Key highlights
India's Digital Personal Data Protection Act, 2023 (DPDP Act) is a milestone in the history of digital privacy, establishing new regulations on how the data of citizens is processed, shared, and safeguarded—by both Indian and international businesses interacting with Indian users.
Your Essential Digital Rights
The law gives citizens ("data principals") the right to access, amend, and delete their personal data with companies ("data fiduciaries"). Citizens can also get clear details on what data is being collected, how it is being processed, and seek grievance redressal in case their rights are infringed.
Consent is key: Organisations have to notify you and get your explicit, informed consent before they can collect or process your personal information. For children (below 18), consent has to be handled by a parent or guardian, and targeted advertising or tracking of children is completely forbidden.
Consent may be revoked at any point, and data must be erased as soon as its intended purpose is fulfilled or the user revokes consent.
When Your Data Can Be Processed Without Your Consent
Some activities are permitted without express consent, like when information is voluntarily provided for a specified reason, for government services and benefits, for compliance with the law, medical emergencies, disaster response, or certain employment requirements.
The Act enables the government to exempt some agencies and activities (e.g., security, public order, statistical research) from particular provisions where it is considered necessary.
What Companies Must Do
Organizations are required to ensure the quality and safety of personal data, notify the Data Protection Board of India (DPB) of breaches in a timely manner, and delete personal data when it is no longer required.
Larger organizations, "significant data fiduciaries," have additional responsibilities: designating a Data Protection Officer, performing regular audits, and performing risk assessments. A new system of redressal has been established: Citizens can appeal to the DPB, as the adjudicator, and then further appeal to tribunals.
Cross-Border Transfers and Exemptions
There is no mandate from the Indian government to store data locally, although the government may publish a negative list of nations where data transfers are prohibited.
The legislation allows the federal government to exempt government agencies for reasons such as security or law enforcement, prompting continuing arguments over the breadth of the exclusions.
Penalties and Lasting Difficulties
Non-compliance with the Act can result in heavy penalties for companies. Individuals, in turn, are required to refrain from filing frivolous complaints or impersonating others, conduct that is liable to a fine of up to Rs. 10,000.
Certain privacy activists point to the wide-ranging powers conferred on the central government, expressing apprehensions regarding checks and balances on official exemptions and the narrow definition of "legitimate interests" in relation to international standards.
In total, the DPDP Act places digital rights and privacy at the center of India's rapidly expanding digital economy—despite ongoing debate about how far these protections reach and how aggressively they'll be enforced.
Sources: CookieYes, Data Protection Law Hub, Law.Asia