India | Software | Act of Parliament | Active

Digital Personal Data Protection Act, 2023

Aug 11, 2023

Executive Summary

The Digital Personal Data Protection Act, 2023 (DPDPA) is India's landmark data privacy legislation, enacted on August 11, 2023, as Act No. 22 of 2023. After years of deliberation -- including the withdrawal of the earlier Personal Data Protection Bill, 2019 -- this Act establishes a comprehensive framework governing the processing of digital personal data within India and, extraterritorially, the processing of data related to offering goods or services to individuals in India. The DPDPA introduces key concepts such as the Data Fiduciary, Data Principal, Consent Manager, and the Significant Data Fiduciary, while creating the Data Protection Board of India as the primary enforcement authority. With penalties reaching up to Rs. 250 crore per violation and a cap of Rs. 500 crore per breach instance, the Act signals India's commitment to balancing individual data rights with the needs of a rapidly digitizing economy.

Key Provisions

Consent-Based Processing Framework. At the core of the DPDPA lies the requirement that personal data may only be processed with the free, specific, informed, unconditional, and unambiguous consent of the Data Principal, or under enumerated "legitimate uses." Consent must be obtained through a clear affirmative action and must be limited to data necessary for the specified purpose. Data Principals retain the right to withdraw consent at any time with ease comparable to the original granting process.

Data Fiduciary Obligations. The Act imposes a structured set of obligations on Data Fiduciaries: ensuring data accuracy and completeness, implementing reasonable security safeguards, notifying the Board and affected individuals of data breaches, and erasing data once its processing purpose is fulfilled. Data Fiduciaries must also publish business contact information for a Data Protection Officer or equivalent representative.

Notice and Transparency. Every collection of personal data must be preceded or accompanied by a clear notice describing the data being collected, the purpose of processing, the manner in which the Data Principal can exercise rights, and the process for filing complaints. Notices must be available in English and any language listed in the Eighth Schedule of the Constitution.

Children's Data Protections. The DPDPA provides heightened protections for children (defined as persons under 18 years). Data Fiduciaries must obtain verifiable parental consent before processing a child's data, may not undertake processing likely to cause detriment to a child's well-being, and are prohibited from tracking, behavioural monitoring, or targeted advertising directed at children.

Significant Data Fiduciary Regime. The Central Government may designate certain Data Fiduciaries as "Significant" based on factors such as data volume and sensitivity. These entities face additional obligations including appointing a Data Protection Officer based in India, engaging independent data auditors, and conducting periodic Data Protection Impact Assessments.

Cross-Border Data Transfers. Rather than adopting a whitelist or adequacy-based approach, the DPDPA uses a "blacklist" model: the Central Government may restrict transfers to specific countries or territories, leaving all other transfers permissible by default.

Rights of Data Principals. The Act grants Data Principals the right to access summaries of their processed data, know the identities of third parties with whom data has been shared, request correction and erasure, have grievances redressed within prescribed timeframes, and nominate another individual to exercise their rights in case of death or incapacity.

Duties of Data Principals. Uniquely, the DPDPA also imposes duties on Data Principals, including obligations not to furnish false information, impersonate others, suppress material information, or file frivolous complaints. Violations by Data Principals carry penalties up to Rs. 10,000.

Goals and Timelines

The DPDPA was designed for phased implementation. While it received Presidential assent on August 11, 2023, different provisions may come into force on different dates as notified by the Central Government. As of the time of enactment, the key milestones include the establishment of the Data Protection Board of India, the notification of rules governing consent management, breach notification procedures, and the designation criteria for Significant Data Fiduciaries. The Act does not set a single compliance deadline, instead granting the government flexibility to stagger enforcement in recognition of varying preparedness levels across industry sectors.

Implementation Mechanisms

Data Protection Board of India. The primary enforcement body is the Data Protection Board, established as a body corporate functioning as a digital office. The Board investigates complaints, determines non-compliance, directs remedial measures during data breaches, and imposes penalties. Board members are appointed by the Central Government from persons with expertise in data protection, IT, cybersecurity, public administration, or law.

Consent Manager System. The Act introduces a novel Consent Manager framework -- registered intermediaries that serve as a single point of contact for Data Principals to give, manage, review, and withdraw consent through accessible and interoperable platforms.

Appellate Mechanism. Appeals against Board decisions are heard by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), with appeals to be filed within 60 days of receiving a Board order.

Rule-Making Authority. The Central Government retains broad rule-making powers, enabling it to prescribe detailed procedures for consent, breach notification, children's data verification, Board functioning, and other operational matters.

Industry Impact

The DPDPA has far-reaching implications for India's technology and business landscape. The IT services industry, which constitutes a major portion of India's software exports, must redesign data processing workflows to ensure consent compliance and implement robust breach notification systems. SaaS providers, fintech companies, e-commerce platforms, and healthtech startups face particular compliance burdens related to the consent mechanism, children's data restrictions, and the Significant Data Fiduciary obligations.

The Consent Manager model creates a new market vertical, encouraging the development of consent management platforms and related enterprise software. Meanwhile, the cross-border data transfer framework -- more permissive than the GDPR's adequacy model -- positions India as relatively open to international data flows, which benefits the global delivery model relied upon by India's IT sector.

However, the broad exemptions granted to the State for processing personal data on grounds of sovereignty, security, and public order have drawn criticism from privacy advocates, who argue these carve-outs undermine the Act's protective goals. The startup exemption provision, while intended to reduce compliance burdens on emerging companies, has raised questions about the threshold criteria and scope of exempted obligations.

Amendment History

The DPDPA 2023 represents the culmination of a prolonged legislative process. The Justice B.N. Srikrishna Committee submitted its report and a draft Personal Data Protection Bill in 2018. The Personal Data Protection Bill, 2019 was introduced in Parliament in December 2019 and referred to a Joint Parliamentary Committee, which submitted its report in 2021 with numerous recommended amendments. The 2019 Bill was withdrawn in August 2022, and a new Digital Personal Data Protection Bill was released for public consultation in November 2022. The final Act, substantially simplified compared to its predecessors, was passed by Parliament and received Presidential assent on August 11, 2023. Upon enactment, the DPDPA consequentially amended the Information Technology Act, 2000 (repealing Section 43A on data protection compensation) and the Right to Information Act, 2005 (strengthening personal data protections under Section 8).

Related Documents

  • Information Technology Act, 2000 -- The foundational legislation for cyber law in India; Section 43A (now repealed by DPDPA) previously governed compensation for data protection failures.
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 -- Pre-DPDPA rules governing sensitive personal data, now partially superseded.
  • Right to Information Act, 2005 -- Amended by DPDPA Section 41(2) to strengthen personal data exemptions.
  • CERT-In Directions, 2022 -- Complementary cybersecurity incident reporting requirements that intersect with the DPDPA's breach notification obligations.
  • Justice B.N. Srikrishna Committee Report (2018) -- The foundational report that shaped India's data protection legislative framework.
  • EU General Data Protection Regulation (GDPR) -- International benchmark frequently compared with the DPDPA's approach to consent, data subject rights, and cross-border transfers.