2026 | Vol 2(1) | January
The Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection (DPDP) Act, 2023, enacted in August 2023, is India's first comprehensive piece of legislation dedicated to the privacy and security of personal data. Inspired by global frameworks like the EU's GDPR but tailored for the "Digital India" ecosystem, the Act replaces the outdated Section 43A of the Information Technology Act, 2000.
Objectives and Scope
The primary objective of the DPDP Act is to balance the fundamental right of individuals to protect their personal data with the need to process such data for lawful purposes. It recognizes that in a digital economy, data is a vital resource, but its usage must be governed by principles of transparency and accountability.
Material and Territorial Scope
The Act applies to the processing of digital personal data within India. This includes:
Data collected online.
Data collected offline but subsequently digitized.
Crucially, the Act has extraterritorial jurisdiction. It applies to entities outside India if they process the personal data of Indian residents to offer goods or services within the country. However, it specifically excludes:
Data processed for personal or domestic purposes.
Data made publicly available by the individual themselves (e.g., a public social media post).
Key Definitions
To understand the Act, one must identify its three central figures:
Data Principal: The individual to whom the personal data relates (the citizen).
Data Fiduciary: The entity (company, government body, or individual) that determines the "purpose and means" of data processing. They carry the primary burden of compliance.
Data Processor: Any person or entity that processes data on behalf of a Data Fiduciary.
The Consent Framework and "Legitimate Uses"
Under the DPDP Act, consent is the bedrock of lawful processing. For consent to be valid, it must be:
Free and Specific: Not bundled with other terms.
Informed: Preceded by a clear notice.
Unconditional and Unambiguous: Requiring a clear affirmative action (no pre-ticked boxes).
The Notice Requirement
Before seeking consent, a Data Fiduciary must provide a notice (available in English or any of the 22 languages in the Eighth Schedule of the Constitution) explaining what data is being collected and why.
Legitimate Uses (Exemptions from Consent)
The Act identifies specific scenarios where data can be processed without explicit consent, termed "Certain Legitimate Uses":
Voluntary Sharing: If an individual provides data for a specific purpose (e.g., giving a phone number at a restaurant for a digital bill).
State Functions: For providing benefits, subsidies, or licenses.
Medical Emergencies: To save lives or provide health services during epidemics.
Employment: For purposes related to employment or safeguarding the employer from loss.
Obligations of Data Fiduciaries
The Act shifts the responsibility of data safety onto the Fiduciaries. Their core duties include:
Accuracy: Ensuring data is correct and complete.
Security: Implementing "reasonable security safeguards" to prevent breaches.
Storage Limitation: Deleting data as soon as the purpose for its collection has been served (unless legal retention is required).
Breach Notification: In the event of a data leak, the Fiduciary must inform both the Data Protection Board and the affected individuals.
Significant Data Fiduciaries (SDFs)
The Government may designate certain entities as SDFs based on the volume of data they handle or the risk to national security and public order. SDFs face stricter rules, such as appointing a Data Protection Officer (DPO) based in India and conducting periodic Data Protection Impact Assessments (DPIAs).
Rights and Duties of Data Principals
The Act empowers Indian citizens with several enforceable rights:
Right to Access: To know what data is being processed and with whom it has been shared.
Right to Correction/Erasure: To update inaccurate data or request deletion.
Right to Grievance Redressal: To have a mechanism to complain to the Fiduciary.
Right to Nominate: To appoint a person to exercise these rights in case of death or incapacity.
Note on Duties: Uniquely, the Act also imposes duties on citizens. Data Principals must not furnish false information, impersonate others, or file frivolous complaints. Violating these duties can lead to a penalty of up to ₹10,000.
Protection of Children’s Data
The DPDP Act treats children (individuals under 18) with heightened care.
Verifiable Parental Consent: Fiduciaries must obtain consent from a parent or legal guardian.
Prohibited Activities: Fiduciaries are banned from processing data that may cause "detrimental effect" on a child’s well-being.
No Tracking: Behavioral tracking or targeted advertising directed at children is strictly prohibited.
The Data Protection Board of India (DPBI)
The Act establishes the DPBI as the primary regulatory and adjudicatory body. Unlike traditional regulators that might focus on policy, the DPBI is designed to be a "digital-first" adjudicator.
Functions: It investigates breaches, hears complaints, and imposes penalties.
Powers: It has the power to summon witnesses and examine evidence, similar to a civil court.
Appeals: Decisions of the Board can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Penalties and Enforcement
The Act does not provide for criminal jail time but relies on a heavy financial deterrent. Penalties are determined based on the nature and gravity of the breach.
Critique and Challenges
While the Act is a massive leap forward, it has faced criticism on several fronts:
Government Exemptions: The Central Government can exempt its agencies from many provisions in the interest of "sovereignty" or "public order," leading to concerns about state surveillance.
Lack of Right to Portability: Unlike the GDPR, the Indian Act does not explicitly grant the "Right to Data Portability" (moving data easily between service providers).
Right to be Forgotten: While the Act allows for erasure, it is more limited than the "Right to be Forgotten" seen in other jurisdictions.
Conclusion
The Digital Personal Data Protection Act, 2023 marks India's transition into a regulated data regime. While the efficacy of the Act will depend on the strength of the Data Protection Board, it provides a solid foundation for protecting the digital identity of millions of Indian internet users.