
Data Privacy Act India 2023: Key Features, Concerns & Implications

In today’s digital world, every time we use a mobile app, sign up on a website, or even shop online, we share some of our personal information—like our name, phone number, email, or even our location. But what happens to that data? Can companies use it freely? Can they sell it to others? That’s where data privacy laws come in.

India has finally taken a big step towards protecting its citizens’ data through the Digital Personal Data Protection Act, 2023 (DPDP Act). This law sets rules for how companies, governments, and organizations should collect, store, and use our personal data. Let's explore what the Data Privacy Act India is all about.

Why Was This Law Needed?

Before the DPDP Act, India didn’t have a specific law focused only on personal data. Various older laws, like the Information Technology Act, 2000, had some privacy rules, but they weren’t strong or detailed enough.

With the rise of digital services, data breaches became common. Major companies were accused of misusing user data or failing to protect it. Citizens didn’t have a clear idea of their rights, and companies weren’t always held accountable. The Supreme Court also ruled in 2017 that privacy is a fundamental right, which made it necessary for the government to frame a strong privacy law.


Key Features of the Data Privacy Act

The Digital Personal Data Protection Act, 2023 lays down the rules for how personal data should be collected, stored, and used. It protects users (called Data Principals) and puts responsibilities on the companies or organizations collecting the data (called Data Fiduciaries). Here's a breakdown of the Act’s most important features:

1. Applicability (Section 3)

The Act applies to digital personal data, whether collected in digital form or collected on paper and digitised later. It applies to:

  • Data processed within India

  • Data processed outside India, if the processing is connected with offering goods or services to Data Principals in India

This means even foreign websites and apps must follow the law if they serve Indian users. The Act does not apply to personal data processed by an individual for personal or domestic purposes, nor to personal data that the Data Principal has made publicly available (or that is public under a legal obligation).

2. Notice and Consent-Based Processing (Section 5, 6 & 7)

Before or at the time of asking for consent, a Data Fiduciary must give a notice, and the consent itself must be:

  • Free, specific, informed, unconditional and unambiguous

  • Given by a clear affirmative action and limited to the specified purpose

  • Requested in English or any language listed in the Eighth Schedule to the Constitution

The notice must tell the user:

  • What personal data will be collected

  • Why it is being collected and how it will be used

  • How to exercise their rights and how to complain to the Data Protection Board

Consent can be withdrawn at any time, and withdrawing must be as easy as giving it; the fiduciary must then stop processing within a reasonable time unless another law requires the processing to continue. Consent may also be given, managed and withdrawn through a registered Consent Manager. The "deemed consent" of the 2022 draft bill was replaced in the Act by "certain legitimate uses" (Section 7), where consent is not required: for example, when the user voluntarily provides data for a specified purpose and has not objected, for State subsidies or services, to respond to a medical emergency, or for employment-related purposes.

3. Rights of Data Principals (Section 11-14)

You have several rights under the Act:

  • Right to Information (Section 11): Obtain a summary of the personal data being processed and of the processing activities, and the identities of all other Data Fiduciaries and Data Processors with whom it has been shared

  • Right to Correction and Erasure (Section 12): Ask for inaccurate or incomplete data to be corrected, completed or updated, and for data to be erased once it is no longer needed for the stated purpose

  • Right to Grievance Redressal (Section 13): Complain to the Data Fiduciary, and to the Data Protection Board if the fiduciary's own mechanism does not resolve the issue

  • Right to Nominate (Section 14): Nominate someone to exercise your rights in case of death or incapacity

These rights give users control over their own data.

4. Duties of Data Principals (Section 15)

Along with rights, users also have duties:

  • You must not file false or frivolous complaints

  • You must not impersonate someone else when providing personal data

  • You must not suppress material information when providing personal data for a document or identity proof

Breach of these duties can attract a penalty of up to ₹10,000 under the Schedule.

5. Obligations of Data Fiduciaries (Section 8)

Data Fiduciaries (the companies or entities that decide the purpose and means of processing) must:

  • Use data only for the purpose the user consented to

  • Keep data complete, accurate and consistent when it is used to make decisions affecting the user or is shared with another fiduciary

  • Implement reasonable security safeguards to prevent a personal data breach, including for processing done on their behalf by Data Processors

  • Erase data once the purpose is served or consent is withdrawn, unless retention is required by law, and have their processors do the same

  • Publish contact details of a person who can answer questions about the processing, and maintain a grievance redressal mechanism

They remain responsible for compliance even when processing is outsourced to a Data Processor, and must notify both the Data Protection Board and each affected Data Principal in case of a personal data breach.

6. Significant Data Fiduciaries (Section 10)

The Central Government may notify organizations as “Significant Data Fiduciaries” based on factors such as the volume and sensitivity of the data they process, the risk to Data Principals, and the potential impact on sovereignty, security of the State, electoral democracy or public order. They have extra obligations:

  • Appointing a Data Protection Officer (DPO) based in India, who is the point of contact for grievances

  • Appointing an independent data auditor

  • Conducting periodic Data Protection Impact Assessments (DPIAs) and audits

This ensures that larger companies, or those handling higher-risk data, follow stricter rules.

7. Protection for Children (Section 9)

  • Personal data of a child (anyone under 18) cannot be processed without the verifiable consent of a parent or lawful guardian; the same applies to a person with disability who has a lawful guardian.

  • Companies cannot track children, monitor their behaviour, or direct targeted advertising at them.

This is aimed at protecting minors from online harm or manipulation.

8. Cross-Border Data Transfer (Section 16)

  • Personal data can be transferred outside India by default.

  • The Central Government may, by notification, restrict transfers to specific countries or territories. This is a blacklist approach: no prior approval is needed for other destinations.

Unlike earlier drafts of the bill, the 2023 Act does not mandate storage only in India. Stricter sectoral transfer rules (for example, the RBI's localisation requirement for payment system data) continue to apply, since Section 16(2) preserves any law that offers a higher degree of protection or restriction on transfers.

9. Data Protection Board of India (Section 18-28)

A new Data Protection Board will be set up to:

  • Enforce the law

  • Handle complaints

  • Conduct inquiries

  • Impose penalties

The Board will have the powers of a civil court and can summon parties, examine evidence, and issue directions.

10. Penalties (Section 33 & Schedule)

Violating the Act can result in monetary penalties imposed by the Data Protection Board after an inquiry. The Schedule sets a maximum for each kind of breach, for example:

  • Failure to take reasonable security safeguards to prevent a personal data breach: up to ₹250 crore

  • Failure to notify the Board and affected Data Principals of a breach: up to ₹200 crore

  • Breach of the obligations relating to children: up to ₹200 crore

  • Breach of the additional obligations of a Significant Data Fiduciary: up to ₹150 crore

  • Breach of duties by a Data Principal: up to ₹10,000

  • Breach of any other provision of the Act or its rules: up to ₹50 crore

In deciding the amount, the Board considers the nature, gravity and duration of the breach, the type of personal data affected, whether the breach is repetitive, any gain made or loss avoided, and the mitigation steps taken. Penalties are credited to the Consolidated Fund of India; the Act does not provide for compensation to affected individuals.

11. Government Powers and Exemptions (Section 17)

The Central Government can, by notification, exempt any instrumentality of the State (for example, security or intelligence agencies) from the law in the interests of:

  • Sovereignty and integrity of India

  • Security of the State

  • Friendly relations with foreign States

  • Maintenance of public order, or preventing incitement to an offence

Section 17 also exempts processing for purposes such as enforcing legal rights, court proceedings and the prevention or investigation of offences, and lets the government exempt classes of Data Fiduciaries, such as startups, from certain obligations. The breadth of these powers has been criticised as open to misuse.

12. Override on Other Laws (Section 38)

  • The provisions of the DPDP Act apply in addition to, and not in derogation of, any other law in force.

  • Where a provision of the DPDP Act conflicts with another law, the DPDP Act prevails.

This makes the DPDP Act the primary data protection law in India. Note that Section 38 contains no general carve-out for laws that offer stronger privacy protection; only cross-border transfer restrictions are expressly preserved (Section 16(2)).

Relation with Other Laws

India's Data Privacy Act does not exist in isolation; it interacts with other legal frameworks such as the IT Act, the Supreme Court's privacy jurisprudence and sector-specific regulations to form a broader privacy ecosystem. The DPDP Act does not replace all existing laws but works alongside them.

1. IT Act, 2000

The Information Technology Act, 2000 was India’s first attempt to regulate digital activity, and it included some provisions on data protection: mainly Section 43A (compensation for negligence in handling sensitive personal data, fleshed out by the SPDI Rules, 2011) and Section 72A (punishment for disclosure of personal information in breach of a lawful contract). However, these provisions were narrow and weakly enforced. The DPDP Act brings more clarity, introduces user rights, defines obligations, and creates a regulatory authority. Section 44 of the DPDP Act amends the IT Act and omits Section 43A, so the new regime replaces the older compensation route; in any other conflict, the DPDP Act prevails.

2. Right to Privacy (Puttaswamy Judgment, 2017)

In the Justice K.S. Puttaswamy v. Union of India (2017) case, the Supreme Court of India declared that privacy is a fundamental right under Article 21 of the Constitution. This judgment created the constitutional foundation for a strong privacy law. The DPDP Act is the legal response to that ruling, translating the right to privacy into actionable rights and obligations in the digital space. It ensures individuals have control over how their personal data is used, shared, or stored.

3. Sectoral Laws

Various sectors, such as banking (RBI guidelines), telecom (TRAI regulations) and healthcare (Clinical Establishments Act), have their own privacy and confidentiality rules. These rules continue to apply alongside the DPDP Act, which now provides a common baseline across sectors. Under Section 38 the Act's provisions are in addition to sectoral rules, and where the two conflict the DPDP Act prevails, which keeps privacy enforcement consistent across sectors.

Concerns and Criticism

While the DPDP Act is a strong step forward, it is not without flaws. The major concerns raised by experts range from government overreach to a lack of clarity:

  • Government Exemptions: The central government can exempt certain agencies from the law in the name of national security or public order. Critics say this can be misused.

  • No Right to Data Portability: Unlike some foreign laws, this Act does not allow users to transfer their data from one service to another.

  • Too Much Power with Government: The Data Protection Board is not entirely independent—it is controlled by the government, raising concerns about fairness and transparency.

  • Age Limit for Children: Setting 18 as the age below which parental consent is required is seen by many as too high; critics argue it should be 13 or 16, as in other jurisdictions. The Act does allow the Central Government to notify a lower age for a specific Data Fiduciary whose processing of children's data it finds to be verifiably safe (Section 9(5)), so the threshold may be relaxed for some services.

How It Compares Globally

India’s DPDP Act shares similarities with international laws like the GDPR (General Data Protection Regulation) in the European Union, but there are key differences:

Feature               | GDPR (EU)                                                                  | DPDP Act (India)
Age of consent        | 16 by default; member states may lower it to 13                            | 18 (anyone under 18 is a "child")
Data protection body  | Independent supervisory authority in each member state                     | Data Protection Board of India, appointed by the Central Government
Right to be forgotten | Right to erasure ("right to be forgotten") expressly provided              | Right to correction and erasure (Section 12); no wider right to be forgotten
Penalty limit         | Up to €20 million or 4% of worldwide annual turnover, whichever is higher  | Up to ₹250 crore per instance of breach (Schedule)

Implications of the DPDP Act, 2023

The DPDP Act has profound effects on the business, individuals and the regulatory authorities.

For Businesses

The Act requires organizations to evaluate several aspects of their data collection and processing activities. They need to:

  • Give clear notice and obtain (and record) consent for each specified purpose, and provide a way to withdraw it that is as easy as giving it.

  • Limit use of personal data to the stated purpose and erase it once the purpose is served or consent is withdrawn, unless retention is required by law.

  • Implement reasonable security safeguards, and have a process to notify the Data Protection Board and affected users of a personal data breach.

  • Set up a grievance redressal mechanism and respond to user requests for access, correction and erasure.

  • If notified as a Significant Data Fiduciary, appoint a Data Protection Officer based in India and an independent data auditor, and carry out Data Protection Impact Assessments and periodic audits.

For Individuals

The DPDP Act, 2023 gives individuals more control over their own personal data. It promotes privacy awareness and gives users concrete means (access, correction, erasure, grievance redressal and, ultimately, a complaint to the Board) to act when their data is mishandled.

Summary

India has taken its first strong step toward protecting digital privacy with the Digital Personal Data Protection Act, 2023. It sets rules for companies to follow, gives users enforceable rights, and moves India closer to global data protection standards.

Like any new law, it will evolve. Its provisions come into force on dates notified by the Central Government, with different provisions able to commence at different times, and much of the practical detail depends on rules made under Section 40. As digital services grow and technology changes, the law will need to be updated to meet new needs; for everyone in India who uses the internet, it is nonetheless a significant gain.


Data Privacy Act India: FAQs

Q1. What is the Digital Personal Data Protection Act, 2023?

 It’s a law that regulates how personal digital data is collected, stored, and used in India.

Q2. Does the law apply to WhatsApp, Google, or Facebook?

 Yes. The Act applies to processing outside India that is connected with offering goods or services to Data Principals in India, so foreign platforms serving Indian users must comply.

Q3. What can I do if my data is misused?

 First use the Data Fiduciary's own grievance redressal mechanism (Section 13); if that does not resolve the issue, you can complain to the Data Protection Board of India, which can inquire into the matter and impose penalties. The Act does not provide for compensation to the individual.

Q4. Can companies send my data outside India?

 Yes. Transfers are allowed by default; the Central Government may restrict transfers to specific countries or territories by notification (Section 16). There is no list of approved countries and no general data-localisation mandate, although stricter sectoral transfer rules continue to apply.

Q5. Are there penalties for data breaches?

 Yes. Failing to take reasonable security safeguards to prevent a personal data breach can attract a penalty of up to ₹250 crore, and failing to notify the Board and affected users of a breach up to ₹200 crore.
