In today’s digital world, every time we use a mobile app, sign up on a website, or even shop online, we share some of our personal information—like our name, phone number, email, or even our location. But what happens to that data? Can companies use it freely? Can they sell it to others? That’s where data privacy laws come in.
India has finally taken a big step towards protecting its citizens’ data through the Digital Personal Data Protection Act, 2023 (DPDP Act). This law sets rules for how companies, governments, and organizations should collect, store, and use our personal data. Let's explore what the Data Privacy Act India is all about.
Why Was This Law Needed?
Before the DPDP Act, India didn’t have a specific law focused only on personal data. Various older laws, like the Information Technology Act, 2000, had some privacy rules, but they weren’t strong or detailed enough.
With the rise of digital services, data breaches became common. Major companies were accused of misusing user data or failing to protect it. Citizens didn’t have a clear idea of their rights, and companies weren’t always held accountable. The Supreme Court also ruled in 2017 that privacy is a fundamental right, which made it necessary for the government to frame a strong privacy law.
Key Features of the Data Privacy Act
The Digital Personal Data Protection Act, 2023 lays down the rules for how personal data should be collected, stored, and used. It protects users (called Data Principals) and puts responsibilities on the companies or organizations collecting the data (called Data Fiduciaries). Here's a breakdown of the Act’s most important features:
1. Applicability (Section 3 & 4)
The Act applies to digital personal data—whether collected online or digitized later. It applies to:
Data processed in India
Data processed outside India, if it involves offering goods or services to people in India
This means even foreign websites and apps must follow the law if they serve Indian users.
2. Consent-Based Processing (Section 6 & 7)
Companies must obtain clear and informed consent before collecting your data.
Consent must be:
Free and voluntary
Specific to the purpose
Given in plain language
The user must be told:
What data will be collected
Why it is being collected
How it will be used
There is also a provision for "Deemed Consent" (Section 7), where in some specific situations (e.g., medical emergencies or government benefits), consent is assumed.
3. Rights of Data Principals (Section 11-14)
You have several rights under the Act:
Right to Information: Know how your data is being used
Right to Correction and Erasure: Ask for incorrect or outdated data to be corrected or deleted
Right to Grievance Redressal: File complaints if your data is misused
Right to Nominate: Nominate someone to manage your rights in case of death or incapacity
These rights empower users to take control of their own data.
4. Duties of Data Principals (Section 15)
Along with rights, users also have duties:
You must not file false complaints
You should not impersonate someone else
You must provide authentic information
Misuse or dishonesty by users can lead to penalties.
5. Obligations of Data Fiduciaries (Section 8 & 9)
Data Fiduciaries (the companies or entities collecting data) must:
Use data only for the purpose stated
Delete data when it’s no longer needed
Keep data secure and confidential
Ensure proper consent mechanisms
They are also required to notify users and the Data Protection Board in case of a data breach.
6. Significant Data Fiduciaries (Section 10)
Some organizations, based on their size or risk level, may be classified as “Significant Data Fiduciaries”. They have extra obligations, such as:
Appointing a Data Protection Officer (DPO)
Conducting Data Protection Impact Assessments (DPIA)
This ensures that larger companies or those handling sensitive data follow stricter rules.
7. Protection for Children (Section 9)
No data can be collected from a child below 18 years without parental consent.
Companies cannot track, profile, or show targeted ads to children.
This is aimed at protecting minors from online harm or manipulation.
8. Cross-Border Data Transfer (Section 16)
Personal data can be transferred outside India.
However, the government may restrict transfers to certain countries if needed for national interest.
Unlike earlier versions of the bill, the 2023 Act doesn’t mandate storage only in India.
9. Data Protection Board of India (Section 18-29)
A new Data Protection Board will be set up to:
Enforce the law
Handle complaints
Conduct inquiries
Impose penalties
The Board will have the powers of a civil court and can summon parties, examine evidence, and issue directions.
10. Penalties and Compensation (Section 33 & Schedule)
Violating the Act can result in monetary penalties. Some examples:
Failure to prevent a data breach: up to ₹250 crore
Failure to fulfill duties: up to ₹10,000 (for individuals)
Not responding to user complaints: up to ₹50 crore
Penalties are decided based on the seriousness of the violation, size of the company, and harm caused.
11. Government Powers and Exemptions (Section 17 & 30)
The Central Government can exempt certain organizations (like security or intelligence agencies) from the law for:
National security
Public order
Sovereignty of India
However, this power has received criticism for being too broad and possibly misused.
12. Override on Other Laws (Section 38)
The DPDP Act overrides any conflicting provisions in other laws.
But if a law provides stronger privacy protection, it will continue to apply.
This makes the DPDP Act a primary data protection law in India.
Relation with Other Laws
India's Data Privacy Act doesn’t exist in isolation—it interacts with other legal frameworks. This section explores how the DPDP Act connects with existing laws like the IT Act, Supreme Court rulings, and sector-specific regulations to form a broader privacy ecosystem. The DPDP Act doesn’t replace all existing laws but works alongside them.
1. IT Act, 2000
The Information Technology Act, 2000 was India’s first attempt to regulate digital activity, and it included some provisions on data protection—mainly in Section 43A (compensation for negligence in handling sensitive data) and Section 72A (punishment for disclosure without consent). However, these provisions were vague and lacked proper enforcement. The DPDP Act brings more clarity, introduces user rights, defines obligations, and creates a regulatory authority. In case of conflict, the DPDP Act overrides the IT Act’s provisions.
2. Right to Privacy (Puttaswamy Judgment, 2017)
In the Justice K.S. Puttaswamy v. Union of India (2017) case, the Supreme Court of India declared that privacy is a fundamental right under Article 21 of the Constitution. This judgment created the constitutional foundation for a strong privacy law. The DPDP Act is the legal response to that ruling, translating the right to privacy into actionable rights and obligations in the digital space. It ensures individuals have control over how their personal data is used, shared, or stored.
3. Sectoral Laws
Various sectors, like banking (RBI guidelines), telecom (TRAI regulations), and healthcare (Clinical Establishments Act), have specific privacy rules. These rules will continue to apply, but they now operate under the larger umbrella of the DPDP Act. The Act serves as a general data protection law, ensuring a common standard across sectors. In cases of overlap, sectoral laws must align with the DPDP Act unless they offer stronger protections. This avoids legal conflict and ensures consistency in privacy enforcement.
Concerns and Criticism
While the DPDP Act is a strong step forward, it is not without flaws. This section discusses the major concerns raised by experts, ranging from government overreach to a lack of clarity, and the areas where the law could be improved to ensure better user protection:
Government Exemptions: The central government can exempt certain agencies from the law in the name of national security or public order. Critics say this can be misused.
No Right to Data Portability: Unlike some foreign laws, this Act does not allow users to transfer their data from one service to another.
Too Much Power with Government: The Data Protection Board is not entirely independent—it is controlled by the government, raising concerns about fairness and transparency.
Age Limit for Children: Making 18 the age limit for taking parental consent is seen as outdated. Many say it should be reduced to 13 or 16, as in other countries.
How It Compares Globally
India’s DPDP Act shares similarities with international laws like the GDPR (General Data Protection Regulation) in the European Union, but there are key differences:
Feature | GDPR (EU) | DPDP Act (India) |
Age of consent | 13–16 years | 18 years |
Data Protection Body | Independent authority | Appointed by central government |
Right to be forgotten | Available | Not clearly defined |
Penalty limit | €20 million or 4% of revenue | ₹250 crore per violation |
Implications of the DPDP Act, 2023
The DPDP Act has profound effects on businesses, individuals, and regulatory authorities.
For Businesses
The Act requires organizations to evaluate several aspects of their data collection and processing activities. They need to:
Carry out data protection impact assessments.
Appoint Data Protection Officers (DPOs) within the organization to oversee the compliance process.
Invest in cybersecurity to reduce the risk of hacking, data breaches, and related incidents.
For Individuals
The DPDP Act, 2023 gives people control over their own data. It promotes privacy awareness and gives users a means of protecting themselves against infringement of their rights.
Summary
India has taken its first strong step toward protecting our digital privacy with the Digital Personal Data Protection Act, 2023. It sets important rules for companies to follow, gives users more power, and brings India in line with global privacy standards for data.
Like any new law, it will evolve over time. As digital services grow and technology changes, the law will need to be updated to meet new needs. With personal data finally protected, it is a significant win for everyone in India who uses the internet.
Data Privacy Act India: FAQs
Q1. What is the Digital Personal Data Protection Act, 2023?
It’s a law that regulates how personal digital data is collected, stored, and used in India.
Q2. Does the law apply to WhatsApp, Google, or Facebook?
Yes, if they process Indian users’ data, they must follow the rules.
Q3. What can I do if my data is misused?
You can complain to the Data Protection Board of India for action.
Q4. Can companies send my data outside India?
Yes, but only to countries approved by the Indian government.
Q5. Are there penalties for data breaches?
Yes, companies can be fined up to ₹250 crore for violations.