A structured guide on basics of the Digital Personal Data Protection Act, 2023 (DPDP Act).
The Digital Personal Data Protection Act, 2023 (DPDP Act) received the assent of the President on August 11, 2023. Modelled on the GDPR, the golden law on the subject, the DPDP Act is yet to be brought into force. Once in force, the legislation will replace Section 43A of the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, or the SPDI Rules.
The Ministry of Electronics and Information Technology released the Draft Digital Personal Data Protection Rules, 2025 on January 3rd. These rules are a critical extension of the DPDP Act and, once enacted, will provide clarity on various procedural and operational aspects of the Act.
The DPDP Act covers several fundamental aspects:
The DPDP Act has extra-territorial application, which means that the legislation applies not only within India but also outside the territory of India. However, the legislation does not apply to all kinds of data; it applies only to digital personal data. The legislation also lays down certain situations in which it does not apply.
Any natural person or individual to whom the data relates is the Data Principal. In simpler words, we are all Data Principals. For instance, suppose you are buying groceries using Big Basket. You provide your contact details, that is, your phone number and address. In such a case, you are the Data Principal, as the data being processed to deliver your groceries is your personal data.
The legislation has broadened the scope of Data Principals to include within its ambit the parent or a lawful guardian of a child or a person with disability.
Any person who determines the purpose and means of processing the personal data of the Data Principal, either alone or in conjunction with others, is known as a Data Fiduciary.
Any person who processes the personal data of a Data Principal on behalf of the Data Fiduciary is a Data Processor.
For instance, you set up an account on Amazon and provide your contact information and payment details as you place an order for your gym wear from Adidas. You make the payment using UPI.
Now the question is: which of these entities are Data Fiduciaries?
In this particular illustration Adidas uses your personal details through Amazon to provide you with your gym wear. It determines the purpose and means of processing your contact and payment information and is thus a data fiduciary.
Amazon does not determine the purpose of processing your personal data and will thus be only an intermediary and not the Data Fiduciary. Amazon stores the data in its cloud computing service, AWS, which will be the Data Processor.
Similarly, the UPI platform that you are using for making the payment will also be considered to be a Data Fiduciary.
Chapter III, Sections 11 to 15 of the DPDP Act provides the Data Principals with certain rights regarding their sensitive personal data. These rights can be exercised against the Data Fiduciaries. In the case of consent managers, the Data Principals can only exercise the right to grievance redressal. Let us briefly look at these rights:
The DPDP Act grants the Data Principals the right to request summaries of their personal data that is being processed. They can also request the identities of the Data Fiduciaries and the Data Principals with whom their personal data has been shared. The Data Fiduciaries cannot refuse to disclose such information unless the disclosure has been exempted by the government, for instance, in the case of investigation of offences.
The DPDP Act empowers the Data Principals to request the correction, completion, updating, or erasure of their personal data. The Data Fiduciaries are obligated to comply with such a request unless the personal data is necessary for a specific purpose or is being used on the basis of voluntary legitimate purposes.
The right to access information and to correct or erase personal data is available only where the data is being processed with the consent of the Data Principal or is being used on the basis of voluntary legitimate purposes.
Data Fiduciaries and consent managers are required to ensure that the Data Principals have access to a grievance redressal mechanism, thus upholding their right to grievance redressal.
A unique feature of the DPDP Act, which finds no mention under the GDPR, the golden law on data protection, is the right to nominate someone to exercise the rights granted by the legislation in the event of the death of the Data Principal.
Section 15 of the DPDP Act lays down the duties of the Data Principals. If they fail to fulfil these obligations under the legislation, they may be liable to penalties extending up to Rs. 10,000 under the DPDP Act.
Section 8 of the DPDP Act lays down the obligations of the Data Fiduciaries. If they fail to comply with these obligations, they can be liable for hefty penalties under the legislation. These duties are as follows:
Data Fiduciaries must ensure personal data is complete, accurate, and consistent whenever it is:
Data Fiduciaries are required to make additional efforts to comply with this particular obligation, because of the difficulty they face in establishing a "complete" database of all the personal information they hold.
Data Fiduciaries have an obligation to notify the affected individual and the Data Protection Board of a breach of personal data. They face penalties of up to Rs 200 crore for non-compliance. Separately, the CERT-In reporting requirements under cyber security laws provide for reporting certain cyber incidents to the Computer Emergency Response Team.
The Data Fiduciaries must implement appropriate technical and organizational measures to comply with the DPDP Act. They are required to take reasonable security measures to prevent data breaches. These can include encryption wherever appropriate, notice and consent mechanisms, and data retention policies. The legislation gives the Data Fiduciaries flexibility in determining the appropriate measures. Failure to implement reasonable security measures carries penalties of up to Rs 250 crore.
They are prohibited from retaining the personal data of the Data Principal beyond what is permitted. Every Data Fiduciary must erase personal data when:
Data Fiduciaries must publish the contact details of the grievance officer, that is, the person who will deal with the queries of the Data Principal.
Section 9 of the DPDP Act provides for the processing of the personal data of children. It lays down certain obligations on the Data Fiduciary when handling the sensitive personal data of children. These include:
If the Data Fiduciaries fail to comply with these obligations, they may face penalties which may extend to Rs. 200 crore.
The DPDP Act is a significant advancement in the data protection framework of India. Even though it draws inspiration from the GDPR, it incorporates its own unique elements drawn from the Indian context. The DPDP Act balances the roles of the Data Principals and the Data Fiduciaries.
With substantial penalties for non-compliance, the DPDP Act emphasizes accountability while granting special protection to the vulnerable group of children and persons with disabilities. Once fully implemented with the Draft Rules of 2025, this legislation will modernize India's approach to personal data protection in the digital age.
While our resources provide comprehensive analysis, implementing DPDPA compliance requires expert guidance tailored to your organization's specific needs.