What is DPDP Act 2023 Explained: A Comprehensive Guide to India's Data Privacy Law

IndiaConsent

The Digital Personal Data Protection (DPDP) Act, 2023, is India's first comprehensive privacy legislation. Enacted in August 2023, the law marks a paradigm shift in how digital personal data is collected, stored, and processed, both by entities within India and by foreign entities serving individuals in India. With substantial financial penalties for non-compliance and a heavy focus on individual rights, understanding the nuances of the DPDP Act is critical for any enterprise.

In this guide, we break down the core components of the DPDP Act 2023, key terminology, the compliance obligations for business entities, and individual rights.


1. Key Terminology Under the DPDP Act

To navigate the DPDP framework, you must first understand the specific roles and entities it defines:

  • Data Principal: The individual to whom the personal data relates. In the context of a workplace, this is the employee; in commerce, the customer.
  • Data Fiduciary: Any person or entity that determines the purpose and means of processing personal data. This is equivalent to a "Data Controller" under GDPR.
  • Data Processor: Any person or entity who processes personal data on behalf of a Data Fiduciary.
  • Consent Manager: A registered entity that acts on behalf of the Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. IndiaConsent is built specifically to fulfill the technical standards of a registered Consent Manager.
  • Data Protection Board of India (DPB): The regulatory body established by the Central Government to monitor compliance, resolve grievances, and impose penalties.

2. When Does the DPDP Act Apply?

The DPDP Act applies to the processing of digital personal data within India. It governs data collected online, as well as data collected offline and subsequently digitized.

Extraterritorial Application

The Act applies outside India if the processing is in connection with any activity related to offering goods or services to Data Principals within the territory of India. If you run a SaaS application in the US or Europe but actively serve Indian users, you are legally bound by the DPDP Act.


3. The Consent Framework (Section 6)

Under Section 6 of the DPDP Act, consent is the primary legal basis for processing personal data (with a few exceptions for "legitimate uses" such as medical emergencies or court orders). To be valid, consent must be:

  1. Free: Given voluntarily without coercion or pressure.
  2. Specific: The consent must target a precise purpose. Vague or catch-all consent agreements are invalid.
  3. Informed: The individual must know exactly what data is collected and why.
  4. Unconditional: Consent cannot be a precondition for a service unless that data is strictly necessary to provide the service.
  5. Unambiguous: Must involve a clear affirmative action (e.g., ticking an unchecked box). Pre-ticked checkboxes or silence do not constitute consent.

Easy Withdrawal of Consent

The Act mandates that the ease of withdrawing consent must match the ease of giving it. If a user can opt-in with a single click, they must be able to opt-out just as easily. Once consent is withdrawn, the Data Fiduciary must cease processing the data and ensure its deletion, propagating the deletion request to all third-party Data Processors.
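The validity criteria and the withdrawal rule above translate naturally into a small consent ledger. The following Python sketch is an added example, not code from IndiaConsent or from the Act itself; the purpose catalogue, the processor identifiers and the field names are constructed assumptions. It rejects a grant that lacks an affirmative action, names an unlisted purpose, or is bundled with a service that does not need the data, and it makes withdrawal a single call that both blocks further processing for that purpose and fans out a deletion request to every processor registered for it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed purpose catalogue: each entry stands for one purpose named in a notice.
# In a real system this comes from the notice registry, not a hard-coded set.
NOTIFIED_PURPOSES = {"order_fulfilment", "marketing_email", "analytics"}


class ConsentError(ValueError):
    """Raised when a consent grant or withdrawal fails one of the validity criteria."""


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    affirmative_action: bool       # True only if the user actively opted in (no pre-ticked default)
    necessary_for_service: bool    # True if the service cannot be delivered without this data
    bundled_with_service: bool     # True if the service was gated on this consent
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


def validate_consent(record: ConsentRecord) -> None:
    """Reject a grant that is not specific, unambiguous, or unconditional."""
    if record.purpose not in NOTIFIED_PURPOSES:
        raise ConsentError(f"purpose {record.purpose!r} was not named in a notice; catch-all consent is invalid")
    if not record.affirmative_action:
        raise ConsentError("no affirmative action: silence or a pre-ticked box is not consent")
    if record.bundled_with_service and not record.necessary_for_service:
        raise ConsentError("consent cannot be a precondition for a service that does not need the data")


class ConsentLedger:
    """Append-only store of consent records plus the processor fan-out for withdrawals."""

    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []
        self.processors: Dict[str, List[str]] = {}                 # purpose -> processor ids
        self.deletion_requests: List[Tuple[str, str, str]] = []    # (processor, principal, purpose)

    def register_processor(self, purpose: str, processor_id: str) -> None:
        self.processors.setdefault(purpose, []).append(processor_id)

    def grant(self, principal_id: str, purpose: str, affirmative_action: bool,
              necessary_for_service: bool = False, bundled_with_service: bool = False) -> ConsentRecord:
        record = ConsentRecord(principal_id, purpose, affirmative_action,
                               necessary_for_service, bundled_with_service,
                               granted_at=datetime.now(timezone.utc))
        validate_consent(record)          # invalid grants never reach the ledger
        self.records.append(record)
        return record

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """Processing is allowed only while an active record exists for this exact purpose."""
        return any(r.principal_id == principal_id and r.purpose == purpose and r.active
                   for r in self.records)

    def withdraw(self, principal_id: str, purpose: str) -> List[Tuple[str, str, str]]:
        """One call withdraws consent (as easy as a one-click grant) and fans out deletion."""
        now = datetime.now(timezone.utc)
        withdrawn = [r for r in self.records
                     if r.principal_id == principal_id and r.purpose == purpose and r.active]
        if not withdrawn:
            raise ConsentError("no active consent to withdraw")
        for r in withdrawn:
            r.withdrawn_at = now
        # Every processor that received data for this purpose gets a deletion request.
        requests = [(p, principal_id, purpose) for p in self.processors.get(purpose, [])]
        self.deletion_requests.extend(requests)
        return requests


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.register_processor("marketing_email", "mail-vendor-A")   # constructed processor ids
    ledger.register_processor("marketing_email", "mail-vendor-B")
    ledger.grant("user-1", "marketing_email", affirmative_action=True)
    print("may email:", ledger.may_process("user-1", "marketing_email"))
    print("fan-out on withdrawal:", ledger.withdraw("user-1", "marketing_email"))
    print("may email after withdrawal:", ledger.may_process("user-1", "marketing_email"))
```

The ledger never deletes a record; withdrawal is recorded as a timestamp, so the audit trail shows when consent existed and when it ended, which is what a later complaint to the Board would turn on. The returned list of deletion requests is the hand-off point to whatever transport actually reaches each processor.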


4. Obligations of Data Fiduciaries

Data Fiduciaries bear the primary responsibility for ensuring compliance under the Act:

  • Notice Requirement: Every request for consent must be accompanied or preceded by a clear notice detailing the personal data to be collected, the purpose of processing, and how the user can exercise their rights or file a complaint.
  • Data Accuracy: If data is used to make decisions affecting the Data Principal or shared with another Data Fiduciary, the original Fiduciary must ensure the data is accurate and complete.
  • Security Safeguards: Data Fiduciaries must implement reasonable security safeguards (such as encryption and access controls) to prevent personal data breaches.
  • Breach Notification: In the event of a personal data breach, the Data Fiduciary must notify the Data Protection Board (DPB) and each affected Data Principal.
  • Data Minimization & Deletion: Personal data must be deleted once the specified purpose for which it was collected has been fulfilled, or when the Data Principal withdraws consent.

5. Rights of the Data Principal

The DPDP Act places power back in the hands of individuals, granting them four fundamental rights:

  1. Right to Access Information: Principals can request a summary of the personal data being processed, the processing activities, and the identities of all other Data Fiduciaries/Processors with whom the data has been shared.
  2. Right to Correction, Completion, and Erasure: Individuals can request the correction of inaccurate data, completion of incomplete profiles, or complete deletion of their personal data.
  3. Right to Grievance Redressal: If a Data Principal is unsatisfied with how their data is handled, they have the right to register a grievance with the Data Fiduciary. They must exhaust this internal channel before escalating to the DPB.
  4. Right to Nominate: Data Principals can nominate another individual to exercise their rights in the event of death or incapacity.

6. Penalties for Non-Compliance

Unlike some international frameworks that calculate fines based on global turnover percentages, the DPDP Act outlines flat-rate statutory limits based on the severity of the violation:

Nature of Non-Compliance                                        Maximum Penalty
--------------------------------------------------------------  ----------------------------
Failure to prevent personal data breaches                       Up to ₹250 Crore ($30M USD)
Failure to notify the Board or affected users of a breach       Up to ₹200 Crore
Non-fulfillment of obligations in relation to children's data   Up to ₹200 Crore
Breach of obligations by a Consent Manager                      Up to ₹150 Crore
General non-compliance with other provisions                    Up to ₹50 Crore

Conclusion: Preparing for the DPDP Era

The Digital Personal Data Protection Act 2023 represents a significant upgrade to India’s digital landscape. For enterprises, this means transitioning from passive cookie notices to active, granular consent flows and auditable data pipelines.

By leveraging tools like IndiaConsent, businesses can automate the generation of cryptographically signed consent artifacts, manage multi-fiduciary revocations, and prepare for the Technical Audits required under the upcoming DPDP Rules.


About the Author: IndiaConsent Legal & Compliance Team.