The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law. It passed in August 2023 after nearly a decade of attempts. But understanding what it actually does — and why — matters far more than knowing when it passed.
The Act is built around one central idea: if you collect and use someone's personal data, you are accountable for what happens to it. Not your vendor. Not your cloud provider. Not the software you use. You. Everything else in the Act flows from that premise.
The Act applies to any organisation that processes digital personal data within India, or that processes personal data of Indian residents outside India in connection with offering them goods or services. If you have Indian users or customers and you process their data, you are almost certainly covered.
The Act's scope has two distinct relief mechanisms that are often confused. Legitimate uses under Section 7 permit processing without consent for specific purposes — including state benefit delivery, compliance with legal obligations, medical emergencies, and employment — but the processing is still fully within scope of the Act's other obligations. True exemptions under Section 17 remove certain processing from the Act's reach entirely: processing necessary for enforcing legal rights or claims, processing by courts performing judicial functions, processing in connection with prevention or investigation of offences, and processing of personal data of non-Indian residents under a contract with a foreign party. There is also a research and statistical exemption under the Rules, subject to prescribed standards. These categories are narrow and fact-specific. Do not assume they apply without verifying against the specific provision.
The Act introduces three key roles. The Data Fiduciary is the organisation that decides why and how personal data is processed — this is you. The Data Processor is an entity that processes data on the Fiduciary's behalf under a contract. The Data Principal is the individual whose data is being processed — your customer, employee, or user. The Fiduciary-Processor distinction matters because the Fiduciary remains accountable for everything a Processor does, regardless of what the contract says.
Under the Act, you can only process personal data if you have one of two things: consent or a legitimate use. There is no legitimate interest basis, no contract performance basis, no balancing test. The framework is deliberately simpler than GDPR — but that simplicity creates its own demands.
Consent must be free, specific, informed, unconditional, and unambiguous. It requires a clear affirmative action. And the notice you give before seeking consent must be self-standing — it must make sense on its own, without the person having to read a separate privacy policy. The Act also places the burden of proof on you: if consent is ever challenged, you must be able to prove that a valid notice was given and valid consent was obtained.
Legitimate uses cover specific situations: voluntary provision of data by the person, state benefit delivery, compliance with law, medical emergencies, disasters, and employment. They are not a catch-all. If none of the listed legitimate uses apply, you need consent.
Not all organisations face the same obligations. The Act creates a higher tier — the Significant Data Fiduciary — for organisations the Central Government designates based on volume and sensitivity of data processed, risk to Data Principal rights, potential impact on national security, and similar criteria.
If you are designated as an SDF, additional obligations apply immediately: appoint a Data Protection Officer based in India and accountable to your Board; appoint an independent data auditor; conduct annual Data Protection Impact Assessments and compliance audits; ensure that whoever carries out each DPIA and audit furnishes a report of significant observations from that exercise to the Data Protection Board; and exercise due diligence on algorithmic software to ensure it does not pose a risk to Data Principal rights.
The designation has not yet been issued as of the time of writing. But the criteria are clear enough that large consumer platforms, health-data processors, and financial institutions should be preparing now rather than waiting for the notification to arrive.
A mid-sized Indian e-commerce company used three third-party SaaS platforms to manage customer data: a CRM, a marketing automation tool, and a payment processor. When a breach occurred at the marketing automation vendor, the company's initial response was to point at the vendor. Under the DPDP Act, that response is not a defence. The company, as the Data Fiduciary, was responsible for the personal data processed by its Processors — and responsible for ensuring the breach notification went to affected customers and the Board within the prescribed timeframes. The vendor's breach was the company's breach. The contracts had not required the vendor to notify the company of incidents promptly. That gap cost them.
Every Data Principal has the right to access a summary of their personal data and the processors it has been shared with; the right to correction, completion, updating and erasure; the right to nominate a representative for rights exercise in the event of their death or incapacity; and the right to grievance redressal. These are not aspirational — they are operational obligations you must be able to fulfil.
The grievance mechanism is particularly important. Data Principals must exhaust your internal grievance process before they can approach the Data Protection Board. That means your mechanism must be real, accessible, and respond within 90 days. A generic contact form does not satisfy this requirement.
There are also duties on Data Principals — they must not impersonate others, must not provide false information in correction or erasure requests, and must not register frivolous complaints. This matters operationally: you are entitled to verify the identity of someone making a rights request, and you are not required to act on a request that violates these duties. But your own obligations do not reduce because a Data Principal acts in bad faith.
The Act's penalty structure is significant. Failure to implement reasonable security safeguards can attract penalties of up to ₹250 crore. Failure to notify the Board or affected Data Principals of a breach can attract up to ₹200 crore. Breach of children's data obligations can attract up to ₹200 crore. Breach of SDF obligations can attract up to ₹150 crore. These are per-violation figures, not annual caps.
The Data Protection Board has civil-court powers during inquiries — it can summon persons, require production of documents, and inspect data and records. It functions as a digital office, meaning proceedings can be conducted without physical presence. A complaint from a Data Principal can trigger Board action; the Board will determine whether there are sufficient grounds to proceed with an inquiry, and may close proceedings if it finds there are not.
Section 4 — Lawful processing: consent or legitimate use only.
Section 6 — Consent requirements and burden of proof on the Data Fiduciary.
Section 8 — General obligations of the Data Fiduciary, including accountability for Processors.
Section 10 — Significant Data Fiduciary designation and additional obligations.
Sections 11–14 — Data Principal rights: access, correction, erasure, nomination.
Section 16 — Cross-border transfer restrictions by Central Government notification.
Section 33 and Schedule — Penalty structure.
The DPDP Act is not a documentation exercise. It is an accountability framework. Your checklists tell you what to do. This law tells you why: because you are responsible for every piece of personal data you hold, every system it passes through, and every person who touches it — whether they work for you or not. The organisations that treat this as a genuine accountability question, not a compliance tickbox, are the ones that will be ready when the Board starts receiving complaints.