024116
7. https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf
8. https://www.cliffordchance.com/insights/thought_leadership/trends/2025/data-privacy-legal-trends.html
9. https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement
10. https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-49-million-settlement-kaiser-illegal-disposal
11. https://www.gov.br/anpd/pt-br/centrais-de-conteudo/outros-documentos-e-publicacoes-institucionais/lgpd-en-lei-no-13-709-capa.pdf
12. https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act
13. https://www.livelaw.in/high-court/delhi-high-court/delhi-high-court-questions-centre-on-implementation-of-digital-personal-data-protection-act-305532
14. https://www.scconline.com/blog/post/2025/01/28/legal-ramifications-data-breach-discussed-in-light-of-star-health-and-allied-insurance-breach/
15. https://www.scconline.com/blog/post/2023/02/03/directed-whatsapp-to-widely-publicise-stand-that-its-users-in-india-do-not-have-to-accept-its-2021-privacy-policy-in-order-to-use-mobile-application/
16. https://www.cci.gov.in/images/antitrustorder/en/order1732001619.pdf
17. Owings et al. v. Medusind, Inc., Case No. 1:25-cv-20117, Southern District of Florida, filed January 9, 2025.
18. https://www.medusinddataincidentsettlement.com/Content/Documents/Owings%20v%20Medusind_Settlement%20Agreement.pdf
19. https://cdn.ca9.uscourts.gov/datastore/opinions/2022/04/18/17-16783.pdf
20. https://natlawreview.com/article/linkedin-s-data-scraping-battle-hiq-labs-ends-proposed-judgment
21. (2017) 10 SCC 1, AIR 2017 SC 4161
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.