Author: Preyasi Singh
Background & Objective of the Act
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s landmark legislation in the domain of data privacy and protection, enacted on 11 August 2023 after years of committee reports, draft bills, and public consultations. It directly follows the Supreme Court’s decision in Justice K.S. Puttaswamy v. Union of India (2017), where a nine-judge bench unanimously held that privacy is a fundamental right under Article 21 of the Constitution.
The central objective of the DPDP Act is to create a framework for the processing of digital personal data that balances two competing imperatives: the individual’s right to informational privacy and the legitimate needs of the State and private sector to process data for lawful purposes. It regulates how entities collect, store, use, share, and transfer personal data related to individuals within India’s territory, including processing by foreign entities offering goods or services in India.
While inspired by the European Union’s General Data Protection Regulation (GDPR), the DPDP Act adopts a more principles-based model rather than GDPR’s highly prescriptive approach, intending to provide flexibility for businesses and administrative bodies while anchoring accountability through core duties, rights, and penalties.
Who Does It Apply To?
The DPDP Act casts a wide jurisdictional net and applies to:
- Data Fiduciaries: Any person, company, government body, or other entity that determines the purpose and means of processing personal data. This includes large platforms, startups, government departments, NGOs, and even individuals when they process data for commercial or professional purposes.
- Data Processors: Entities that process personal data on behalf of Data Fiduciaries, such as cloud providers, payroll vendors, CRMs, and outsourced support services, who must operate under binding contracts.
- Territorial Scope: Applies to the processing of digital personal data within India, and to processing outside India where it is connected with offering goods or services to individuals in India (for example, a foreign e‑commerce platform targeting Indian users).
Exemptions include data processed for personal or domestic purposes, data made publicly available by the data principal, and certain processing for research, archiving, or statistical purposes under prescribed safeguards. Government entities may also be exempted from parts of the Act for reasons such as national security or public order through central government notification.
Key Sections Explained
Section 3: Obligations of Data Fiduciary
Section 3 lays down core obligations for Data Fiduciaries to process personal data only for lawful purposes with clear, specific, and legitimate aims. Processing must be limited to what is necessary for those purposes (data minimisation), and collection or secondary use beyond the stated objectives is discouraged. For instance, a food delivery app that collects location data to deliver orders cannot repurpose this information for unrelated targeted advertising without an appropriate legal basis and fresh consent.
Section 6: Notice and Consent
Section 6 makes informed consent the principal basis for data processing, except where specific “legitimate uses” or exemptions apply. Consent must be:
- Free, specific, informed, unconditional, and unambiguous.
- Based on a clear, concise notice in plain language, available in English and other prescribed Indian languages.
The notice must explain what data is collected, the purpose and duration of processing, potential data sharing, and how individuals can exercise their rights. Consent may be withdrawn at any time, and the withdrawal mechanism must be as simple as the mechanism for giving consent.
Section 8: Rights of Data Principal
- Right to obtain a summary of personal data being processed and processing activities.
- Right to correction, completion, and updating of inaccurate or incomplete personal data.
- Right to erasure of personal data once the purpose has been fulfilled and no legal obligation requires further retention.
- Right to grievance redressal against the Data Fiduciary and, if unsatisfied, before the Data Protection Board of India.
The Act also allows Data Principals to nominate another person to exercise their rights in the event of death or incapacity.
Section 9: Children’s Data Protection
Section 9 requires “verifiable parental consent” for processing children’s data, yet the Act does not define “verifiable” or lay down age verification standards, leaving implementation detail unspecified. Global experience with the GDPR demonstrates that age verification mechanisms present significant compliance burdens and create friction for legitimate service providers.
Section 10: Duties of Data Principal
Uniquely, the DPDP Act imposes duties on individuals in addition to their rights. Data Principals must:
- Not impersonate another person.
- Not suppress material information while providing personal data.
- Not file false or frivolous complaints.
Violation of these duties can attract penalties of up to INR 10,000, signalling a two‑way responsibility model instead of a purely rights‑centric approach.
Section 16: Data Protection Board
Section 16 establishes the Data Protection Board of India as the key regulatory and adjudicatory authority. The Board is empowered to:
- Monitor compliance and investigate breaches.
- Direct remedial measures.
- Levy monetary penalties.
- Resolve grievances escalated after first being raised with the Data Fiduciary.
Members of the Board are appointed by the Central Government, and appeals from Board orders lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under the notified framework.
Section 18: Transfer of Data Outside India
Section 18 allows personal data to be transferred outside India but permits the Central Government to restrict transfers to specified countries or territories, effectively using a whitelist/blacklist model. Transfers remain allowed to all jurisdictions except those explicitly restricted, but the government may also notify jurisdictions as safe or unsafe depending on the adequacy of protections or geopolitical considerations. This provides flexibility but introduces uncertainty if the criteria for such notifications are not transparent.
Section 33: Penalty Schedule
The Schedule prescribes a range of monetary penalties for non‑compliance, going up to INR 250 crore for serious violations. Higher penalties apply to:
- Failure to take reasonable security safeguards to prevent a personal data breach.
- Significant non‑compliance with children’s data obligations.
- Repeated non‑compliance with Board directions.
The penalty framework aims to be proportionate and deterrent, though questions remain around how proportionality will be applied to startups and MSMEs in practice.
Rights, Duties & Penalties
Rights of Data Principals
Under the DPDP Act, individuals have several enforceable rights:
- Right to clear notice and consent mechanisms.
- Right to access summaries of their data and processing activities.
- Right to correction, completion, and updating of personal data.
- Right to erasure after purpose completion, subject to legal retention requirements.
- Right to grievance redressal first with the Data Fiduciary and then before the Data Protection Board.
- Right to nominate another person to exercise rights posthumously or on incapacity.
Duties of Data Fiduciaries
Data Fiduciaries must:
- Ensure accuracy and completeness of personal data used for decisions.
- Implement reasonable technical and organizational security safeguards.
- Notify the Data Protection Board and affected Data Principals in case of a significant data breach.
- Erase personal data once purposes are fulfilled unless retention is legally required.
- Implement mechanisms for consent management and rights‑handling within the timelines prescribed by the DPDP Rules.
- Appoint a Data Protection Officer and perform Data Protection Impact Assessments (DPIAs) if classified as “Significant Data Fiduciaries.”
Duties of Data Principals
As noted, Data Principals must avoid impersonation, false information, and frivolous complaints. These duties are intended to prevent abuse of rights and maintain integrity in the grievance and consent systems.
Penalties Structure
The Act prescribes a tiered penalty framework:
- Up to INR 250 crore for failure to take reasonable security safeguards.
- Significant penalties for violations of children’s data rules and for repeated non‑compliance with Board directions.
- Up to INR 10,000 for breach of Data Principal duties.
DPDP Rules and guidance are expected to refine how the Board evaluates severity, harm, and mitigating factors when determining penalty amounts.
Practical Examples / Real-Life Scenarios
E-commerce Transaction:
Priya uses an online marketplace that collects her name, address, phone number, payment details, and browsing history. Under the DPDP Act, the platform must:
- Provide a clear, concise notice describing what is collected and why.
- Use her address and contact details for order fulfillment and customer support.
However, the platform cannot share detailed browsing patterns with third‑party advertisers or use them for unrelated profiling without separate, specific consent. If Priya chooses to delete her account, the platform must erase her personal data except for data required for statutory obligations, such as tax records or anti‑fraud controls.
Healthcare Application:
A telemedicine app processes diagnoses, medications, and possibly genetic information, all of which qualify as highly sensitive personal data. The Act requires enhanced consent for such data, but continuity of care and clinical research often demand long-term retention and sharing, putting the right to erasure in potential conflict with medical record obligations.
Workplace Monitoring:
An IT services company monitors employee email metadata and device usage to prevent data exfiltration. Under the DPDP framework, the employer must inform employees of such monitoring, specify purposes (security, compliance), and avoid excessive collection that infringes privacy beyond necessity. Using invasive techniques such as continuous keystroke logging on personal communications or outside working hours could violate purpose limitation and necessity principles unless narrowly justified.
Common Myths or Mistakes
Myth 1: The DPDP Act Only Applies to Large Tech Companies
Reality: The Act applies to any entity processing digital personal data, regardless of size. A small neighborhood grocery store maintaining a customer database or a freelance consultant collecting client information must comply. The principles-based approach means even startups and MSMEs fall within its ambit.
Myth 2: Consent Once Obtained is Permanent
Reality: Consent must be specific to each purpose and can be withdrawn anytime. Organizations erroneously believe that a one-time consent form covers all future uses. However, if a company initially collected data for service delivery and later wants to use it for analytics, fresh consent is required. Moreover, consent withdrawal must be as easy as giving consent, not buried in settings.
Myth 3: Privacy Policies Provide Legal Protection
Reality: Having a privacy policy does not automatically ensure compliance. Many organizations copy-paste generic policies without customizing them to actual data practices. The Act requires that notices be clear, concise, and in plain language. A 50-page privacy policy in legal jargon violates the spirit of informed consent.
Myth 4: Data Anonymization Exempts from All Obligations
Reality: While genuinely anonymized data falls outside the Act’s scope, pseudonymization or weak anonymization does not. Many organizations believe removing names renders data anonymous, but if individuals can be re-identified through other attributes, the data remains personal data subject to the Act.
Myth 5: Government Agencies are Completely Exempt
Reality: While the government enjoys certain exemptions for national security and public order, government agencies processing data for welfare schemes, digital services, or administrative purposes must substantially comply with the Act. The exemptions are narrow and cannot be used as blanket immunity.
Common Mistakes by Organizations:
- Not maintaining a clear data inventory or mapping of data flows makes compliance and deletion difficult.
- Relying on pre‑ticked boxes, bundled consent, or dark patterns, which conflict with requirements for free, informed, and specific consent.
Recent Amendments / Landmark Cases
Legislative Developments:
- Draft DPDP Rules 2024 and DPDP Rules 2025: MeitY circulated draft rules in 2024 and later refined them as the DPDP Rules 2025 to operationalise the Act, including detailed provisions on breach notification, grievance timelines, and parental verification mechanisms.
- Grievance mechanisms are typically expected to acknowledge complaints promptly and resolve them within specified outer limits (often up to 90 days), with some commentary suggesting stricter internal targets like 7-30 days for certain rights requests.
- Amendment Bill 2024 (Children’s Data): A 2024 amendment proposal refines Section 9 by empowering the government to restrict behavioural tracking and targeted advertising directed at children and to define what counts as “verifiably safe” processing of children’s data.
Landmark Judicial Foundations
- Justice K.S. Puttaswamy v. Union of India (2017): Recognised privacy as a fundamental right and laid down the proportionality test for any restriction on privacy, directly shaping the need for a statutory data protection law.
- Aadhaar Judgment (2018): Upheld use of Aadhaar for targeted welfare delivery but invalidated mandatory linking with bank accounts and mobiles, reinforcing data minimisation and purpose limitation principles that echo in the DPDP framework.
Regulatory and Policy Context
Commentators and policy analysts have raised concerns about the government’s exemption powers, the impact on the Right to Information (RTI) regime arising from the DPDP Act’s amendment of Section 8(1)(j) of the RTI Act, and the need for clearer criteria for whitelisting and blacklisting jurisdictions for cross‑border transfers.
Global Alignment:
India is negotiating mutual recognition agreements with the EU and other jurisdictions to facilitate cross-border data flows. These developments will shape how Indian businesses handle international data transfers and how foreign companies process Indian users’ data.
Conclusion: Why This Act Matters Today
The Digital Personal Data Protection Act, 2023, is a cornerstone of India’s evolving digital constitutional order, translating the fundamental right to privacy into a detailed regulatory framework governing everyday data flows. In a rapidly digitising economy aiming for multi‑trillion‑dollar digital output, credible data protection rules are essential to sustaining user trust and enabling responsible innovation.
The Act matters today because it:
- Gives individuals enforceable control over access, correction, and erasure of their digital footprints.
- Imposes concrete responsibilities and penalties on organizations, pushing them towards security‑by‑design and privacy‑by‑default models.
- Provides a structured regime for cross‑border data transfers at a time when India is deeply integrated into global data and services value chains.
- Lays an institutional foundation through the Data Protection Board for specialised adjudication of data‑related harms and disputes.
At the same time, debates around government exemptions, cross‑border transfer discretion, and practical enforcement show that the DPDP Act is not the end of India’s data protection journey but a starting point. Subsequent rules, amendments, Board decisions, and judicial scrutiny will determine whether the Act ultimately realises its promise of a digital ecosystem that is both innovation‑friendly and rights‑respecting.
References:
- The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023)
- Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
- Ministry of Electronics and Information Technology, DPDP Rules Draft, 2024
- PRS Legislative Research, “The Digital Personal Data Protection Act, 2023”
- Babu, R. (2024), “Data Protection Laws in India: A Comparative Analysis,” Journal of Cyber Law and Policy
- FICCI-EY Report (2024), “Data Protection Compliance Framework for Indian Businesses”