What is the Digital Personal Data Protection (DPDP) Act?
Historical Background
Key Points
1. The Act applies to digital personal data and defines Personal Data as any data about an individual who is identifiable by or in relation to that data. This covers obvious identifiers such as name and address as well as online identifiers such as IP addresses and location data, so a wide range of digital information falls within the law. Note that, unlike the GDPR, the Act has no separate "sensitive personal data" category; all personal data is treated alike.
2. A Data Fiduciary is any person who, alone or together with others, determines the purpose and means of processing personal data. This can be a company, a government body or an individual. The Act places its core obligations on Data Fiduciaries, including implementing reasonable security safeguards to prevent personal data breaches and giving Data Principals (the individuals the data is about) access to information about how their data is processed.
3. A Data Processor is an entity that processes personal data on behalf of a Data Fiduciary; a cloud provider hosting a company's customer records is a typical example. The Act imposes no direct statutory duties on Data Processors: the Data Fiduciary remains responsible for compliance for any processing carried out on its behalf, regardless of any contract to the contrary, so obligations on a processor have to be pushed down through the contract rather than relied on from the statute.
4. Consent is the primary basis for processing. It must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and preceded by a notice stating which personal data is collected and for what purpose. A consent clause buried in a website's terms of service does not qualify, and withdrawing consent must be as easy as giving it. The Act also provides for Consent Managers, registered with the Board, through which individuals can give, manage, review and withdraw consent.
5. The Act permits processing for certain Legitimate Uses without consent, including data the individual has voluntarily provided for a specified purpose, compliance with a legal obligation, medical emergencies, and employment-related purposes. These grounds are enumerated rather than open-ended: a hospital may process a patient's data to respond to an emergency, but it cannot repurpose that data for marketing without consent.
6. Data Principals have the right to obtain information about the processing of their personal data, the right to correction, completion and updating, and the right to erasure once the purpose has been served and no legal retention requirement applies. They may also nominate another person to exercise these rights in the event of their death or incapacity.
7. The Act establishes a Data Protection Board of India to inquire into personal data breaches and complaints, impose penalties and issue directions to Data Fiduciaries. The Board is the adjudicating body; its orders can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). A Data Principal must first use the Data Fiduciary's own grievance mechanism before approaching the Board.
8. Penalties under the Act are monetary only; it prescribes no imprisonment. The Schedule to the Act sets maximums by type of breach, up to Rs 250 crore per instance for failing to take reasonable security safeguards to prevent a personal data breach. In fixing the amount the Board weighs factors such as the nature, gravity and duration of the breach, whether it is repeated, and mitigating action taken.
9. Cross-Border Data Transfers are permitted by default; the central government may restrict transfers to countries or territories it notifies. This is a blacklist approach rather than an adequacy-style whitelist. Stricter localisation requirements imposed by other laws, such as sectoral regulations, continue to apply.
10. For children (individuals under 18), a Data Fiduciary must obtain verifiable consent from a parent or lawful guardian before processing personal data, and must not carry out tracking, behavioural monitoring or targeted advertising directed at children, or any processing likely to harm a child's well-being. These provisions are the part of the Act cited in state-level discussions of age-based restrictions, such as the Karnataka government's consideration of limits on mobile phone use by students under 16.
11. The Act mandates Data Breach Notification: a Data Fiduciary must intimate the Board and each affected Data Principal of a personal data breach, in the form and manner prescribed by rules. The Act itself attaches no "likely to cause harm" threshold, so every personal data breach triggers the duty. Notification gives individuals a chance to protect themselves against follow-on harm such as identity theft.
12. The Act provides for Voluntary Undertakings: the Board may accept an undertaking from a person to take, or refrain from, specified actions. Acceptance bars further proceedings on that matter, but breaching the undertaking is itself treated as a breach of the Act.
13. The Act distinguishes Significant Data Fiduciaries, which the government may designate on the basis of the volume and sensitivity of data processed, the risk to Data Principals' rights, and potential impact on sovereignty, security of the State, electoral democracy or public order. They face additional obligations: appointing a Data Protection Officer based in India, engaging an independent data auditor, and conducting periodic Data Protection Impact Assessments.
14. Every Data Fiduciary (and Consent Manager) must provide a readily available Grievance Redressal Mechanism to handle complaints from Data Principals. This is the individual's first point of contact, and the mechanism must be exhausted before a complaint goes to the Board.
15. The Act enforces Data Minimization: consent extends only to the personal data necessary for the specified purpose, and data must be erased once that purpose is served unless retention is required by law. Holding less data reduces the impact of any breach and the scope for misuse.
Visual Insights
Evolution of Data Protection Law in India
Timeline of key events leading to the enactment of the Digital Personal Data Protection Act, 2023.
India's journey towards a comprehensive data protection law reflects a growing awareness of the need to balance individual privacy with the demands of a digital economy.
- 2000: Information Technology Act, 2000 enacted; its Section 43A and the 2011 Sensitive Personal Data or Information (SPDI) Rules later provided India's first, limited, data protection framework.
- 2017: Supreme Court's Puttaswamy judgment recognises privacy as a fundamental right; Justice B.N. Srikrishna Committee formed to recommend a data protection framework.
- 2019: Personal Data Protection Bill, 2019 introduced in Parliament in December and referred to a Joint Parliamentary Committee.
- 2022: Personal Data Protection Bill withdrawn in August amid concerns over its scope and government powers; a slimmer draft Digital Personal Data Protection Bill released for consultation in November.
- 2023: Digital Personal Data Protection Bill passed by both houses of Parliament in August and received Presidential assent on 11 August 2023.
- 2024: Companies begin reviewing data processing practices and privacy policies in anticipation of the DPDP Act coming into force.
- 2025: Ministry of Electronics and Information Technology (MeitY) publishes draft DPDP Rules for public consultation in January; final Rules notified in November with phased commencement.
- 2026: Karnataka government considers mobile phone restrictions for students under 16, referencing the DPDP Act.
Digital Personal Data Protection Act: Key Aspects
Mind map (image not reproduced) illustrating the key components of the Digital Personal Data Protection Act, 2023:
- Key Definitions
- Individual Rights
- Obligations of Data Fiduciaries
- Data Protection Board of India
- Cross-Border Data Transfers
Recent Developments
The Digital Personal Data Protection Act was passed by both houses of Parliament in August 2023 and received Presidential assent shortly afterwards.
In January 2025, the Ministry of Electronics and Information Technology (MeitY) published draft DPDP Rules and opened public consultation with stakeholders; the final Rules were notified in November 2025.
The government is bringing the Act's provisions into force in phases, with the establishment of the Data Protection Board of India among the first steps.
Through 2024, several companies began reviewing their data processing practices and updating their privacy policies to comply with the DPDP Act.
In 2024, government officials cited the DPDP Act in discussions about age-based restrictions on social media platforms, because the Act requires verifiable parental consent for processing children's data.
In 2026, the Karnataka government's consideration of mobile phone restrictions for students under 16 highlighted the ongoing debate about balancing data protection with children's needs and the role of parental consent.
Union IT minister Ashwini Vaishnaw stated in 2026 that the government is holding consultations with social media platforms regarding age-based restrictions, referencing the DPDP Act.
In 2026, the Economic Survey of India warned about compulsive digital use among young people and recommended safeguards such as age verification, in line with the principles of the DPDP Act.
Other Indian states, including Andhra Pradesh and Goa, are also considering measures in 2026 to address the effects of excessive screen time, reflecting a broader national concern about data protection and children's well-being.
Global technology companies assessed the impact of the DPDP Act on their Indian operations during 2024 and adjusted their data processing practices accordingly.
