Digital Personal Data Protection Act, 2023
1. India's first comprehensive data protection law, governing how personal digital data is collected and processed.
2. Establishes 'Data Principals' (individuals) and 'Data Fiduciaries' (entities processing data) as core concepts.
3. Consent is the primary basis for data processing: it must be free, specific, informed, and unconditional.
4. Creates a Data Protection Board of India to adjudicate complaints and impose penalties.
5. Penalties can reach up to ₹250 crore per instance of breach for significant data fiduciaries.
Level-Based Learning
Simple Explanation
DPDP is India's privacy law for the internet age. Every time an app asks for your name, phone number, or location — that's personal data. This law says companies must ask your permission, tell you why they need it, and delete it when you ask. Think of it as your digital 'do not disturb' sign.
Why This Law Exists
India had no comprehensive data protection law despite having 800 million internet users. Companies were collecting, selling, and misusing personal data with no accountability. The Supreme Court in 2017 (Puttaswamy case) ruled that privacy is a fundamental right, and DPDP is the legislative follow-through.
Real-Life Example
You sign up for a food delivery app and share your location. The app cannot secretly sell your location data to advertisers without your explicit consent. If they do, you can file a complaint with the Data Protection Board and the company could face penalties up to ₹250 crore.
Real-World Impact
For Citizens
What this means for you
Right to know what data companies hold about you and why.
Right to correct inaccurate personal data held by any company.
Right to erase your data when it's no longer needed.
Special protections for children's data — apps cannot profile your child.
Can file complaints with the Data Protection Board for violations.
For Businesses & Startups
Compliance & opportunities
Must build consent management systems before collecting any personal data.
Significant Data Fiduciaries face additional compliance — Data Audits, DPIAs, DPO appointments.
Penalties up to ₹250 crore per breach instance can be existential for startups.
No mandatory data localization — servers can remain overseas (unlike RBI regulations for financial data).
Privacy-by-design is now a legal requirement, not just a best practice.
Timeline / Change Tracker
Puttaswamy Judgment
9-judge Supreme Court bench unanimously rules that privacy is a fundamental right under Article 21, creating the constitutional basis for data protection law.
Justice Srikrishna Committee
Expert committee submits draft Personal Data Protection Bill — widely praised for its GDPR-aligned approach.
PDP Bill Introduced
Government introduces Personal Data Protection Bill in Parliament — referred to a Joint Parliamentary Committee.
JPC Report
Joint Parliamentary Committee submits 542-page report with 81 amendments — significantly expanding the bill's scope.
PDP Bill Withdrawn
Government withdraws the 2019 bill citing need for comprehensive revamp — signals major policy reset.
DPDP Act Enacted
Digital Personal Data Protection Act passed in August 2023 — receives Presidential assent on August 11.
Rules Awaited
DPDP Rules drafted and released for public consultation — final notification expected in 2025.
Test Yourself
4 questions
Under DPDP 2023, who is called a 'Data Principal'?
What is the maximum penalty for a data breach by a Significant Data Fiduciary?
How does DPDP 2023 handle cross-border data transfers?
What special rule applies to processing children's data under DPDP?
Educational use only. Not legal advice.