Digital Personal Data Protection (DPDP) Act, 2023
- Kaushik Barai
- Jun 10
- 8 min read
Background
Ever searched for a pair of shoes online, only to see ads for similar products chasing you across every app? Or signed up for a service and later received unsolicited calls or emails from companies you’ve never heard of? That’s your digital footprint at work—bits of your personal data being collected, shared, and sometimes exploited without your full knowledge or consent.
In today’s hyper-connected world, every tap on your smartphone, every form you fill, every payment you make, and every selfie you upload leaves behind a trail of data. This information—names, phone numbers, locations, preferences, even Aadhaar or PAN details—is quietly harvested by apps, websites, and companies. But here’s the big question: Who controls this data? And more importantly, who is held responsible if it’s misused, leaked, or sold to third parties?
Recognizing the urgent need to protect citizens' privacy, the Indian government passed the Digital Personal Data Protection (DPDP) Act, 2023. It aims to give you, the individual, more control over your personal data—how it’s collected, stored, and shared. Think of it as your digital rights manual in an age where data is power.
This article unpacks why the DPDP Act is important for the common citizen, why its implementation is still a work in progress, and what its key provisions mean for you. We’ll also explore concerns raised about the Act, and how personal data is currently being handled in India.
Understanding this law isn’t just for IT professionals or policy makers. If you use WhatsApp, order groceries online, apply for a government scheme, or even browse YouTube, the DPDP Act affects you. It's a major step toward empowering users—but its success depends on how well it’s enforced, and how well we, the public, understand our new digital rights.
Why This Law Matters to You
Ever shared your mobile number at a retail store, only to be bombarded later with spam calls from unknown companies? Or used your Aadhaar to book tickets, pay bills, or sign up for a service—only to wonder where else that sensitive information might have ended up?
In today’s digital world, personal data is the new currency. Every time you use a UPI app, log in with your Aadhaar, or click “I Agree” without reading the fine print, you’re handing over pieces of your identity. And without strong legal protections, that data can be misused, sold, or leaked—often without your knowledge or consent.
The Digital Personal Data Protection (DPDP) Act, 2023 seeks to change this. It empowers individuals by giving them control over how their personal data is collected, stored, and used. Under the Act, you have the right to know exactly why your data is being collected and how it will be used. Companies must obtain your clear and informed consent in simple, understandable language—not hidden behind legal jargon. Crucially, you also have the right to withdraw that consent at any time, and to request that your data be deleted when it’s no longer needed or when you no longer wish to share it.
Beyond giving you control, the Act also provides a framework for accountability. If your data is misused, you have the right to file a complaint and seek redress. These provisions are designed not just to protect individuals but also to build public trust in the digital ecosystem. Whether you're a student registering for an entrance exam, a pensioner accessing digital banking, or simply someone browsing online shopping platforms, the DPDP Act places you—not corporations or governments—at the center of data ownership and privacy.
Key Provisions of the DPDP Act, 2023
The DPDP Act aims to create a secure and transparent digital ecosystem that safeguards citizens’ personal data and strengthens India’s digital governance. It introduces a set of rights for individuals (“Data Principals” in the Act’s terminology) and corresponding obligations for the organizations that collect and process personal data, known legally as “Data Fiduciaries.” These provisions mark a fundamental shift in how personal information is handled in the digital space.
Key Provisions of the law are as under:
Informed consent
One of the most significant features of the Act is its emphasis on informed consent. Consent must be free, specific, informed, unconditional and unambiguous, and it must be limited to the personal data actually needed for the stated purpose. The request for consent must be made in clear and plain language, stating why the data is being collected and how it will be used, so that hidden clauses buried in fine print no longer count. If the individual does not consent, the data cannot be processed, except under the narrow set of “legitimate uses” the Act itself lists (for example, data a person voluntarily provides for a specified purpose, certain government functions, compliance with a law or court order, medical emergencies, and employment-related purposes).
Right to withdraw consent
Further strengthening user autonomy, the Act allows individuals to withdraw their consent at any time, and withdrawing it must be as easy as giving it was. Once a user revokes permission, the organization (and any processors working for it) must stop processing the data within a reasonable time and erase it, unless continued processing or retention is required by the Act or another law. Two caveats apply: withdrawal does not make earlier, consented processing unlawful, and the Act places the consequences of withdrawal on the individual, so a service that genuinely needs the data may no longer be able to provide it.
Right to access and correction
The DPDP Act also introduces a right to access and correction. Every individual has the right to obtain a summary of the personal data a Data Fiduciary holds about them and of the processing being carried out, to learn which other Data Fiduciaries and Data Processors the data has been shared with, and to have the data corrected, completed or updated if it is inaccurate or incomplete. This is particularly relevant in contexts like health records, financial data, or school certificates, where errors can have serious implications.
Right to erasure (Right to Be Forgotten)
Additionally, the Act grants individuals the right to erasure, often called the “right to be forgotten.” People can ask for their data to be deleted, and the Data Fiduciary must comply unless retaining the data is necessary for the specified purpose or required by law. Data must also be erased on the fiduciary’s own initiative once consent is withdrawn or the purpose it was collected for is no longer being served. This provision is crucial in preventing the indefinite retention or misuse of outdated or irrelevant personal information.
Notice Requirement
Before or at the time of seeking consent, organizations are required to give users a clear notice. This notice must describe the personal data being collected and the purpose of its processing, explain how the individual can exercise their rights (including withdrawing consent), and explain how to lodge a complaint with the Data Protection Board. It must also be available in English or in any of the languages listed in the Eighth Schedule of the Constitution, at the user’s option.
Obligations on Data Fiduciaries
Organizations, especially large digital platforms and financial institutions, are obligated to follow stringent data handling practices. They must process data only for lawful purposes, keep it accurate and complete, protect it with reasonable security safeguards, and erase it when the purpose is served or consent is withdrawn. A Data Fiduciary remains responsible for this even when a third-party Data Processor handles the data on its behalf. In the event of a personal data breach, both the Data Protection Board and each affected individual must be notified in the form and manner prescribed by the rules. Larger or higher-risk entities notified as “Significant Data Fiduciaries” carry extra duties: appointing a Data Protection Officer based in India, engaging an independent data auditor, and carrying out periodic data protection impact assessments and audits.
Cross-Border Data Transfers
Another notable provision relates to cross-border data flow. Unlike an earlier draft, which would have allowed transfers only to a whitelist of approved countries, the final Act takes the opposite approach: personal data may be transferred outside India by default, and the Central Government may by notification restrict transfers to specific countries or territories. Stricter sector-specific rules (for example, those of the Reserve Bank of India on payment data) continue to apply on top of this. How much protection Indian citizens’ data enjoys abroad therefore depends on which jurisdictions the government chooses to restrict.
Data Protection Board of India
To oversee compliance and respond to complaints, the Act establishes the Data Protection Board of India. This quasi-judicial body will investigate violations, impose penalties, and ensure that both public and private entities adhere to the law. However, questions have been raised about its independence, as its members are appointed by the central government.
Penalties for Violations
The penalties for violating the law are substantial. Companies that fail to protect user data, notify breaches, or comply with other obligations can face fines of up to ₹250 crore. The severity of penalties will depend on factors like the volume of data compromised, the extent of harm caused, and whether the organization is a repeat offender.
Special Safeguards for Children
The Act also pays special attention to protecting children's data. It mandates verifiable parental (or lawful guardian) consent before processing the personal data of anyone under the age of 18. Additionally, companies are barred from tracking or behaviourally monitoring children and from directing targeted advertising at them, and from any processing likely to harm a child’s well-being, safeguarding them from potential manipulation and exploitation.
Government Exemptions
One of the most debated aspects of the DPDP Act is the scope of government exemptions. The law allows the central government to exempt any of its departments or agencies from the Act’s provisions for reasons such as national security, public order, or friendly relations with foreign states. While this is intended to ensure operational flexibility, it has raised concerns about potential overreach and surveillance without adequate checks.
In essence, the DPDP Act establishes a clear legal foundation for the protection of personal data in India. It gives individuals more control over their digital identities and imposes accountability on those who collect and manage data. While the Act represents a positive step forward, its success will depend on transparent implementation, public awareness, and the creation of a regulatory ecosystem that balances privacy with innovation.
Points of Controversy and Concern
Despite its strengths, several provisions in the DPDP Act have raised concerns:
Government Exemptions
The Act allows the government to exempt its own agencies on vague grounds such as “public order” or “national interest,” which may lead to privacy violations or surveillance.
Lack of Independent Oversight
The proposed Data Protection Board is appointed by the government, raising questions about its autonomy.
Absence of Certain Rights
Unlike the EU's GDPR, the Act does not grant individuals the right to data portability or to know how automated decisions (algorithms) affect them.
Digital Divide
The law emphasizes digital consent mechanisms. This may exclude or confuse less digitally literate users, particularly in rural or older populations.
Ambiguity in Terminology
Terms like "public interest" and "legitimate use" are not clearly defined, potentially weakening the law’s enforceability.
The Road Ahead: A Shared Responsibility
The DPDP Act, 2023 is a crucial step in India's digital transformation, aiming to strike a balance between innovation, economic growth, and individual rights. But passing a law is only the beginning. To make this law meaningful, citizens must be aware of their rights and exercise them; organizations must act responsibly and prioritize privacy by design; and the government must ensure transparent rulemaking and equitable enforcement. As India prepares to implement this legislation, it is essential that digital privacy becomes a part of public discourse, in schools, offices, and homes.
Present Status of implementation
Though passed by Parliament in August 2023, the law’s provisions are not yet in effect. There are several reasons for this delay:
Pending Rulemaking:
The Act lays out the framework, but detailed rules and guidelines still need to be notified by the government.
Establishment of Data Protection Board:
A key regulatory body is yet to be formed, which will handle complaints, investigations, and penalties.
Time for Organizations to Comply
Businesses and government departments need time to adjust their systems and processes in line with the new law.
Need for Awareness and Infrastructure
The digital divide in India means that proper implementation requires capacity building, training, and inclusive mechanisms.
How data privacy is presently handled
Presently for data privacy we rely on Section 43A of the Information Technology (IT) Act, 2000, which mandates that companies handling sensitive personal data must implement reasonable security measures. If negligence leads to a data breach, affected individuals can seek compensation. Additionally, Section 72A of the IT Act penalizes unauthorized disclosure of personal information.
In 2011, the government introduced the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, commonly called the SPDI Rules, which define what qualifies as sensitive personal data, such as financial details, health records, passwords, and biometric information. These rules require businesses to obtain consent before collecting sensitive personal data and to follow reasonable security practices. However, this regime has serious gaps: there is no dedicated regulatory authority; users have few enforceable rights, such as the ability to access, correct, or delete their personal data; sector-specific regulations create inconsistencies in privacy standards; and enforcement is weak, making it difficult to hold violators accountable.
In 2017, a nine-judge bench of the Supreme Court of India ruled in the landmark K.S. Puttaswamy case that privacy is a fundamental right under the Constitution. This judgment highlighted the importance of informational privacy in the digital era, emphasizing that personal data must be protected from misuse. The ruling set the foundation for stronger privacy laws, leading eventually to the DPDP Act, 2023.
Conclusion
In a data-driven world, privacy is not a privilege; it is a fundamental right. The DPDP Act promises to protect this right, but its success depends on informed citizens, responsible organizations, and accountable governance. Until the provisions come into force, let us all remain cautious, conscious, and committed to safe digital practices. After all, safeguarding personal data is not just about compliance; it is about dignity, trust, and freedom in the digital age.