"India's first comprehensive data protection legislation, enacted in August 2023, governing how personal data of individuals (Data Principals) is collected, processed, and stored by organisations (Data Fiduciaries)."

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first dedicated personal data protection law, passed by Parliament on August 9, 2023, and receiving Presidential assent on August 11, 2023. It replaces the Information Technology (Amendment) Act provisions on data protection and fills the legislative gap identified by the Supreme Court's K.S. Puttaswamy vs. Union of India judgment (2017), which held privacy a fundamental right under Article 21.

Key definitions:
  • Data Principal: the individual whose personal data is being processed
  • Data Fiduciary: the entity (person, company, state) that determines the purpose and means of data processing
  • Significant Data Fiduciary (SDF): designated by the government based on volume of data, sensitivity, national security risk — subject to additional obligations (Data Protection Impact Assessment, Data Audits, appointment of Data Protection Officer)
  • Consent Manager: a registered entity that enables Data Principals to give, manage, review, and withdraw consent

Core rights of Data Principals (individuals): (1) Right to access information about data processing; (2) Right to correction and erasure of data; (3) Right to grievance redressal; (4) Right to nominate a person to exercise rights in case of death/incapacity.

Core obligations of Data Fiduciaries: (1) Process only with valid consent or for legitimate use; (2) Purpose limitation (only for stated purposes); (3) Data minimisation; (4) Storage limitation; (5) Implement security safeguards; (6) Report data breaches; (7) Children's data — verifiable parental consent required; no behavioural tracking of children.

Data Protection Board of India (DPBI): quasi-judicial body established under the Act to adjudicate complaints and impose penalties. Board members are appointed by the Central Government.

Penalties: up to ₹250 crore per instance of violation; up to ₹10,000 for failure of Data Principal to give accurate information.

Cross-border data transfer: The Act allows transfer of personal data outside India except to countries blacklisted by the Central Government (positive list model — transfer permitted unless specifically restricted). This is less restrictive than the EU's GDPR adequacy framework.

DPDP Rules, 2025: The Central Government notified the Digital Personal Data Protection Rules, 2025 on November 14, 2025, operationalising the Act in phases.
  • Phase I (from November 13, 2025): Data Protection Board of India constituted; online complaint portal launched.
  • Phase II (November 2026): Consent Manager registration process.
  • Phase III (May 2027): Full compliance obligations kick in — notice requirements, security protocols, breach notification (within 72 hours), SDF obligations, and Data Principal rights.

Until Phase III, the Act's penalty provisions are not yet fully enforceable.

UPSC GS2 Governance (legislation, rights, digital governance) and GS3 S&T (data economy, privacy). Key facts: enacted August 2023; Data Principal (individual) vs. Data Fiduciary (processor); DPBI (adjudication body); children's data special protection; penalty up to ₹250 crore; K.S. Puttaswamy 2017 as constitutional foundation.

  1. Enacted August 11, 2023 — India's first comprehensive personal data protection law
  2. Constitutional basis: K.S. Puttaswamy vs. UoI (2017) — privacy as fundamental right (Art. 21)
  3. Data Principal (individual) vs. Data Fiduciary (processor) — core framework
  4. Significant Data Fiduciary (SDF): additional obligations — DPIA, audit, DPO appointment
  5. Consent Manager: registered entity to manage individual consent
  6. Four rights of Data Principals: access, correction/erasure, grievance, nomination
  7. Children's data: verifiable parental consent; no behavioural tracking
  8. Data Protection Board of India (DPBI): constituted November 2025 (Phase I); online complaint portal
  9. DPDP Rules 2025: notified November 14, 2025; full compliance from May 2027 (Phase III); breach notification within 72 hours
  10. Cross-border transfers: permitted unless country is on government's restricted list

When an EdTech company collects a minor's data for personalised learning recommendations, under the DPDP Act it must obtain verifiable parental consent and is prohibited from behavioural tracking of the child. If the company suffers a data breach and fails to notify the DPBI, it could face penalties up to ₹250 crore — illustrating the Act's protective and punitive dimensions.
GS Paper 2
Polity, Governance, IR, Social Justice
GS Paper 3
Economy, Environment, S&T, Security