On August 11, 2023, India enacted the Digital Personal Data Protection Act, 2023 (“DPDP Act”). Non-personal data is exempt from the DPDP Act’s provisions, which are focused on digital personal data. Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 will be superseded by the DPDP Act once its provisions come into effect. The DPDP Act is intended to take effect gradually, i.e., as and when the Central Government periodically notifies the Act’s provisions.

Key Highlights

Applicability:

Only Applies to Digital Personal Data – The DPDP Act, 2023 applies only to personal data that is collected in digital form, or that is collected in non-digital form and subsequently digitised.

Overseas Applicability – The DPDP Act applies to digital personal data that is processed outside India only if such processing is in connection with any activity related to the offering of goods or services to data principals (data subjects) in India.

Exclusions – The DPDP Act does not apply to: (i) personal data processed by an individual for any personal or domestic purpose; or (ii) personal data made publicly available by the data principal herself or any other person under a legal obligation.

Data Protection Principles:

Limitation on Purpose: Personal information shall only be processed for legitimate purposes for which the data principal has granted her consent and in compliance with the DPDP Act.

Limitation on Collection: Only the personal information required for the stated purpose should be gathered.

No Sub-classification of Personal Data: The provisions of the DPDP Act apply to all kinds of personal data and do not envisage sub-categories of personal data, such as sensitive personal data or critical personal data. Accordingly, the requirements of the DPDP Act will apply equally to all forms of personal data, agnostic of the nature or type of the personal data.

Consent & Notice:

Affirmative Consent – Consent is the underlying basis for processing personal data and needs to be free, specific, informed, unconditional and unambiguous. Such consent has to be provided by a clear affirmative action, and signify the data principal’s agreement for processing of her personal data for the specified purpose.

Withdrawal of Consent – The data principal has the right to withdraw consent at any time with the same level of ease with which she gave her consent. Such withdrawal of consent will not affect the legality of processing of the personal data based on consent before its withdrawal.

Notice – A notice needs to be provided to the data principal, along with or preceding every request for consent, informing the data principal about the personal data and the proposed purpose of processing, and the manner in which she may exercise her rights to withdraw consent, avail the grievance redressal mechanism and make a complaint to the Data Protection Board (“DPB”). Where the data principal has given consent for processing her personal data before the law comes into force, a similar notice needs to be provided to her as soon as it is reasonably practicable, and the data fiduciary may continue processing the data principal’s data until such time as she withdraws the prevailing consent in response to the aforesaid notice.

Notice & Consent in Multiple Languages – The data principal should have the option to view the notice and consent form in English or in any other language specified in the Eighth Schedule of the Constitution of India (which includes Urdu, Tamil, Telugu, Sanskrit, Punjabi, Marathi, Hindi, Kannada, Bengali, Gujarati, Kashmiri, etc.).

Obligations of Data Fiduciary:

Compliance with the DPDP Act is the responsibility of data fiduciaries, and this includes any processing of personal data carried out on their behalf by a data processor. Data fiduciaries must guarantee the accuracy and completeness of any personal data they process if it will be shared with another data fiduciary or used to make decisions that could impact the data principal.

Rights of Data Principals: The DPDP Act provides certain rights to data principals, which include the right to access information about personal data, including a summary of the personal data being processed, the underlying processing activities and any other information as prescribed, and the identities of all data fiduciaries and data principals with whom such data was shared; the right to correction and erasure of personal data; and the right to nominate an individual to exercise these rights on their behalf in the event of their death or incapacitation, etc. As per the DPDP Act, data fiduciaries need to offer readily available grievance redressal mechanisms to data principals. In this regard, the data principal must exhaust all options for grievance redressal before approaching the DPB.

Penalties:

Monetary Penalties for Breach – Depending on the nature of the contravention, monetary penalties of up to INR 250 crores may be levied by the DPB on the conclusion of an inquiry. Several factors may be taken into account to determine the quantum of penalties, including the nature, gravity and duration of the breach, the type of personal data affected, the repetitive nature of the breach, and whether, as a result of the breach, the defaulting person has realized a gain or avoided any loss, etc.

No Compensation – The DPDP Act does not provide for payment of compensation to data principals whose personal data has been compromised. This is a deviation from the Information Technology Act, 2000, which allows affected data principals to claim compensation from a data fiduciary who failed to implement reasonable security safeguards and, as a consequence, caused wrongful loss or gain. That said, the DPDP Act casts certain duties on data principals, amongst others, to furnish only verifiably authentic information, not to impersonate another person while providing personal data for a specified purpose, and not to register a false or frivolous grievance or complaint with a data fiduciary or the DPB, etc. For any breach of such duties, data principals may be penalized up to INR 10,000.


Disclaimer

The following disclaimer governs the use of this website (“Website”) and the services provided by the Law offices of Kr. Vivek Tanwar Advocate & Associates in accordance with the laws of India. By accessing or using this Website, you acknowledge and agree to the terms and conditions stated in this disclaimer.

The information provided on this Website is for general informational purposes only and should not be considered as legal advice or relied upon as such. The content of this Website is not intended to create, and receipt of it does not constitute, an attorney-client relationship between you and the Law Firm. Any reliance on the information provided on this Website is done at your own risk.

The Law Firm makes no representations or warranties of any kind, express or implied, regarding the accuracy, completeness, reliability, or suitability of the information contained on this Website.

The Law Firm disclaims all liability for any errors or omissions in the content of this Website or for any actions taken in reliance on the information provided herein. The information contained in this Website should not be construed as an act of solicitation of work or advertisement in any manner.