Privacy In The Digital Era: Insights Into The Key Provisions Of The Digital Personal Data Protection Act, 2023

Khurana and Khurana


K&K is among leading IP and Commercial Law Practices in India with rankings and recommendations from Legal500, IAM, Chambers & Partners, AsiaIP, Acquisition-INTL, Corp-INTL, and Managing IP. K&K represents numerous entities through its 9 offices across India and over 160 professionals for varied IP, Corporate, Commercial, and Media/Entertainment Matters.


The Digital Personal Data Protection Act, passed in August 2023, marks a significant step for India in the worldwide regulatory movement on digital personal data protection rights. The DPDP Act was designed with a heavy emphasis on standardization, brevity, and simplicity. The Digital Personal Data Protection Bill, 2022, a draft bill released by the Ministry of Electronics and Information Technology on November 18, 2022, for public consultation, appears to have served as the basis for the DPDP Act, which is the outcome of the fifth iteration of proposed personal data protection legislation.1 The DPDP Act is focused on digital personal data and does not cover non-personal data. The DPDP Act is intended to be implemented gradually, that is, as and when the Central Government periodically announces the Act's contents.

"Data protection" describes the policies, safeguards, and legally binding regulations that have been implemented to ensure that an individual does not lose control over his data. To put it briefly, one should have the freedom to decide whether or not to reveal specific information, as well as who needs to see it, when, and for what reason. One should also have the ability to change particular parts of the information, among other things. Experts in the field of law believe that the word "data protection" is a catch-all for anything related to handling personal information. This is due to the term "data protection" being used to refer to any activity related to handling personal data.2


The DPDP Act addresses personal data processing in India in two circumstances: first, when the data is collected in non-digital form initially and then converted to digital form; and second, when the data is acquired in digital format from data principals. Therefore, the processing of personal data that is not digitalized is not covered by the DPDP Act. In addition, the statute's purview has been expanded. It can be applied extraterritorially, meaning that digital personal data processed outside of India's borders is also covered if the processing has to do with providing products or services to data principals in India. Interestingly, the DPDP Act is silent on whether the processing of personal data belonging to data principals based outside of India is covered by its provisions.3

It allows for some exemptions from the strict requirements for startups. The Act has added the term "Personal Data." It requires data fiduciaries to protect personal information under their care by putting in place appropriate security measures to prevent breaches. In the event of a data breach, the data fiduciary is obliged to notify the affected data principals as well as the Board. However, the notification mechanism is left up to the individual. The Act provides a comprehensive definition of processing personal data, which includes gathering, logging, organizing, storing, adapting, retrieving, using, aligning, combining, indexing, sharing, and disclosing personal data.4

Key Provisions:

1. Applicability:

Section 3(a) states that managing personal data in digital form within India is covered by the Act. This covers situations in which the data is either (i) obtained online or (ii) collected offline and then digitally formatted. If the data processing takes place outside of India and relates to delivering products or services to data principals within the nation, then it is likewise covered by the Act. Nonetheless, the following situations are exempt from this section's requirements on the treatment of personal data:

  1. A person uses the information for domestic or personal purposes.
  2. The data subject or a legal requirement has released personal information.
  3. Personal information is needed for statistical analysis, research, or archiving purposes, so long as it's not used to make decisions about the data subject specifically and the processing complies with government-mandated standards.5

For the purposes of this section, personal data is any information about a specific person who may be identified from or through such information. When referring to personal data, processing refers to an automated process or series of automated processes carried out on digital personal data.6 These processes can involve gathering, logging, organizing, structuring, storing, modifying, retrieving, using, aligning or combining, sharing through transmission, and disseminating data.7

2. Data Fiduciaries:

It is the responsibility of data fiduciaries to comply with the regulations specified in the 2023 Act, even in cases where a data processor handles any data processing on their behalf. To handle concerns, they must establish grievance redressal mechanisms. They also have to make sure that personal data is accurate and comprehensive, particularly when it's going to be shared with another data fiduciary or used to make choices that will affect the user. Data fiduciaries are required to delete user data and make sure their data processors do the same if the user withdraws consent or if it is reasonable to presume that the original purpose is no longer relevant, as in the event of extended user inactivity. On the other hand, if required by law, data fiduciaries may keep data. This new regulation is more precise than the 2022 Bill, which allowed data fiduciaries to keep data for vague "business and legal" purposes. Finally, data fiduciaries have a duty to notify the Data Protection Board (DPB) and the impacted users when there is a data breach.

Consent, as defined by Section 6(1) of the Act, is a data principal's declaration that they agree to their data being processed for a specific purpose, confined to the personal data that is required for that specific purpose. The Data Principal must provide free, explicit, informed, unconditional, unambiguous consent with clear affirmative action. The 2023 Act restricts the scope of consent validity to the personal information required to fulfill the designated purpose. Additionally, data principals are free to use consent managers' services to revoke their consent.

3. Data Principal - Rights and Duties:

The people who are the subject of the data (also known as data principals) have the right to obtain information about the personal data being processed. This includes details regarding the processing activities that are being performed as well as the names of all data fiduciaries and processors with whom their data has been shared. Additionally, data principals have the right to ask data fiduciaries to update, correct, complete, or remove their data. In the event of their demise or incapacitation, they are still entitled to designate a representative. Data fiduciaries are required to set up procedures that are simple to use to handle complaints from data subjects.

The Data Protection Board (DPB) must be consulted only after all other channels for resolving complaints have been exhausted, according to the 2023 legislation. Furthermore, the 2023 Act mandates that data principals abstain from assuming false identities or suppressing information while requesting official government paperwork. When a data principal exercises their right to access data for correction and erasure, the Act also requires them to submit accurate information.

4. Data Protection Board:

The DPDP Act states that the Data Protection Board (DPB) continues to act as an adjudication and enforcement body in addition to its current role as a regulatory body. The DPB's composition and operations are still under the control of the government. The 2023 Act provides detailed information about the membership requirements and the makeup of the DPB, both of which were noticeably omitted from the 2022 Bill. The central government of India formed the Data Protection Board, which will be responsible for many vital responsibilities.

These functions include: "(i) keeping an eye on compliance and applying sanctions; (ii) instructing data fiduciaries on what steps to take in the event of a data breach; and (iii) hearing complaints from those who have been impacted."8

5. Data of Children:

The Act maintains, in line with the definition from the 2022 Bill, that a "child" is any person under the age of eighteen. To process children's data, data fiduciaries must still obtain parental consent. If the Central Government finds that the processing is being carried out in a way that is clearly secure, this can be accomplished by decreasing the age requirement for requesting parental consent. Furthermore, it is imperative that a data fiduciary abstain from handling personal data in any way that would jeopardize a child's welfare.

6. Penalties:

In the event of non-compliance, data fiduciaries may be subject to financial penalties from the DPDP. As stated in Section 8(5) of the DPDPB, failing to establish appropriate security measures to avoid breaches of personal data might result in fines up to INR 250 Crores (two hundred and fifty million) under the recently imposed penalties under the DPDP. Significantly, the penalty cap of INR 500 Crores (five hundred million) for a single case has been lifted, meaning that processors and fiduciaries of data may now be subject to larger fines. It is important to note that the DPDPB has removed the data principal's ability to sue for damages if a data fiduciary violates its duties to protect personal data. Additionally, the DPDPB gives the Board the authority to fine data principals up to INR 10,000 (ten thousand) for not carrying out their legally mandated responsibilities.


An important turning point in the history of personal data protection in India has been reached with the implementation of the DPDP. Given the enormous number of internet users in the nation, the vast amount of data they produce, and India's significant involvement in cross-border investments and trade, this development has been long overdue. The current regulatory frameworks are not strong or complete, even while they outline requirements for data processors, incident reporting, and other matters, and offer specific protections for data principals.

By revamping the existing framework and replacing the current legislation, the DPDP marks a significant change. This is a significant advancement in safeguarding personal privacy in India. The DPDP gives people more authority over their data by creating a more open and accountable framework for processing personal data. Crucially, this act strengthens people's ability to claim their rights over their data and provides a major improvement in protecting them from the improper use of that data. This legislative effort has the potential to significantly impact India's data protection environment and guarantee the security and privacy of personal information.

However, the DPDP is not impervious to criticism. Some may argue that the regulations are too onerous and might hinder industrial innovation. defend their rights concerning their data. On the other hand, others may contend that the DPDP is insufficient in protecting personal privacy because of the significant jurisdiction granted to the Central Government in this regard.


Digital Personal Data Protection Act, 2023

Huzaifa Shaikh & Radheshyam Prasad, Vacillating between No Law and Bad Law: An Analysis of the Digital Personal Data Protection Bill, 2022, 12 NLIU L. REV. 1 (2023).

Chanlang Ki Bareh, Reviewing the Privacy Implications of India's Digital Personal Data Protection Act (2023) from Library Contexts, DESIDOC Journal of Library & Information Technology, Vol. 44, No. 1, January 2024, pp. 50-58.




1. (Last Accessed: 15.05.2024).


3. A Free and Fair Digital Economy Protecting Privacy, Empowering Indians, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, July 2018.

4. Ibid.

5. Huzaifa Shaikh & Radheshyam Prasad, Vacillating between No Law and Bad Law: An Analysis of the Digital Personal Data Protection Bill, 2022, 12 NLIU L. REV. 1 (2023).

6. Section 2(x), Digital Personal Data Protection Act, 2023.

7. Ibid.

8. Section 27, Digital Personal Data Protection Act, 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
