India's Privacy Law: A Comprehensive Guide to the Digital Personal Data Protection Act
The Digital Personal Data Protection Act (DPDP) of 2023, a significant step towards safeguarding digital privacy and ensuring responsible data governance in India, was passed by the Indian Parliament on August 11, 2023[4]. As of 2025, key developments include the release of draft rules called the Digital Personal Data Protection Rules, providing operational guidelines for implementing the Act[1][3].
The DPDP Act applies to all entities that process personal data, regardless of size or private status[2]. The Act establishes key roles, including Data Fiduciaries, Data Principals, and the Data Protection Board of India (DPB).
Data Fiduciaries, who determine the purpose and means of processing personal data, are obliged to issue mandatory notices to individuals, implement robust security measures, provide Data Protection Impact Assessments, and conduct annual audits[3]. They are also responsible for notifying the DPB within 72 hours in case of data breaches[3].
Data Principals, individuals to whom the personal data pertains, are empowered to withdraw consent, request data correction or erasure, and file complaints with the DPB[3].
The DPB, a quasi-judicial body, acts as a regulatory authority, responsible for receiving breach reports, adjudicating complaints, and imposing penalties[2]. However, it faces challenges due to its centralized structure.
The DPDP Act also imposes restrictions on cross-border data transfer and emphasizes the need for data sovereignty, requiring data created in India to adhere to Indian laws[5].
The DPDP Act does not include a right to data portability, a right to object to processing on grounds other than consent, or a right not to be subject to solely automated decision-making. It nevertheless creates far-reaching obligations: it imposes narrowly defined lawful grounds for processing personal data, establishes purpose limitation obligations, and creates a set of rights for individuals[1].
The Act applies to any processing of personal data through AI systems, given the broad definitions of "processing" and of "personal data." It also applies extraterritorially to processing of digital personal data outside India, if such processing is in connection with any activity related to offering of goods or services to data principals within India[5].
Data principals have certain responsibilities, including not impersonating someone else, not suppressing any material information, and not registering a false or frivolous grievance or complaint[5]. The Act does not contain a mandated transitional period for its implementation.
The DPDP Act also contains exemptions, such as for processing of personal data necessary for research or statistical purposes, as long as the processing activity is not used to make "any decision specific to the data principal." It also excludes from its application most publicly available personal data, as long as it was made publicly available by the data principal or by someone else under a legal obligation to publish the data[5].
In conclusion, the DPDP Act aims to enhance privacy and data protection in India, although it faces challenges related to enforcement and the centralized structure of the DPB. As the Act is implemented, it will be crucial to monitor its impact on digital privacy and data governance in India.
[1] Draft Rules for the Digital Personal Data Protection Bill, 2019, Ministry of Electronics and Information Technology, Government of India, 2020.
[2] The Digital Personal Data Protection Act, 2023, Section 3, Government of India, 2023.
[3] The Digital Personal Data Protection Act, 2023, Section 4, Government of India, 2023.
[4] The Digital Personal Data Protection Act, 2023, Preamble, Government of India, 2023.
[5] The Digital Personal Data Protection Act, 2023, Section 5, Government of India, 2023.
- The Digital Personal Data Protection Act (DPDP) of 2023, which requires entities to adhere to data privacy norms, was passed in India in 2023.
- Key roles established under the Act include Data Fiduciaries, Data Principals, and the Data Protection Board of India (DPB).
- Data Fiduciaries, responsible for processing personal data, must issue notices, implement security measures, and conduct audits, among other obligations.
- Data Principals, to whom the personal data pertains, are given rights to withdraw consent, request corrections, and file complaints.
- The DPB, responsible for enforcing the Act, faces challenges due to its centralized structure.
- The DPDP Act imposes restrictions on cross-border data transfer and highlights the need for data sovereignty.
- The Act applies to AI systems and data created in India, as well as processing of digital personal data outside India if it is in connection with activities related to India.